AWS Network Firewall

Learn how to perform intrusion detection and traffic filtering in an Amazon VPC using AWS Network Firewall.

AWS Network Firewall is a fully managed firewall and intrusion detection and prevention service that protects the resources inside an Amazon VPC. With it, we can inspect and filter traffic entering and leaving the VPC at its perimeter, for example traffic that passes through an internet gateway, a NAT gateway, or an AWS Direct Connect or VPN connection.


Following is an overview of the main features of AWS Network Firewall:

  • Restricting the domain names our applications can reach by defining custom allow lists and deny lists.

  • Performing deep packet inspection of all incoming and outgoing traffic for our VPC.

  • Allowing only traffic from specific IP addresses or address ranges to enter our VPC.

  • Filtering traffic by protocol, for example allowing or blocking HTTP.

How AWS Network Firewall works

Network Firewall protects the subnets in a VPC by inspecting and filtering the traffic routed through it. The firewall's endpoints must be deployed in dedicated firewall subnets, separate from the subnets that hold the resources we want to protect but in the same VPC; the VPC route tables are then updated so that traffic between the protected subnets and the internet (or other networks) passes through a firewall endpoint. Traffic that is not routed through an endpoint is not inspected. The following diagram depicts how AWS Network Firewall works.

Working of AWS Network Firewall

Network Firewall components

Following is an overview of some of the key components associated with the AWS Network Firewall:

  • Rule group: A rule group is a reusable set of criteria used to inspect network traffic. A rule group is either stateless or stateful, and a firewall policy can reference several rule groups of each kind.

  • Firewall policy: A firewall policy references the rule groups to apply and defines the default actions the firewall takes for packets that match none of them. Together, the rule groups and default actions decide whether a packet is passed, dropped, or handed from the stateless engine to the stateful engine.

  • Firewall: In AWS Network Firewall, a firewall binds a firewall policy to the VPC it protects and places firewall endpoints in the subnets we specify.

Rule engines 

In AWS Network Firewall, we have two rule engines, a stateless engine and a stateful engine, that inspect traffic according to the rule groups referenced by a firewall policy. When the firewall receives a packet, the stateless engine inspects it first. Depending on the matching rule, or on the policy's stateless default action if no rule matches, the stateless engine passes the packet to its destination, drops it, or forwards it to the stateful engine. The stateful engine then evaluates its rules in the context of the traffic flow the packet belongs to.

In the stateless engine, each packet is inspected on its own, using only the packet's own headers (source and destination addresses, ports, protocol, and TCP flags), with no knowledge of the connection it belongs to. The engine evaluates rules in priority order until it finds a match; a packet that matches no rule is handled by the policy's stateless default action, which is typically set to forward the packet to the stateful engine. The stateful engine, by contrast, tracks connection state, so it can tell which side opened a connection and can reassemble streams to inspect application-layer data such as TLS server names and HTTP host headers. This engine can add some latency, because it buffers packets of a flow to inspect them together. Stateful rules are written in Suricata-compatible syntax.

Best practices 

Implementing AWS Network Firewall effectively means following several best practices that improve both filtering and threat detection in an AWS environment. Here are some key best practices for using AWS Network Firewall:

  • Understand your traffic: Before deploying a network firewall, we must thoroughly understand the expected inbound and outbound traffic of the VPC so that the rules we write are well defined and do not block legitimate flows.

  • Principle of least privilege: Configure the firewall policy to deny traffic by default, and add explicit rules that allow only the traffic that meets well-defined criteria to enter or leave our VPC.

  • Enable logging: Send the firewall's alert and flow logs to Amazon S3, Amazon CloudWatch Logs, or Amazon Data Firehose (formerly Kinesis Data Firehose), and monitor them to see which traffic the firewall is dropping and alerting on.
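The following Terraform configuration is an added worked example, not code from the course, that ties the components, rule engines and best practices above together: a stateless rule group, a Suricata-based stateful rule group with strict rule ordering, a default-deny firewall policy, the firewall itself in a dedicated firewall subnet, and alert logging to CloudWatch Logs. The VPC, the firewall subnet and the workload CIDR are assumed to exist and are passed in as variables; the allow-listed domain `.amazonaws.com` and all resource names are illustrative choices.

```hcl
# Assumed inputs (constructed for this example): the VPC, a dedicated firewall
# subnet and the CIDR of the workload subnets are created elsewhere.
variable "vpc_id"             { type = string }
variable "firewall_subnet_id" { type = string } # firewall subnet, not a workload subnet
variable "workload_cidr"      { type = string } # e.g. "10.0.0.0/16", becomes $HOME_NET

# Stateless rule group: each packet is matched on its own headers, with no flow context.
resource "aws_networkfirewall_rule_group" "stateless_drop_telnet" {
  name     = "drop-inbound-telnet"
  type     = "STATELESS"
  capacity = 10
  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {
        stateless_rule {
          priority = 1
          rule_definition {
            actions = ["aws:drop"]
            match_attributes {
              protocols = [6] # TCP
              source { address_definition = "0.0.0.0/0" }
              destination { address_definition = var.workload_cidr }
              destination_port {
                from_port = 23
                to_port   = 23
              }
            }
          }
        }
      }
    }
  }
}

# Stateful rule group: Suricata-compatible rules evaluated with connection state.
# Only explicitly allow-listed egress is passed; everything else falls through to
# the policy's default action below.
resource "aws_networkfirewall_rule_group" "stateful_egress_allowlist" {
  name     = "egress-domain-allowlist"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set { definition = [var.workload_cidr] }
      }
    }
    stateful_rule_options { rule_order = "STRICT_ORDER" }
    rules_source {
      rules_string = <<-EOT
        pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"allow TLS to *.amazonaws.com"; flow:to_server; sid:1000001; rev:1;)
        pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"allow HTTP to *.amazonaws.com"; flow:to_server; sid:1000002; rev:1;)
        pass dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"allow DNS"; sid:1000003; rev:1;)
      EOT
    }
  }
}

# Firewall policy: stateless engine first, then strict-order stateful engine with a
# default-deny action for anything no pass rule matched.
resource "aws_networkfirewall_firewall_policy" "default_deny" {
  name = "default-deny-egress"
  firewall_policy {
    stateless_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.stateless_drop_telnet.arn
    }
    # Packets that match no stateless rule are handed to the stateful engine.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options { rule_order = "STRICT_ORDER" }
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.stateful_egress_allowlist.arn
    }
    # drop_established lets the TCP handshake complete so the SNI / Host header can be
    # inspected, then drops (and logs) any established flow that no pass rule matched.
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]
  }
}

# The firewall binds the policy to the VPC and places an endpoint in the firewall subnet.
resource "aws_networkfirewall_firewall" "vpc_edge" {
  name                = "vpc-edge"
  vpc_id              = var.vpc_id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.default_deny.arn
  subnet_mapping { subnet_id = var.firewall_subnet_id }
}

# Alert logs (drops and alerts) go to CloudWatch Logs; "FLOW" would record every flow.
resource "aws_cloudwatch_log_group" "nfw_alert" {
  name              = "/aws/network-firewall/vpc-edge/alert"
  retention_in_days = 90
}

resource "aws_networkfirewall_logging_configuration" "vpc_edge" {
  firewall_arn = aws_networkfirewall_firewall.vpc_edge.arn
  logging_configuration {
    log_destination_config {
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
      log_destination      = { logGroup = aws_cloudwatch_log_group.nfw_alert.name }
    }
  }
}
```

Applying this configuration creates the firewall but does not by itself send any traffic through it: the route tables of the protected subnets must point their default route at the firewall endpoint, and the internet gateway's ingress route table must send return traffic for the workload CIDR back through the same endpoint, otherwise the rules above are never evaluated. The `alert_established` default action is what makes the default deny visible in the alert log, which is how you verify that only the allow-listed domains are reachable.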
