AWS Network Firewall

AWS Network Firewall is a managed network security service for Amazon Virtual Private Cloud (VPC) environments. It provides stateless and stateful traffic filtering, deep packet inspection, and intrusion detection and prevention through a Suricata-compatible rule engine (Suricata is an open-source threat detection engine), and it can detect, filter, log, and block suspicious or malicious network activity.


Key Features of AWS Network Firewall

  1. Managed Service

    • No need to manage infrastructure—AWS handles firewall scaling, availability, and updates.

  2. Stateful and Stateless Packet Filtering

    • Stateless rules: Evaluate each packet on its own against 5-tuple and TCP-flag criteria, with no session state (fast, for dropping unwanted traffic early); the action is pass, drop, or forward to the stateful engine.

    • Stateful rules: Track flows and keep session context (e.g., TCP connections), which allows protocol-aware matching such as filtering on HTTP Host or TLS SNI.

  3. Suricata Integration

    • Supports deep packet inspection and intrusion detection/prevention with Suricata-compatible rules, written by hand or taken from AWS managed rule groups.

  4. TLS Inspection

    • A TLS inspection configuration decrypts traffic in a defined scope using a certificate held in AWS Certificate Manager, runs the stateful rules against the cleartext, and re-encrypts it before forwarding.

    • Supports certificate revocation checks for outbound traffic, with separately configurable actions for revoked and unknown certificate status.

  5. Centralized Management

    • Integrates with AWS Firewall Manager to manage firewall policies across multiple accounts and VPCs.

  6. Logging and Monitoring

    • Provides detailed logs for traffic analysis and threat detection.

    • Logs can be sent to Amazon S3, CloudWatch Logs, or Kinesis Data Firehose for further analysis.

  7. Flexible Rule Management

    • Define custom Suricata-compatible rules, use AWS managed rule groups (including threat-intelligence based ones), or import third-party Suricata rule sets.


How AWS Network Firewall Works

1. Deployment in VPCs

A firewall is created per VPC. You give it a dedicated subnet in each Availability Zone where traffic should be inspected; the service places a firewall endpoint in each of those subnets, and you update VPC route tables (subnet, internet gateway, and Transit Gateway routes) so traffic passes through the endpoint. Only traffic that is routed through an endpoint is inspected, and an Availability Zone without an endpoint has no inspection, so one endpoint per AZ is needed for both coverage and redundancy.

2. Rule Engine

  • Stateless rules: Fast evaluation of individual packets against 5-tuple and TCP-flag criteria, suitable for dropping unwanted traffic early or forwarding it to the stateful engine.

  • Stateful rules: Maintain session context, enabling more advanced capabilities like:

    • Intrusion detection and prevention with Suricata-compatible signatures

    • Blocking known malicious IP addresses and domains (including by TLS SNI or HTTP Host)

    • Detecting command-and-control (C2) traffic patterns

3. Traffic Flow

  • Inbound/Outbound Traffic: Firewalls analyze both ingress (inbound) and egress (outbound) traffic.

  • VPC Peering and Transit Gateway: Traffic over a VPC peering connection is inspected only if a route table in the VPC sends it through a firewall endpoint. For traffic between many VPCs, the usual pattern is a central inspection VPC attached to AWS Transit Gateway, with Transit Gateway route tables sending inter-VPC traffic through the firewall endpoints before it reaches its destination.
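The rule engine described above is easiest to see in the objects you actually create: a stateless rule group, a stateful rule group holding Suricata rules, and a firewall policy that ties them together and sets the default actions. The following is an added example written for this page, not code from AWS or from the original text. It builds those definitions as Python dicts in the shape accepted by boto3's network-firewall client (create_rule_group and create_firewall_policy) for an egress allow-list: block a known-bad range, allow TLS only to an allow-list of SNI suffixes, and drop every other established flow. The VPC CIDR, SNI suffixes, bad range and ARNs are hypothetical placeholders.

```python
"""Egress-filtering definitions for AWS Network Firewall, shaped like the
inputs to boto3's network-firewall create_rule_group / create_firewall_policy.
Added example with constructed values; ARNs and CIDRs are placeholders."""
import json
import re

HOME_NET = "10.0.0.0/16"                                          # hypothetical VPC CIDR
ALLOWED_SNI_SUFFIXES = [".amazonaws.com", ".example-vendor.net"]  # hypothetical allow list
BLOCKED_CIDRS = ["198.51.100.0/24"]                               # hypothetical known-bad range
STATELESS_ARN = "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/egress-l3"
STATEFUL_ARN = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/egress-l7"
VALID_ACTIONS = {"pass", "drop", "alert", "reject"}


def stateless_rule_group():
    """Stateless rules match only the 5-tuple and TCP flags. This one drops
    ICMP early; the policy's stateless default sends everything else to the
    stateful engine (aws:forward_to_sfe), so nothing bypasses inspection."""
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [
        {"Priority": 1, "RuleDefinition": {
            "MatchAttributes": {"Protocols": [1]},   # IP protocol 1 = ICMP
            "Actions": ["aws:drop"]}},
    ]}}}


def suricata_rules(allowed_sni_suffixes, blocked_cidrs):
    """Stateful rules as a Suricata rules string. Under STRICT_ORDER the first
    matching rule wins, so the block list goes first and the SNI allow list
    second; anything unmatched is handled by the policy default action."""
    rules, sid = [], 1000001
    for cidr in blocked_cidrs:
        rules.append(f'drop ip $HOME_NET any -> {cidr} any '
                     f'(msg:"known-bad range {cidr}"; sid:{sid}; rev:1;)')
        sid += 1
    for suffix in allowed_sni_suffixes:
        # dotprefix + endswith matches "host.amazonaws.com" but not "evilamazonaws.com"
        rules.append(f'pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; '
                     f'content:"{suffix}"; endswith; msg:"allow TLS to *{suffix}"; '
                     f'sid:{sid}; rev:1;)')
        sid += 1
    return "\n".join(rules)


def lint_rules(rules_string):
    """Problems Network Firewall rejects or that silently change behaviour:
    unknown actions, missing sids, duplicate sids."""
    problems, seen = [], set()
    for n, line in enumerate(rules_string.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        action = line.split()[0]
        if action not in VALID_ACTIONS:
            problems.append(f"line {n}: unknown action {action!r}")
        m = re.search(r"sid:(\d+);", line)
        if not m:
            problems.append(f"line {n}: missing sid")
            continue
        if m.group(1) in seen:
            problems.append(f"duplicate sid {m.group(1)}")
        seen.add(m.group(1))
    return problems


def stateful_rule_group(home_net, rules_string):
    """HOME_NET is set explicitly rather than relying on the default VPC CIDR."""
    return {
        "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [home_net]}}},
        "RulesSource": {"RulesString": rules_string},
        "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
    }


def firewall_policy(stateless_arn, stateful_arn):
    """aws:drop_established lets the TCP/TLS handshake through so the SNI can
    be read, then drops established flows no pass rule matched; aws:drop_strict
    would drop the handshake before any tls.sni rule could fire."""
    return {
        "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 1}],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{"ResourceArn": stateful_arn, "Priority": 1}],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER", "StreamExceptionPolicy": "DROP"},
        "StatefulDefaultActions": ["aws:drop_established", "aws:alert_established"],
    }


if __name__ == "__main__":
    rules = suricata_rules(ALLOWED_SNI_SUFFIXES, BLOCKED_CIDRS)
    assert lint_rules(rules) == [], lint_rules(rules)
    print(rules)
    print(json.dumps(stateful_rule_group(HOME_NET, rules), indent=2))
    print(json.dumps(firewall_policy(STATELESS_ARN, STATEFUL_ARN), indent=2))
```

Two choices in this example carry the security weight. The stateless default action is forward_to_sfe rather than pass, because a stateless pass skips the stateful engine entirely for that traffic. The stateful engine runs in STRICT_ORDER with aws:drop_established as the default: in DEFAULT_ACTION_ORDER the engine applies all pass rules before drop rules regardless of file order, whereas in STRICT_ORDER the position of each rule is its precedence, so the block list must be written above the allow list. The same definitions are passed to create_rule_group and create_firewall_policy when deploying; the dicts are printed here so the example runs offline.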


Use Cases for AWS Network Firewall

  1. Intrusion Detection and Prevention (IDS/IPS)

    • Identify and block malicious activities using Suricata rules.

    • Detect command-and-control (C2) traffic or port scanning attempts.

  2. Monitoring and Blocking SSL/TLS Traffic

    • Perform TLS inspection to detect encrypted malware communications.

    • Enforce certificate revocation for outbound SSL/TLS traffic to prevent connections to compromised sites.

  3. Segmentation and Access Control

    • Segment network traffic by creating firewall rules to allow or block specific IP ranges, ports, or protocols.

  4. Data Exfiltration Prevention

    • Monitor outbound traffic for large transfers or connections to suspicious destinations (flow logs give packet and byte counts per flow), and restrict egress to an allow-list of domains so unexpected destinations are dropped rather than merely observed.

  5. Compliance Enforcement

    • Enforce security policies required for regulatory compliance (e.g., PCI-DSS, HIPAA).


Logging and Monitoring with AWS Network Firewall

Network Firewall generates detailed logs for:

  • Alert events: Emitted when a rule with the alert action matches or when the stateful engine drops traffic, in Suricata's EVE JSON format. Each record is wrapped with the firewall name, Availability Zone, and event timestamp.

  • Flow events: Suricata netflow records with packet and byte counts per direction, useful for spotting large transfers.

  • TLS events: Capture traffic inspection data, including certificate errors and revocation checks.

Logs can be sent to:

  • Amazon S3: For long-term storage.

  • Amazon CloudWatch Logs: For monitoring and creating real-time alerts.

  • Amazon Kinesis Data Firehose (now Amazon Data Firehose): For streaming to external analysis tools or SIEM platforms.
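Because the log records are JSON, a few lines of code can turn them into the two views an analyst wants first: which signatures fired and whether the engine blocked or only alerted, and which destinations received the most outbound bytes (the data exfiltration use case above). The following is an added example written for this page, not code from AWS or the original text. The log lines are constructed to match the wrapper-around-EVE layout described above, with alert and netflow events and one malformed line; the home network, addresses, signature IDs and the 500 MiB threshold are illustrative.

```python
"""Offline triage of AWS Network Firewall alert and flow logs. Each record wraps
a Suricata EVE event under "event"; alerts carry the rule action, netflow
records carry per-direction byte counts. Added example; the log lines below are
constructed, not captured from a real firewall."""
import ipaddress
import json
from collections import Counter, defaultdict

SAMPLE_LOG_LINES = [
    # blocked by a drop rule for a known-bad range
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000001",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.5","src_port":51234,"dest_ip":"198.51.100.7",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,'
    '"signature":"known-bad range 198.51.100.0/24","severity":1}}}',
    # alert-only rule fired; the packet was allowed through
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700000002",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.5","src_port":51240,"dest_ip":"203.0.113.10",'
    '"dest_port":443,"proto":"TCP","alert":{"action":"allowed","signature_id":1000010,"rev":1,'
    '"signature":"TLS to SNI outside allow list","severity":2}}}',
    # a second host hitting the same bad range
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1b","event_timestamp":"1700000003",'
    '"event":{"event_type":"alert","src_ip":"10.0.2.9","src_port":40001,"dest_ip":"198.51.100.22",'
    '"dest_port":8443,"proto":"TCP","alert":{"action":"blocked","signature_id":1000001,"rev":1,'
    '"signature":"known-bad range 198.51.100.0/24","severity":1}}}',
    # outbound half of a large flow (700 MiB) to an unfamiliar destination
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700003600",'
    '"event":{"event_type":"netflow","src_ip":"10.0.1.5","src_port":51240,"dest_ip":"203.0.113.10",'
    '"dest_port":443,"proto":"TCP","netflow":{"pkts":500000,"bytes":734003200,"age":3598}}}',
    # outbound half of a small flow to an allow-listed service
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700003601",'
    '"event":{"event_type":"netflow","src_ip":"10.0.1.5","src_port":51250,"dest_ip":"52.1.2.3",'
    '"dest_port":443,"proto":"TCP","netflow":{"pkts":140,"bytes":120000,"age":12}}}',
    # return half of the large flow: inbound direction, not counted as egress
    '{"firewall_name":"egress-fw","availability_zone":"us-east-1a","event_timestamp":"1700003600",'
    '"event":{"event_type":"netflow","src_ip":"203.0.113.10","src_port":443,"dest_ip":"10.0.1.5",'
    '"dest_port":51240,"proto":"TCP","netflow":{"pkts":300000,"bytes":40000,"age":3598}}}',
    'not json at all',
]


def parse_records(lines):
    """Return (events, malformed_count). Each event is the inner EVE dict with
    the firewall name and Availability Zone copied in for context."""
    events, malformed = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            ev = rec["event"]
        except (ValueError, KeyError, TypeError):
            malformed += 1
            continue
        ev["firewall_name"] = rec.get("firewall_name")
        ev["availability_zone"] = rec.get("availability_zone")
        events.append(ev)
    return events, malformed


def alert_summary(events):
    """Count alerts by (action, signature_id). 'blocked' means the stateful
    engine dropped the packet; 'allowed' means only an alert rule matched."""
    return Counter((e["alert"]["action"], e["alert"]["signature_id"])
                   for e in events if e.get("event_type") == "alert")


def egress_bytes_by_dest(events, home_net):
    """Sum netflow bytes for flows that originate inside home_net and leave it,
    per destination. Netflow records are one direction each, so the return
    half of a connection is skipped rather than double-counted."""
    net = ipaddress.ip_network(home_net)
    totals = defaultdict(int)
    for e in events:
        if e.get("event_type") != "netflow":
            continue
        src, dst = ipaddress.ip_address(e["src_ip"]), ipaddress.ip_address(e["dest_ip"])
        if src in net and dst not in net:
            totals[e["dest_ip"]] += e["netflow"]["bytes"]
    return dict(totals)


def flag_exfil(bytes_by_dest, threshold_bytes):
    """Destinations that received more than threshold_bytes, largest first."""
    return sorted(((d, b) for d, b in bytes_by_dest.items() if b > threshold_bytes),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    events, bad = parse_records(SAMPLE_LOG_LINES)
    print(f"parsed {len(events)} events, {bad} malformed")
    for (action, sid), count in alert_summary(events).most_common():
        print(f"{action:8} sid {sid}: {count}")
    by_dest = egress_bytes_by_dest(events, "10.0.0.0/16")
    print("possible exfiltration:", flag_exfil(by_dest, 500 * 1024 * 1024))
```

The byte threshold is a crude first filter; in practice it is combined with the alert view (here the 700 MiB flow goes to the same destination that triggered the "outside allow list" alert) and with a baseline of each host's normal egress. Reading the logs from S3, CloudWatch Logs, or a Firehose-fed SIEM only changes how `SAMPLE_LOG_LINES` is obtained.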


Comparison: AWS Network Firewall vs. Security Groups vs. NACLs

Feature              | Network Firewall                                    | Security Groups                          | NACLs (Network ACLs)
---------------------|-----------------------------------------------------|------------------------------------------|-----------------------------------
Packet Inspection    | Stateless filtering plus stateful deep packet       | Basic allow/deny rules (stateful)        | Basic allow/deny rules (stateless)
                     | inspection                                          |                                          |
Intrusion Detection  | Yes (Suricata-compatible rules)                     | No                                       | No
TLS Inspection       | Yes (with a TLS inspection configuration)           | No                                       | No
Management Scope     | Firewall policy per firewall, reusable across VPCs, | Attached to network interfaces           | Subnet-level, one per subnet
                     | and across accounts via Firewall Manager            | (instance level), scoped to one VPC      |
Use Case             | Advanced threat detection and prevention,           | Controlling instance-level access        | Basic subnet-level filtering
                     | centralized egress and inter-VPC inspection         |                                          |


Benefits of AWS Network Firewall

  1. Scalable and High Availability

    • Firewall endpoints can be placed in multiple Availability Zones (one subnet per AZ), and each endpoint scales automatically with traffic.

  2. Integration with AWS Services

    • Works with AWS Firewall Manager to enforce consistent security policies across accounts.

    • Compatible with AWS Transit Gateway for central traffic inspection.

  3. Cost-Effective Security

    • Billing is an hourly charge per firewall endpoint plus a charge per GB of traffic processed; log delivery is billed by the destination service (S3, CloudWatch Logs, or Firehose).

  4. Compliance Readiness

    • Simplifies compliance with regulations by monitoring and controlling network traffic.


Limitations of AWS Network Firewall

  1. Latency Impact

    • TLS inspection and deep packet inspection add some latency. TLS inspection also terminates the connection at the firewall, so clients must trust the firewall's issuing CA, and connections that use client certificates or certificate pinning will fail.

  2. Complex Configuration

    • Requires understanding of firewall policies, rule groups, and Suricata rules for effective deployment.

  3. No Direct Integration with Security Groups

    • Network Firewall complements, but does not replace, security groups and NACLs. The three are evaluated independently, so a flow must be permitted by all of them, and a security group or NACL that allows traffic does not cause it to be inspected unless routing sends it through a firewall endpoint.
