The Importance of FQDN in Payment Industry
This is my second conversation with cloud architects. Click here for the first conversation.
Meet Roberto Sato, EVP of Technologies at Global Electronic Technology, a privately hold credit card processing service company.
Roberto is a dream customer, he is collaborative, patient and meticulous. Roberto is a VP, yet he is hands on, knowledgable and personally involved in evaluating new technologies.
Sherry: Tell us what you were looking for?
Roberto: Our primary motive was security. We are in the payment industry and we must be PCI compliant. We were about to launch a new product in AWS and our external security accessor informed us the limitations of the IP addresses based security groups by AWS for egress control, which were not sufficient as we need URL based policies. We needed to find a solution.
I read a blog on AWS that referred to 3 companies, Aviatrix, Sophos and Fortinet. I started with the latter two as I was already familiar with what they do. For Fortinet, it requires a AWS lambda script being managed by the customer which would be risky for the new mission critical product. Sophos deployment is quite complex, requiring queen node, worker node, etc., their Linux kernel version was older too.
So finally, I tried Aviatrix. Within 30 minutes I was able to bring up the Aviatrix Controller and test the user VPN and Egress FQDN features. It was very simple to use.
Sherry: That’s great. Do you not use an IDS/IPS appliance?
Roberto: We do use AlienVault for IDS service, they monitor servers for threats and events.
Sherry: Then why do you still need egress control policy?
Roberto: Egress control policy is a separate PCI measure. The purpose of this one is to control the outgoing and incoming traffic. For example, a hacker could get into a server and figure out a way to decrypt the payment data. However the hacker would not be able to send the data to a place he desires as the outgoing traffic is only opened to a specific whitelist.
Sherry: I see, thanks for the explanation. How did you decide on Aviatrix?
Roberto: I decided to go with Aviatrix because it is the easiest and most straightforward egress security solution in the marketplace, the support team is amazing and having great companies such as Netflix as your customer made me feel very comfortable.
Sherry: That’s right, Netflix was one of our earliest customers, our user VPN solution was initially developed in collaboration with the Netflix team.
What feedback do you have for us on the product?
Roberto: There are services in our infrastructure that use non HTTP/HTTPS protocols, for example Sysdig runs on TCP port 6666, and these services need to be URL whitelisted too. But Aviatrix FQDN filter only works for HTTP/HTTPS traffic, so we had to whitelist the IP addresses. Luckily for us, most of these services run on AWS, so we used your L4 stateful firewall to whitelist all AWS published public IP addresses taking advantage of the almost unlimited rules that it allows us to write, which would have been very difficult to accomplish by just using AWS Security Groups.
Sherry: Thank you. Since it is implemented in software, you can write as many rules as you like. And I have good news for you. In our next release 3.4, we will be adding support for URL filtering for non HTTP/HTTPS TCP/UDP traffic.
Roberto: That’s awesome. Do we have to change our current implementation?
Sherry: No, it’s an expansion to the existing feature, you do not need to remove what you have built.
Since you have moved significant amount of workloads to the cloud, did you have to reduce your workforce?
Roberto: No, we didn’t have to. We are retraining our server guys for the cloud. Instead of staring at the logs all day, they now learn to write scripts and use DevOps tools. You still need people to manage the infrastructure after all.
Sherry: Glad to hear that, I bet they are having fun doing it.
What is your next step with Aviatrix then?
Roberto: We have finished our performance tests and we have found that there is no degradation after adding the FQDN filter. We have deployed Aviatrix Controllers and Gateways in our production environment and now we are planning to expand to more AWS regions.
Sherry: Let us know how that goes. Last question, if you were to tell a colleague about Aviatrix, what would you say?
Roberto: I would say: Aviatrix is really making networking painless and easier. Today every company needs to focus on what really matters, how to deliver value to your customers, and it needs to be faster every time. With Aviatrix, you don’t need to spend days or weeks setting up a VPN and Egress security solution, you are just a couple of clicks away from it which saves you time and allows you to keep working on your customers.
Sherry: Thank you so much for your time!
