Using AWS Network Firewall
AWS Network Firewall is a stateful, managed service that provides a high level of control over network traffic, allowing advanced traffic filtering at the perimeter of your VPCs and optionally between subnets. This includes traffic going to and coming from an IGW, NAT gateway, or VPN, as well as traffic between a VPC's subnets.
Significant aspects
Let’s take a closer look at the advanced features that make AWS Network Firewall a compelling option for enhancing VPC security:
- Internet content screening: AWS Network Firewall offers internet content screening for both incoming and outgoing traffic, including encrypted web traffic. For HTTPS, it utilizes the unencrypted server name indication (SNI) extension of TLS to identify and scrutinize the destination fully qualified domain name (FQDN) a client is trying to access.
- Active threat mitigation: AWS Network Firewall incorporates active threat mitigation capabilities, functioning similarly to an IPS. This helps in identifying harmful network traffic that matches known threat signatures. AWS offers various managed rules that can be activated either in a monitor-only mode or a blocking mode. These rules encompass a broad spectrum of threats, including botnets, DoS attacks, and web attacks, and are continuously updated by AWS.
- Inspection of encrypted traffic: A notable feature of AWS Network Firewall is its capability to inspect inbound encrypted traffic. Coupled with the threat mitigation capability, this feature enables inspection of the encrypted traffic entering your VPCs by decrypting TLS traffic and blocking malicious content on the fly.
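To make the first two points concrete, here is an added Terraform example (not taken from the text above or from AWS documentation) of a stateful rule group that allowlists egress destinations by HTTP Host header and TLS SNI, and a firewall policy that attaches it together with an AWS managed threat-signature group in monitor-only mode. The names, CIDR, domains, region and the managed rule group name are assumptions; confirm the managed group with `aws network-firewall list-rule-groups --scope MANAGED`.

```hcl
# Added example, not the original page's or AWS's code. Assumed values are marked.
resource "aws_networkfirewall_rule_group" "egress_allowlist" {
  name     = "egress-domain-allowlist" # assumed name
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET" # only flows from these subnets are matched
        ip_set {
          definition = ["10.0.0.0/16"] # assumed VPC CIDR
        }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"               # listed FQDNs pass, all others drop
        target_types         = ["TLS_SNI", "HTTP_HOST"]  # unencrypted SNI + plain HTTP Host
        targets              = [".example.com", "updates.example.net"] # assumed; leading dot = subdomains
      }
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "egress-inspection" # assumed name

  firewall_policy {
    # Hand every packet (and fragment) to the stateful engine for inspection.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER" # required for the managed *StrictOrder groups
    }
    # Drop established flows no rule explicitly passed, and log them.
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]

    # AWS managed botnet signatures first; DROP_TO_ALERT makes them monitor-only.
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = "arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/ThreatSignaturesBotnetStrictOrder" # assumed region/name
      override {
        action = "DROP_TO_ALERT"
      }
    }
    stateful_rule_group_reference {
      priority     = 2
      resource_arn = aws_networkfirewall_rule_group.egress_allowlist.arn
    }
  }
}
```

Switching the managed group from monitor-only to blocking is a matter of removing the `override` block once the alert logs show no false positives.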
Use cases
AWS Network Firewall shines in environments that require precise control over network traffic. It is capable of filtering traffic based on complex rules and can scrutinize traffic entering or leaving your VPCs through deep packet inspection. This level of scrutiny enables identifying and blocking sophisticated threats that may not be detected through standard header-based inspection methods.
The decision to use AWS Network Firewall in conjunction with, or as a replacement for, NACLs and security groups hinges on your unique needs and the complexity of your network traffic. NACLs and security groups offer a fundamental level of security, but AWS Network Firewall provides more nuanced control and advanced features such as encrypted traffic inspection. However, managing three security layers can be complex and may not be necessary for all use cases. Hence, it is generally considered suitable to substitute AWS Network Firewall for NACLs, while keeping security groups stringent so that protection at the individual resource level remains adequate.
For environments with straightforward, predictable network traffic where security needs are met with NACLs and security groups, incorporating AWS Network Firewall may not yield significant additional benefits. However, for environments with complex network traffic, a need to inspect encrypted traffic, or a requirement for high-level network traffic control, AWS Network Firewall can be a valuable enhancement to your security infrastructure.
Furthermore, AWS Network Firewall is engineered to scale automatically with your network traffic, making it particularly suitable for large environments with multiple VPCs and accounts. AWS Network Firewall integrates with AWS Firewall Manager, enabling you to manage security policies centrally and automatically enforce mandatory security policies across existing and new AWS accounts and VPCs.
In conclusion, AWS Network Firewall is a potent tool for managing and tightly controlling network traffic in your VPCs. It offers a high level of control and a range of advanced features, making it a valuable addition to infrastructures requiring an advanced level of network security.
Shifting from foundational security mechanisms to advanced shields, let’s explore AWS Shield and AWS Web Application Firewall (WAF) implementation.