AWS Network Firewall is a powerful tool that empowers organizations to secure their applications and infrastructure in the cloud. Understanding how to set up and configure the AWS Network Firewall is crucial for ensuring a robust and resilient network environment. In this hands-on lab, we will go through the process of setting up an AWS environment that optimally utilizes AWS Network Firewall.
Topology
Prerequisites
Before delving into the lab setup, ensure that you have the following prerequisites in place:
- An AWS account with the appropriate permissions to create and manage network resources.
- A foundational understanding of Amazon VPC concepts, EC2, and AWS services.
- Deployment of a VPC, public subnet, and internet gateway should be completed prior to commencing this lab.
Step 1: Setting up the environment.
Create a dedicated subnet for the Network Firewall
- In your AWS Console go to VPC >> Subnets >> Create a Subnet
Note: A Network Firewall needs a dedicated subnet with a /28 or larger IP space.
Network Firewall — Rule Groups
Once the subnet is ready, we can move on to creating Network Firewall Rule Groups.
Think of a rule group as a set of rules that dictate how traffic is handled by AWS Network Firewall. These rules help us decide which network traffic is allowed or blocked based on specific criteria. Rule groups are vital for setting up and enforcing security policies for your AWS Network Firewall.
- On your VPC Dashboard go to: Network Firewall >> Network Firewall rule groups.
In AWS Network Firewall, there are two main types of rule groups:
- Stateful: These are like smart rules that understand the context of network traffic. They can allow or block traffic based on things like source, destination, and more. Think of them as traffic cops that can make decisions based on what they see.
- Stateless: These are more like basic traffic filters. They follow simple rules to either allow or block traffic, without understanding the context. It’s like a list of specific traffic rules that are applied without considering the bigger picture.
We will create three types of rule groups:
- Stateful group for Domain List
- Stateful group standard
- Stateless
Stateful group for Domain List
Domain List Rule Group is designed to filter and control network traffic based on domain names, which are like web addresses. You can create a list of domain names that you want to allow or block. This rule group is especially useful for managing access to specific websites or online services.
Note: Capacity is the number of rules you expect to have in this rule group during its lifetime. You can’t change capacity after rule group creation, so leave room to grow.
You can list all the domains that you would like to inspect to either allow or deny.
We will use the following examples:
For now, we will keep the Action to “Allow”.
Stateful groups Standard
This is a more general-purpose rule group that can be customized to match your specific network security needs. It allows us to define rules based on unique requirements, making it versatile for various use cases.
For example, we can specify the values for Layer 3 and Layer 4.
For our lab, we will create an ICMP rule group, and as before, we keep the action as “Pass”.
Stateless group
A stateless rule group in AWS Network Firewall is like a basic set of traffic rules. It decides what traffic can come in and go out of your network, but it doesn’t remember previous actions or understand the bigger picture of the traffic flow. It’s a bit like a gatekeeper checking each person’s ID at the door without knowing anything about them except what’s on the ID. Simple and effective for straightforward security needs.
For our lab, we will create a simple Stateless rule group for all the traffic in and out of our VPC.
After all the Rule groups are created, we should have a list similar to:
Step 2: Creating a Network Firewall Policy
An AWS Network Firewall policy defines the monitoring and protection behavior for a firewall. The details of the behavior are defined in the rule groups that you add to your policy, and in some policy default settings. To use a firewall policy, you associate it with one or more firewalls.
- On your VPC Dashboard go to: Network Firewall >> Firewall Policies and click on Create.
Select the Stateless rule group created previously.
Select both stateful rule groups created previously.
Click on “Create Firewall Policy”
Step 3: Creating a Network Firewall
An AWS Network Firewall connects a firewall policy, which defines network traffic monitoring and filtering behavior, to the VPC that you want to protect.
The firewall configuration includes specifications for the Availability Zones and subnets where the firewall endpoints are placed. It also defines high-level settings like the firewall logging configuration and tagging on the AWS firewall resource.
- On your VPC Dashboard go to: Network Firewall >> Firewalls and click on Create.
- We choose the VPC where we want our Firewall to inspect the traffic.
- We associate the Firewall Policy created on the previous step with our Network Firewall.
Note: Once the firewall creation is completed, go to the details and take note of the Endpoint ID. We will use that value later.
Logging
Network Firewall generates logs for stateful rule groups. You can configure different destinations for different log types.
Note: You can record alert logs and flow logs from your Network Firewall stateful engine.
- Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT.
- Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific standard stateless rule group.
Keep any other value as default and go all the way to “Create Firewall”.
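Steps 1 to 3 above are console clicks; the same three rule groups and the policy can be expressed as boto3 request bodies and checked before anything is created. The code below is an added example, not the lab's or AWS's own; the names (lab-domain-list, lab-icmp, lab-stateless, lab-policy) are made up, and the request shapes follow the network-firewall create_rule_group and create_firewall_policy calls as assumed here. The last function catches a common mistake the console does not flag: a policy whose stateless default action is aws:pass never hands packets to the stateful engine, so the domain list and ICMP rules silently never apply.

```python
FORWARD_TO_SFE = "aws:forward_to_sfe"  # hand the packet to the stateful engine

def domain_list_group(domains, allow=True, capacity=100):
    """Stateful domain-list group. ALLOWLIST blocks every domain not listed;
    DENYLIST blocks only the listed ones (what step 5's 'Deny' switches to)."""
    # Assumption: each domain costs at least one capacity unit; capacity is fixed at creation.
    assert len(domains) <= capacity, "leave room to grow: capacity cannot be changed later"
    return {"RuleGroupName": "lab-domain-list", "Type": "STATEFUL", "Capacity": capacity,
            "RuleGroup": {"RulesSource": {"RulesSourceList": {
                "Targets": list(domains), "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
                "GeneratedRulesType": "ALLOWLIST" if allow else "DENYLIST"}}}}

def icmp_group(action="PASS", capacity=10):
    """Stateful standard (5-tuple) group matching all ICMP; action PASS or DROP."""
    header = {k: "ANY" for k in ("Source", "SourcePort", "Destination", "DestinationPort")}
    header.update(Protocol="ICMP", Direction="FORWARD")
    return {"RuleGroupName": "lab-icmp", "Type": "STATEFUL", "Capacity": capacity,
            "RuleGroup": {"RulesSource": {"StatefulRules": [
                {"Action": action, "Header": header, "RuleOptions": [{"Keyword": "sid:1"}]}]}}}

def stateless_group(capacity=10):
    """Stateless group: match all traffic and forward it to the stateful engine."""
    anywhere = [{"AddressDefinition": "0.0.0.0/0"}]
    rule = {"Priority": 1, "RuleDefinition": {
        "MatchAttributes": {"Sources": anywhere, "Destinations": anywhere},
        "Actions": [FORWARD_TO_SFE]}}
    return {"RuleGroupName": "lab-stateless", "Type": "STATELESS", "Capacity": capacity,
            "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {
                "StatelessRules": [rule]}}}}

def firewall_policy(stateless_arn, stateful_arns):
    """Policy for step 2: one stateless reference, both stateful references."""
    return {"FirewallPolicyName": "lab-policy", "FirewallPolicy": {
        "StatelessRuleGroupReferences": [{"ResourceArn": stateless_arn, "Priority": 1}],
        "StatelessDefaultActions": [FORWARD_TO_SFE],
        "StatelessFragmentDefaultActions": [FORWARD_TO_SFE],
        "StatefulRuleGroupReferences": [{"ResourceArn": a} for a in stateful_arns]}}

def policy_reaches_stateful_engine(policy):
    """If the stateless defaults are aws:pass, unmatched packets skip the
    stateful engine and the domain-list and ICMP rules never see them."""
    fp = policy["FirewallPolicy"]
    return (FORWARD_TO_SFE in fp["StatelessDefaultActions"]
            and FORWARD_TO_SFE in fp["StatelessFragmentDefaultActions"]
            and bool(fp["StatefulRuleGroupReferences"]))
```

Pass the returned dicts as keyword arguments to the corresponding boto3 network-firewall client calls once the checks pass.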
Step 4: Routing Configuration
Up to this point, we have created:
- Subnet for our Firewall
- Rule Groups (Stateful and Stateless)
- Firewall Policy
- Network Firewall
Before you begin testing out your firewall rules, you need to adjust routing to send traffic through the firewall.
We need to create two new Route Tables:
- Internet gateway (IGW) ingress route table.
- Firewall subnet route table.
Internet Gateway Route Table
- On your VPC Dashboard go to: Route Tables >> Create Route Table
When creating this Route Table, make sure to select the right VPC. On the Edit edge associations section, click on edit and select the Internet gateway.
Now we need to create a route entry that will forward the incoming traffic to the Firewall.
- For Destination, enter the CIDR of your public subnet. In our lab the address is: 10.0.0.0/24
- For Target, select Gateway Load Balancer Endpoint and search for the VPC firewall endpoint that starts with vpce-.
Note: Use the Network Firewall Endpoint ID from step 3.
Firewall route table
We will create a new route table for our firewall and will direct all the outgoing traffic (0.0.0.0/0) to the internet gateway.
We associate this route table with the FirewallSubnet created on step 1.
Finally, we configure our Public Route table (part of the prerequisites) to forward the outgoing traffic to the Firewall.
Note: Use the Network Firewall Endpoint ID from step 3.
At this point we should have the following three route tables:
- Public Route table
- Ingress Route table
- Firewall Route table
Step 5: Testing
We will verify network connectivity between the EC2 instances and the internet to evaluate the firewall’s ability to block or allow traffic based on your defined rules.
Connecting to our EC2 via CLI we can perform the following:
- Using “curl” we will check connectivity with the domains listed on the DomainList Rule Group
- Using “ping” we will test the Stateful Standard Rule Group created for ICMP traffic.
At this point both Rule Groups are configured as Allow or Pass, so we should see the following behavior:
curl www.example.com
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style type="text/css">
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
}
div {
width: 600px;
margin: 5em auto;
padding: 2em;
background-color: #fdfdff;
border-radius: 0.5em;
box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
}
a:link, a:visited {
color: #38488f;
text-decoration: none;
}
@media (max-width: 700px) {
div {
margin: 0 auto;
width: auto;
}
}
</style>
</head>
<body>
<div>
<h1>Example Domain</h1>
<p>This domain is for use in illustrative examples in documents. You may use this
domain in literature without prior coordination or asking for permission.</p>
<p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=10.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=11.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=11.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=10.5 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 10.015/10.726/11.292/0.489 ms
Everything seems to be working as expected. Now, we will modify the action on each of the Rule Groups to Deny or Drop.
curl www.example.com --max-time 5
--max-time 5 tells curl to give up after 5 seconds instead of hanging while the firewall silently drops the connection.
As we can see, we are not able to connect to www.example.com.
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4088ms
The same result when using ping.
This confirms that the Stateful Rule Groups are working as expected and traffic is denied.
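The client-side tests above only show that traffic stopped; the alert logs enabled in step 3 are where the firewall records why. The script below is an added example, not part of the original post: it tallies alert records by action and by what the client was reaching (HTTP Host header, TLS SNI, or destination IP plus protocol for ICMP). The three log lines are constructed samples laid out like a Network Firewall alert log, and the field names used (event.alert.action, event.http.hostname, event.tls.sni) are assumptions from that layout.

```python
import json
from collections import Counter

# Constructed sample of three alert-log records (one JSON object per line),
# modelled on the Network Firewall alert log layout; all values are made up.
SAMPLE_ALERT_LOG = r"""
{"firewall_name":"lab-fw","availability_zone":"us-east-1a","event_timestamp":"1700000001","event":{"timestamp":"2023-11-14T22:13:21.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.10","src_port":51234,"dest_ip":"93.184.216.34","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"blocked","signature_id":1,"rev":1,"signature":"","category":"","severity":1},"http":{"hostname":"www.example.com","url":"/","http_user_agent":"curl/8.0.1","http_method":"GET","protocol":"HTTP/1.1","length":0}}}
{"firewall_name":"lab-fw","availability_zone":"us-east-1a","event_timestamp":"1700000002","event":{"timestamp":"2023-11-14T22:13:22.000000+0000","flow_id":2,"event_type":"alert","src_ip":"10.0.0.10","dest_ip":"8.8.8.8","proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"action":"blocked","signature_id":2,"rev":1,"signature":"","category":"","severity":1}}}
{"firewall_name":"lab-fw","availability_zone":"us-east-1a","event_timestamp":"1700000003","event":{"timestamp":"2023-11-14T22:13:23.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.10","src_port":51240,"dest_ip":"93.184.216.34","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"allowed","signature_id":3,"rev":1,"signature":"","category":"","severity":3},"tls":{"sni":"www.example.com","version":"TLS 1.3"}}}
"""

def parse_alert_records(text):
    """Yield one dict per non-empty line; alert logs are newline-delimited JSON."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)

def target_of(event):
    """Name what the client was reaching: HTTP Host header, TLS SNI, or
    (for ICMP and other hostless traffic) destination IP plus protocol."""
    if event.get("http", {}).get("hostname"):
        return event["http"]["hostname"]
    if event.get("tls", {}).get("sni"):
        return event["tls"]["sni"]
    return f'{event["dest_ip"]}/{event["proto"]}'

def summarize_alerts(text):
    """Count (action, target) pairs. After step 5's switch to Deny/Drop, the
    curl and ping tests should appear as 'blocked' rows; an 'allowed' row for
    a listed domain would mean a rule did not match the way we intended."""
    counts = Counter()
    for rec in parse_alert_records(text):
        ev = rec["event"]
        if ev.get("event_type") == "alert":
            counts[(ev["alert"]["action"], target_of(ev))] += 1
    return counts

if __name__ == "__main__":
    for (action, target), n in sorted(summarize_alerts(SAMPLE_ALERT_LOG).items()):
        print(f"{action:8} {n:3} {target}")
```

Point summarize_alerts at the contents of a real alert log file from the firewall's logging destination to review a test run the same way.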
Conclusion
In this simple lab, we have gained valuable insights into setting up an AWS environment that effectively utilizes AWS Network Firewall. This knowledge will enable us to design, implement, and manage secure networking infrastructures in the cloud, safeguarding our applications and data.