
AWS Network Firewall

AWS Network Firewall is a managed network security service that filters traffic in your Amazon Virtual Private Cloud (VPC) environments. It combines stateless packet filtering with a stateful engine built on Suricata, an open-source intrusion detection and prevention engine, which gives it deep packet inspection and signature-based detection. AWS Network Firewall can be used to detect, filter, log, and block suspicious or malicious network activity. It only sees traffic that VPC route tables send through its endpoints, so where the firewall sits in the routing path determines what it can inspect.


Key Features of AWS Network Firewall

  1. Managed Service

    • No infrastructure to manage: AWS handles firewall scaling, availability, and updates.

  2. Stateful and Stateless Packet Filtering

    • Stateless rules: Evaluated first, per packet, on the 5-tuple (source and destination address, ports, protocol) and TCP flags, with no session state; each packet is passed, dropped, or forwarded to the stateful engine.

    • Stateful rules: Run in the Suricata-based stateful engine, which tracks flows (e.g., TCP connections) and can match on application-layer data such as the TLS SNI or the HTTP Host header.

  3. Suricata Integration

    • Supports deep packet inspection and intrusion detection/prevention with Suricata rules.

  4. TLS Inspection

    • Decrypts, inspects with the stateful rules, and re-encrypts TLS sessions that match a TLS inspection configuration (a server certificate in ACM for inbound traffic, a CA certificate for outbound traffic).

    • Supports certificate revocation checks for outbound traffic, with a configurable action for revoked and unknown-status certificates.

  5. Centralized Management

    • Integrates with AWS Firewall Manager to manage firewall policies across multiple accounts and VPCs.

  6. Logging and Monitoring

    • Provides alert, flow, and TLS logs for traffic analysis and threat detection. Logs come from the stateful engine only; traffic that a stateless rule drops or passes outright never appears in them.

    • Logs can be sent to Amazon S3, CloudWatch Logs, or Kinesis Data Firehose for further analysis.

  7. Flexible Rule Management

    • Define custom rules (5-tuple rules, domain lists, or Suricata-compatible rule strings), use AWS managed rule groups, or import third-party threat intelligence rules written in Suricata format.


How AWS Network Firewall Works

1. Deployment in VPCs

AWS Network Firewall is deployed per VPC. Each firewall endpoint lives in a dedicated firewall subnet in one Availability Zone, and AWS recommends one endpoint per Availability Zone that carries workloads so that inspection survives an AZ failure. The firewall is inserted into the traffic path by route tables: for example, the internet gateway's ingress route table and the workload subnets' route tables point at the firewall endpoint. Traffic that is not routed through an endpoint is not inspected.

2. Rule Engine

  • Stateless rules: Fast, per-packet evaluation on addresses, ports, protocol, and TCP flags, suitable for cheaply dropping or passing traffic before it reaches the stateful engine.

  • Stateful rules: Maintain flow context, enabling more advanced capabilities like:

    • Intrusion detection with Suricata signatures

    • Blocking known malicious IP addresses

    • Allowlisting or blocklisting domains based on the TLS SNI or HTTP Host header

    • Detecting command-and-control (C2) traffic patterns

3. Traffic Flow

  • Inbound/Outbound Traffic: Firewalls analyze both ingress (inbound) and egress (outbound) traffic.

  • VPC Peering and Transit Gateway: Traffic between peered VPCs or attached to AWS Transit Gateway can be inspected by routing it through a central inspection VPC that hosts the firewall endpoints.
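The rule engine described above, as an added example that is not code from the original page or from AWS: the Python below builds the request bodies that boto3's networkfirewall client takes for a stateless rule group, a STRICT_ORDER Suricata rule group that allowlists egress domains, and the firewall policy that ties them together, and lints the Suricata rules before upload. The CIDR, names and ARNs are assumptions, and nothing here calls AWS.

```python
"""Rule group and firewall policy request bodies for AWS Network Firewall,
in the shape boto3's networkfirewall client expects (create_rule_group /
create_firewall_policy), plus a lint pass over the Suricata rules.
Constructed example: the CIDR, names and ARNs are assumptions."""
import re

HOME_NET = "10.0.0.0/16"                              # assumed workload CIDR
ALLOWED_DOMAINS = [".amazonaws.com", ".ubuntu.com"]   # assumed egress allowlist

# action, protocol and sid of one Suricata rule line
RULE_RE = re.compile(r"^(?P<action>pass|drop|reject|alert)\s+(?P<proto>\w+)\s.*\bsid:\s*(?P<sid>\d+)\s*;")


def egress_allowlist_rules(domains):
    """Suricata rules for a STRICT_ORDER group: pass the TCP handshake, pass
    allowlisted TLS SNI / HTTP Host values, then drop any other TLS or HTTP
    to the Internet with a named signature so the drop shows up in alert logs."""
    rules = [
        # SNI and Host only appear after the handshake, so the handshake
        # must be let through before a domain pass rule can ever match.
        "pass tcp $HOME_NET any <> $EXTERNAL_NET any (flow:not_established; sid:1; rev:1;)",
    ]
    sid = 100
    for domain in domains:
        rules.append(
            f'pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"{domain}"; '
            f'nocase; endswith; flow:to_server, established; msg:"allow TLS to {domain}"; '
            f"sid:{sid}; rev:1;)"
        )
        rules.append(
            f'pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"{domain}"; '
            f'nocase; endswith; flow:to_server, established; msg:"allow HTTP to {domain}"; '
            f"sid:{sid + 1}; rev:1;)"
        )
        sid += 2
    rules += [
        'drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"egress TLS not on allowlist"; flow:to_server, established; sid:9000; rev:1;)',
        'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"egress HTTP not on allowlist"; flow:to_server, established; sid:9001; rev:1;)',
    ]
    return rules


def lint_rules(rules):
    """Problems worth catching before upload: a line without action/sid,
    duplicate sids (the rule group fails validation), and a pass rule placed
    after a drop for the same protocol, which STRICT_ORDER makes unreachable."""
    problems, seen, dropped = [], set(), set()
    for n, rule in enumerate(rules, 1):
        m = RULE_RE.match(rule)
        if not m:
            problems.append(f"line {n}: no action/sid")
            continue
        sid, action, proto = int(m["sid"]), m["action"], m["proto"]
        if sid in seen:
            problems.append(f"line {n}: duplicate sid {sid}")
        seen.add(sid)
        if action == "pass" and proto in dropped:
            problems.append(f"line {n}: pass {proto} after drop {proto} is unreachable in STRICT_ORDER")
        if action == "drop":
            dropped.add(proto)
    return problems


def stateless_rule_group(name):
    """Stateless rules run first, per packet, on the 5-tuple. Everything is
    handed to the stateful engine except Internet-sourced TCP/22 to HOME_NET,
    which is dropped here cheaply before Suricata sees it (illustrative rule)."""
    def rule(priority, actions, **match):
        return {"Priority": priority, "RuleDefinition": {
            "MatchAttributes": {"Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                                "Destinations": [{"AddressDefinition": "0.0.0.0/0"}], **match},
            "Actions": actions}}
    return {"RuleGroupName": name, "Type": "STATELESS", "Capacity": 10,
            "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [
                rule(1, ["aws:drop"], Destinations=[{"AddressDefinition": HOME_NET}],
                     Protocols=[6], DestinationPorts=[{"FromPort": 22, "ToPort": 22}]),
                rule(2, ["aws:forward_to_sfe"]),
            ]}}}}


def stateful_rule_group(name, rules):
    """Suricata rule string plus the HOME_NET variable; EXTERNAL_NET defaults to its complement."""
    return {"RuleGroupName": name, "Type": "STATEFUL", "Capacity": 100,
            "RuleGroup": {"RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [HOME_NET]}}},
                          "RulesSource": {"RulesString": "\n".join(rules)},
                          "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"}}}


def firewall_policy(name, stateless_arn, stateful_arn):
    """Stateless (and fragment) defaults forward to the stateful engine; drop_established
    drops any flow no stateful rule passed once the handshake has completed."""
    return {"FirewallPolicyName": name, "FirewallPolicy": {
        "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 1}],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulRuleGroupReferences": [{"ResourceArn": stateful_arn, "Priority": 1}],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_established", "aws:alert_established"]}}


def policy_is_fail_closed(policy):
    """True when no packet can bypass the stateful engine and unmatched
    established flows are dropped rather than passed."""
    fp = policy["FirewallPolicy"]
    return (fp["StatelessDefaultActions"] == ["aws:forward_to_sfe"]
            and fp["StatelessFragmentDefaultActions"] == ["aws:forward_to_sfe"]
            and "aws:drop_established" in fp["StatefulDefaultActions"]
            and fp["StatefulEngineOptions"]["RuleOrder"] == "STRICT_ORDER")


if __name__ == "__main__":
    rules = egress_allowlist_rules(ALLOWED_DOMAINS)
    print("\n".join(rules))
    print("lint:", lint_rules(rules) or "ok")
    print("fail closed:", policy_is_fail_closed(firewall_policy("p", "arn:stateless", "arn:stateful")))
```

To deploy, pass each body to the matching call, for example `boto3.client("networkfirewall").create_rule_group(**stateless_rule_group("edge-stateless"))`, and use the returned ARNs in `firewall_policy`. The explicit `drop tls` and `drop http` rules exist so that blocked egress is logged with a signature name; anything else the stateful rules do not pass is handled by the policy's `aws:drop_established` default. If the stateless default were `aws:pass` instead of `aws:forward_to_sfe`, packets that match no stateless rule would never reach Suricata, which is the misconfiguration `policy_is_fail_closed` flags.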


Use Cases for AWS Network Firewall

  1. Intrusion Detection and Prevention (IDS/IPS)

    • Identify and block malicious activities using Suricata rules.

    • Detect command-and-control (C2) traffic or port scanning attempts.

  2. Monitoring and Blocking SSL/TLS Traffic

    • Perform TLS inspection to detect encrypted malware communications.

    • Enforce certificate revocation for outbound SSL/TLS traffic to prevent connections to compromised sites.

  3. Segmentation and Access Control

    • Segment network traffic by creating firewall rules to allow or block specific IP ranges, ports, or protocols.

  4. Data Exfiltration Prevention

    • Restrict egress to an allowlist of domains and destinations, and hunt in the flow logs for unusually large outbound transfers or connections to suspicious destinations.

  5. Compliance Enforcement

    • Enforce security policies required for regulatory compliance (e.g., PCI-DSS, HIPAA).


Logging and Monitoring with AWS Network Firewall

Network Firewall generates logs, from the stateful engine only, for:

  • Alert and flow events: JSON records whose event field follows Suricata's EVE format (event_type alert for rule matches, netflow for completed flows with packet and byte counts).

  • TLS events: Capture traffic inspection data, including certificate errors and revocation checks.

Logs can be sent to:

  • Amazon S3: For long-term storage.

  • Amazon CloudWatch Logs: For monitoring and creating real-time alerts.

  • Amazon Kinesis Data Firehose: For streaming to external analysis tools or SIEM platforms.
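As an added example, not from the original page, the following Python hunts over Network Firewall alert and flow (netflow) records such as those delivered to S3 or CloudWatch Logs, also covering the data exfiltration use case above. The log lines are constructed here in the documented record shape (firewall_name, availability_zone, event_timestamp, event) with made-up addresses and signatures; the HOME_NET CIDR and the byte threshold are assumptions.

```python
"""Hunt over AWS Network Firewall log records: count blocked and alert-only
signature hits per source, and total egress bytes per internal host from
netflow records. Sample records are constructed, not real firewall output."""
import json
import ipaddress
from collections import Counter, defaultdict


def _line(event_type, src, dst, dport, **extra):
    """One log record in the Network Firewall shape (constructed sample data)."""
    event = {"timestamp": "2023-11-14T22:13:21.000000+0000", "flow_id": 1,
             "event_type": event_type, "src_ip": src, "src_port": 51234,
             "dest_ip": dst, "dest_port": dport, "proto": "TCP", **extra}
    return json.dumps({"firewall_name": "egress-fw", "availability_zone": "us-east-1a",
                       "event_timestamp": "1700000001", "event": event})


SAMPLE_LOGS = [
    _line("alert", "10.0.1.15", "203.0.113.7", 443, app_proto="tls",
          alert={"action": "blocked", "signature_id": 9000, "rev": 1,
                 "signature": "egress TLS not on allowlist", "category": "", "severity": 3}),
    _line("alert", "10.0.1.22", "198.51.100.9", 443, app_proto="tls",
          alert={"action": "allowed", "signature_id": 7001, "rev": 1,
                 "signature": "possible C2 beacon to rare destination", "category": "", "severity": 2}),
    _line("netflow", "10.0.1.15", "203.0.113.7", 443, netflow={"pkts": 3, "bytes": 1200, "age": 1}),
    _line("netflow", "10.0.1.22", "198.51.100.9", 443, netflow={"pkts": 500000, "bytes": 734_003_200, "age": 600}),
    _line("netflow", "10.0.1.22", "198.51.100.9", 443, netflow={"pkts": 210000, "bytes": 300_000_000, "age": 420}),
    _line("netflow", "10.0.2.5", "10.0.3.9", 5432, netflow={"pkts": 900000, "bytes": 900_000_000, "age": 3600}),
    '{"firewall_name":"egress-fw","event":{"event_type":"netflow"',   # truncated delivery
]


def parse_records(lines):
    """Return the inner event dicts and the number of records that were not
    valid JSON or had no event field (truncated or foreign lines)."""
    events, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            ev = rec["event"]
            ev["firewall_name"] = rec.get("firewall_name")
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return events, skipped


def alerts_by_action(events):
    """Counter keyed by (signature, src_ip), split by alert action:
    'blocked' for drop/reject rules, 'allowed' for alert-only rules."""
    out = {"blocked": Counter(), "allowed": Counter()}
    for ev in events:
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        out.setdefault(a["action"], Counter())[(a["signature"], ev["src_ip"])] += 1
    return out


def egress_bytes_by_source(events, home_net):
    """Sum netflow bytes per internal source for flows that leave home_net.
    Suricata emits one netflow record per direction, so bytes here are what
    the source sent. Statelessly dropped traffic never appears in these logs."""
    net = ipaddress.ip_network(home_net)
    totals = defaultdict(int)
    for ev in events:
        if ev.get("event_type") != "netflow":
            continue
        src, dst = ipaddress.ip_address(ev["src_ip"]), ipaddress.ip_address(ev["dest_ip"])
        if src in net and dst not in net:
            totals[ev["src_ip"]] += ev["netflow"]["bytes"]
    return dict(totals)


def hunt(lines, home_net, byte_threshold):
    """Combine the three views into one result for a hunting pass."""
    events, skipped = parse_records(lines)
    alerts = alerts_by_action(events)
    egress = egress_bytes_by_source(events, home_net)
    return {"skipped": skipped,
            "blocked": alerts["blocked"],
            "allowed_alerts": alerts["allowed"],
            "large_egress": {ip: b for ip, b in egress.items() if b >= byte_threshold}}


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOGS, "10.0.0.0/16", 500_000_000).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The same three views translate directly into CloudWatch Logs Insights or Athena queries once the logs are delivered there; the Python version is useful for ad hoc triage of an S3 export. Note that the alert-only hit for 10.0.1.22 and its large egress total come from two different record types, which is why joining alert and netflow records on source address is a common hunting step.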


Comparison: AWS Network Firewall vs. Security Groups vs. NACLs

| Feature             | Network Firewall                                                                       | Security Groups                       | NACLs (Network ACLs)              |
|---------------------|----------------------------------------------------------------------------------------|---------------------------------------|-----------------------------------|
| Packet Inspection   | Deep packet inspection (stateful, Suricata engine)                                     | Basic allow/deny rules (stateful)     | Packet filtering only (stateless) |
| Intrusion Detection | Yes (Suricata-based)                                                                   | No                                    | No                                |
| TLS Inspection      | Yes                                                                                    | No                                    | No                                |
| Management Scope    | Per-VPC firewall; policies centralized across VPCs and accounts via Firewall Manager   | ENI/instance-level within a VPC       | Subnet-level                      |
| Use Case            | Advanced threat detection and prevention                                               | Controlling instance-level access     | Basic subnet-level filtering      |


Benefits of AWS Network Firewall

  1. Scalable and High Availability

    • Firewall endpoints are deployed in each Availability Zone you choose and scale automatically with traffic.

  2. Integration with AWS Services

    • Works with AWS Firewall Manager to enforce consistent security policies across accounts.

    • Compatible with AWS Transit Gateway for central traffic inspection.

  3. Cost-Effective Security

    • Billed per firewall endpoint-hour plus per GB of traffic processed, and for log delivery to the chosen destination; there is no upfront capacity to buy.

  4. Compliance Readiness

    • Simplifies compliance with regulations by monitoring and controlling network traffic.


Limitations of AWS Network Firewall

  1. Latency Impact

    • Deep packet inspection adds some latency, and TLS inspection adds more because each session is decrypted and re-encrypted on the firewall.

  2. Complex Configuration

    • Requires understanding of firewall policies, rule groups, and Suricata rules for effective deployment.

  3. No Direct Integration with Security Groups

    • Network Firewall complements, but does not replace, security groups or NACLs.
