AWS Network Firewall

AWS Network Firewall is a managed network security service that provides protection for your Amazon VPC networks. It allows you to deploy network security across your VPCs with just a few clicks, without the need to provision or manage any infrastructure.

Network Firewall provides fine-grained control over network traffic, allowing you to create firewall rules that provide protections like blocking outbound Server Message Block (SMB) requests to prevent the spread of malware, or disallowing domains and IP addresses that pose threats. AWS Network Firewall includes stateful inspection, intrusion prevention, and web filtering. The service uses rule groups to define network traffic inspection and filtering behaviors. These rule groups can be shared and reused across multiple firewalls, simplifying management for large or complex networks. Network Firewall integrates with other AWS services like CloudWatch for logging and monitoring, and AWS Firewall Manager for centralized management of the firewalls across your accounts and VPCs.

When implementing AWS Network Firewall, it is crucial to consider your network architecture and traffic flow patterns. The service is designed to protect traffic at the perimeter of your VPC, so proper placement within your network topology is essential. You’ll need to update your VPC route tables to direct traffic through the firewall endpoints (which are built on AWS Gateway Load Balancer endpoints).

AWS Network Firewall can be integrated into various network designs. In a simple single-AZ Internet gateway setup, you can place the firewall between your VPC and the Internet gateway, inspecting all inbound and outbound traffic. See Figure 1.



Figure 1 - AWS Network Firewall deployed in a single AZ and traffic flow for a workload in a public subnet

For multi-AZ architectures, you can deploy firewall endpoints in multiple AZs for high availability and fault tolerance. In more complex setups involving NAT gateways, you can position the firewall to inspect traffic both before and after NAT translation, providing comprehensive protection. Another common architecture involves using AWS Network Firewall with a transit gateway (TGW). In this design, the firewall can be placed between the transit gateway and the Internet gateway, allowing it to inspect traffic from multiple VPCs that are connected via the TGW. This centralized approach can simplify management and provide consistent security policies across your entire network infrastructure.

In Figure 2, you can see a partial view of the configuration parameters for creating the firewall; the complete set of parameters is described here:

  • Name: NFW1 (a string).
  • VPC and Subnets: The associated VPC and the subnets in which the firewall endpoints are created.
  • Advanced settings: Enable protection against changes and configure a customer-managed key (using AWS KMS) to encrypt and decrypt your resources.
  • Associated Firewall policy: The firewall policy contains a list of rule groups that define how the firewall inspects and manages web traffic. You can configure the associated firewall policy after you create the firewall.
    • Firewall Policy: Create and associate an empty firewall policy, or associate an existing firewall policy.
    • New Firewall Policy Name: NFW1-Policy.
    • Rule Evaluation Order: Strict order (recommended). Rules are processed in the order that you define, starting with the first rule.
    • Drop Action: Set to Drop established, which means that only the traffic you explicitly allow via your firewall rules is permitted, and everything else is denied/dropped.
    • Alert Action: Set to All and Established, which generates an alert message for each matching rule. To send the alert messages to the firewall logs, add a logging configuration to the firewall after creation.
  • Tags


Figure 2 - AWS Network Firewall creation


Figure 3 displays the overview once AWS Network Firewall creation is complete. From here, you can implement your security requirements by creating rule groups, which come in two types: AWS-managed rule groups (provided and maintained by AWS) and custom rule groups (created and maintained by you).


Figure 3 - AWS Network Firewall overview

In Figure 4, you can create different rules inside the NFW1-Policy that was added during the Network Firewall creation process. In the Stateful rule group section you can add unmanaged rule groups (Custom) or managed stateful rule groups (BotNetCommandAndControlDomainsStrictOrder, AbusedLegitBotNetCommandAndControlDomainsStrictOrder, MalwareDomainsStrictOrder). Click on the managed rules to add new rules. This will open the screen shown in Figure 5. More information is available at 
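The same posture the console walkthrough above configures (strict order, Drop established, Alert all, the three managed rule groups, and alert logging) expressed as the policy documents the Network Firewall API takes, plus a check that flags a policy that lacks a default drop or alert. This is an added example, not code from the original post; the region, log group name and the mapping of the console's "All" alert choice to `aws:alert_strict` are assumptions.

```python
# Added example: build the NFW1-Policy posture as API documents and check a policy for it.
import json

MANAGED_GROUPS = [  # the three managed stateful rule groups named in the walkthrough
    "BotNetCommandAndControlDomainsStrictOrder",
    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
    "MalwareDomainsStrictOrder",
]

def managed_group_arn(region: str, name: str) -> str:
    # ARN pattern AWS uses for its managed stateful rule groups (region is assumed)
    return f"arn:aws:network-firewall:{region}:aws-managed:stateful-rulegroup/{name}"

def build_strict_order_policy(region: str, groups=MANAGED_GROUPS) -> dict:
    """FirewallPolicy body for `aws network-firewall create-firewall-policy`."""
    return {
        # stateless layer hands everything to the stateful engine
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        # in strict order, Priority is the evaluation position of each group
        "StatefulRuleGroupReferences": [
            {"ResourceArn": managed_group_arn(region, g), "Priority": i}
            for i, g in enumerate(groups, start=1)
        ],
        # "Drop established" and "Alert all" from the console walkthrough
        "StatefulDefaultActions": ["aws:drop_established", "aws:alert_strict"],
    }

def alert_logging_config(log_group: str) -> dict:
    """LoggingConfiguration body for `update-logging-configuration` (log group assumed)."""
    return {"LogDestinationConfigs": [{
        "LogType": "ALERT",
        "LogDestinationType": "CloudWatchLogs",
        "LogDestination": {"logGroup": log_group},
    }]}

def policy_issues(policy: dict) -> list:
    """Posture check for a FirewallPolicy document, e.g. from describe-firewall-policy."""
    issues = []
    if policy.get("StatefulEngineOptions", {}).get("RuleOrder") != "STRICT_ORDER":
        issues.append("rule order is not STRICT_ORDER")
    defaults = set(policy.get("StatefulDefaultActions", []))
    if not defaults & {"aws:drop_strict", "aws:drop_established"}:
        issues.append("no default drop: traffic matching no rule is allowed")
    if not defaults & {"aws:alert_strict", "aws:alert_established"}:
        issues.append("no default alert: default drops produce no alert log entries")
    return issues

if __name__ == "__main__":
    print(json.dumps(build_strict_order_policy("us-east-1"), indent=2))
```

Save the printed JSON to a file and pass it as `--firewall-policy file://policy.json`; run `policy_issues` over a policy you already have to confirm it still denies by default.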



Figure 4 - Managed Rules overview


Figure 5 - Managed Rules to add at NFW1-Policy


Thant Zin Phyo@Cracky (MCT, MCE, MVP, AWS CB)
