DEV Community

Esteban for AWS Community Builders

Posted on

AWS Network Firewall: A Simple Lab Setup Guide - ClickOps

AWS Network Firewall is a powerful tool that empowers organizations to secure their applications and infrastructure in the cloud. Understanding how to set up and configure the AWS Network Firewall is crucial for ensuring a robust and resilient network environment. In this hands-on lab, we will go through the process of setting up an AWS environment that optimally utilizes AWS Network Firewall.

Image description

Topology

Image description


Prerequisites

Before delving into the lab setup, ensure that you have the following prerequisites in place:

  1. An AWS account with the appropriate permissions to create and manage network resources.
  2. A foundational understanding of Amazon VPC concepts, EC2, and AWS services.
  3. Deployment of a VPC, public subnet, and internet gateway should be completed prior to commencing this lab.

Step 1: Setting up the environment.

Create a dedicated subnet for the Network Firewall

  • In your AWS Console go to VPC >> Subnets >> Create a Subnet

Note: A Network Firewall needs a dedicated subnet with a /28 or larger IP space.

Image description

Network Firewall — Rule Groups

Once the subnet is ready, we can move on to creating Network Firewall Rule Groups.

Think of a rule group as a set of rules that dictate how traffic is handled by AWS Network Firewall. These rules help us decide which network traffic is allowed or blocked based on specific criteria. Rule groups are vital for setting up and enforcing security policies for your AWS Network Firewall.

  • On you VPC Dashboard go to: Network Firewall >> Network Firewall rule groups.

Image description

Image description

In AWS Network Firewall, there are two main types of rule groups:

  1. Stateful: These are like smart rules that understand the context of network traffic. They can allow or block traffic based on things like source, destination, and more. Think of them as traffic cops that can make decisions based on what they see.
  2. Stateless: These are more like basic traffic filters. They follow simple rules to either allow or block traffic, without understanding the context. It’s like a list of specific traffic rules that are applied without considering the bigger picture.

Image description

We will create three type of rule groups:

  • Stateful group for Domain List
  • Stateful group standard
  • Stateless

Stateful group for Domain List

Domain List Rule Group is designed to filter and control network traffic based on domain names, which are like web addresses. You can create a list of domain names that you want to allow or block. This rule group is especially useful for managing access to specific websites or online services.

Image description

Note: Capacity is the number of rules you expect to have in this rule group during its lifetime. You can’t change capacity after rule group creation, so leave room to grow.

Image description

You can list all the domains that you would like to inspect to either allow or deny.

We will use the following examples:

For now, we will keep the Action to “Allow”.

Stateful groups Standard

This is a more general-purpose rule group that can be customized to match your specific network security needs. It allows us to define rules based on unique requirements, making it versatile for various use cases.

For example, we can specify the values for Layer 3 and Layer 4.

For our lab, we will create an ICMP group rule, and as before, we keep the action as “Pass”.

Image description

Image description

Stateless group

A stateless rule group in AWS Network Firewall is like a basic set of traffic rules. It decides what traffic can come in and go out of your network, but it doesn’t remember previous actions or understand the bigger picture of the traffic flow. It’s a bit like a gatekeeper checking each person’s ID at the door without knowing anything about them except what’s on the ID. Simple and effective for straightforward security needs.

For our lab, we will create a simple Stateless rule group for all the traffic in and out of our VPC.

Image description

After all the Rule groups are created, we should have a list simimar to:

Image description


Step 2: Creating a Network Firewall Policy

An AWS Network Firewall policy defines the monitoring and protection behavior for a firewall. The details of the behavior are defined in the rule groups that you add to your policy, and in some policy default settings. To use a firewall policy, you associate it with one or more firewalls.

  • On your VPC Dashboard go to: Network Firewall >> Firewall Policies and “Click” on create.

Image description

Image description

Select the Stateless rule group created previously.

Image description

Select both stateful rule group created previously.

Image description

Click on “Create Firewall Policy”


Step 3: Creating a Network Firewall

An AWS Network Firewall connects a firewall policy, which defines network traffic monitoring and filtering behavior, to the VPC that you want to protect.

The firewall configuration includes specifications for the Availability Zones and subnets where the firewall endpoints are placed. It also defines high-level settings like the firewall logging configuration and tagging on the AWS firewall resource.

  • On you VPC Dashboard go to: Network Firewall >> Firewalls and click on create.

Image description

Image description

Image description

  • We choose the VPC where we want our Firewall to inspect the traffic.

Image description

  • We associate the Firewall Policy created on the previous step with our Network Firewall.

Image description

Note: Once the firewall creation is completed, go to the details and take note of the Endpoint ID. We will use that value later.

Image description

Loggin

Network Firewall generates logs for stateful rule groups. You can configure different destinations for different log types.

Image description

Note: You can record alert logs and flow logs from your Network Firewall stateful engine.

  • Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT.
  • Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific standard stateless rule group.

Keep any other value as default and go all the way to “Create Firewall”.


Step 4: Routing Configuration

Up to this point, we have created:

  • Subnet for our Firewall
  • Rule Groups (Stateful and Stateless)
  • Firewall Policy
  • Network Firewall

Before you begin testing out your firewall rules, you need to adjust routing to send traffic through the firewall.

We need to create two new Route Tables:

  • Internet gateway (IGW) ingress route table.
  • Firewall subnet route table.

Internet Gateway Route Table

  • On your VPC Dashboard go to: Route Tables >> Create Route Table

When creating this Route Table, make sure to select the right VPC. On the Edit edge associations section, click on edit and select the Internet gateway.

Image description

Now we need to create a route entry that will forward the incoming traffic to the Firewall.

  • For Destination, enter use the CIDR of your public subnet network. In our lab the address is: 10.0.0.0/24
  • For Target, select Gateway Load Balancer Endpoint and search for the VPC firewall endpoint that starts with vpce-.

Note: Use the Network Firewall Endpoint ID from step 3.

Image description

Firewall route table

We will create a new route table for our firewall and will direct all the outgoing traffic (0.0.0.0/0) to the internet gateway.

Image description

We associate this route table with the FirewallSubnet created on step 1.

Image description

Finally, we configure our Public Route table (part of the pre-requirement) to forward the outgoing traffic to the Firewall.

Note: Use the Network Firewall Endpoint ID from step 3.

Image description

At this point we should have the following three route tables:

  • Public Route table
  • Ingress Route table
  • Firewall Route table

Step 5: Testing

We will verify network connectivity between the EC2 instances and the internet to evaluate the firewall’s ability to block or allow traffic based on your defined rules.

Image description

Connecting to our EC2 via CLI we can perform the following:

  • Using “curl” we will check connectivity with the domains listed on the DomainList Rule Group
  • Using “ping” we will test the Stateful Standard Rule Group created for ICMP traffic.

At this point both Rule Groups are configured as Allow or Pass, then we should have the following behavior:



curl www.example.com
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>


Enter fullscreen mode Exit fullscreen mode


ping 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=116 time=10.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=116 time=11.2 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=116 time=11.0 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=116 time=10.5 ms
^C
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 10.015/10.726/11.292/0.489 ms


Enter fullscreen mode Exit fullscreen mode

Everything seems to be working as expected. Now, we will modify the action on each of the Rule Groups to Deny or Drop.

curl www.example.com --max-time 5

— max-time 5 tell the curl command to only try for 5 connections.

As we can see, we are not able to connect to www.example.com



PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4088ms


Enter fullscreen mode Exit fullscreen mode

The same result when using ping.

This confirms that the Stateful Rule Groups are working as expected and traffic is denied.


Conclusion

In this simple lab, we have gained valuable insights into setting up an AWS environment that effectively utilizes AWS Network Firewall. This knowledge will enable us to design, implement, and manage secure networking infrastructures in the cloud, safeguarding our applications and data.

Top comments (0)