
AWS Network Firewall

This is our list of hints and tips for this workshop.

JOIN EVENT: https://catalog.workshops.aws/join

  1. Complete the OTP (one-time password) check using an email address you can access over the public internet.
  2. The event code will be shown on the TV screen for you to type in.
  3. Read "Terms and Conditions", select "I agree with the Terms and Conditions" and click "Join event".
  4. On the next page, click "Open AWS Console" URL link.
  5. Skip the "Introduction" and "Setup" sections entirely; they have already been done for you.
  6. Go straight to the first lab, Deploy With AWS Console.

For this workshop, resources are deployed in North Virginia (us-east-1).

Key Concepts

There are three key components of AWS Network Firewall.

  1. Rule Groups: A reusable collection of criteria for inspecting traffic, together with the action to take on packets and flows that match those criteria.
  2. Policy: A reusable set of stateless and stateful rule groups, along with policy-level behaviour settings (for example the default actions for traffic that matches no rule).
  3. Firewall: Connects the inspection rules in the firewall policy to the VPC that the rules protect. Each firewall requires exactly one firewall policy. The firewall additionally defines settings such as where to log information about your network traffic and how the firewall's stateful traffic filtering behaves.

Stateless vs Stateful

Stateless

A stateless rule examines each packet on its own, without considering traffic direction or any existing connection. It is optimised for speed. The stateless engine matches on standard 5-tuple attributes (protocol, source and destination address, source and destination port), processes rules in the priority order you specify, and stops at the first match. This behaviour is comparable to Amazon VPC network access control lists (ACLs).

Stateful

A stateful rule evaluates packets in the context of their traffic flow, which allows more intricate rules and enables logging of network traffic and firewall alerts. Unlike the stateless engine, the stateful engine considers traffic direction and may hold packets so that it can examine them as a group. By default ("action order"), it evaluates rules grouped by action regardless of how you listed them: pass rules first, then drop, then reject, then alert, stopping at the first match. The alternative is strict rule ordering, in which rules are evaluated exactly in the order you list them and a policy-level default action applies to flows that match nothing; Lab 4 uses strict ordering.
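The practical consequence of the two ordering modes is easy to miss: under action order a broad pass rule wins over a more specific drop rule no matter where it sits in the list, while under strict order the listed position decides. The following simulation is an added example (not workshop code or the Network Firewall engine itself); the rule and flow shapes, the matching on destination port plus TLS SNI, and the sample rule list are simplified assumptions, and the rendered Suricata strings illustrate the syntax Network Firewall accepts rather than rules from the labs.

```python
"""Simulate AWS Network Firewall stateful rule evaluation under action
order vs strict order.  Added example; the engine is simplified to
port + SNI matching and first-match semantics."""
from dataclasses import dataclass
from typing import Optional

# Action order: pass rules first, then drop, then reject, then alert.
ACTION_ORDER = {"pass": 0, "drop": 1, "reject": 2, "alert": 3}


@dataclass(frozen=True)
class Rule:
    action: str                      # pass | drop | reject | alert
    sid: int
    dest_port: Optional[int] = None  # None = any port
    domain: Optional[str] = None     # TLS SNI to match; None = any domain

    def to_suricata(self) -> str:
        """Render the rule in Suricata syntax (what Network Firewall ingests)."""
        opts = ["flow:to_server,established"]
        if self.domain:
            opts.append(f'tls.sni; content:"{self.domain}"; startswith; endswith')
        opts += [f"sid:{self.sid}", "rev:1"]
        port = self.dest_port if self.dest_port is not None else "any"
        return f"{self.action} tls $HOME_NET any -> $EXTERNAL_NET {port} ({'; '.join(opts)};)"


@dataclass(frozen=True)
class Flow:
    dest_port: int
    sni: str


def matches(rule: Rule, flow: Flow) -> bool:
    return rule.dest_port in (None, flow.dest_port) and rule.domain in (None, flow.sni)


def evaluate_default_order(rules, flow):
    """Action order: rules are grouped by action class (sorted() is stable, so
    the listed order survives inside a class); first match wins; a flow that
    matches nothing is passed."""
    for rule in sorted(rules, key=lambda r: ACTION_ORDER[r.action]):
        if matches(rule, flow):
            return rule.action, rule.sid
    return "pass", None


def evaluate_strict_order(rules, flow, default_action="drop"):
    """Strict order: rules are evaluated exactly as listed; first match wins.
    A flow that matches nothing gets the policy's stateful default action
    (assumed here to be a drop, e.g. aws:drop_strict)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.sid
    return default_action, None


# Constructed rule list: a specific drop listed BEFORE a broad allow.
RULES = [
    Rule("drop", sid=1, dest_port=443, domain="bad.example.com"),
    Rule("pass", sid=2, dest_port=443),
]


def demo():
    """Same rules, same flow, different verdict depending on ordering mode."""
    flow = Flow(443, "bad.example.com")
    return {
        "default": evaluate_default_order(RULES, flow),  # ("pass", 2)
        "strict": evaluate_strict_order(RULES, flow),    # ("drop", 1)
    }


if __name__ == "__main__":
    for r in RULES:
        print(r.to_suricata())
    print(demo())
```

Running it prints the two rendered Suricata rules and then shows that the flow to bad.example.com is passed under action order (the pass rule is evaluated first) but dropped under strict order (the drop rule is listed first). When you write a domain deny-list alongside a broad allow rule, use strict ordering or make the allow rule narrower.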


See more https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-rules-engines.html

How DNS Firewall works with AWS Network Firewall

DNS Firewall and AWS Network Firewall both support domain name filtering, but they cover different traffic. DNS Firewall inspects outbound DNS queries that pass through the Route 53 Resolver in your VPCs, and can return a custom response for blocked domain names. AWS Network Firewall filters network-layer and application-layer traffic (for example HTTP Host headers and TLS SNI), but has no visibility into queries sent to the Route 53 Resolver. Using both gives you domain-based filtering on the two distinct paths: the DNS lookup and the subsequent connection.

What is Suricata?

Suricata is an open-source network threat detection engine that can run as an intrusion detection system (IDS) or, inline, as an intrusion prevention system (IPS). It monitors network traffic to detect malicious activity such as intrusion attempts, malware infections and other security threats, inspecting packets in real time using signature-based rules and protocol anomaly detection. The AWS Network Firewall stateful engine is built on Suricata and accepts Suricata-compatible rule syntax, which is why the open-source rule sets in Lab 3 and the custom rules in Lab 4 can be loaded directly.

more info here

AWS Network Firewall Workshop Labs

Refer to the following headings when working through the content and getting stuck.

I recommend keeping these web console tabs open permanently in your browser, as you will be using them frequently:

  1. EC2 - To connect to our instances to perform testing
  2. VPC - Contains our Network Firewall resources
  3. Route53 - Contains our DNS Firewall logging
  4. CloudWatch - Contains our event logs

Getting Started > AWS Hosted Event - Event Engine

Only complete this step once, to get your login MFA code to join the workshop

Getting Started > In Your Own AWS Account

SKIP We are not running this in our own accounts.

Setup

We are participating in a workshop at an AWS-sponsored event; prerequisite: the Distributed Deployment Model or Centralized Deployment Model is already provisioned for you.

We are running Centralized Deployment Model

You do NOT need to provision resources or manually run the CloudFormation stack.

You can read the setup steps for information only, otherwise proceed to Lab 1.


Labs > Lab 1 Verify Firewall Resources

We are using Region: us-east-1

Labs > Lab 2 - Egress Web Filtering

N/A

Labs > Lab 3 - Using Open Source rules with AWS Network Firewall

Step 4. Test & monitor

Replace the "10.2.1.176" in the example filter pattern with the private IP of your own testing instance:

{$.event.src_ip = "10.2.1.176" && $.event.http.http_user_agent = "easyhttp client" && $.event.alert.signature_id = 2029569}

Inside your Session Manager window, at the command prompt type:

ifconfig eth0 | grep 'inet ' | awk '{print $2}'

If ifconfig is not installed on the AMI (newer Amazon Linux images omit net-tools), hostname -I or ip -4 -o addr show gives the same address.

Or, in the AWS Console go to the EC2 console, select the instance ID, and under the Details tab you will find Private IPv4 addresses.
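To see exactly what the Lab 3 filter pattern selects, here is the same three-condition match applied offline to Network Firewall alert log records. This is an added example, not workshop code: the log lines below are constructed samples in the alert-log JSON shape (firewall_name, availability_zone, event_timestamp, event{...}), the firewall name "AnfwDemo" and the addresses are assumptions, and the signature/category strings are placeholders rather than the real text of SID 2029569.

```python
"""Apply the Lab 3 CloudWatch filter pattern to Network Firewall alert-log
lines offline.  Added example; SAMPLE_LOG is constructed, not real output."""
import json

# Constructed sample: two alert records and one netflow record, one JSON object per line.
SAMPLE_LOG = """\
{"firewall_name":"AnfwDemo","availability_zone":"us-east-1a","event_timestamp":"1700000000","event":{"timestamp":"2023-11-14T22:13:20.000000+0000","flow_id":111,"event_type":"alert","src_ip":"10.2.1.176","src_port":55012,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","signature_id":2029569,"rev":3,"signature":"constructed sample","category":"constructed sample","severity":2},"http":{"hostname":"203.0.113.10","url":"/","http_user_agent":"easyhttp client","http_method":"GET","protocol":"HTTP/1.1","length":0}}}
{"firewall_name":"AnfwDemo","availability_zone":"us-east-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":112,"event_type":"alert","src_ip":"10.2.2.50","src_port":41000,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","signature_id":2029569,"rev":3,"signature":"constructed sample","category":"constructed sample","severity":2},"http":{"hostname":"203.0.113.10","url":"/","http_user_agent":"easyhttp client","http_method":"GET","protocol":"HTTP/1.1","length":0}}}
{"firewall_name":"AnfwDemo","availability_zone":"us-east-1a","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":113,"event_type":"netflow","src_ip":"10.2.1.176","src_port":55013,"dest_ip":"203.0.113.11","dest_port":443,"proto":"TCP","app_proto":"tls","netflow":{"pkts":12,"bytes":3400,"start":"2023-11-14T22:13:21.000000+0000","end":"2023-11-14T22:13:22.000000+0000","age":1}}}
"""


def matches_filter(record, src_ip, user_agent="easyhttp client", sid=2029569):
    """Python equivalent of the CloudWatch filter pattern
    {$.event.src_ip = "<ip>" && $.event.http.http_user_agent = "easyhttp client"
     && $.event.alert.signature_id = 2029569}
    A missing field (a netflow record has no alert/http object) is simply a
    non-match, which is also how CloudWatch treats it."""
    event = record.get("event", {})
    return (
        event.get("src_ip") == src_ip
        and event.get("http", {}).get("http_user_agent") == user_agent
        and event.get("alert", {}).get("signature_id") == sid
    )


def find_alerts(log_text, src_ip, **kw):
    """Return flow_ids of matching records; lines that are not valid JSON are skipped."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if matches_filter(record, src_ip, **kw):
            hits.append(record["event"]["flow_id"])
    return hits


# Equivalent CloudWatch Logs Insights query, if you prefer it to a filter pattern
# (assumption: the log group uses the same dotted field names as above):
#   fields @timestamp, event.src_ip, event.alert.signature_id, event.http.http_user_agent
#   | filter event.src_ip = "10.2.1.176" and event.alert.signature_id = 2029569
#     and event.http.http_user_agent = "easyhttp client"

if __name__ == "__main__":
    print(find_alerts(SAMPLE_LOG, "10.2.1.176"))  # [111]
```

Only the alert from your own instance is returned; the netflow record from the same source IP is not an alert and carries no http object, so it never matches, and the identical alert from the other instance is excluded by the src_ip condition. The same three fields are what you will see populated in the CloudWatch log group when the rule fires.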

Alternative to using CloudWatch for event analysis:
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-using-amazon-opensearch-service-part-1/

Labs > Lab 4: Custom Suricata rules with Strict Rule ordering

N/A

Labs > Lab 5 - Threat Hunting with AWS Network Firewall

N/A

Labs > Lab 6 - Ingress Web Filtering using TLS Inspection

In this section you will already have the following resources deployed:

  • ALB - Fronting two web instances.
  • Certificate - HTTPS listener on the ALB bound to an ACM certificate.

An ALB and an ACM certificate already exist in the us-east-1 region.

As part of the Setup we have already created a public ACM certificate for the test domain *.workshophub.network. You can verify the public certificate exists by navigating to AWS Certificate Manager in the console (us-east-1).


After Figure 10, you'll need to update routes so that return traffic from the firewall endpoint is routed back to the Internet Gateway rather than the NAT Gateway. To do this, change the route tables associated with the firewall endpoint subnets in both Availability Zones:

  1. Route Table A.
  2. Route Table B.

In each table, update the default route (0.0.0.0/0) target from the NAT GATEWAY to the INTERNET GATEWAY.

Post-Workshop Follow Up Items

This section has specific follow up items.

TBA

AWS Network Firewall

Log Management

Firewall Management

DNS Firewall

Firewall Manager

Case Study

Self Paced Learning

AWS Ramp-Up Guide - Networking & Content Delivery
https://d1.awsstatic.com/training-and-certification/ramp-up_guides/Ramp-Up_Guide_Networking-Content-Delivery.pdf

AWS Skill Builder - Network Learning Path (42 hours)
https://explore.skillbuilder.aws/learn/learning_plan/view/125/networking-core-knowledge-badge-readiness-path-amazon


This Learning Path helps you build knowledge of AWS networking concepts and services, with a focus on Amazon VPC, AWS Cloud WAN and Amazon Route 53. It presents domain-specific content and includes courses, knowledge checks, hands-on labs, a pre-assessment and a knowledge badge assessment. The path is a guide that presents the learning in a structured order; it can be followed as presented, or you can select the content that is most beneficial to you.