In today's interconnected world, securing your cloud infrastructure is not just a best practice, it's a necessity. Amazon Web Services (AWS) offers a fully managed solution for network security within your Virtual Private Clouds (VPCs): AWS Network Firewall. The service provides stateful network firewalling and intrusion detection and prevention (IDPS) capabilities, letting you filter traffic at the perimeter of your VPCs with precision and scale. Whether your traffic flows to and from an internet gateway, NAT gateway, VPN, or AWS Direct Connect, Network Firewall has you covered.
Understanding the Core Building Blocks of AWS Network Firewall
AWS Network Firewall simplifies network security by managing several key AWS resource types that work together to protect your VPCs. Think of them as the different layers of your security armor.
Firewall: This is the central control point, defining the traffic filtering logic for a VPC. It also specifies the primary VPC to protect and designates a primary subnet for a firewall endpoint in each Availability Zone.
Firewall Policy:
This resource defines the rules and other settings that your firewall uses to filter both incoming and outgoing traffic within a VPC. A single firewall policy can be attached to multiple firewalls, giving you reusability and consistent security enforcement.
Rule Group:
A rule group is a reusable collection of criteria for inspecting network traffic and determining the action to take when a match is found. Network Firewall supports two types:
- Stateless Rule Groups: These inspect each packet in isolation, without considering the broader traffic flow or connection state. They prioritize evaluation speed and are similar to Amazon VPC network access control lists (ACLs).
- Stateful Rule Groups: These inspect packets within the context of their traffic flow, allowing for more complex rules and deep packet inspection (DPI). They are powered by Suricata, an open-source intrusion prevention system (IPS), and accept Suricata-compatible rules. Stateful rule groups are akin to Amazon VPC security groups, except that traffic not matched by any rule is allowed by default.
VPC Endpoint Association:
Beyond the primary firewall endpoints defined by the Firewall resource, VPC endpoint associations allow you to create additional firewall endpoints. This enables you to deploy firewall protection in other VPCs or to have multiple firewall endpoints within a single Availability Zone for enhanced capabilities.
How Network Firewall Intercepts and Filters Your Traffic
Network Firewall inspects traffic with two engines applied in sequence.
Stateless Rules Engine First:
When a network packet arrives, Network Firewall first evaluates it against the stateless rules in your firewall policy. Rules are processed in order of their assigned priority, with the lowest priority number evaluated first.
- If a stateless rule matches, the packet is handled according to the rule's action: it can be passed through, dropped, or forwarded to the stateful rules engine. A packet that is passed here skips stateful inspection entirely, so keep stateless pass rules narrow.
- If no stateless rule matches, the firewall policy's default stateless rule actions are applied; there is one default for full packets and a separate one for UDP packet fragments.
Stateful Rules Engine for Deeper Inspection:
Packets forwarded by the stateless engine (explicitly by a rule, or by the default action) are then inspected by the stateful rules engine. This engine examines packets in the context of their traffic flow, maintaining a firewall state table to track and manage flow information.
- Stateful rules can apply more sophisticated logic, including deep packet inspection of payload data.
- By default (action order), stateful rules are evaluated grouped by action: all pass rules first, then drop, then reject, and finally alert. A pass rule therefore wins over a drop rule for the same traffic regardless of where each is written. You can instead choose strict order, where rules are evaluated exactly in the order you define them.
- When a match occurs, the stateful engine drops the packets, rejects them (dropping them and sending a TCP reset), or passes them to their destination, in each case optionally generating an alert.
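The two-engine sequence above is easy to get wrong in practice, especially the difference between action order and strict order. The following is an added illustration, not AWS code or the page's own: it reproduces the documented ordering rules (stateless priority and defaults, then stateful action order versus strict order) on constructed packets and rules so the effect of each choice can be compared side by side. Match fields are reduced to protocol, source CIDR and destination port; the rule sets, addresses and the `evaluate`/`Policy` names are assumptions made for the example.

```python
"""Model of Network Firewall's two-engine evaluation order (added example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PASS, DROP, REJECT, ALERT, FORWARD = "pass", "drop", "reject", "alert", "forward"
ACTION_ORDER, STRICT_ORDER = "DEFAULT_ACTION_ORDER", "STRICT_ORDER"
# Action-order evaluation: all pass rules, then drop, then reject, then alert.
ACTION_RANK = {PASS: 0, DROP: 1, REJECT: 2, ALERT: 3}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0
    fragment: bool = False      # UDP fragment carrying no transport header


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str = "any"
    src: str = "any"            # CIDR or "any"
    dport: int = 0              # 0 means any port
    priority: int = 0           # stateless only: lower number evaluates first
    msg: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        return not self.dport or self.dport == pkt.dport


@dataclass(frozen=True)
class Policy:
    stateless: tuple
    stateful: tuple
    rule_order: str = STRICT_ORDER
    stateless_default: str = FORWARD     # full packets matching no stateless rule
    fragment_default: str = DROP         # UDP fragments matching no stateless rule


def stateless_verdict(policy: Policy, pkt: Packet) -> str:
    """First match in ascending priority wins; otherwise the policy default applies."""
    for rule in sorted(policy.stateless, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action
    return policy.fragment_default if pkt.fragment else policy.stateless_default


def stateful_verdict(policy: Policy, pkt: Packet):
    """Return (terminating action, alert messages raised before it)."""
    rules = policy.stateful
    if policy.rule_order == ACTION_ORDER:
        # Stable sort: definition order is kept within each action class.
        rules = sorted(rules, key=lambda r: ACTION_RANK[r.action])
    alerts = []
    for rule in rules:
        if not rule.matches(pkt):
            continue
        if rule.action == ALERT:            # alert logs and evaluation continues
            alerts.append(rule.msg)
            continue
        return rule.action, alerts          # pass/drop/reject ends evaluation
    return PASS, alerts                     # no terminating match: traffic is allowed


def evaluate(policy: Policy, pkt: Packet):
    verdict = stateless_verdict(policy, pkt)
    if verdict != FORWARD:
        return verdict, []   # passed or dropped statelessly: stateful engine never sees it
    return stateful_verdict(policy, pkt)


# Constructed rules. Stateless: pass ICMP outright, forward TCP for inspection;
# UDP matches nothing and falls through to the defaults.
STATELESS = (Rule(PASS, proto="icmp", priority=1), Rule(FORWARD, proto="tcp", priority=100))
# Stateful, in definition order: alert on telnet, drop telnet, drop ICMP, broad pass for 10/8.
STATEFUL = (
    Rule(ALERT, proto="tcp", dport=23, msg="telnet attempt"),
    Rule(DROP, proto="tcp", dport=23),
    Rule(DROP, proto="icmp"),
    Rule(PASS, src="10.0.0.0/8"),
)
STRICT = Policy(STATELESS, STATEFUL, STRICT_ORDER)
ACTION = Policy(STATELESS, STATEFUL, ACTION_ORDER)

TELNET = Packet("10.0.1.5", "203.0.113.9", "tcp", dport=23)
PING = Packet("10.0.1.5", "203.0.113.9", "icmp")
DNS = Packet("198.51.100.7", "10.0.1.5", "udp", dport=53)
DNS_FRAGMENT = Packet("198.51.100.7", "10.0.1.5", "udp", fragment=True)


def demo():
    return {
        "telnet_strict": evaluate(STRICT, TELNET),       # alert fires, then the drop rule wins
        "telnet_action": evaluate(ACTION, TELNET),       # the broad pass rule is evaluated first
        "ping": evaluate(STRICT, PING),                  # stateless pass bypasses the stateful drop
        "dns": evaluate(STRICT, DNS),                    # default-forwarded, nothing terminates it
        "dns_fragment": evaluate(STRICT, DNS_FRAGMENT),  # fragment default applies: drop
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} -> {result}")
```

The telnet packet is the case to study: the same four stateful rules drop it under strict order and pass it under action order, because action order evaluates the broad `pass` rule before any `drop`. The ping result shows the other trap, a stateless `pass` that removes the packet from stateful inspection altogether.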
Crucially, Network Firewall only inspects traffic that is routed to it: you must modify your Amazon VPC route tables to send traffic through the firewall endpoints, which places the firewall between your protected subnets and external locations. Route each protected subnet to the firewall endpoint in its own Availability Zone, so that both directions of a flow traverse the same endpoint.
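To make the routing requirement concrete, here is an added example (not AWS code or the page's own) that computes the route table entries for the common multi-AZ layout: one firewall endpoint per Availability Zone, protected subnets behind an internet gateway, and an ingress route table associated with the gateway. Subnet, endpoint and gateway IDs are constructed placeholders; in a real deployment the endpoint IDs come from `aws network-firewall describe-firewall` (FirewallStatus.SyncStates). The `plan_routes` function and the route table names are assumptions of the example.

```python
"""Route plan for a multi-AZ Network Firewall deployment (added example, not AWS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    az: str
    cidr: str


@dataclass(frozen=True)
class Route:
    route_table: str    # route table the entry belongs to
    destination: str    # CIDR
    target: str         # firewall endpoint or internet gateway


def plan_routes(protected, firewall_subnets, endpoints_by_az, igw_id):
    """Routes that steer every protected subnet through its own AZ's endpoint.

    - Each protected subnet's route table sends 0.0.0.0/0 to the firewall endpoint
      in the same AZ. Crossing zones is refused: the return path would not reach
      the endpoint holding the flow's state.
    - The internet gateway's ingress route table (edge association) sends each
      protected CIDR to the endpoint in that subnet's AZ, so inbound and return
      traffic is inspected on the way in.
    - Firewall subnets send 0.0.0.0/0 to the internet gateway.
    """
    routes = []
    for s in protected:
        endpoint = endpoints_by_az.get(s.az)
        if endpoint is None:
            raise ValueError(
                f"{s.subnet_id} is in {s.az} but the firewall has no endpoint there; "
                "add a firewall subnet in that AZ instead of routing across zones")
        routes.append(Route(f"rtb-protected-{s.az}", "0.0.0.0/0", endpoint))
        routes.append(Route("rtb-igw-ingress", s.cidr, endpoint))
    for fs in firewall_subnets:
        routes.append(Route(f"rtb-firewall-{fs.az}", "0.0.0.0/0", igw_id))
    return list(dict.fromkeys(routes))   # subnets sharing an AZ share a default route


# Constructed topology: two AZs, one protected and one firewall subnet in each.
PROTECTED = (
    Subnet("subnet-app-1a", "us-east-1a", "10.0.1.0/24"),
    Subnet("subnet-app-1b", "us-east-1b", "10.0.2.0/24"),
)
FIREWALL_SUBNETS = (
    Subnet("subnet-fw-1a", "us-east-1a", "10.0.100.0/28"),
    Subnet("subnet-fw-1b", "us-east-1b", "10.0.100.16/28"),
)
ENDPOINTS = {"us-east-1a": "vpce-0fw1a", "us-east-1b": "vpce-0fw1b"}
IGW = "igw-0example"


def demo():
    return plan_routes(PROTECTED, FIREWALL_SUBNETS, ENDPOINTS, IGW)


if __name__ == "__main__":
    for r in demo():
        print(f"{r.route_table:24} {r.destination:14} -> {r.target}")
```

Removing one AZ from `ENDPOINTS` makes `plan_routes` raise rather than silently pointing a subnet at an endpoint in another zone, which is the mistake that produces intermittent drops once the stream exception policy kicks in on the unseen half of a flow.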
Granular Control: Managing Your Rules and Policies
Network Firewall gives you extensive control over traffic filtering through its rule management capabilities.
- Rule Group Settings: Every rule group has common settings: a Type (stateless or stateful), a unique Name, an optional Description, and a Capacity setting that reserves the processing capacity the group may consume. The maximum capacity for a rule group of either type is 30,000 capacity units, and the capacity cannot be changed after the rule group is created, so size it with growth in mind.
Stateful Rule Options: Stateful rule groups leverage Suricata's rule language and can be defined in several ways:
- Standard Stateful Rules: An easy entry point for basic Suricata rules, with settings for Action (pass, drop, reject, alert), Protocol, Source IP, Destination IP, Source port, Destination port, and Traffic direction.
- Suricata Compatible Rule Strings: You can provide rule strings directly in Suricata syntax, offering maximum flexibility.
- Stateful Domain List Rule Groups: Create allow lists or deny lists based on domain names, matching the TLS Server Name Indication (SNI) for HTTPS or the Host header for HTTP. By default the HOME_NET variable is the CIDR range of the VPC the firewall is deployed in, and EXTERNAL_NET is defined as everything that is not HOME_NET. For traffic originating outside that VPC (for example, from spoke VPCs via Transit Gateway), you must set HOME_NET in the rule group to include those CIDR ranges, or the domain rules will not consider that traffic at all.
- IP Set References: Dynamically use IP addresses or CIDRs from other AWS resources, such as Amazon VPC prefix lists or Resource Groups, in your Suricata-compatible rules. Network Firewall automatically updates the rules when the referenced IP sets change.
- Geographic IP Filtering: Match country codes for source and destination IP addresses using the Suricata geoip keyword.
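The HOME_NET caveat for Transit Gateway traffic is the one that bites most often, so here is an added example (not AWS code, and not the rules Network Firewall generates internally for a domain-list rule group) that renders a domain deny list as equivalent Suricata-compatible rule strings, builds the rule group body with a HOME_NET definition, and checks whether a `$HOME_NET -> $EXTERNAL_NET` rule would even consider a given packet. The VPC CIDRs, domains, SID range and the `dotprefix`/`endswith` rendering are assumptions made for the example.

```python
"""Domain deny list as Suricata rules plus HOME_NET handling (added example, not AWS code)."""
from ipaddress import ip_address, ip_network


def domain_rule(domain: str, action: str, proto: str, sid: int) -> str:
    """One Suricata rule matching `domain` in the TLS SNI or HTTP Host header.

    A leading dot (".example.com") matches the domain and all subdomains: dotprefix
    prepends "." to the buffer so endswith covers both. Without a leading dot the
    match is exact (startswith + endswith).
    """
    buffer = "tls.sni" if proto == "tls" else "http.host"
    if domain.startswith("."):
        match = f'{buffer}; dotprefix; content:"{domain}"; endswith; nocase;'
    else:
        match = f'{buffer}; content:"{domain}"; startswith; endswith; nocase;'
    return (f'{action} {proto} $HOME_NET any -> $EXTERNAL_NET any '
            f'({match} flow:to_server; msg:"{action} denylisted domain {domain}"; '
            f'sid:{sid}; rev:1;)')


def denylist_rules(domains, start_sid=1000000):
    """Drop rules for every domain over both TLS (SNI) and HTTP (Host), unique SIDs."""
    rules, sid = [], start_sid
    for d in domains:
        for proto in ("tls", "http"):
            rules.append(domain_rule(d, "drop", proto, sid))
            sid += 1
    return rules


def rule_group_definition(domains, home_net_cidrs):
    """Body of a stateful rule group as passed to boto3 create_rule_group(RuleGroup=...)."""
    return {
        "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(home_net_cidrs)}}},
        "RulesSource": {"RulesString": "\n".join(denylist_rules(domains))},
    }


def rule_direction_applies(home_net_cidrs, src_ip, dst_ip) -> bool:
    """Would a `$HOME_NET any -> $EXTERNAL_NET any` rule consider this packet?

    EXTERNAL_NET is !HOME_NET, so both ends are decided by the HOME_NET definition.
    """
    nets = [ip_network(c) for c in home_net_cidrs]
    src_home = any(ip_address(src_ip) in n for n in nets)
    dst_home = any(ip_address(dst_ip) in n for n in nets)
    return src_home and not dst_home


# Constructed scenario: the inspection VPC (10.0.0.0/16) hosts the firewall; a spoke
# VPC (10.1.0.0/16) sends its egress through Transit Gateway for inspection.
INSPECTION_VPC = "10.0.0.0/16"
SPOKE_VPC = "10.1.0.0/16"
DENYLIST = [".bad-example.com", "exact-only.example.net"]


def demo():
    spoke_host, internet_host = "10.1.5.4", "203.0.113.9"
    return {
        # Default HOME_NET (firewall VPC only): spoke traffic looks external, rules skip it.
        "default_home_net_matches": rule_direction_applies([INSPECTION_VPC], spoke_host, internet_host),
        # HOME_NET widened to the spoke CIDR: the same packet is now in scope.
        "widened_home_net_matches": rule_direction_applies([INSPECTION_VPC, SPOKE_VPC], spoke_host, internet_host),
        "rule_group": rule_group_definition(DENYLIST, [INSPECTION_VPC, SPOKE_VPC]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The same HOME_NET definition can be supplied once at the firewall policy level (Policy Variables) rather than per rule group; either way, a spoke CIDR missing from it means every `$HOME_NET -> $EXTERNAL_NET` rule silently ignores that VPC's traffic.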
Rule Actions:
- Stateless Rules: Pass, Drop, or Forward to stateful rules. You can also attach a custom action that publishes a metric to Amazon CloudWatch for matching packets.
- Stateful Rules: Pass, Drop, Reject (TCP traffic only: the packet is dropped and a TCP reset is sent), and Alert. Alerts are written to the firewall's alert logs if logging is configured.
Firewall Policy Settings: A firewall policy ties together your rule groups and defines overall behavior. Key settings include:
- Stream Exception Policy: Determines how Network Firewall handles traffic when a network connection breaks midstream and the firewall lacks the flow's prior context. Options are Drop (the default, which fails closed), Continue (applies rules without the prior context), and Reject (drops the traffic and sends a TCP reset).
- Stateless Default Actions: How to handle packets that do not match any stateless rule, set separately for full packets and for UDP fragments.
- Stateful Engine Options: Defines the RuleOrder (Strict order or Action order) for stateful rule evaluation. This cannot be changed after the policy is created, so decide on it before writing rules that depend on it.
- Policy Variables: Override the default HOME_NET value used by the policy's stateful rule groups to include custom CIDR ranges.
- TCP Idle Timeouts: Define how long a TCP connection can remain idle before the firewall considers it timed out and removes it from the state table.
- TLS Inspection Configuration: Enables decryption and re-encryption of SSL/TLS traffic for inspection.
Advanced Capabilities for Enhanced Security
AWS Network Firewall offers several advanced features to deepen your security posture.
TLS Inspection Configurations:
Decrypts inbound and outbound SSL/TLS traffic so that Network Firewall's stateful rules can inspect the payload, then re-encrypts it before forwarding.
- Requires the certificates used for decryption to be imported into or issued by AWS Certificate Manager (ACM); for outbound inspection, clients must trust the CA certificate the firewall re-signs server certificates with.
- Supports TLS versions 1.1, 1.2, and 1.3.
- Can check certificate revocation status (OCSP and CRL) for outbound traffic, with configurable actions (Pass, Drop, Reject) when a certificate is revoked or its status is unknown.
- Important: TLS inspection is not supported for firewalls with VPC endpoint associations if the firewall is shared across accounts.
Flow Operations:
Allow you to manage the firewall's state table.
- Flow Capture Operations: Collect information about active traffic flows within a specified time frame, helping you analyze patterns and troubleshoot connectivity.
- Flow Flush Operations: Remove specified flows from the firewall's state table, forcing subsequent matching traffic to be treated as new flows and evaluated against the current rule configuration. This is particularly useful after updating stateful rules, since existing flows otherwise keep their earlier verdict.
AWS Managed Rule Groups:
Predefined, ready-to-use rule sets maintained by AWS. They include:
- Active Threat Defense: Protects against active threats using AWS threat intelligence from MadPot, blocking communication with known harmful infrastructure (malware staging, botnet command and control).
- Domain and IP Managed Rule Groups: Block HTTP/HTTPS traffic to low-reputation domains or those associated with malware and botnets.
- Threat Signature Managed Rule Groups: Inspect for and defend against signatures related to malware, exploits, DoS, botnets, web attacks, phishing, and more.
- These rule groups receive automatic updates from AWS to protect against new threats. You can also copy threat signature rules into your own rule groups for customization, though copied rules do not inherit those updates.
Tag-Based Resource Groups:
Dynamically identify collections of AWS resources (for example, EC2 instances or network interfaces) based on their tags. You can reference these resource groups in your stateful rule groups, so your rules stay in sync with the changing IP addresses of tagged resources without manual edits.
AWS Network Firewall offers a comprehensive, scalable, and highly available solution for securing your Amazon VPCs. By integrating deeply with your AWS environment and providing both stateless and stateful inspection capabilities, along with advanced features like TLS inspection and managed rule groups, it empowers you to define and enforce stringent network security policies. Just as a seasoned security guard diligently monitors every entry and exit point of a building, ensuring only authorized individuals and packages pass through, AWS Network Firewall stands guard at the critical junctures of your VPC, meticulously inspecting every packet to uphold the integrity and security of your cloud network.