AWS for Beginners: What is AWS Network Firewall and How it works: Part 23

Read on:

AWS for Beginners: What is AWS Transit Gateway and How it works: Part 22

What is AWS Network Firewall? How does it protect from attacks?

A fully managed Network firewall solution provided by AWS. It inspects all east-west or north-south network traffic. All traffic originated from AWS to the internet or destined to AWS from the internet is inspected. Meanwhile, all traffic travels to your on-premises network or from your on-premises network is also inspected.Traffic between VPC to VPC is inspected. It’s a stateful and managed network firewall which also provide intrusion detection and prevention for AWS VPCs.

How AWS Network Firewall works?

With AWS Network Firewall, you can define firewall rules that provide fine-grained control over network traffic. Network Firewall works together with AWS Firewall Manager so you can build policies based on Network Firewall rules and then centrally apply those policies across your virtual private clouds (VPCs) and accounts.

Use cases

1. Traffic can be Inspected and filtered from VPC to VPC. Let’s take an example you have PCI data in some VPCs and Non-PCI data in some other VPCs. You can create policies to logically separate the traffics.
2. You can Inspect and filter all outbound internet traffic.
3. Prevent and filter inbound internet traffic.
4. You can inspect your traffic coming from on-premises over direct connect or site to site VPN.

Architecture to follow

Firewall subnet: A dedicated subnets for AWS network firewall to provision firewall endpoint in your VPC. Don’t use firewall subnet for any other resource as it’s not inspected or filtered by Network Firewall.

Network Firewall: A resource provides traffic filtering and inspection logic for the subnets.

Network Firewall policy: A resource that defines rules and other settings for a firewall to use.

Network Firewall Rule Group: A set of rules created in the firewall. Once the rules match network firewall will take action.

Stateless rule: Criteria for inspecting a single network traffic flow packet without having any information related other packet in the traffic flow and the direction of the flow.

Stateful rule: Criteria for inspecting network traffic packets in the context of their traffic flow.

Pre-requisite

1. AWS Account with proper permission
2. 1 VPC with 2 subnets (Application and Firewall) in each availability zone
3. 1 internet gateway and attach it to a route table
4. 1 Ec2 Instance in each Application subnet

Internet Gateway

Route table for each subnet

Steps to create AWS Firewall

1. Configure the VPC subnets for your firewall endpoints: Create a separate subnet for firewall in each availability zone of your VPC in which you want to create the Firewall endpoint or get inspected.
2. Create the Firewall Rule Group: Create the stateless and stateful rules for your firewall. Managed rule groups are collections of predefined, ready-to-use rules that AWS writes and maintains for you.
3. Configure the Firewall Policy: Define the firewall policy for your firewall by specifying its rule groups.
4. Create the Firewall: Create a Network Firewall and provide all the firewall subnet details.
5. Modify your subnet route tables to include the firewall: Update your subnet route table to have routes towards Network firewall endpoint. All traffic to and forth will be inspected.

Configure the VPC subnets for your firewall endpoints

1. Navigate to Subnet section under VPC. Create subnet in each availability zone. Do not provision any resources under that subnet. This subnet is not going to inspected by the Firewall.
2. This step has been completed as pre requisite.

Create the Firewall Rule Group

1. Navigate to Network Firewall under VPC section, click on create Network firewall Rule group.
2. Choose stateful rule group, provide a name, Capacity 10.

3. Choose 5-tuple as Stateful rule group option and choose Default for stateful rule order

4. Under Add rule section choose protocol as ICMP, Source any and destination is our VPC range. All incoming ICMP traffic is going to drop.

5. Choose Traffic direction Forward and Action as Drop. Click on Add rule. You can add required rule under the rule group.

6. Click on create Rule group.

Stateful Rule Group options

• 5-tuple: Use the 5-tuple format, specifying the source IP, source port, destination IP, destination port, and protocol. Specify the action to take for matching traffic.
• Domain List: Specify a list of domain names and the action to take for traffic that tries to access one of the domains.
• Suricata Compatible IPS rules: Intrusion prevention system (IPS) rules – Provide advanced firewall rules using Suricata rule syntax. Suricata is an open-source network IPS that includes a standard rule-based language for traffic inspection.

Configure the Firewall Policy

• Navigate to Network Firewall under VPC section, click on create Network firewall Policies.
• Provide a name, Choose the Stream exception policy as Drop, click on next

• Under Add rule groups, keep all parameter as default and add the stateful rule created earlier

• Keep everything else as default and click on create Firewall policy.

Note: Stateless default Action. There are options how the Firewall is going to handle if the packet doesn’t match the stateless rule.

Create the Firewall

1. Navigate to Network Firewall under VPC section, click on create Network firewall.
2. Provide a Name, Choose the VPC, Choose the subnets for each availability zone created earlier.

3. Associate the created Firewall policy and choose the respective change protections

4. Click on Create Firewall

Modify your subnet route tables to include the firewall

1. Navigate the Route table section under VPC, Click on the Application subnet Route tables. Edit as below

All subnet route tables are updated. All traffic from the Internet or to internet or between subnet to subnet will flow via Firewall.

Testing

We have 3 Rules. Means No one can ping the servers from Internet. The systems can internally ping each other. The Internal systems can ping Google.com(8.8.8.8) but not 8.8.4.4

Login to Application Instance 1

First Ping 8.8.8.8 . The Ping is successful.

Second Ping 8.8.4.4 . The traffic is dropping because of the Firewall.

Conclusion

Network Firewall helps in filtering the traffic from the internet or to the internet. It also provides IPS and IDS capabilities. Network Firewall also helps inspect all the traffic between VPCs, subnets and on-premises. It’s a managed firewall which provides scalability, durability and high availability.

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.