Scrums.com logomark
SovTech is now Scrums.com! Same company, new name.
SovTech is now Scrums.com!!
Read more here

Issue #8 – Microsoft level Auth – AWS Networking Pitfalls

Issue #8 – Microsoft level Auth – AWS Networking Pitfalls – OWASP 10

Aobakwe Kodisang
February 14, 2023
Blog cover image

Issue #8 – Microsoft level Auth – AWS Networking Pitfalls – OWASP 10

<1/> The Kerberos Protocol

The internet is an insecure place, and well many systems or applications are designed to provide a high level of security for some organisations and use cases; this is not enough. Kerberos is MIT developed protocol designed to give systems with secure authentication to services over an unsecured network. What makes it so cool:

  • Passwords are never sent across the network.
  • Encryption keys are never directly exchanged.
  • Magically authenticates you with the other service, based on tickets.

Originally developed to protect services provided by Project Athena (a project started by Intel dedicated to creating ideal laptops for high achievers). This protocol is unique because it requires third-party authentication to authorise a user to use tickets.

The client authenticates a session through an Authentication Server (AS) which then passes the username to a key distribution centre (KDC). The role of KDC is to issue a ticket (ticket-granting ticket or TGT), which is time-stamped and encrypted.

When the client needs to communicate with a service, it sends another ticket that is usually shared by the same host as the KDC. This is a protocol used in many OS systems like macOS or Microsoft’s active directory (An interesting article explaining it entirely).

<2/> Advanced AWS Networking: Pitfalls That You Should Avoid

Here is an article that touches on so much that makes building in the cloud so true, the fact that there is are a wide range of choices to put together complex architectures. And with that power, you should understand some of the pitfalls of designing architecture necessarily around networking.

Now the article does do an excellent job in explaining each consideration more in-depth; here is a high-level breakdown of each header:

VPC Peering or Transit Gateway? VPC Peering (basically ensuring that another group accompanies a VPC) or Transit Gateway (allowing you to connect up to 5000 networks) both have to do with enabling communication between networks, and it seems like Transit Gateway looking at factors like pricing, bandwidth and configuration.

NAT Gateway or Public Subnet, public subnets comes with a route to the internet gateway, make accessible from the internet, private networks, on the other hand, are not; however, NAT Gateway enables outgoing connectivity. The article provides an architecture that uses both (as advised by AWS) and possible alternatives.

CloudFront or Akamai, Cloudflare, Fastly …? this could be a whole other blog; when choosing a CDN, consider the costs associated with things like outbound traffic.

Route 53 Resolver or Public Hosted Zone? The components that name the endpoints responsible for directing traffic for applications running in AWS and which options to use for different scenarios.

The article does end off with a summary, which provides you with key points to take away from each paragraph. But a side note is that the website itself could be a helpful tech pick for you to expand your AWS knowledge.

<3/> Inside the console

With regulations around data usage and with the cloud being the place where all that data is being utilised, it’s essential for any team to limit access to critical resources were required to be compliant with those new rules.

Need to create permissions for users and groups to be able to access AWS resources. Like any IAM service, AWS Identity and Access Management enable you to securely manage access to AWS services and resources.

Here is some security to best practices you can use in your accounts.

<4/> Geeking it up

Radix UI

Ever wanted a complete design system packed with icons, colours and components for your React web app.

10 new Amplify features

Amplify has come a long way from its 2018 days when it was first released in 2012, introducing NextJS support or extending features already built to offer containers.

Git Bisect

The best way to find a bug using git. Git Bisect helps you track down when a bug was introduced by checking out commits and accepting feedback; this tutorial takes you from beginning to end.

OWASP

The most popular standard in the industry for security and awareness welcomes a new instalment of OWASP top 10, 2021 draft.

As seen on FOX, Digital journal, NCN, Market Watch, Bezinga and more
Scale Your Development Team
Faster With Scrums.com
Get in touch and let's get started
Book a Demo
Tick
Cost-effective
Tick
Reliable
Tick
Scalable