aws network firewall
How does AWS Network Firewall compare with discrimiNAT for egress filtering
Egress filtering has long been a challenge in AWS environments. In Nov 2020, AWS introduced the Network Firewall, which promised to address this gap. The documentation discloses upfront that it's built upon a well-regarded IPS.
info
Network Firewall uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection.
Source: https://docs.aws.amazon.com/network-firewall/.../what-is-aws-network-firewall
tip
An article that covers the "idiosyncrasies" and "gotchas" as a result of this repurposing is Secure Internet Access (Egress Filtering) with AWS Network Firewall by Karl Maier.
COMPARISON
So, how does discrimiNAT compare to AWS Network Firewall then?
AWS Network Firewall | discrimiNAT | |
---|---|---|
Sufficient Depth of Checks | 🔴 no trivial to bypass – see example †. By AWS' own admission, it does not conduct "out-of-band DNS lookups", so clients can present an allowed hostname in the headers while making the connection to an arbitrary IP address | 🟢 yes inspects raw packets for protocol-level anomalies and also conducts asynchronous, out-of-band DNS checks to verify client-presented hostnames against IP addresses in the connections |
Per-Application Policies | 🔴 no policies can only be applied at a VPC-level and with a workaround to CIDR blocks of other VPCs. Supported topology can only place it after AWS NAT so the true private IP of the client will never be known for granular policies | 🟢 yes integrates with the Cloud providers' native application-level firewall constructs such as Security Groups in AWS and Firewall Rules in GCP, deriving policies from these resources' built-in description fields |
Protocol Downgrade Protection | 🟠 maybe such a capability must be explicitly configured in Suricata-compatible language for TLS v1.2 or better and SSH v2 | 🟢 yes enforces minimum protocol level versions (such as 1.2 for TLS), as per contemporary standards, for both sides of a handshake |
Monitor Flows | 🟠 maybe per-application policies cannot be made to work as discussed, therefore, any relaxation of enforcement (so logs can be collected) puts the entire VPC at risk. Also, because traffic arrives after NAT, impossible to tell which application or client sent it | 🟢 yes the see-thru mode is able to capture and generate filterable logs for specific applications, therefore, keeping policies enforced for the rest of the VPC. Logs also indicate whether current rules would cover the traffic seen or not and can be filtered on this criteria too |
SSH (or SFTP) Protocol Support | 🟠 maybe FQDNs are not supported for this protocol but the validity of this protocol on a given port may be checked with some Suricata syntax | 🟢 yes FQDNs are supported and determination of which protocol and at what version is carried out regardless of port numbers |
TLS (or HTTPS) Protocol Support | 🟢 yes a rudimentary support is provided through 'Stateful domain list rule groups' but protocol version level checks would have to be written in Suricata syntax | 🟢 yes TLS v1.2 or better bidirectional enforcement, alongwith SNI, ESNI/ECH and IP Address checks are built-in with nothing to configure |
TLS Decryption | 🔴 no but in the FAQ, the question is at Can AWS Network Firewall inspect encrypted traffic? and a workaround that would only work in very few cases is suggested | 🔴 no at this time, discrimiNAT does not implement decryption of the full payload or installation of CA keys; the boundary of unencrypted data does not move to this gateway at the internet/public edge of your network |
Plaintext HTTP Support | 🟢 yes HTTP Host Header (client-settable) is checked on unencrypted connections for compliance | 🔴 no unsafe protocols are simply not implemented – encouraging teams to fix the root cause and upgrade to encrypted protocols (HTTP over TLS, i.e. HTTPS) instead in their application configs |
Cloud-Native Rules Management | 🟢 yes AWS Network Firewall has a dedicated API and web console presence for rule management, and recently support in Terraform and CloudFormation as well | 🟢 yes config is pulled from fields in Security Groups therefore enabling the use of web consoles, and any existing infrastructure as code tools such as Terraform and CloudFormation |
Stateless Rules | 🟢 yes for a very large number of stateless rules, this could be useful | 🔴 no we recommend the use of the free Network ACLs in any VPC for this, unless the list won't fit in that |
Stateful Rules | 🟢 yes for very complex protocol-level detail rules, and for SNI in TLS and the Host Header in HTTP, this is useful. Otherwise, Security Groups should suffice for simpler specifications | 🟢 yes for SSH and TLS connections to FQDNs. Otherwise, native Security Groups should suffice for Protocol, IP and Port based rules |
Cloud-Native Logging | 🟢 yes CloudWatch, S3 and Kinesis are supported directly with structured logs that have a whole lot of protocol-level detail | 🟢 yes CloudWatch is supported directly with structured logs that make more sense for human-operability. If you'd like to see more supported logging destinations, get in touch with our DevSecOps Support |
Application Config Required | 🟢 no zero config change required on the applications no matter which application-layer protocol is involved; all routing is carried out as natively defined on the Cloud platform's route tables and firewall rules | 🟢 no zero config change required on the applications no matter which application-layer protocol is involved; all routing is carried out as natively defined on the Cloud platform's route tables and firewall rules |
Transparent Operation | 🟢 yes since this is an additional hop in the routing between AWS NAT and AWS Internet Gateway, it's transparent to clients | 🟢 yes since this replaces the NAT, packets are naturally routed via it at an IP level, and the routing is simpler than AWS Network Firewall's |
Indicators Of Compromise (IoC) Support | 🟢 yes since this is actually an IPS under the hood, this feature is supported and to a reasonable number of indicators | 🔴 no since this is not an IPS but a NAT gateway with only an allowlist mode and a default of deny, it does not support general IoC monitoring |
Price per Hour | 🟢 yes and when used with AWS NAT, the price for only NAT is completely discounted | 🟢 yes simple hourly pricing with NAT functionality built-in, no need for AWS NAT |
Free data processing | 🔴 no there are data processing charges and when used with AWS NAT, the charge for only NAT is discounted | 🟢 yes there is no data processing charge |
High Availability | 🟢 yes built on the GWLB technology, these Suricata "appliances" should have cross-zone load balancing and if a target fails, there will be at least 70 seconds ‡ of intermittent failures before the traffic is entirely sent to a stable AZ | 🟢 yes RTO as of today is just under 120 seconds since each instance is wrapped in an Auto Scaling Group. Egress data is buffered by monitoring & logging clients, general EC2 failures are quite rare, and if an AZ fails altogether – you're not likely to need egress! We are working on lowering this substantially and if you are interested in knowing more, get in touch with our DevSecOps Support |
Hops to the Internet | 🟠 at least two this can only be inserted after AWS NAT and before the Internet Gateway for filtering egress traffic. It is unclear what additional network delay/hops does the GWLB VPC Endpoint that this runs behind ensue | 🟢 one NAT is built-in like most firewalls. The routing is simple and direct |
Instant Connection Denied Feedback | 🔴 no due to the use of Suricata's packet dropping capabilities, applications need to wait for connections to timeout. This leads to poorer experience when setting things up | 🟢 yes connections are terminated gracefully when denied, so applications have instant feedback |
Safe To Operate | 🔴 no with complex evaluation order among the stateless and stateful rules, within the stateful rules with overlapping domain names, complex routing and default stance of 'allow', it is difficult to imagine this can be configured safely without expert help | 🟢 yes has been designed upfront to not have features that can downgrade the security stance expected of an internet gateway, has simple routing, safe defaults and allowlist contents map to application configs directly – no specialised knowledge is required to configure and operate it, and the security champions can confidently hand it over for self-service operation |
‡ The minimum duration to start re-routing new flow is up to 70 seconds. It is a sum of 20 seconds for health checks (Min. Interval: 10s, Min. threshold: 2) and 50 seconds for GWLB backend to detect and re-route. Source: https://aws.amazon.com/.../best-practices-for-deploying-gateway-load-balancer/
LITMUS TEST
Generally, is your FQDN egress firewall effective at all?
You can test with these curl
commands, inspired by the infamous line 525 of the Codecov breach.
Say your firewall allows HTTPS connections to api.github.com
, then this curl
command, unsurprisingly, should work:
curl -v https://api.github.com/
† However, the following should not work, since it tries to connect to an arbitrary IP address under the guise of connecting to api.github.com
:
curl -v --connect-to "api.github.com:443:1.1.1.1:443" \
-k -H "Host: 1.1.1.1" https://api.github.com/
The AWS Network Firewall nevertheless allows it 🤦. And its documentation explains why it does.
For HTTPS traffic, Network Firewall uses the Server Name Indication (SNI) extension in the TLS handshake to determine the hostname, or domain name, that the client is trying to connect to. For HTTP traffic, Network Firewall uses the HTTP host header to get the name. In both cases, Network Firewall doesn't pause connections to do out-of-band DNS lookups. It uses the SNI or host header, not the IP addresses, when evaluating domain list rule groups. If you want to inspect IP addresses, to mitigate situations where the SNI or host headers have been manipulated, write separate rules for that and use them in conjunction with or in place of your domain list rules.
Source: https://docs.aws.amazon.com/network-firewall/...domain-names