Hi,
Cannot speak for 3rd party firewalls, but as far as AWS Network Firewall is concerned, here is some useful information that you can go through:
- You can see the list of features supported here: AWS Network Firewall Features
- Compliance validation for Network Firewall
- Blog explaining Deployment models/design patterns
- If you want to try hands-on you can always try the workshop/lab
- AWS Network Firewall FAQs
Hope this helps
In sensitive environments, its trivial bypass flaw is likely to be an issue. A client can set any allowed hostname in the TLS SNI handshake or the HTTP Host header and connect to any IP address in the world and send data out. Most other 3rd party firewalls check FQDNs allowed for valid IP addresses (from DNS perhaps) as well.
Read more about it here: https://canglad.com/blog/2023/aws-network-firewall-egress-filtering-can-be-easily-bypassed/
Bypass example: curl -v --connect-to "api.github.com:443:1.1.1.1:443" -k -H "Host: one.one.one.one" https://api.github.com/
Example assumes you've allowed api.github.com but not one.one.one.one (Cloudflare), but is able to successfully connect to the latter via AWS Network Firewall. Example was taken from https://chasersystems.com/discriminat/comparison/aws-network-firewall/
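The check the answer above says other firewalls perform (tying an allowed FQDN to the addresses it actually resolves to) can be modelled in a few lines. The script below is an added example, not code from the re:Post thread, from AWS, or from the linked blog posts. It runs a name-only verdict and a name-plus-IP verdict over constructed flow records and reports the flows that only the name-only filter would pass; those are the candidate bypass attempts a defender wants to alert on. The resolver answers are a constructed in-memory table (the 203.0.113.x addresses are documentation-range placeholders) so it runs offline; a real deployment would populate that table from the resolver the clients actually use, for example Route 53 Resolver query logs, so that CDN and round-robin answers line up with what the client connected to.

```python
"""Name/IP consistency check for SNI- or Host-based egress allowlists.

Added example (not from the re:Post answer or AWS). A filter that inspects only
the TLS SNI or HTTP Host value accepts any destination IP as long as the name
is allowlisted; this check additionally requires the destination IP to be one
the allowlisted name resolves to.
"""
from dataclasses import dataclass

# Allowlist as the thread's example assumes: api.github.com permitted, one.one.one.one not.
ALLOWED_FQDNS = {"api.github.com"}

# Constructed resolver snapshot (hypothetical addresses, not live DNS data).
RESOLVED = {
    "api.github.com": {"203.0.113.10", "203.0.113.11"},
    "one.one.one.one": {"1.1.1.1", "1.0.0.1"},
}


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: str  # TLS SNI or HTTP Host value seen at the inspection point


def name_only_verdict(flow: Flow) -> bool:
    """Decision of a name-only filter: allowed iff the SNI/Host is allowlisted."""
    return flow.sni in ALLOWED_FQDNS


def name_and_ip_verdict(flow: Flow, resolved: dict = RESOLVED) -> bool:
    """Allowed iff the name is allowlisted AND dst_ip is an address that name resolves to."""
    if flow.sni not in ALLOWED_FQDNS:
        return False
    return flow.dst_ip in resolved.get(flow.sni, set())


def find_mismatches(flows: list, resolved: dict = RESOLVED) -> list:
    """Flows a name-only filter passes but the name-plus-IP check rejects.

    These are the records worth alerting on: the presented name does not match
    the address the client actually connected to.
    """
    return [f for f in flows if name_only_verdict(f) and not name_and_ip_verdict(f, resolved)]


# Constructed sample flows mirroring the thread's curl example: the client
# presents api.github.com as SNI/Host but connects to a Cloudflare address.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 443, "api.github.com"),  # legitimate
    Flow("10.0.1.5", "1.1.1.1", 443, "api.github.com"),       # name/IP mismatch
    Flow("10.0.1.7", "1.1.1.1", 443, "one.one.one.one"),      # blocked by both checks
]

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_FLOWS):
        print(f"ALERT name/IP mismatch: {f.src_ip} -> {f.dst_ip}:{f.dst_port} sni={f.sni}")
```

Run as a script it prints one alert, for the flow that carries an allowed name to a non-matching address. Feeding it real flow logs only works if the SNI or Host value is available alongside the 5-tuple, which is why the check belongs at a proxy or inspecting firewall rather than in plain VPC Flow Logs.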
