This is our list of hints and tips for this workshop.
JOIN EVENT: https://catalog.workshops.aws/join
There are 3 key components of AWS Network Firewall.
A stateless rule examines individual packets independently, without considering factors such as traffic direction or existing connections. Its focus is on quick evaluation, prioritizing speed. The engine follows rules based on standard network connection attributes, processing them in the specified order and halting when a match is found. This stateless approach is comparable to the behavior of Amazon VPC network access control lists (ACLs).
A stateful rule evaluates packets within the context of their traffic flow, enabling the use of more intricate rules and facilitating logging of network traffic and firewall alerts. Unlike stateless engines, stateful rules consider traffic direction and may delay packet delivery to examine packets as a group. By default, this engine processes rules based on their action setting order, giving priority to pass rules, followed by drop rules and then alert rules. The processing stops upon finding a match.
See more https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-rules-engines.html
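To make the difference between the two stateful evaluation orders concrete, here is a small added simulation (example code, not from the workshop or from AWS) of how a stateful rule group with the default action order evaluates simplified Suricata-style rules: pass rules first, then drop, then alert, stopping at the first match, versus plain file order. The rule set, packets and the `no-match` result are constructed for the example; the parser handles only a minimal subset of Suricata syntax.

```python
import re
from dataclasses import dataclass

# Minimal Suricata-style syntax: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(pass|drop|alert)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)
# Default action order of the stateful engine: pass, then drop, then alert
DEFAULT_ORDER = {"pass": 0, "drop": 1, "alert": 2}

# Constructed rule set; 10.2.1.176 is the sample test-instance IP used in the labs
SAMPLE_RULES = """
drop tcp any any -> any 80 (msg:"block plain HTTP"; sid:1;)
pass tcp any any -> 10.2.1.176 80 (msg:"allow HTTP to test instance"; sid:2;)
alert tcp any any -> any 443 (msg:"log TLS"; sid:3;)
"""

@dataclass
class Rule:
    action: str
    proto: str
    dst: str
    dport: str
    sid: str

def parse_rules(text):
    """Parse rule lines into Rule objects, keeping their file order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse rule: {line}")
        action, proto, _src, _sport, dst, dport, opts = m.groups()
        sid = re.search(r"sid:\s*(\d+)", opts)
        rules.append(Rule(action, proto.lower(), dst, dport, sid.group(1) if sid else "?"))
    return rules

def _matches(rule, pkt):
    proto_ok = rule.proto in ("ip", pkt["proto"])
    dst_ok = rule.dst == "any" or rule.dst == pkt["dst"]
    port_ok = rule.dport == "any" or rule.dport == str(pkt["dport"])
    return proto_ok and dst_ok and port_ok

def evaluate(rules, pkt, strict_order=False):
    """Return (action, sid) of the first matching rule, or ("no-match", None).
    Default order sorts by action (sorted() is stable, so file order is kept
    within each action group); strict_order keeps the file order as written."""
    ordered = rules if strict_order else sorted(rules, key=lambda r: DEFAULT_ORDER[r.action])
    for r in ordered:
        if _matches(r, pkt):
            return r.action, r.sid
    return "no-match", None
```

The same HTTP packet to 10.2.1.176 is passed under the default order (sid 2 wins) but dropped under file order (sid 1 is reached first), which is the point to keep in mind when a pass rule appears after a drop rule in a rule group.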
DNS Firewall and AWS Network Firewall both support domain name filtering, but they cater to different types of traffic. DNS Firewall focuses on outbound DNS queries passing through the Route 53 Resolver within VPCs, allowing for custom responses to blocked domain names. On the other hand, AWS Network Firewall provides filtering for both network and application layer traffic, but lacks visibility into queries made to the Route 53 Resolver. Combining both solutions enables domain-based filtering for application layer traffic across distinct network paths.
Suricata is an open-source network threat detection engine and intrusion detection system (IDS). It is designed to monitor network traffic and detect malicious activities, such as intrusion attempts, malware infections, and other security threats. Suricata is capable of inspecting network packets in real-time and can be used for both signature-based and anomaly-based detection.
Refer to the following headings when working through the content and getting stuck.
I recommend having these web console tabs open permanently in your browser, as you will be using them frequently:
Only complete this step once, to get your login MFA code to join the workshop
SKIP We are not running this in our own accounts.
We are participating in a workshop at an AWS sponsored event. Prerequisite: the Distributed Deployment Model or Centralized Deployment Model has already been provisioned for you.
We are running Centralized Deployment Model
You can read the setup steps for information only, otherwise proceed to Lab 1.
We are using Region: us-east-1
N/A
Replace the "10.2.1.176" used in the example with the private IP of your own testing instance.
Inside your session manager window at the command prompt type:
Or, inside the AWS Console go to your EC2 Console, select the instance ID and under the details tab you will find Private IPv4 addresses
N/A
N/A
By the end of this section you will have the following:
As a part of the Setup we have already created a public ACM certificate for the test domain *.workshophub.network. You can verify the public certificate exists by navigating here
After Figure 10, you'll need to update routes to make sure return traffic from the firewall endpoint is routed back to the Internet Gateway. To do this we make changes to the routing tables associated with the firewall endpoint subnets, in both subnets:
Update the default route (0.0.0.0/0) target from NAT GATEWAY to INTERNET GATEWAY
This section has specific follow up items.
TBA
AWS Network Firewall
Log Management
Firewall Management
DNS Firewall
Firewall Manager
AWS Ramp-Up Guide - Networking & Content Delivery
https://d1.awsstatic.com/training-and-certification/ramp-up_guides/Ramp-Up_Guide_Networking-Content-Delivery.pdf
AWS Skill Builder - Network Learning Path (42 hours)
https://explore.skillbuilder.aws/learn/learning_plan/view/125/networking-core-knowledge-badge-readiness-path-amazon
This Learning Path helps you build knowledge on AWS networking concepts and services with a focus on Amazon VPC, AWS Cloud WAN, and Amazon Route 53. This Learning Path presents domain-specific content and includes courses, knowledge checks, hands-on labs, a pre-assessment and a knowledge badge assessment. This path is a guide and presents learning in a structured order; it can be used as presented, or you can select the content that is most beneficial.