Slide 1
Slide 1 text
+"846(ಢΦϑϥΠϯपײँࡇ
"84/FUXPSL'JSFXBMM1SPYZ
Λ৮ͬͯΈͨ
ޒຯͳ͗͞ʢ9ɿ!OBHJTB@ʣɹ
Slide 2
Slide 2 text
ࣗݾհ
w ໊લɿޒຯͳ͗͞
w ࣄɿ4*FSΠϯϑϥ෦Ϋϥυؔ࿈άϧʔϓϚωʔδϟʔ
w झຯɿΩοΫϘΫγϯά
ɺεΩϡʔόμΠϏϯά
w ͖ͳ"84αʔϏεɿ/8ܥαʔϏεશൠ
"84$PNNVOJUZ#VJMEFSTʢ/FUXPSLJOHBOE$POUFOU%FMJWFSZʣ
"84"NCBTTBEPSTʢʣ
"84+BQBO5PQ&OHJOFFSTʢʣ
+BQBO"MM"84$FSUJGJDBUJPOT&OHJOFFSTʢʣ
+"846(Ϋϥυঁࢠձ࠼ͷࠃ࡛ۄࢧ෦ӡӦ
+"84%":4࣮ߦҕһʢӶҙ४උதʂʣ
Slide 3
Slide 3 text
"84/FUXPSL'JSFXBMM1SPYZ 1SFWJFX
w "84Ϛωʔδυͳ'PSXBSE1SPYZ
w ʹ1SFWJFX൛ͱͯ͠ొ
w ͜Ε·ͰϚωʔδυͳ'PSXBSE1SPYZ͕ͳ͘ɺ
'2%/Ͱͷ੍ޚΛݫີʹߦ͍͍ͨ߹ɺ
4RVJEͷQSPYZαʔόΛϢʔβʔଆͰཱͯΔඞཁ͕͋ͬͨɻ
ˠɹ͍ͭʹ"84ϚωʔδυͰར༻Ͱ͖Δ1SPYZ͕ʂ
Slide 4
Slide 4 text
ैདྷͷ"/'ʹ͓͚ΔѼઌ੍ޚͷ՝
ANF
ಁաతɻ
HTTPS௨৴ͷ߹ɺ
ʢTLS InterceptionΛར༻͍ͯ͠ͳ͍ݶΓʣ
௨৴ͷதݟΕͳ͍ͨΊ
SSL/TLSϋϯυγΣΠΫͷClient Helloʹؚ·ΕΔ
SNIͷΛݩʹ੍ޚɻ
※HTTPͷ߹Host Headerͷ
SNIͷ࣮ࡍͷѼઌFQDNͱҟͳΔʹِՄೳ
ڐՄ͍ͯ͠Δϗετ໊ΛSNIʹೖΕͯ͠·͑௨৴Ͱ͖ͯ͠·͏
ΫϥΠΞϯτͱͯ͠
Ѽઌʹͦͷ··ଓ
Ѽઌɿ
https://example.com
Slide 5
Slide 5 text
ैདྷͷ"/'ʹ͓͚ΔѼઌ੍ޚͷ՝
Proxy
Ѽઌͷ௨৴ΛProxyαʔό͕தܧ͢ΔܗʹͳΔɻ
HTTPS௨৴ͷதݟΕͳ͍͕ɺΫϥΠΞϯτ
HTTP CONNECTϝιουͰProxyαʔόʹଓͨ͠ͷͪ
ʹProxyαʔόʹͯѼઌͷ໊લղܾΛߦ͏ͨΊɺ
࣮ࡍͷѼઌͱͳΔFQDNΛݩʹ੍ͨ͠ޚ͕Մೳ
ProxyΛ໌ࣔతʹࢦఆ
Ѽઌɿ
https://example.com
Slide 6
Slide 6 text
/FUXPSL'JSFXBMM1SPYZͷߏ
Ҿ༻ݩɿhttps://aws.amazon.com/jp/blogs/networking-and-content-delivery/securing-egress-architectures-with-network-firewall-proxy/
NAT GatewayͱηοτͰར༻
Proxy Endpoint͕࡞ΒΕɺ
ΫϥΠΞϯτଆProxy EndpointΛ
ϓϩΩγαʔόͱͯ͠ࢦఆ
ैདྷͷNetwork Firewallͷ
Endpointෆཁ
Slide 7
Slide 7 text
࣮ࡍʹͬͯΈͨ
w ҎԼͭΛॱʹઃఆ
w ϓϩΩγάϧʔϓ
w ϓϩΩγઃఆ
w ϓϩΩγʢຊମʣ
Slide 8
Slide 8 text
ϓϩΩγάϧʔϓ
w ϧʔϧͷϑΣʔζͱ݅ɺΞΫγϣϯʢڐՄڋ൱ʣΛઃఆ
w ϑΣʔζ
w QSF%/4
w υϝΠϯ໊ղܾલʹධՁ͞ΕΔ
w 1SF3FRVFTU
w %/4ղܾޙɺ)551TϦΫΤετΛૹ৴͢ΔલʹධՁ͞ΕΔ
w 1PTU3FTQPOTF
w )551TϨεϙϯεΛड৴ͨ͠ޙʹධՁ͞ΕΔ
˞1SF3FRVFTUͱ1PTU3FTQPOTFཁ5-4*OUFSDFQUJPO
Slide 9
Slide 9 text
ิ
5-4*OUFSDFQUJPO
ΫϥΠΞϯτͱProxyؒͰTLS SessionΛཱ֬͠ɺҰProxy্Ͱ҉߸ԽΛղ͍ͯ
தΛ֬ೝͷ্ɺProxyͱຊདྷͷѼઌؒͰTLS SessionΛཱ֬͢Δɻ
͜ͷ߹ɺΫϥΠΞϯτͱͷTLS Sessionͷཱ֬ͷͨΊʹඞཁͳূ໌ॻͷProxy
ͷηοτɺΫϥΠΞϯτଆʹ֘ͷূ໌ॻͷϧʔτূ໌ॻΛImport͢Δ
ͳͲͷରԠ͕ඞཁɻ
Ҿ༻ݩɿhttps://aws.amazon.com/jp/blogs/networking-and-content-delivery/securing-egress-architectures-with-network-firewall-proxy/
Slide 10
Slide 10 text
ϓϩΩγάϧʔϓ
w ݅
ϑΣʔζʹΑͬͯ
͑Δ݅ҟͳΔ
Slide 11
Slide 11 text
ϓϩΩγάϧʔϓ
ࠓճQSF%/4ϑΣʔζͰಛఆ'2%/ΛڐՄ͢ΔϓϩΩγάϧʔϓΛ࡞
Slide 12
Slide 12 text
ϓϩΩγઃఆ
w σϑΥϧτͷΞΫγϣϯͱඥ͚Δϧʔϧάϧʔϓͷઃఆ
PreRequest/PostResponseͷσϑΥϧτΞΫγϣϯΛʮڋ൱ʯʹ͍ͯ͠ΔͱHTTPϦΫΤετ/Ϩεϙϯεͷத
ΛݟΑ͏ͱ͢Δಈ࡞ʹͳΔͷ͔ɺʮTLS interceptionʯΛར༻͠ͳ͍ঢ়ଶͰɺ͜ͷޙߦͬͨಈ࡞֬ೝͷ
ࡍʹTLS Connection Error͕ൃੜͨ͠ͷͰཁҙɻ
PreDNSͷϧʔϧ͔͠Θͳ͍߹ɺPreDNSͷΈʮڋ൱ʯͱ͍ͯ͠Εظ͢Δ੍ޚ͕Մೳɻ
ࠓճϓϩΩγάϧʔϓ
ͰڐՄͨ͠FQDNҎ֎ڋ
൱͍ͨ͠ͷͰɺσϑΥϧ
τΛʮڋ൱ʯͰઃఆɻ
͕ɺҎԼ՝ɻ
Slide 13
Slide 13 text
ϓϩΩγʢຊମʣ
w ඥ͚Δ/"5(BUFXBZ5-4JOUFSDFQUJPOɺ
ϙʔτ൪߸ͳͲͷઃఆΛߦ͏
ݱ࣌Ͱ
Resional NAT Gateway
ࢦఆෆՄ
Slide 14
Slide 14 text
ૄ௨֬ೝ
w ڐՄͨ͠'2%/ˠૄ௨0,
w ૄ௨0,ڐՄ͍ͯ͠ͳ͍Ѽઌ1SPYZܦ༝Ͱ$VSM
ˠ$0//&$5ʹର͠1SPYZ͔Β͕ฦ͓ͬͯΓૄ௨/(
Slide 15
Slide 15 text
ऴΘΓʹ
w ࣮ࡍʹͬͯΈ͕ͨҰൠతͳ1SPYZ༻్ͱͯ͠ඞཁͳػೳΛඋ͍͑ͯͦ͏
w ৄ͘͠ҎԼΛݟ͍ͯͩ͘͞
"84ͷ&HSFTT௨৴पΓͷΞοϓσʔτʹ৮ΕͯΈͨ3FHJPOBM/"5(BUFXBZ
/FUXPSL'JSFXBMM1SPYZ
w Ұൠఏڙ։࢝ͨ͠ޙͷ͓ஈؾʹͳΔͱ͜Ζɻɻɻ
ˠैདྷͷ/FUXPSL'JSFXBMMͷ&OEQPJOUΛར༻͢ΔܗͰͳ͍ͷͰ
ผྉۚମܥʹͳΔͷͰͱظ
ૣ͘དྷͯ΄͍͠
Slide 16
Slide 16 text
No content