Network Firewall sometimes misses L7


Using AWS Network Firewall with one Suricata rule group in strict rule order, dropping established connections.

The firewall is in another VPC connected to the main VPC using TGW (the firewall VPC attachment is set to appliance mode).

Allowing TLS and HTTP towards the Internet is not enough, as sometimes it misses layer 7, seeing only TCP/443 or TCP/80.

The rule group looks like this:

pass http 10.10.0.0/16 any -> any 80 (sid:1;)
pass tcp 10.10.0.0/16 any -> any 80 (sid:2;)
pass tls 10.10.0.0/16 any -> any 443 (sid:3;)
pass tcp 10.10.0.0/16 any -> any 443 (sid:4;)

If I'm not using rules 2 and 4 I get occasional drops, and the logs show no "app_proto", only the TCP port.

This is just an example; this happens not only towards the Internet and not only for these L7 protocols, but also for SSH, for example.

It sometimes looks like this in the logs, when it seems to be the same session, and one record shows no app_proto, mostly the one with the most recent log timestamp:

timestamp                  src_ip       src_port  dest_ip         proto  dest_port  app_proto  az
2022-02-20T11:15:24.000    10.10.0.225  45214     32.24.176.158   TCP    443        (none)     eu-west-1a
2022-02-20T11:15:24.000    10.10.0.225  45214     32.24.176.158   TCP    443        tls        eu-west-1a
2022-02-20T11:15:24.000    10.10.0.225  45214     32.24.176.158   TCP    443        tls        eu-west-1a
2022-02-20T11:15:24.000    10.10.0.225  45214     32.24.176.158   TCP    443        tls        eu-west-1a

And for some destinations it never gets the L7 protocol.
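As an added example (not code from the original post or from AWS), here is a small offline Python script that does the two checks the question describes: it finds 5-tuples that are logged both with and without an app_proto, and it simulates a strict-order rule group to show which records would fall through to the policy's default action when the plain tcp fallback rules (sids 2 and 4) are absent. The log lines are constructed for the example in the shape of Network Firewall flow logs (Suricata eve fields under an "event" key); the destination addresses, ports and firewall name are assumed, and the rule matcher is a deliberately simplified model of Suricata's header matching (an app-layer keyword such as tls only matches once the flow has been classified), not the real engine.

```python
"""Offline checker for AWS Network Firewall flow logs (added example, not AWS code).

Finds sessions logged with and without app_proto, and simulates strict-order
evaluation of a rule group to show which records would hit the default drop.
"""
import json
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network


def _flow_line(src_ip, src_port, dest_ip, dest_port, app_proto=None, az="eu-west-1a"):
    """Build one constructed flow-log line shaped like a Network Firewall netflow event."""
    event = {"timestamp": "2022-02-20T11:15:24.000000+0000", "event_type": "netflow",
             "src_ip": src_ip, "src_port": src_port,
             "dest_ip": dest_ip, "dest_port": dest_port, "proto": "TCP"}
    if app_proto is not None:  # real logs simply omit app_proto when detection never ran
        event["app_proto"] = app_proto
    return json.dumps({"firewall_name": "example-fw", "availability_zone": az,
                       "event_timestamp": "1645355724", "event": event})


# Constructed sample lines: the question's session plus a few assumed extra flows.
SAMPLE_LOG_LINES = [
    _flow_line("10.10.0.225", 45214, "32.24.176.158", 443),         # same session, no app_proto
    _flow_line("10.10.0.225", 45214, "32.24.176.158", 443, "tls"),
    _flow_line("10.10.0.225", 45214, "32.24.176.158", 443, "tls"),
    _flow_line("10.10.0.225", 45214, "32.24.176.158", 443, "tls"),
    _flow_line("10.10.0.225", 51000, "203.0.113.10", 443),          # destination never classified
    _flow_line("10.10.0.225", 51001, "203.0.113.20", 80, "http"),
    _flow_line("10.20.0.5", 51002, "203.0.113.20", 443, "tls"),     # source outside 10.10.0.0/16
]

FIVE_TUPLE = ("src_ip", "src_port", "dest_ip", "dest_port", "proto")


def parse_flow_records(lines):
    """Flatten each JSON netflow line into a dict with the fields the rule model needs."""
    records = []
    for line in lines:
        ev = json.loads(line)["event"]
        if ev.get("event_type") != "netflow":
            continue
        rec = {k: ev[k] for k in FIVE_TUPLE}
        rec["app_proto"] = ev.get("app_proto")  # None when the firewall never saw L7
        records.append(rec)
    return records


def flows_with_inconsistent_app_proto(records):
    """5-tuples logged both with and without an app_proto (the pattern in the question)."""
    seen = defaultdict(set)
    for rec in records:
        seen[tuple(rec[k] for k in FIVE_TUPLE)].add(rec["app_proto"])
    return {k: v for k, v in seen.items() if None in v and len(v) > 1}


RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(sid:(\d+);\)$")


def parse_rule(text):
    """Parse the header of a simple Suricata rule: action proto src sport -> dst dport (sid:N;)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text}")
    action, proto, src, sport, dst, dport, sid = m.groups()
    return {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "sid": int(sid)}


def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == int(port)


def rule_matches(rule, rec):
    """Simplified model of Suricata header matching: 'tcp' matches on the transport alone,
    while an app-layer keyword (tls, http, ssh, ...) only matches a classified flow, so a
    record with no app_proto can never match it."""
    if rule["proto"] == "tcp":
        proto_ok = rec["proto"] == "TCP"
    elif rule["proto"] == "ip":
        proto_ok = True
    else:
        proto_ok = rec["proto"] == "TCP" and rec["app_proto"] == rule["proto"]
    return (proto_ok and _addr_match(rule["src"], rec["src_ip"])
            and _port_match(rule["sport"], rec["src_port"])
            and _addr_match(rule["dst"], rec["dest_ip"])
            and _port_match(rule["dport"], rec["dest_port"]))


def evaluate_strict_order(rules, rec, default_action="drop"):
    """Strict rule order: the first matching rule decides. Returns (action, sid or None).
    The policy's default 'drop established' is modelled as a plain drop of the record."""
    for rule in rules:
        if rule_matches(rule, rec):
            return rule["action"], rule["sid"]
    return default_action, None


def dropped_records(rule_texts, lines):
    """Records that would fall through to the default action under the given rule group."""
    rules = [parse_rule(t) for t in rule_texts]
    return [rec for rec in parse_flow_records(lines) if evaluate_strict_order(rules, rec)[0] == "drop"]


RULES_WITHOUT_FALLBACK = ["pass http 10.10.0.0/16 any -> any 80 (sid:1;)",
                          "pass tls 10.10.0.0/16 any -> any 443 (sid:3;)"]
RULES_WITH_FALLBACK = ["pass http 10.10.0.0/16 any -> any 80 (sid:1;)",
                       "pass tcp 10.10.0.0/16 any -> any 80 (sid:2;)",
                       "pass tls 10.10.0.0/16 any -> any 443 (sid:3;)",
                       "pass tcp 10.10.0.0/16 any -> any 443 (sid:4;)"]

if __name__ == "__main__":
    print("sessions logged with and without app_proto:",
          flows_with_inconsistent_app_proto(parse_flow_records(SAMPLE_LOG_LINES)))
    for name, rules in (("without tcp fallback", RULES_WITHOUT_FALLBACK),
                        ("with tcp fallback", RULES_WITH_FALLBACK)):
        dropped = dropped_records(rules, SAMPLE_LOG_LINES)
        print(f"{name}: {len(dropped)} record(s) fall through to the default drop")
        for rec in dropped:
            print("  ", rec)
```

Run directly, the script evaluates both rule sets against the sample lines: the record from the question's session that carries no app_proto is dropped only when the tcp rules are missing, the unclassified destination is dropped the same way, and the source outside 10.10.0.0/16 is dropped under either rule set. To apply it to real logs, feed the netflow lines from the firewall's flow log destination into parse_flow_records.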

1 answer

Hi,

Currently AWS Network Firewall does not support TLS decryption. This is why you cannot identify what app is running on port 443.

Reference: https://aws.amazon.com/network-firewall/faqs/

**Q: Can AWS Network Firewall inspect encrypted traffic?**

AWS Network Firewall does not currently support deep packet inspection for encrypted traffic. To work around this limitation, you can decrypt traffic using a Network Load Balancer (NLB) before sending it to an AWS Network Firewall endpoint. Also, for HTTPS traffic, AWS Network Firewall can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.

Best, Diego

AWS Expert, answered 2 years ago
