
How do I configure my Network Firewall rules to block or allow specific domains?


I want to use AWS Network Firewall to filter outbound web traffic from resources in my Amazon Virtual Private Cloud (Amazon VPC).

Short description

AWS Network Firewall supports domain-based filtering of outbound web traffic in policies that use either action order or strict rule evaluation order. To configure the rules, use a stateful domain list rule group or Suricata-compatible rule strings. Domain inspection works for the HTTP and HTTPS protocols.

For HTTP, the firewall inspects the host header. For HTTPS, the firewall uses the Server Name Indication (SNI) in the TLS handshake. When you use a domain allowlist, Network Firewall sends traffic only to specified domains and drops all other requests.

Understand domain list rule group actions

Avoid combining Reject or Alert domain list rule groups with Allow domain list rule groups in a firewall policy that uses default action ordering. The default drop rule added by the Allow rule group takes effect before the Reject and Alert rules.

For more information, see Suricata compatible rule strings in AWS Network Firewall and Stateful domain list rule groups in AWS Network Firewall.

Resolution

Configure a domain list group for a policy with the default action order

Complete the following steps:

  1. Create a firewall.
  2. Open the Amazon VPC console.
  3. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
  4. Choose Create rule group, and then choose Stateful rule group as the rule group type.
  5. For Stateful rule group format, choose Domain list.
    Note: You can't change the stateful rule order because it's inherited from the policy. The Rule order appears as Action order.
  6. Enter a unique rule group name.
  7. For Capacity reservation, enter an estimated number of domains to include in the list.
    Note: After you create the rule group, you can't change the value.
  8. Under Domain list, for Domain name source, enter the domain names that you want to match. You can define domains as an exact match, such as abc.example.com. You can also define them as a wildcard, such as .example.com.
  9. For CIDR ranges, choose one of the following options:
    For Default, choose this option when the source IP address exists in the same VPC as the firewall.
    For Custom, choose this option when the source IP address exists in a remote VPC. Enter the source subnets that you want the firewall to inspect under Source IP CIDR ranges.
  10. For Protocols, choose HTTP and HTTPS.
  11. For Action, choose Allow.
  12. (Optional) Configure Advanced settings and tags.
  13. Choose Create rule group.
  14. In the navigation pane, under Network Firewall, choose Firewall policies.
  15. Select the existing action order policy.
  16. Confirm that the default action is set to Pass.
  17. Under Stateful rule groups, choose Actions, and then choose Add unmanaged stateful rule groups.
  18. Select the rule group that you created in step 13.

Define a Suricata-compatible IPS rule for a policy with the action order evaluation

Complete the following steps:

  1. Create a firewall.
  2. Open the Amazon VPC console.
  3. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
  4. Choose Create rule group, and then choose Stateful rule group as the rule group type.
  5. For Stateful rule group format, choose Suricata Compatible rule string.
    Note: You can't change the stateful rule order because it's inherited from the policy. The Rule order appears as Action order.
  6. Enter a unique rule group name.
  7. For Capacity reservation, enter an estimated number of domains to include in the list.
    Note: After you create the rule group, you can't change the value.
  8. (Optional) Define custom rule variables to use in the Suricata signatures.
  9. (Optional) Define IP set references to use in the Suricata signatures.
  10. Under Suricata compatible rule string, enter the following rules:
    pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
    pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"example.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)
    pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
    pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:4; rev:1;)
    drop http $HOME_NET any -> $EXTERNAL_NET any (http.header_names; content:"|0d 0a|"; startswith; msg:"not matching any HTTP allowlisted FQDNs"; flow:to_server, established; sid:5; rev:1;)
    drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"not matching any TLS allowlisted FQDNs"; flow:to_server, established; sid:6; rev:1;)
    
    Note: In the preceding rules, replace the domains with the domains that you want to include.
  11. (Optional) Configure Advanced settings and tags.
  12. Choose Create rule group.
  13. In the navigation pane, under Network Firewall, choose Firewall policies.
  14. Select the existing action order policy.
  15. Confirm that the default action is set to Pass.
  16. Under Stateful rule groups, choose Actions, and then choose Add unmanaged stateful rule groups.
  17. Select the rule group that you created in step 12.

Note: The domain rules include the established flow keyword, but that keyword might not capture every edge case where packets are exchanged outside a normal connection flow. Before you use an example rule listing, test the rules to verify that they work as expected.

Configure a domain list rule group for a policy with the strict evaluation order

Complete the following steps:

  1. Create a firewall.
  2. Open the Amazon VPC console.
  3. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
  4. Choose Create rule group, and then choose Stateful rule group as the rule group type.
  5. For Stateful rule group format, choose Domain list.
    Note: You can't change the stateful rule order because it's inherited from the policy. The Rule order appears as Strict.
  6. Enter a unique rule group name.
  7. For Capacity reservation, enter an estimated number of domains to include in the list.
    Note: After you create the rule group, you can't change the value.
  8. Under Domain list, for Domain name source, enter the domain names that you want to match. You can define domains as an exact match, such as abc.example.com. You can also define them as a wildcard, such as .example.com.
  9. For CIDR ranges, choose one of the following options:
    For Default, choose this option when the source IP address exists in the same VPC as the firewall.
    For Custom, choose this option when the source IP address exists in a remote VPC. Enter the source subnets that you want the firewall to inspect under Source IP CIDR ranges.
  10. For Protocols, choose HTTP and HTTPS.
  11. For Action, choose Allow.
  12. Choose Create rule group.
  13. In the navigation pane, under Network Firewall, choose Firewall policies.
  14. Select the existing strict order policy.
  15. For Stateful rule evaluation order and default actions, choose Edit.
  16. For Default actions, choose Drop established.
  17. Choose Save.

Define a Suricata-compatible IPS rule for a policy with a strict evaluation order

Complete the following steps:

  1. Create a firewall.
  2. Open the Amazon VPC console.
  3. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
  4. Choose Create rule group, and then choose Stateful rule group as the rule group type.
  5. For Stateful rule group format, choose Suricata Compatible rule string.
    Note: You can't change the stateful rule order because it's inherited from the policy. The Rule order appears as Strict.
  6. Enter a unique rule group name.
  7. For Capacity reservation, enter an estimated number of domains to include in the list.
    Note: After you create the rule group, you can't change the value.
  8. (Optional) Define custom rule variables to use in the Suricata signatures that you define.
  9. (Optional) Define IP set references to use in the Suricata signatures that you define.
  10. Under Suricata compatible rule string, enter the following rules:
    pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
    pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; content:"example.com"; startswith; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)
    pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".amazonaws.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
    pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:4; rev:1;)
    
    Note: In the preceding rules, replace the domains with the domains that you want to include.
  11. (Optional) Configure Advanced settings and tags.
  12. Choose Create rule group.
  13. In the navigation pane, under Network Firewall, choose Firewall policies.
  14. Select your strict order policy.
  15. For Stateful rule evaluation order and default actions, choose Edit.
  16. For Default actions, choose Drop established.
  17. Choose Save.

Note: Domain rules include the established flow keyword. This keyword might not capture all edge cases where packets are exchanged outside of normal connection flows. Before you use an example rule listing, test the rule to verify that it works as expected.
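The matching semantics behind the step 10 rules in both Suricata procedures above (dotprefix with endswith for suffix entries, startswith with endswith for exact entries, nocase only on tls.sni), as an added Python model that is not part of this article or of Network Firewall. The allowlist and the sample hostnames are constructed, and the Host-header normalization mirrors Suricata's documented http.host buffer (lowercased, port removed).

```python
"""Model of the allowlist decision made by the Suricata rules in step 10.

Added example, not AWS code: it reproduces how the pass rules match an
HTTP Host header or TLS SNI so you can check an allowlist before deploying.
Entries starting with "." are suffix matches (dotprefix + endswith);
other entries are exact matches (startswith + endswith).
"""
from typing import Iterable


def dotprefix(name: str) -> str:
    # Suricata's dotprefix transform prepends "." to the buffer, so that
    # ".example.com" matches "www.example.com" and "example.com" but not
    # "notexample.com".
    return "." + name


def host_matches(name: str, entry: str) -> bool:
    if entry.startswith("."):
        return dotprefix(name).endswith(entry)
    return name == entry


def normalize(protocol: str, name: str) -> str:
    # Assumption from the Suricata docs: the http.host buffer is already
    # lowercased and carries no port; tls.sni is raw, which is why the
    # TLS rules need "nocase" and the HTTP rules do not.
    name = name.strip().lower()
    if protocol == "http":
        name = name.split(":", 1)[0]
    return name


def decide(protocol: str, name: str, allowlist: Iterable[str]) -> str:
    """Return "pass" if any allowlist entry matches, else "drop" (the
    catch-all drop rules sid:5 and sid:6 in action order, or the
    "Drop established" default action in strict order)."""
    n = normalize(protocol, name)
    for entry in allowlist:
        if host_matches(n, entry.lower()):
            return "pass"
    return "drop"


# Constructed sample traffic, mirroring the domains in the article's rules.
ALLOWLIST = [".amazonaws.com", "example.com"]
SAMPLES = [
    ("http", "s3.us-east-1.amazonaws.com"),
    ("tls", "EC2.amazonaws.com"),       # nocase: matches despite the case
    ("http", "example.com:8080"),       # port is not part of http.host
    ("tls", "www.example.com"),         # exact entry does not cover subdomains
    ("tls", "notamazonaws.com"),        # dotprefix blocks suffix look-alikes
]

if __name__ == "__main__":
    for proto, name in SAMPLES:
        print(f"{proto:4} {name:28} -> {decide(proto, name, ALLOWLIST)}")
```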

Test your configurations

To test that your configurations work, run curl commands to the specified domains.

The following example command tests HTTPS access to the https://example.com domain:

curl -v --silent https://example.com --stderr - | grep 200

If access is allowed, then you receive the following output:

< HTTP/2 200

The following example command tests HTTP access to http://www.google.com:

curl -v http://www.google.com

The following example output shows that the firewall rules are blocking HTTP traffic: the GET request and its headers are sent, but no response line comes back:

* Trying [IP_ADDRESS]...
* Connected to www.google.com ([IP_ADDRESS]) port 80 (#0)
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.79.1
> Accept: */*

The following example command tests HTTPS access to https://www.google.com:

curl -v https://www.google.com

The following example output shows that HTTPS traffic is blocked because the connection stops during the TLS handshake:

* Trying [IP_ADDRESS]...
* Connected to www.google.com ([IP_ADDRESS]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
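A small Python checker that turns the three curl outcomes shown above (a status line, a request sent with no reply, a Client Hello with no Server Hello) into a verdict, so an allowlist can be verified across many domains instead of by eye. This is an added example, not code from the article; it assumes curl is installed, and the transcripts it is tested on are constructed from the article's sample output.

```python
"""Classify `curl -v` transcripts into the outcomes the article describes.

Added example, not AWS code. classify_curl_output() works on captured text;
check_url() runs curl (assumed installed) with a timeout, because a flow
that Network Firewall drops gets no RST and would otherwise hang.
"""
import re
import subprocess

ALLOWED, BLOCKED_HTTP, BLOCKED_TLS, UNKNOWN = (
    "allowed", "blocked_http", "blocked_tls", "unknown")


def classify_curl_output(transcript: str) -> str:
    lines = transcript.splitlines()
    # Any status line from the server means the request got through.
    if any(re.match(r"^< HTTP/", line) for line in lines):
        return ALLOWED
    sent_hello = any("Client hello" in line for line in lines)
    got_hello = any("Server hello" in line for line in lines)
    # Client Hello sent, nothing back: dropped on the SNI (tls rules).
    if sent_hello and not got_hello:
        return BLOCKED_TLS
    # Request line sent, no response: dropped on the Host header (http rules).
    if any(re.match(r"^> (GET|HEAD|POST) ", line) for line in lines):
        return BLOCKED_HTTP
    return UNKNOWN  # e.g. DNS failure or connection refused


def check_url(url: str, timeout: int = 10) -> str:
    """Run the article's curl test for one URL and classify the result."""
    proc = subprocess.run(
        ["curl", "-v", "--silent", "--max-time", str(timeout), url],
        capture_output=True, text=True, check=False)
    return classify_curl_output(proc.stderr)


# Constructed transcripts reproducing the article's three sample outputs.
ALLOWED_LOG = "< HTTP/2 200\n"
BLOCKED_HTTP_LOG = "> GET / HTTP/1.1\n> Host: www.google.com\n> Accept: */*\n"
BLOCKED_TLS_LOG = ("* Connected to www.google.com ([IP_ADDRESS]) port 443 (#0)\n"
                   "* TLSv1.2 (OUT), TLS handshake, Client hello (1):\n")

if __name__ == "__main__":
    for label, log in [("allowed", ALLOWED_LOG), ("http", BLOCKED_HTTP_LOG),
                       ("tls", BLOCKED_TLS_LOG)]:
        print(label, "->", classify_curl_output(log))
```

To verify a whole allowlist, call check_url() for each domain in both http:// and https:// form and compare the verdicts with the intent of the rule group.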

Related information

Firewall policies in AWS Network Firewall

Creating a stateful rule group

Examples of stateful rules for AWS Network Firewall

Stateful domain list rule groups in AWS Network Firewall

Suricata compatible rule strings in AWS Network Firewall

AWS OFFICIAL. Updated 3 days ago.