AWS Network Firewall in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that AWS Network Firewall service is used to deploy essential network protection for your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall is a stateful, managed network firewall and intrusion detection service that enables you to inspect and filter traffic to, from, or between your Amazon VPCs.

You can manage AWS Network Firewall with the following main components:

Firewall – a network firewall connects the Amazon VPC that you want to protect to the protection behavior that is defined in a firewall policy. For each Availability Zone (AZ) where you want protection, you provide the network firewall with a public subnet that's dedicated to the firewall endpoint. To use the network firewall, you simply update the VPC route tables to send incoming and outgoing traffic through the firewall endpoints.

Firewall policy – a firewall policy defines the behavior of the network firewall inside a collection of stateless and stateful rule groups. You can associate each network firewall with only one firewall policy, but you can use a firewall policy for more than one firewall.

Rule group – a rule group represents a collection of stateless or stateful rules that define how to inspect and handle network traffic. The rules configuration includes 5-tuple, domain name, and Suricata-based filtering. Suricata is an open-source network IPS that includes a standard rule-based language for traffic inspection.

This rule can help you work with the AWS Well-Architected Framework.

Security

With AWS Network Firewall it's easy to deploy network protection (including protection from common network threats) for your Amazon Virtual Private Clouds (VPCs). AWS Network Firewall's stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce firewall policies such as preventing your VPCs from accessing domains using unauthorized protocols. AWS Network Firewall's intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. Also, AWS Network Firewall provides web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names (FQDNs). Ultimately, AWS Network Firewall allows you to control your Virtual Private Cloud (VPC) traffic in order to stop possible data loss, help meet compliance requirements, and secure Amazon Direct Connect and VPN connections.


Audit

To determine if AWS Network Firewall service is enabled for your Amazon Virtual Private Clouds (VPCs), perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to examine from the Filter by VPC dropdown list.

04 In the left navigation panel, under AWS NETWORK FIREWALL, choose Firewalls.

05 On the Firewalls page, check for any network firewalls created for the specified VPC. If there are no firewalls listed on this page, the AWS Network Firewall service is not implemented for the selected Amazon Virtual Private Cloud (VPC).

06 Repeat steps no. 3 – 5 to check the AWS Network Firewall integration for other VPC networks created within the current AWS region.

07 Change the AWS region from the navigation bar and repeat the audit process for other cloud regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) to list the IDs of all the Amazon Virtual Private Clouds (VPCs) available in the selected AWS cloud region:

aws ec2 describe-vpcs \
    --region us-east-1 \
    --output table \
    --query 'Vpcs[*].VpcId'

02 The command output should return the requested VPC identifiers (IDs):

------------------
|  DescribeVpcs  |
+----------------+
|  vpc-abcdabcd  |
|  vpc-abcd1234  |
|  vpc-1234abcd  |
+----------------+

03 Run list-firewalls command (OSX/Linux/UNIX) using the ID of the Amazon VPC that you want to examine as the identifier parameter, together with custom query filters, to describe the metadata available for the network firewall(s) defined for the selected VPC:

aws network-firewall list-firewalls \
    --region us-east-1 \
    --vpc-ids vpc-abcdabcd \
    --query 'Firewalls'

04 The command output should return the requested configuration metadata:

[]

If the list-firewalls command output returns an empty array (i.e. []), as shown in the example above, no network firewalls are defined for the specified VPC, and the AWS Network Firewall service is therefore not implemented for the selected Amazon Virtual Private Cloud (VPC).

05 Repeat steps no. 3 and 4 to verify the AWS Network Firewall integration for other VPC networks available in the selected AWS region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other cloud regions.
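The CLI audit above, automated as an added Python example (it is not code from the Conformity page or from Trend Micro): it lists the VPCs in a region, asks Network Firewall which firewalls are attached to each one, and reports the VPCs that have none. Unlike the one-shot CLI calls above it follows NextToken pagination, so accounts with many VPCs or firewalls are covered. The StubEc2 and StubNetworkFirewall classes, and the firewall attached to vpc-1234abcd, are constructed stand-ins so the check runs offline; main() assumes boto3 is installed and AWS credentials are configured.

```python
"""Audit every VPC in one region for an attached AWS Network Firewall.

Added example, not part of the Conformity page. Clients are passed in so the
logic runs against the constructed stubs below as well as real boto3 clients.
"""
import sys
from dataclasses import dataclass, field


@dataclass
class VpcFirewallFinding:
    vpc_id: str
    firewall_names: list = field(default_factory=list)

    @property
    def protected(self) -> bool:
        # The page's pass condition: at least one firewall listed for the VPC.
        return bool(self.firewall_names)


def list_vpc_ids(ec2):
    """All VPC IDs in the client's region (describe-vpcs), following NextToken."""
    ids, token = [], None
    while True:
        kwargs = {"NextToken": token} if token else {}
        resp = ec2.describe_vpcs(**kwargs)
        ids.extend(v["VpcId"] for v in resp["Vpcs"])
        token = resp.get("NextToken")
        if not token:
            return ids


def firewall_names_for_vpc(nfw, vpc_id):
    """Names of the firewalls attached to one VPC (list-firewalls --vpc-ids)."""
    names, token = [], None
    while True:
        kwargs = {"VpcIds": [vpc_id]}
        if token:
            kwargs["NextToken"] = token
        resp = nfw.list_firewalls(**kwargs)
        names.extend(f["FirewallName"] for f in resp["Firewalls"])
        token = resp.get("NextToken")
        if not token:
            return names


def audit_region(ec2, nfw):
    """One finding per VPC; a VPC whose firewall list is empty fails the check."""
    return [VpcFirewallFinding(v, firewall_names_for_vpc(nfw, v)) for v in list_vpc_ids(ec2)]


def unprotected_vpcs(findings):
    return [f.vpc_id for f in findings if not f.protected]


# --- Constructed stub clients so the audit runs offline ---------------------
class StubEc2:
    """Returns the three sample VPC IDs used on the page, in a single page."""

    def describe_vpcs(self, **kwargs):
        return {"Vpcs": [{"VpcId": v} for v in ("vpc-abcdabcd", "vpc-abcd1234", "vpc-1234abcd")]}


class StubNetworkFirewall:
    """Maps VPC ID -> firewall names, mimicking list_firewalls filtered by VpcIds."""

    def __init__(self, attached):
        self._attached = attached

    def list_firewalls(self, VpcIds, **kwargs):
        names = self._attached.get(VpcIds[0], [])
        return {"Firewalls": [
            {"FirewallName": n,
             "FirewallArn": f"arn:aws:network-firewall:us-east-1:123456789012:firewall/{n}"}
            for n in names]}


def run_stub_audit():
    """Constructed scenario: only vpc-1234abcd has a firewall attached."""
    nfw = StubNetworkFirewall({"vpc-1234abcd": ["cc-prod-vpc-network-firewall"]})
    return unprotected_vpcs(audit_region(StubEc2(), nfw))


def main(region):
    import boto3  # assumption: boto3 installed and credentials configured
    ec2 = boto3.client("ec2", region_name=region)
    nfw = boto3.client("network-firewall", region_name=region)
    for vpc_id in unprotected_vpcs(audit_region(ec2, nfw)):
        print(f"{region}: {vpc_id} has no AWS Network Firewall")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        main(sys.argv[1])  # e.g. python audit_nfw.py us-east-1
    else:
        print("Stub audit, unprotected VPCs:", run_stub_audit())
```

Run main() once per region (step 06 above); a firewall being listed only shows it exists, so a stricter check would also call describe-firewall and confirm the route tables send traffic through its endpoints, which this example does not do.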

Remediation / Resolution

AWS Network Firewall provides network traffic filtering protection for your Amazon Virtual Private Clouds (VPCs). To enable and configure AWS Network Firewall for your Amazon VPCs, perform the following actions:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 Select the Virtual Private Cloud (VPC) that you want to reconfigure from the Filter by VPC dropdown list.

04 In the left navigation panel, under AWS NETWORK FIREWALL, choose Network Firewall rule groups.

05 Choose Create Network Firewall rule group from the console top menu to create a new Network Firewall rule group. A rule group is a reusable collection of network filtering rules that you use to configure firewall behavior. You can add one or more rule groups to a firewall policy as part of the policy configuration.

06 On the Create Network Firewall rule group setup page, perform the following operations:

  1. To create a stateless rule group, provide the following information:
    • For Rule group type, select Stateless rule group.
    • For Name, type a unique name for your new stateless rule group.
    • (Optional) For Description, provide a short description for the resource.
    • For Capacity, specify the maximum processing capacity required for the stateless rule group (e.g. 10). When you reference a rule group from a firewall policy, this capacity is reserved for the rule group within the policy. You can't change or exceed the capacity if you want to update the rule group, so leave room for your rule group to grow. You can use a value between 1 and 10000.
    • Use the Add rule configuration form to add the stateless rule(s) that you need in your rule group. For example, provide the following rule specifications to create a stateless rule that blocks all packets coming from the source IP address range 192.0.5.0/24:
      • Set the Priority to 10. Rules with lower priority are evaluated first. Each rule within a rule group must have a unique priority setting.
      • For Protocol, choose All to inspect all supported transport protocols.
      • For Source, select Custom, and specify 192.0.5.0/24.
      • Leave the Source port range at Any port.
      • For Destination, choose Any IPv4 address.
      • Leave the Destination port range at Any port.
      • For Action, choose how you want the firewall to handle packets that match the rule criteria. In this case, set Action to Drop.
      • Choose Add rule to add the new rule to the Rules list.
    • Review the configuration settings for your rule group, then choose Create stateless rule group.
  2. To create a stateful rule group, provide the following information:
    • For Rule group type, select Stateful rule group.
    • For Name, type a unique name for your new stateful rule group.
    • (Optional) For Description, provide a short description for the group.
    • For Capacity, specify the maximum processing capacity required for the stateful rule group (e.g. 10). You can provide a value between 1 and 10000.
    • For Stateful rule group options, choose one of the following options:
      • 5-tuple – to use the 5-tuple format, specify the source IP, source port, destination IP, destination port, and protocol, and specify the action to take for matching traffic, in the Add rule configuration form.
      • Domain list – to provide a list of domain names and the action to take for traffic that tries to access one of the domains. Enter the domain names that you want to take action on, in the Domain name source box.
      • Suricata compatible IPS rules (Intrusion Prevention System – IPS rules) – to provide advanced firewall rules using Suricata rule syntax. For example, paste the following Suricata rule into the Suricata compatible IPS rules box, to detect SSH protocol anomalies: alert tcp any any -> any 22 (msg:"ALERT TCP port 22 but not SSH"; app-layer-protocol:!ssh; sid:2271009; rev:1;).
    • Review the rule group configuration settings, then choose Create stateful rule group.

07 In the left navigation panel, under AWS NETWORK FIREWALL, choose Firewall policies.

08 Choose Create firewall policy to create a new firewall policy. Firewall policies use rule groups and other settings to define the traffic filtering behavior for a firewall.

09 On the Create firewall policy setup page, perform the following operations:

  1. For Name, type a unique name for your new firewall policy. You can't change the name of a firewall policy after you create it.
  2. (Optional) For Description, provide a short description for the policy.
  3. Choose Next to continue the setup process.
  4. In the Stateless rule groups section, choose Add rule groups, and select the stateless rule group created at step no. 6. In the Stateless default actions section, the firewall policy allows you to specify different default settings for full packets and packet fragments. The Action options are the same as for the stateless rule that you have used in the firewall policy's stateless rule groups. In the Stateful rule groups section, choose Add rule groups, and select the stateful rule group created at step no. 6. Choose Next to continue.
  5. In the Firewall policy tags section, use the Add tag button to attach one or more tag sets to the resource. Choose Next to continue.
  6. Review the policy configuration settings, then choose Create firewall policy.

10 In the left navigation panel, under AWS NETWORK FIREWALL, choose Firewalls.

11 Choose Create firewall to create a new network firewall. Network firewalls associate the traffic filtering behavior of a firewall policy with the VPC where you want to filter traffic.

12 On the Create firewall setup page, perform the following operations:

  1. For Name, enter the unique name that you want to use to identify this firewall.
  2. (Optional) For Description, provide a short description for the new firewall.
  3. For VPC, choose the VPC where you want to create this firewall.
  4. For Firewall subnets, select the Availability Zone and the subnet that you want to use as the firewall subnet. This subnet must not be used for other purposes and must have at least one available IP address.
  5. For Associated firewall policy, choose Associate an existing firewall policy, then select the firewall policy created at step no. 9.
  6. (Optional) In the Firewall tags section, you can define tags for the resource.
  7. Choose Create firewall to deploy your new network firewall.

13 Once your network firewall is successfully created, to include the firewall within your Amazon VPC, you need to modify the VPC route tables so that the traffic that you want the firewall to filter passes through the firewall endpoint. This process depends on your VPC network architecture and the traffic that you want to filter. For example, to filter all traffic between your Internet Gateway (IGW) and your customer subnet(s), you have to redirect incoming traffic from the Internet Gateway and outgoing traffic from the customer subnet(s) through the firewall endpoint.

14 Repeat step no. 3 – 13 to enable and configure AWS Network Firewall service for other VPC networks available within the current AWS region.

15 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run create-rule-group command (OSX/Linux/UNIX) to create a new AWS Network Firewall rule group, which includes the rules for network traffic inspection and the capacity settings. The following command request example creates a stateless rule group that blocks all packets coming from the source IP address range 192.0.5.0/24:

aws network-firewall create-rule-group \
    --region us-east-1 \
    --rule-group-name cc-prod-stateless-rule-group \
    --type STATELESS \
    --capacity 10 \
    --rule-group '{
    "RulesSource": {
        "StatelessRulesAndCustomActions": {
            "StatelessRules": [
                {
                    "RuleDefinition": {
                        "MatchAttributes": {
                            "Sources": [
                                {
                                    "AddressDefinition": "192.0.5.0/24"
                                }
                            ],
                            "Destinations": [
                                {
                                    "AddressDefinition": "0.0.0.0/0"
                                }
                            ]
                        },
                        "Actions": [
                            "aws:drop"
                        ]
                    },
                    "Priority": 10
                }
            ]
        }
    }
}'

02 The command output should return the metadata for the new AWS Network Firewall rule group:

{
    "RuleGroupResponse": {
        "RuleGroupArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/cc-prod-stateless-rule-group",
        "RuleGroupName": "cc-prod-stateless-rule-group",
        "RuleGroupId": "abcdabcd-1234-abcd-1234-abcd1234abcd",
        "Type": "STATELESS",
        "Capacity": 10,
        "RuleGroupStatus": "ACTIVE"
    }
}

03 Run create-firewall-policy command (OSX/Linux/UNIX) to create the firewall policy for your network firewall, using the stateless rule group created in the previous steps. A firewall policy defines the behavior of a network firewall, in a collection of stateless and stateful rule groups and other settings:

aws network-firewall create-firewall-policy \
    --region us-east-1 \
    --firewall-policy-name cc-prod-vpc-firewall-policy \
    --firewall-policy '{
    "StatelessRuleGroupReferences": [
        {
            "ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/cc-prod-stateless-rule-group",
            "Priority": 1
        }
    ],
    "StatelessDefaultActions": [
        "aws:forward_to_sfe"
    ],
    "StatelessFragmentDefaultActions": [
        "aws:forward_to_sfe"
    ]
}'

04 The command output should return the metadata for the newly created firewall policy:

{
    "FirewallPolicyResponse": {
        "FirewallPolicyName": "cc-prod-vpc-firewall-policy",
        "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/cc-prod-vpc-firewall-policy",
        "FirewallPolicyId": "abcd1234-abcd-1234-abcd-1234abcd1234",
        "FirewallPolicyStatus": "ACTIVE"
    }
}

05 Run create-firewall command (OSX/Linux/UNIX) to create your new AWS Network Firewall firewall. The parameters that you can define at creation include the network firewall policy created earlier, the Virtual Private Cloud (VPC) where AWS Network Firewall should create the new firewall, and the VPC subnet(s) to use for the firewall endpoint(s):

aws network-firewall create-firewall \
    --region us-east-1 \
    --firewall-name cc-prod-vpc-network-firewall \
    --firewall-policy-arn arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/cc-prod-vpc-firewall-policy \
    --vpc-id vpc-1234abcd \
    --subnet-mappings SubnetId=subnet-abcd1234

06 The command output should return the new firewall configuration metadata:

{
    "Firewall": {
        "FirewallName": "cc-prod-vpc-network-firewall",
        "FirewallArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall/cc-prod-vpc-network-firewall",
        "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/cc-prod-vpc-firewall-policy",
        "VpcId": "vpc-1234abcd",
        "SubnetMappings": [
            {
                "SubnetId": "subnet-abcd1234"
            }
        ],
        "DeleteProtection": false,
        "SubnetChangeProtection": false,
        "FirewallPolicyChangeProtection": false,
        "FirewallId": "1234abcd-1234-abcd-1234-abcd1234abcd"
    },
    "FirewallStatus": {
        "Status": "PROVISIONING",
        "ConfigurationSyncStateSummary": "PENDING"
    }
}

07 To include the firewall within your Amazon VPC, you need to modify the VPC route tables so that the traffic that you want the firewall to filter passes through the firewall endpoint. This process depends on your VPC network architecture and the traffic that you want to filter. For example, to filter all traffic between your Internet Gateway (IGW) and your customer subnet(s), you have to redirect incoming traffic from the Internet Gateway and outgoing traffic from the customer subnet(s) through the firewall endpoint.

08 Repeat steps no. 1 – 7 to enable and configure AWS Network Firewall service for other VPC networks available in the selected AWS region.

09 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 8 to perform the entire remediation process for other regions.
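The JSON documents passed to --rule-group (CLI step 01) and --firewall-policy (CLI step 03), generated by an added Python example that is not code from the Conformity page or from AWS. It builds the page's stateless drop rule for 192.0.5.0/24 and a stateful group holding the Suricata rule from console step 06, and checks the constraints the page states (capacity between 1 and 10000, unique rule priorities, well-formed CIDRs) before anything reaches the API. The account ID and the stateful group name cc-prod-stateful-rule-group are constructed placeholders.

```python
"""Build validated AWS Network Firewall rule-group and policy documents.

Added example, not part of the Conformity page or the AWS CLI. Output is the
JSON value for `create-rule-group --rule-group` / `create-firewall-policy --firewall-policy`.
"""
import ipaddress
import json

CAPACITY_RANGE = (1, 10000)  # limits stated on the page
STATELESS_ACTIONS = ("aws:pass", "aws:drop", "aws:forward_to_sfe")

# Suricata rule quoted on the page (console step 06).
SSH_ANOMALY_RULE = ('alert tcp any any -> any 22 (msg:"ALERT TCP port 22 but not SSH"; '
                    'app-layer-protocol:!ssh; sid:2271009; rev:1;)')


def check_capacity(capacity):
    lo, hi = CAPACITY_RANGE
    if not isinstance(capacity, int) or not lo <= capacity <= hi:
        raise ValueError(f"capacity must be an integer between {lo} and {hi}, got {capacity!r}")
    return capacity


def stateless_rule(source_cidr, priority, action="aws:drop", dest_cidr="0.0.0.0/0"):
    """One entry of the StatelessRules array; rejects bad CIDRs and unknown actions."""
    ipaddress.ip_network(source_cidr, strict=True)  # ValueError if host bits are set
    ipaddress.ip_network(dest_cidr, strict=True)
    if action not in STATELESS_ACTIONS:
        raise ValueError(f"unknown stateless action {action!r}")
    return {
        "RuleDefinition": {
            "MatchAttributes": {
                "Sources": [{"AddressDefinition": source_cidr}],
                "Destinations": [{"AddressDefinition": dest_cidr}],
            },
            "Actions": [action],
        },
        "Priority": priority,
    }


def stateless_rule_group(rules, capacity):
    """--rule-group document for a STATELESS group; priorities must be unique."""
    check_capacity(capacity)
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("each stateless rule needs a unique Priority within the group")
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": rules}}}


def stateful_suricata_rule_group(rules, capacity):
    """--rule-group document for a STATEFUL group written in Suricata syntax."""
    check_capacity(capacity)
    return {"RulesSource": {"RulesString": "\n".join(rules)}}


def firewall_policy(stateless_arns, stateful_arns, default_action="aws:forward_to_sfe"):
    """--firewall-policy document: group references plus the stateless default actions."""
    if default_action not in STATELESS_ACTIONS:
        raise ValueError(f"unknown default action {default_action!r}")
    return {
        "StatelessRuleGroupReferences": [
            {"ResourceArn": arn, "Priority": i + 1} for i, arn in enumerate(stateless_arns)],
        "StatefulRuleGroupReferences": [{"ResourceArn": arn} for arn in stateful_arns],
        "StatelessDefaultActions": [default_action],
        "StatelessFragmentDefaultActions": [default_action],
    }


def to_cli_arg(doc):
    """Serialise a document for use as the quoted CLI parameter value."""
    return json.dumps(doc, indent=4)


def raises_value_error(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def build_page_example():
    """(stateless group, stateful group, policy) with the page's sample values."""
    account, region = "123456789012", "us-east-1"  # placeholder account from the page's ARNs
    prefix = f"arn:aws:network-firewall:{region}:{account}"
    stateless = stateless_rule_group([stateless_rule("192.0.5.0/24", 10)], capacity=10)
    stateful = stateful_suricata_rule_group([SSH_ANOMALY_RULE], capacity=10)
    policy = firewall_policy(
        [f"{prefix}:stateless-rulegroup/cc-prod-stateless-rule-group"],
        [f"{prefix}:stateful-rulegroup/cc-prod-stateful-rule-group"])  # constructed name
    return stateless, stateful, policy


if __name__ == "__main__":
    for doc in build_page_example():
        print(to_cli_arg(doc))
```

Keeping the default action at aws:forward_to_sfe, as the page's policy does, means packets that no stateless rule drops still reach the stateful engine, so the Suricata rule is actually evaluated; a default of aws:pass would bypass it.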

Publication date Jan 14, 2021