Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

AWS Network Firewall : Suricata to filter on tls protocol for specific domain doesn't work

0

Do I need TLS inspection enabled to block HTTPS domains with Suricata rules in AWS Network Firewall?

Hi AWS Networking community,

I’m running an architecture where all outbound Internet traffic from my workloads is centralized through an EGRESS VPC, and before reaching the Internet, it must traverse an INSPECTION VPC hosting AWS Network Firewall (ANFW) across three Availability Zones.

I’ve created a stateful Suricata rule group in strict order, with a rule intended to block HTTPS traffic based on the TLS SNI field, for example:

drop tls $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"Block TLS to google.com"; tls.sni; dotprefix; content:".google.com"; endswith; nocase; flow:to_server; sid:1001; rev:1; ) However, when I test by initiating a TLS connection to google.com (using curl from a EC2 Instance), the traffic is still allowed and no drop/reject events appear in my CloudWatch logs.

My questions are:

Does AWS Network Firewall require a TLS inspection configuration (i.e. MITM with ACM certificates) in order for Suricata rules using tls.sni to match and block HTTPS domains?

If TLS inspection is required, what are the minimum configuration steps to enable it for outbound-only decryption and inspection?

If TLS inspection is not required, what else could prevent my Suricata drop tls … tls.sni rule from ever matching?

Thanks in advance for any guidance or pointers to relevant documentation!

Topics
Management & GovernanceNetworking & Content DeliverySecurity, Identity, & Compliance
Tags
Amazon CloudWatch LogsAWS Network FirewallNetworking & Content Delivery
Language
English
asked 10 months ago733 views
2 Answers
0

If all of the checks in the answer above have validated, there are two main scenarios where an SNI will fail to match. Firstly, the request may not have an SNI within it. This is an unusual scenario that typically only occurs with old versions of OpenSSL. The other possibility is down to a fragmented Client Hello request. To allow Suricata to correctly detect the SNI in this event, add the keyword of ssl_state:client_hello to your "drop tls" rule and give it another test.

AWS
answered 9 months ago
  • Samuel
    9 months ago

    Hello, Before using the drop i start to analyze if i get the log provided by alert rule in my CW alert loggroup.

    I have also enable on my firewall policy default actions Alert established Alert all Drop established

    My alerting rule in suricata format are the following

    Log all HTTP traffic

    alert http any any -> any any (msg:"ALERT: HTTP Traffic Logged"; sid:9999995;) alert http any any -> any any (msg:"ALERT: HTTP Traffic Detected"; flow:to_server; sid:9999997;)

    Log all TLS (HTTPS) traffic

    alert tls any any -> any any (ssl_state:client_hello;msg:"ALERT: TLS Traffic Logged"; sid:9999996;)

    My architecture is similar to this -> https://d2908q01vomqb2.cloudfront.net/5b384ce32d8cdef02bc3a139d4cac0a22bb029e8/2020/11/19/index.png

    But i update the Transit Gateway Firewall Route Table to send the return traffic to the ANFW relates to this post (https://repost.aws/questions/QUuPzaGCjyQ8CHC9XjVZfk6Q/unable-to-see-http-logs-in-aws-network-firewall-cloudwatch-only-udp-logs).

    So in my log actually i didn't get the trigger of my suricata rules and i have the following log due to default actions (from alert logroup):

    "event": {
    "src_ip": "10.20.0.136",
    "src_port": 37002,
    "event_type": "alert",
    "alert": {
        "severity": 3,
        "signature_id": 2,
        "rev": 0,
        "signature": "aws:alert_strict action",
        "action": "allowed",
        "category": ""
    }
  • mofaized-AWS
    9 months ago

    This sounds very much like you have asymmetric routing occurring in your architecture. I would carefully validate every routing hop between your client and the firewall, not forgetting to check the return route and validate that traffic is remaining in the correct AZ.

0

No, you do not need TLS inspection enabled to block HTTPS domains with Suricata rules in AWS Network Firewall.

For HTTPS traffic, AWS Network Firewall can use the Server Name Indication (SNI) extension in the TLS handshake to determine the domain name that the client is trying to connect to, without requiring TLS inspection. The tls.sni keyword in Suricata rules works without decrypting the traffic because the SNI is part of the TLS handshake and is sent in plaintext.

When TLS inspection is enabled, Network Firewall actually ends the TLS connection initiated by the client and decrypts traffic before it reaches the stateful inspection engine. In this case, most TLS-based keywords won't match except for TLS.SNI, which still works.

For your specific issue, there could be several reasons why your rule isn't matching:

  1. Check that your rule syntax is correct. The example you provided looks generally correct, but ensure there are no typos.

  2. Verify that the traffic is actually flowing through the Network Firewall. Check your route tables to ensure traffic is being directed to the firewall endpoints.

  3. Ensure that your rule group is properly associated with your firewall policy, and that the firewall policy is associated with your firewall.

  4. Check the priority of your rules. If you have other rules with higher priority that are allowing the traffic, your block rule might never be evaluated.

  5. Verify that your HOME_NET and EXTERNAL_NET variables are correctly defined for your network architecture.

  6. Make sure you're using the correct protocol (443) and that the traffic is actually using TLS with SNI.

If all these are correct, you might want to try using "reject" instead of "drop" to see if that makes a difference, as suggested in some troubleshooting scenarios.
Sources
Considerations when working with TLS inspection configurations in AWS Network Firewall - AWS Network Firewall
Issue with AWS Network Firewall - Suricata Rules Allowing Connections to Non-Whitelisted Public IPs | AWS re:Post
Stateful domain list rule groups in AWS Network Firewall - AWS Network Firewall

answered 10 months ago
AWS
SUPPORT ENGINEER
reviewed 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content