DEV Community

Vivesh
Vivesh

Posted on

Network Security Groups (NSGs) and Firewalls

#networking #cloud #security #devops

Network Security Groups (NSGs) and firewalls are critical components of modern network security. They protect resources from unauthorized access, mitigate threats, and ensure compliance with security policies.

1. What are Network Security Groups (NSGs)?

NSGs are a feature in cloud platforms like AWS, Azure, and Google Cloud that act as virtual firewalls. They control inbound and outbound traffic to resources like virtual machines (VMs) based on rules.

Key Features:

  • Stateful Rules: NSGs remember the state of traffic (e.g., if inbound traffic is allowed, corresponding outbound traffic is automatically allowed).
  • Rule-Based Control: Allow or deny traffic based on parameters like source/destination IP, port number, and protocol.
  • Resource-Specific: NSGs can be associated with individual resources or subnets.

2. What are Firewalls?

A firewall is a network security system that monitors and controls incoming and outgoing traffic based on predetermined rules. It can be hardware-based, software-based, or cloud-native.

Types of Firewalls:

  1. Packet-Filtering Firewalls: Analyze packets based on headers (source/destination IP, port).
  2. Stateful Firewalls: Track traffic sessions and determine whether packets belong to an established connection.
  3. Next-Generation Firewalls (NGFWs): Incorporate advanced features like deep packet inspection (DPI), intrusion detection, and application filtering.

3. Importance of NSGs and Firewalls

a. Protect Resources

  • NSGs and firewalls prevent unauthorized access by filtering traffic at the network or resource level.
  • Example: Denying SSH (port 22) access to all IPs except a trusted one.

b. Mitigate Security Threats

  • Block malicious traffic such as DDoS attacks, port scans, and brute force attacks.
  • Use firewalls with intrusion detection/prevention systems (IDS/IPS) for advanced threat protection.

c. Ensure Network Segmentation

  • NSGs enable micro-segmentation by isolating resources within a virtual network.
  • Firewalls enforce segmentation across different networks or environments (e.g., on-premises to cloud).

d. Meet Compliance Requirements

  • Many regulations (e.g., PCI-DSS, GDPR) mandate network-level security controls to protect sensitive data.
  • Properly configured NSGs and firewalls help demonstrate compliance during audits.

e. Enable Granular Access Control

  • Define specific rules for traffic flow.
  • Example: Allow HTTPS traffic (port 443) to a web server but block other ports.

f. Simplify Security Management

  • Cloud-native NSGs provide centralized management for resource-specific security rules.
  • Firewalls offer visibility and control over network traffic across an entire organization.

4. Key Differences: NSGs vs. Firewalls

Aspect Network Security Groups (NSGs) Firewalls
Scope Resource-specific or subnet-specific. Network-wide or application-wide.
Features Basic rule-based traffic filtering. Advanced features like IDS/IPS, DPI, etc.
Complexity Simple to configure and lightweight. More complex, suitable for layered security.
Use Case Securing individual VMs or subnets. Securing entire networks or hybrid setups.

5. Best Practices for NSGs and Firewalls

For NSGs:

  1. Follow the Principle of Least Privilege:
    • Allow only the necessary ports and protocols (e.g., allow SSH only from trusted IPs).
  2. Use Deny-All Rule:
    • Create a default rule to deny all traffic and explicitly allow necessary ones.
  3. Regular Audits:
    • Review and update NSG rules periodically to remove outdated ones.

For Firewalls:

  1. Enable Logging and Monitoring:
    • Track firewall activity to identify unusual patterns or breaches.
  2. Use Layered Security:
    • Combine firewalls with other tools like IDS/IPS for enhanced protection.
  3. Keep Firmware Updated:
    • Ensure firewalls are running the latest software to avoid vulnerabilities.

6. Real-Life Example

In a cloud environment, a web application might use:

  • An NSG to allow HTTP (port 80) and HTTPS (port 443) traffic to a web server, while blocking all other ports.
  • A firewall appliance to protect against threats like SQL injection and cross-site scripting (XSS) attacks.

Task: Configure Security Groups in AWS for Your Application

AWS Security Groups act as virtual firewalls for controlling inbound and outbound traffic to your AWS resources like EC2 instances. Here's how to configure them for a web application.

1. Identify Your Application's Traffic Requirements

For a typical web application:

  • Inbound Traffic:

    • Allow HTTP (port 80) and HTTPS (port 443) for web access.
    • Allow SSH (port 22) for administrative access from trusted IPs.
    • Allow database traffic (e.g., port 3306 for MySQL) if the application connects to a database.

  • Outbound Traffic:

    • Allow all outbound traffic (default) for accessing external services or APIs.

2. Steps to Configure Security Groups

Step 1: Log in to AWS Console

  • Navigate to the EC2 Dashboard.
  • Click on Security Groups under the Network & Security section.

Step 2: Create a New Security Group

  1. Click Create Security Group.
  2. Provide the following details:
    • Name: WebApp-SG
    • Description: Security group for web application.
    • VPC: Select the VPC where your application resources are deployed.

Step 3: Add Inbound Rules

  1. Click Add Rule and configure the following:

    • HTTP (port 80):
      • Type: HTTP
      • Protocol: TCP
      • Port Range: 80
      • Source: 0.0.0.0/0 (or restrict to specific IPs or ranges if necessary).
    • HTTPS (port 443):
      • Type: HTTPS
      • Protocol: TCP
      • Port Range: 443
      • Source: 0.0.0.0/0 (or restrict as needed).
    • SSH (port 22):
      • Type: SSH
      • Protocol: TCP
      • Port Range: 22
      • Source: Your trusted IP (e.g., 192.168.1.1/32).
    • Database Access (if required):
      • Type: Custom TCP Rule
      • Protocol: TCP
      • Port Range: 3306 (MySQL example)
      • Source: Security group of the application server (to limit access to only the app).

  2. Click Save Rules.

Step 4: Add Outbound Rules (Optional)

  • By default, all outbound traffic is allowed. If you want to restrict it:
    • Add specific rules for outgoing traffic, e.g., allowing traffic to a database or external APIs.

Step 5: Attach the Security Group to Resources

  1. Navigate to your EC2 instances or other AWS resources.
  2. Select the instance, click Actions > Networking > Change Security Groups.
  3. Add the newly created security group (WebApp-SG).

3. Best Practices for Security Groups

  1. Principle of Least Privilege:
    • Only allow the necessary ports and IP ranges.
  2. Use Security Group References:
    • Instead of IPs, reference other security groups (e.g., allow database traffic from the app server's security group).
  3. Regular Audits:
    • Periodically review security group rules and remove unused ones.
  4. Use Descriptive Names:
    • Make security groups easy to identify and manage.

Example Security Group Configuration

Rule Protocol Port Range Source Description
HTTP TCP 80 0.0.0.0/0 Allow public HTTP access.
HTTPS TCP 443 0.0.0.0/0 Allow public HTTPS access.
SSH TCP 22 192.168.1.1/32 Allow SSH from admin IP.
MySQL (Database) TCP 3306 sg-12345678 (App SG) Allow database access.

Happy Learning !!!

Top comments (0)

Read next

esproc_spl profile image

SPL: a database language featuring easy writing and fast running

Judy -

solitrix02 profile image

How to configure Free SSL Certificate on Nginx using Certbot

Sanchit Bajaj -

yayabobi profile image

Top 12 AI Test Automation Tools for Smarter Software Testing in 2025

yayabobi -

harshpandhe profile image

Day 02: Docker Installation: Setting Up Docker on Various Platforms

Harsh Pandhe -