Prevent AWS Network Firewall host header spoofing

0

I was thinking of replacing my Squid proxy with AWS Network Firewall to restrict outbound FQDN connections with allowlist domains, since AWS itself provides multiple samples in blogs and github code. However, I noticed that you can still bypass outbound restrictions if you spoof the host header.

Example: Given that outbound egress is allowed only for aws.amazon.com,

The following shows how you could bypass this restriction to access external resources.

This is true regardless of using domain lists or Suricata rules.

According to the AWS docs, perhaps this is a known issue.

For HTTPS traffic, Network Firewall uses the Server Name Indication (SNI) extension in the TLS handshake to determine the hostname, or domain name, that the client is trying to connect to. For HTTP traffic, Network Firewall uses the HTTP host header to get the name. In both cases, Network Firewall doesn't pause connections to do out-of-band DNS lookups. It uses the SNI or host header, not the IP addresses, when evaluating domain list rule groups. If you want to inspect IP addresses, to mitigate situations where the SNI or host headers have been manipulated, write separate rules for that and use them in conjunction with or in place of your domain list rules.

How could I "write separate rules" to mitigate this problem?

It seams to me as if all the information promoting the migration of Squid to Network Firewall encourages a false sense of security. Maybe I am missing something? Perhaps the docs should be more clear about it?

1 Answer
1

Here AWS guides to Write separate rules.

**Suricata rule **that simultaneously matches both the IP address and the SNI (Server Name Indication) within a single rule presents a complex challenge due to Suricata's inherent packet-based inspection nature. Suricata is inherently designed for analyzing individual packets and lacks native support for correlating data across multiple packets to effectively validate both IP addresses and SNI values in unison.

While Suricata isn't inherently tailored for combined IP address and SNI matching, a robust security approach can still be achieved by employing a multipart rule strategy, each rule concentrating on specific part of the traffic.

Here's how to address the concern through distinct rules for IP address and SNI checks:

**

  1. IP Address Match Rule:** Generate a rule that Matches traffic based on IP addresses, ensuring traffic is routed to designated IP destinations, Where you can Specify the IP Address of the Allowed domains
alert ip any any -> 172.217.31.131 any (msg:"Outbound traffic to AWS IP"; sid:100002; rev:1;)

** 2.SNI Match Rule:** Develop a rule that examines the SNI field within the TLS handshake. This rule aids in detecting traffic where the SNI deviates from the anticipated domain.

alert tls any any -> any any (msg:"Possible SNI Mismatch"; tls_sni; content:"aws.amazon.com"; nocase; sid:100001; rev:1;)

While these rules function independently, collectively, they contribute to an encompassing inspection strategy by addressing distinct IP address and SNI aspects. This approach adheres to the established practice of employing layered defense mechanisms in network security.

By utilizing multiple rules that target specific components of network traffic, you can attain a heightened level of security and acquire insights into potential threats like IP address spoofing or SNI manipulation. Although these rules do not explicitly link IP addresses and SNI values, they enhance overall network monitoring capabilities, thus contributing to a more resilient security landscape.

It's worth noting that the functionalities of Suricata may evolve over time, so it remains prudent to stay informed about the latest enhancements and best practices through official documentation and community resources.

AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions