---
tags: AWS Network Firewall, Networking, AWS, Workshop
---
# AWS Network Firewall
This is our list of hints and tips for this workshop.
**JOIN EVENT:** https://catalog.workshops.aws/join
1. Complete the OTP (one-time password) check using an email address (any that you can access over the public internet).
2. **Code will be on the TV** screen for you to type.
3. Read "Terms and Conditions", select "**I agree with the Terms and Conditions**" and click "**Join event**".
4. On the next page, click "**Open AWS Console**" URL link.

5. **Skip the entire sections** "Introduction" & "Setup": *this is already done!*
6. Go straight to the first lab [**Deploy With AWS Console**](https://catalog.workshops.aws/networkfirewall/en-US/labs/lab1)
:::info
:warning: **For this workshop resources are deployed in North Virginia / us-east-1**
:::
# Key Concepts
There are 3 key components of AWS Network Firewall.
1. **Rule Groups**: Holds a reusable collection of criteria for inspecting traffic and for handling packets and traffic flows that match the inspection criteria.
1. **Policy**: Defines a reusable set of stateless and stateful rule groups, along with some policy-level behavior settings.
1. **Firewall**: Enforces the inspection rules in the firewall policy to the VPC that the rules protect. Each firewall requires one firewall policy. The firewall additionally defines settings like how to log information about your network traffic and the firewall's stateful traffic filtering.
## Stateless vs Stateful
### Stateless
A stateless rule examines individual packets independently, without considering factors such as traffic direction or existing connections. Its focus is on quick evaluation, prioritizing speed. The engine follows rules based on standard network connection attributes, processing them in the specified order and halting when a match is found. This stateless approach is comparable to the behavior of Amazon VPC network access control lists (ACLs).
### Stateful
A stateful rule evaluates packets within the context of their traffic flow, enabling the use of more intricate rules and facilitating logging of network traffic and firewall alerts. Unlike stateless engines, **stateful rules consider traffic direction and may delay packet delivery to examine packets as a group**. By default, this engine processes rules based on their action setting order, giving priority to pass rules, followed by drop rules and then alert rules. The processing stops upon finding a match.

See more https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-rules-engines.html
## How DNS Firewall works with AWS Network Firewall
DNS Firewall and AWS Network Firewall both support domain name filtering, but they cater to different types of traffic. DNS Firewall focuses on outbound DNS queries passing through the Route 53 Resolver within VPCs, allowing for custom responses to blocked domain names. On the other hand, AWS Network Firewall provides filtering for both network and application layer traffic, but lacks visibility into queries made to the Route 53 Resolver. Combining both solutions enables domain-based filtering for application layer traffic across distinct network paths.
## What is Suricata?
Suricata is an open-source network threat detection engine and intrusion detection system (IDS). It is designed to monitor network traffic and detect malicious activities, such as intrusion attempts, malware infections, and other security threats. Suricata is capable of inspecting network packets in real-time and can be used for both signature-based and anomaly-based detection.
more info [here](https://suricata.io/)
# AWS Network Firewall Workshop Labs
Refer to the following headings when working through the content and getting stuck.
I recommend keeping these web console tabs open permanently in your browser, as you will be using them frequently:
1. **EC2** - To connect to our instances to perform testing
2. **VPC** - Contains our Network Firewall resources
3. **Route53** - Contains our DNS Firewall logging
4. **CloudWatch** - Contains our event logs
## Getting Started > AWS Hosted Event - Event Engine
Only complete this step once, to get your login MFA code to join the workshop
## Getting Started > In Your Own AWS Account
**SKIP** We are not running this in our own accounts.
## Setup
We are participating in a workshop at an AWS sponsored event; the prerequisite (Distributed Deployment Model or Centralized Deployment Model) **is already provisioned for you**.
We are running **[Centralized Deployment Model](https://catalog.us-east-1.prod.workshops.aws/event/dashboard/en-US/workshop/setup/centralmodel)**
:::info
:warning: **You do NOT need to provision resources or manually run the CloudFormation stack**
:::
You can read the setup steps for information only, otherwise proceed to **Lab 1**.

## Labs > Lab 1 Verify Firewall Resources
We are using Region: [us-east-1](https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#NetworkFirewalls:)
## Labs > Lab 2 - Egress Web Filtering
N/A
## Labs > Lab 3 - Using Open Source rules with AWS Network Firewall
### Step 4. Test & monitor
Replace the "10.2.1.176" used in the example with the private IP of your own testing instance.
```
{$.event.src_ip = "10.2.1.176" && $.event.http.http_user_agent = "easyhttp client" && $.event.alert.signature_id = 2029569}
```
Inside your Session Manager window, at the command prompt type:
```
ifconfig eth0 | grep 'inet ' | awk '{print $2}'
```
Or, inside the AWS Console go to your EC2 Console, select the instance ID and under the details tab you will find `Private IPv4 addresses`

:::info
:warning: **Alternative to using CloudWatch for event analysis**
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-using-amazon-opensearch-service-part-1/
:::
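To sanity-check the filter before pasting it into CloudWatch, here is an added Python example (not part of the workshop materials) that builds the Lab 3 pattern with your own instance IP and applies the same three conditions locally to constructed sample lines in the shape of Network Firewall alert logs; `SAMPLE_LOG_LINES` and the function names are assumptions.

```python
import json
import ipaddress

# Constructed sample records shaped like AWS Network Firewall alert logs
# (only the fields the Lab 3 filter uses); not real workshop output.
SAMPLE_LOG_LINES = [
    json.dumps({"firewall_name": "AnfwDemo-Firewall", "event": {
        "event_type": "alert", "src_ip": "10.2.1.176", "dest_ip": "203.0.113.10",
        "http": {"http_user_agent": "easyhttp client", "hostname": "example.com"},
        "alert": {"signature_id": 2029569, "action": "allowed"}}}),
    json.dumps({"firewall_name": "AnfwDemo-Firewall", "event": {
        "event_type": "alert", "src_ip": "10.2.1.200", "dest_ip": "203.0.113.10",
        "http": {"http_user_agent": "easyhttp client"},
        "alert": {"signature_id": 2029569, "action": "allowed"}}}),
    json.dumps({"firewall_name": "AnfwDemo-Firewall", "event": {
        "event_type": "alert", "src_ip": "10.2.1.176", "dest_ip": "203.0.113.10",
        "http": {"http_user_agent": "curl/8.0"},
        "alert": {"signature_id": 2100498}}}),
    json.dumps({"firewall_name": "AnfwDemo-Firewall", "event": {
        "event_type": "netflow", "src_ip": "10.2.1.176", "dest_ip": "203.0.113.10"}}),
]

def cloudwatch_filter_pattern(instance_ip, user_agent="easyhttp client", sid=2029569):
    """Build the Lab 3 CloudWatch filter pattern with the tester's own instance IP."""
    ipaddress.ip_address(instance_ip)  # reject typos before they reach CloudWatch
    return ('{$.event.src_ip = "%s" && $.event.http.http_user_agent = "%s" '
            '&& $.event.alert.signature_id = %d}' % (instance_ip, user_agent, sid))

def _lookup(record, dotted_path):
    """Resolve a $.a.b.c style path; a missing key means 'no match', as in CloudWatch."""
    node = record
    for key in dotted_path.lstrip("$.").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matching_alerts(log_lines, instance_ip, user_agent="easyhttp client", sid=2029569):
    """Apply the same three conditions locally to exported or sampled log lines."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        if (_lookup(rec, "$.event.src_ip") == instance_ip
                and _lookup(rec, "$.event.http.http_user_agent") == user_agent
                and _lookup(rec, "$.event.alert.signature_id") == sid):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    print(cloudwatch_filter_pattern("10.2.1.176"))
    for hit in matching_alerts(SAMPLE_LOG_LINES, "10.2.1.176"):
        print(hit["event"]["src_ip"], hit["event"]["alert"]["signature_id"])
```

Only the first sample line matches: the second has a different source IP, the third a different User-Agent and signature, and the fourth is a netflow record with no alert fields at all.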
## Labs > Lab 4: Custom Suricata rules with Strict Rule ordering
N/A
## Labs > Lab 5 - Threat Hunting with AWS Network Firewall
N/A
## Labs > Lab 6 - Ingress Web Filtering using TLS Inspection
In overview, this section assumes that you already have the following:
* ALB - Fronting two web instances.
* Certificate - HTTPS listener on the ALB bound with ACM cert.
:::info
:warning: **You'll have a TLS cert created**
There will be an [ALB that exists in us-east-1 region](https://us-east-1.console.aws.amazon.com/ec2/home?region=us-east-1#LoadBalancers:name=AnfwDemo-ExternalAlb;v=3;$case=tags:false%5C,client:false;$regex=tags:false%5C,client:false)
There will be a [Certificate that exists in us-east-1 region](https://us-east-1.console.aws.amazon.com/acm/home?region=us-east-1#/certificates/list)
:::
As a part of the Setup we have already created a public ACM certificate for the test domain `*.workshophub.network`. You can verify the public certificate exists by navigating [here](https://us-east-1.console.aws.amazon.com/acm/home?region=us-east-1#/certificates/list)

After `Figure 10`, you'll need to update routes to make sure return traffic from the firewall endpoint is routed back to the Internet Gateway. To do this, we change the route tables associated with the firewall endpoint subnets, in both subnets:
1. [Route Table A](https://us-east-1.console.aws.amazon.com/vpcconsole/home?region=us-east-1#RouteTables:v=3;search=:AnfwDemo-InspectionVPCC-FirewallRouteTableA).
1. [Route Table B](https://us-east-1.console.aws.amazon.com/vpcconsole/home?region=us-east-1#RouteTables:v=3;search=:AnfwDemo-InspectionVPCC-FirewallRouteTableB).
**Update** the **default route** (0.0.0.0/0) target **from** NAT GATEWAY **to** INTERNET GATEWAY
# Post-Workshop Follow Up Items
This section has specific follow up items.
TBA
**AWS Network Firewall**
* [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/)
* [Examples - Suricata compatible stateful rules for Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html)
* [Decrypt, inspect, & re-encrypt TLS traffic at scale with AWS Network Firewall ](https://www.youtube.com/watch?v=j2pLuHdAj0A) :movie_camera: (20mins)
* [AWS re:Inforce 2023 - Policy and Suricata compatible rule creation for AWS Network Firewall (NIS308) ](https://youtu.be/67pVOv3lPlk?si=K8ai6j40QRWYkiJE&t=1777):movie_camera: (50mins - Examples at 29mins)
**Log Management**
* [Send AWS WAF logs to Splunk by using AWS Firewall Manager and Amazon Kinesis Data Firehose](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/send-aws-waf-logs-to-splunk-by-using-aws-firewall-manager-and-amazon-kinesis-data-firehose.html)
* [Build a centralized log analytics platform with Amazon OpenSearch Service on AWS in 20 minutes](https://aws.amazon.com/solutions/implementations/centralized-logging-with-opensearch/)
* [How to analyze AWS Network Firewall logs using Amazon OpenSearch Service – Part 1](https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-using-amazon-opensearch-service-part-1/)
**Firewall Management**
* [AWS Network Firewall automation examples](https://github.com/aws-samples/aws-network-firewall-automation-examples)
* [Ingest Proofpoint emerging threat rule sets into AWS Network Firewall Rulegroups](https://github.com/aws-samples/aws-network-firewall-rulegroups-with-proofpoints-emerging-threats-open-ruleset)
**DNS Firewall**
* [Resolve Domain Name System (DNS) queries in hybrid cloud environments](https://aws.amazon.com/route53/resolver/)
* [Integrating your Directory Service’s DNS resolution with Amazon Route 53 Resolvers](https://aws.amazon.com/blogs/networking-and-content-delivery/integrating-your-directory-services-dns-resolution-with-amazon-route-53-resolvers/)
**Firewall Manager**
* [Getting Started with AWS Firewall Manager](https://www.youtube.com/watch?v=FGhKpPDBvXc):movie_camera: (3mins)
* [How to deploy AWS Network Firewall by using AWS Firewall Manager](https://aws.amazon.com/blogs/security/how-to-deploy-aws-network-firewall-by-using-aws-firewall-manager/)
* [How to continuously audit and limit security groups with AWS Firewall Manager](https://aws.amazon.com/blogs/security/how-to-continuously-audit-and-limit-security-groups-with-aws-firewall-manager/)
# Case Study
* [Strengthening Security Posture While Saving on Inspection Costs Using AWS Security Services with athenahealth](https://aws.amazon.com/solutions/case-studies/athenahealth-case-study/?did=cr_card&trk=cr_card)
* [PayU Helps Customers Make Secure Online Payments Faster by Streamlining Firewall Management on AWS](https://aws.amazon.com/solutions/case-studies/payu-case-study/?did=cr_card&trk=cr_card)
# Self Paced Learning
**AWS Ramp-Up Guide - Networking & Content Delivery**
https://d1.awsstatic.com/training-and-certification/ramp-up_guides/Ramp-Up_Guide_Networking-Content-Delivery.pdf
**AWS Skill Builder - Network Learning Path (42 hours)**
https://explore.skillbuilder.aws/learn/learning_plan/view/125/networking-core-knowledge-badge-readiness-path-amazon

This Learning Path helps you build knowledge on AWS networking concepts and services with a focus on Amazon VPC, AWS Cloud WAN, and Amazon Route 53. This Learning Path presents domain-specific content and includes courses, knowledge checks, hands-on labs, a pre-assessment and a knowledge badge assessment. This path is a guide that presents learning in a structured order; it can be used as presented, or you can select the content that is most beneficial.