AWS recently added AWS Network Firewall to its service offerings. AWS Network Firewall is a Layer 4 security device that complements network ACLs and security groups, and that can also inspect VPC-to-VPC traffic. Priced at over $250 per month per interface, it is mostly aimed at large organizations with strict security requirements.
The network firewall is usually deployed in dedicated subnets in each availability zone inside a VPC (the "firewall subnets"). Like a transit gateway, it deploys a network interface inside each of those subnets. The traffic to be inspected is then routed to those NICs before being routed to the internet gateway. The firewall endpoint does not perform network address translation, and can be deployed before or after a NAT gateway, depending on whether the traffic analyzed is internal or not.
In the scenario above, the traffic from the internal EC2 instances in the protected subnet is routed to the firewall endpoint in the firewall subnet, inspected with stateless and stateful inspections, and then routed to the internet gateway. Similarly, the traffic coming from the internet that wants to reach the protected subnet is routed first through the firewall endpoint.
Centralized vs Distributed Deployments
The scenario above demonstrates how to deploy a single firewall endpoint in a single availability zone. In more realistic scenarios, we would want to protect multiple subnets in multiple AZs, and also analyze the traffic between VPCs and with on-premises datacenters. The deployment architectures for those scenarios are either distributed or centralized.
In a distributed deployment, a separate firewall endpoint is added in each availability zone, and an ingress route table is attached to the internet gateway to route the incoming traffic to the correct firewall endpoint for inspection. This configuration is relatively straightforward to implement, but it does not scale very well to complex requirements, and can get expensive at $250 per month per interface.
An alternative approach is to deploy the firewall endpoints inside a dedicated inspection VPC. Under this scenario, traffic from the protected VPCs is routed first to the transit gateway, which redirects all egress traffic to the inspection VPC. The traffic is then analyzed by the firewall endpoint and sent back to the transit gateway. The transit gateway then routes the inspected traffic (through a separate route table) to the correct destination. This scenario can be quite complex to set up, but allows for greater flexibility. It can inspect both internal traffic (VPC-to-VPC, VPC-to-VPN or Direct Connect) and ingress/egress internet traffic.
Configuring the AWS Network Firewall
When creating the Network Firewall, we must select the firewall subnets in which we want to deploy a firewall endpoint, and then associate a firewall policy with the endpoints. The firewall policy is composed of stateless rule groups and stateful rule groups.
Stateless Rule Groups
A stateless rule inspects TCP/IP traffic using a 5-tuple (source IP, source port, destination IP, destination port, protocol). It can also match traffic on TCP flags (ACK, SYN, FIN, URG, PSH, ECE, CWR, RST). It then decides whether to let the traffic pass, drop it, or forward it to the stateful rule groups. An interesting option for stateless rules is a custom action, which publishes metrics for the traffic matching a rule to a custom CloudWatch metric dimension. The firewall has a stateless maximum capacity of 10,000 units.
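As an added example (not code from the original post, nor AWS's own), the following Python builds one such stateless rule group in the dictionary shape that boto3's create_rule_group call for the network-firewall service accepts: one rule counts new outbound SSH connections through a custom action and forwards them to the stateful engine, and a second drops inbound telnet/rlogin outright. The subnet, ports, priorities, action name and metric dimension are made-up sample values. The capacity estimate applies the multiplicative per-setting counting that AWS documents for stateless rules; treat it as an approximation, not the service's own calculation.

```python
"""Build and sanity-check an AWS Network Firewall stateless rule group (added example)."""

STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}
MATCH_SETTINGS = ("Sources", "Destinations", "SourcePorts",
                  "DestinationPorts", "Protocols", "TCPFlags")


def build_rule_group():
    """Sample group; all addresses, ports and names are constructed values."""
    return {"RulesSource": {"StatelessRulesAndCustomActions": {
        "StatelessRules": [
            {   # new outbound SSH (SYN without ACK): publish a metric, then hand to stateful engine
                "Priority": 10,
                "RuleDefinition": {
                    "MatchAttributes": {
                        "Sources": [{"AddressDefinition": "10.0.1.0/24"}],      # sample protected subnet
                        "Destinations": [{"AddressDefinition": "0.0.0.0/0"}],
                        "SourcePorts": [{"FromPort": 0, "ToPort": 65535}],
                        "DestinationPorts": [{"FromPort": 22, "ToPort": 22}],
                        "Protocols": [6],                                      # TCP
                        "TCPFlags": [{"Flags": ["SYN"], "Masks": ["SYN", "ACK"]}],
                    },
                    "Actions": ["aws:forward_to_sfe", "CountOutboundSSH"],
                },
            },
            {   # inbound telnet or rlogin toward the subnet: drop without further inspection
                "Priority": 20,
                "RuleDefinition": {
                    "MatchAttributes": {
                        "Destinations": [{"AddressDefinition": "10.0.1.0/24"}],
                        "DestinationPorts": [{"FromPort": 23, "ToPort": 23},
                                             {"FromPort": 513, "ToPort": 513}],
                        "Protocols": [6],
                    },
                    "Actions": ["aws:drop"],
                },
            },
        ],
        "CustomActions": [
            {   # referenced by rule 10; emits a CloudWatch metric carrying this dimension value
                "ActionName": "CountOutboundSSH",
                "ActionDefinition": {"PublishMetricAction": {"Dimensions": [{"Value": "outbound_ssh"}]}},
            }
        ],
    }}}


def validate(rule_group):
    """Return the problems the API would reject (empty list means the group looks valid)."""
    src = rule_group["RulesSource"]["StatelessRulesAndCustomActions"]
    defined = {c["ActionName"] for c in src.get("CustomActions", [])}
    problems, seen = [], set()
    for rule in src["StatelessRules"]:
        prio = rule["Priority"]
        if prio in seen:
            problems.append(f"priority {prio} used twice")
        seen.add(prio)
        actions = rule["RuleDefinition"]["Actions"]
        std = [a for a in actions if a in STANDARD_ACTIONS]
        if len(std) != 1:
            problems.append(f"priority {prio}: need exactly one aws: action, got {std}")
        for a in actions:
            if a not in STANDARD_ACTIONS and a not in defined:
                problems.append(f"priority {prio}: undefined custom action {a!r}")
        for tf in rule["RuleDefinition"]["MatchAttributes"].get("TCPFlags", []):
            flags, masks = set(tf.get("Flags", [])), set(tf.get("Masks", []))
            if not (flags <= TCP_FLAGS and masks <= TCP_FLAGS):
                problems.append(f"priority {prio}: unknown TCP flag")
            elif masks and not flags <= masks:      # an empty Masks means "consider all flags"
                problems.append(f"priority {prio}: Flags must be a subset of Masks")
    return problems


def estimate_capacity(rule_group):
    """Approximation: per rule, multiply the value counts of each match setting (unset = 1)."""
    src = rule_group["RulesSource"]["StatelessRulesAndCustomActions"]
    total = 0
    for rule in src["StatelessRules"]:
        attrs = rule["RuleDefinition"]["MatchAttributes"]
        cost = 1
        for setting in MATCH_SETTINGS:
            cost *= max(1, len(attrs.get(setting, [])))
        total += cost
    return total


if __name__ == "__main__":
    rg = build_rule_group()
    print("problems:", validate(rg))
    print("estimated capacity:", estimate_capacity(rg))
    # To create it for real (needs AWS credentials; deliberately not run here):
    # boto3.client("network-firewall").create_rule_group(
    #     RuleGroupName="egress-stateless", Type="STATELESS",
    #     Capacity=estimate_capacity(rg), RuleGroup=rg)
```

Running the pre-flight check locally is cheap insurance: a rule group's capacity is fixed at creation, and a reference to a custom action that is not defined in the same group is rejected by the API, so catching both before the call avoids a round of failed deployments.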
Stateful Rule Groups
Stateful rule groups can also inspect traffic using a 5-tuple, either in the forward direction only or in both directions. They also support blocking traffic using a domain list. Finally, they support Suricata-compatible IPS rules. Suricata is an open-source network intrusion detection and prevention system.
A Suricata rule is a string like the following that describes precisely what traffic to match.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python shell spawn attempt"; flow:established,to_client; content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)
This rule logs an entry whenever a python shell spawn attempt is detected. The AWS Network Firewall has a stateful maximum capacity of 30,000 units.
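To make the structure of that rule concrete, here is an added example (not code from the original post, from Suricata, or from AWS): a small Python reader that splits a Suricata rule into its header fields (action, protocol, source, source port, direction, destination, destination port) and its semicolon-separated options, and decodes the |hex| sections of a content match into the bytes the engine actually looks for. The rule string is the one quoted above; the parser is a minimal reader for that grammar, not a full Suricata implementation.

```python
"""Minimal Suricata rule reader (added example): header fields, options, content decoding."""
import re
from dataclasses import dataclass

# header: action proto src src_port direction dst dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)

# The rule quoted in the post (ET sid 2017317).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ATTACK_RESPONSE python '
        'shell spawn attempt"; flow:established,to_client; '
        'content:"pty|2e|spawn|2822|/bin/sh|2229|"; depth:64; classtype:trojan-activity; '
        'sid:2017317; rev:2; metadata:created_at 2013_08_12, updated_at 2013_08_12;)')


@dataclass
class SuricataRule:
    action: str
    proto: str
    src: str
    src_port: str
    direction: str
    dst: str
    dst_port: str
    options: list  # ordered (keyword, value) pairs; value is None for bare keywords

    def option(self, keyword):
        """First value for a keyword (keywords such as content may appear more than once)."""
        return next((v for k, v in self.options if k == keyword), None)


def split_options(body):
    """Split the option body on ';' separators that are outside double quotes."""
    parts, buf, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:                  # keep a backslash-escaped character verbatim
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return [p for p in parts + [tail] if p]


def parse_rule(text):
    """Parse one rule line into a SuricataRule; raises ValueError on a malformed header."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Suricata rule")
    options = []
    for item in split_options(m.group("options")):
        key, sep, value = item.partition(":")
        options.append((key.strip(), value.strip() if sep else None))
    fields = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
    return SuricataRule(*(m.group(f) for f in fields), options=options)


def decode_content(value):
    """Return the raw bytes a content: match looks for.

    Text between a pair of pipes is hex; text outside pipes is literal, with
    Suricata's backslash escapes (quote, semicolon, colon, backslash) removed.
    """
    text = value.strip('"')
    out = bytearray()
    for i, chunk in enumerate(text.split("|")):
        if i % 2:                    # odd-numbered chunks sit between pipes
            out += bytes.fromhex(chunk)
        else:
            out += re.sub(r'\\([";:\\])', r"\1", chunk).encode()
    return bytes(out)


if __name__ == "__main__":
    rule = parse_rule(RULE)
    print(rule.action, rule.proto, rule.src, rule.direction, rule.dst, "sid", rule.option("sid"))
    print("payload the engine matches:", decode_content(rule.option("content")))
```

Decoding the content option is the useful part for a reviewer: the pipe-delimited hex hides the parentheses and quotes, and only once expanded is it obvious that the signature is looking for the literal string pty.spawn("/bin/sh") in server-to-client traffic (flow:established,to_client), which is why it is classified as an attack response rather than an inbound exploit.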
The AWS Network Firewall can be configured to log stateful rule group activity: either every flow it analyzes, or the alerts raised by rules with an action of alert, like the example above. The logs can be sent to an S3 bucket, to a Kinesis Data Firehose delivery stream, or to a CloudWatch log group.
Comparison to other AWS Services
Web Application Firewall. WAF is a security product that can be placed at the edge of a network to analyze HTTP/HTTPS requests. It is usually deployed in front of a CloudFront distribution, application load balancer, AppSync API, or API Gateway. It can detect common HTTP exploits (OWASP Top 10) such as cross-site request forgery, cross-site scripting, and SQL injection. Unlike Network Firewall, it does not reside inside a VPC, and it is not able to protect inter-VPC traffic or analyze egress traffic.
Network ACL. Network access control lists are sets of security rules that are configured on a subnet. Network ACLs are stateless, so both inbound and outbound rules have to be configured. You can configure a maximum of 20 NACL rules per subnet, so the filtering possible is quite coarse compared to the 10,000 stateless capacity units and 30,000 stateful capacity units of an AWS Network Firewall. NACLs should be used in conjunction with network firewalls: NACLs provide the coarse rules that restrict access to a subnet, while network firewalls further analyze the traffic.
Security Groups. Security groups are rules applied to a group of network interfaces. They are stateful, and act as a virtual firewall for the instances in that group. They can also be configured to allow traffic from other security groups, which gives a lot of flexibility. Security groups should also be used in conjunction with network firewalls, because they can restrict traffic to and from instances within a subnet. However, they do not have the advanced filtering capabilities present in AWS Network Firewall.
AWS Network Firewall is priced per interface provisioned ($0.395 per interface per hour) plus the cost of the bandwidth it analyzes, which can get expensive quite quickly. AWS also waives the NAT Gateway fee when AWS Network Firewall is deployed together with a NAT Gateway.
For every hour you have a Network Firewall interface provisioned, you receive a free NAT Gateway hour. Also, for every GB analyzed by the Network Firewall, you are entitled to 1 free GB of NAT Gateway traffic.
In addition to the hourly charge and the throughput charge, you will also be charged for logging if you enable it in AWS Network Firewall.
AWS Network Firewall is a great product for large organizations with very strict security requirements. It has been generally available since November 2020, and is currently only available in selected regions (North Virginia, Oregon, and Ireland). Combined with the other AWS security services, AWS Network Firewall can be a good addition to your arsenal.