Issue with AWS Network Firewall - Suricata Rules Allowing Connections to Non-Whitelisted Public IPs

After configuring an explicit deny rule (TCP Deny Any Any) in AWS Network Firewall, I noticed that the Suricata and domain list rules became ineffective due to their dependency on the TLS handshake over TCP ports.

I then configured AWS Network Firewall with Suricata to allow traffic only to specific whitelisted FQDNs and block all other public IP addresses. The configuration is as follows:

########## Suricata Allowed Domain - Priority: 1 ##########
Rule group variables: EXTERNAL_NET -> any, HOME_NET -> 10.0.0.0/8

pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"securityhub.me-central-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS whitelisted FQDNs"; flow:to_server, established; sid:1; rev:1;)

########## Suricata Explicit Deny Rule - Priority: 12 ##########

drop tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"Drop all outgoing traffic except TCP port 80 and 443"; sid:278963;)

drop tcp $EXTERNAL_NET ![80,443] -> $HOME_NET any (msg:"Drop all incoming traffic except return traffic on ports 80 and 443"; sid:27894;)


Despite these configurations, TLS inspection was successful. However, I discovered a security concern: I was able to establish connections to non-whitelisted public IPs (e.g., using telnet to 154.44.33.XX) instead of the intended curl command to the whitelisted FQDN. This allows unauthorized IP connections, which is against our security policy.

I seek assistance in clarifying if there is a limitation within AWS Network Firewall that prevents blocking all public IP connections unless they match whitelisted FQDNs. Specifically, I need to ensure that only whitelisted URLs are accessible and that direct IP connections are blocked.

Reference: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html

2 Answers

In order to block those connections that are directly using an IP address, you need to add a rule that inspects the SNI for IP addresses. There is one included in the examples page that you have linked:

reject tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; ssl_state:client_hello; content:"."; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; msg:"IP in TLS SNI (direct to IP, likely no DNS resolution first)"; flow:to_server; sid:1239848;)

AWS
answered 2 months ago
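As an added illustration (not code from the question, this answer or AWS), a small Python model of how strict-order evaluation of the rules quoted on this page treats the cases under discussion: a TLS ClientHello whose SNI is a bare IPv4 literal (the constructed value 154.44.33.10 stands in for the 154.44.33.XX of the question), the whitelisted FQDN, and a non-TLS session on a non-web port. The rule group's default action is not stated on the page, so flows that match nothing are reported as "default" rather than assumed.

```python
import re
from typing import Callable, List, Optional, Tuple

# Constructed policy model of the page's rules (not a Suricata engine): each rule
# is (action, predicate) and AWS Network Firewall strict order is modelled as
# "first matching rule decides". A flow matching no rule falls through to the
# rule group's default action, returned as the marker "default" (not on the page).
ALLOWED_FQDNS = {"securityhub.me-central-1.amazonaws.com"}

# pcre from the answer's rule: an SNI that is a bare dotted-quad IPv4 literal.
IP_LITERAL_SNI = re.compile(r"^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")

class Flow:
    """Outbound flow from $HOME_NET: destination port plus the TLS SNI, if any."""
    def __init__(self, dst_port: int, sni: Optional[str] = None) -> None:
        self.dst_port = dst_port
        self.sni = sni  # None models a non-TLS session such as telnet

def pass_whitelisted_fqdn(f: Flow) -> bool:
    # pass tls ... 443 (tls.sni; content:"<fqdn>"; startswith; nocase; endswith;)
    # startswith + endswith together make this an exact, case-insensitive match.
    return f.dst_port == 443 and f.sni is not None and f.sni.lower() in ALLOWED_FQDNS

def reject_ip_in_sni(f: Flow) -> bool:
    # reject tls ... (tls.sni; ssl_state:client_hello; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/")
    return f.sni is not None and IP_LITERAL_SNI.match(f.sni) is not None

def drop_non_web_ports(f: Flow) -> bool:
    # drop tcp $HOME_NET any -> $EXTERNAL_NET ![80,443]
    return f.dst_port not in (80, 443)

Rule = Tuple[str, Callable[[Flow], bool]]
QUESTION_RULES: List[Rule] = [("pass", pass_whitelisted_fqdn), ("drop", drop_non_web_ports)]
WITH_SNI_RULE: List[Rule] = [("pass", pass_whitelisted_fqdn),
                             ("reject", reject_ip_in_sni),
                             ("drop", drop_non_web_ports)]

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """Return the action of the first matching rule, or "default" if none matches."""
    for action, matches in rules:
        if matches(flow):
            return action
    return "default"

if __name__ == "__main__":
    for label, rules in (("question's rules", QUESTION_RULES), ("with SNI rule", WITH_SNI_RULE)):
        print(label, "- IP-literal SNI on 443:", evaluate(rules, Flow(443, "154.44.33.10")))
        print(label, "- whitelisted FQDN:", evaluate(rules, Flow(443, "SecurityHub.me-central-1.amazonaws.com")))
        print(label, "- telnet to port 23:", evaluate(rules, Flow(23)))
```

Under the question's rules the IP-literal SNI on port 443 matches neither the pass nor the drop rule and lands on the default action; with the answer's rule inserted before the drop rules it is rejected, while the whitelisted FQDN still passes.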
Hi,

I think that your rule should start with reject instead of drop

See examples on this page: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html

Best,

Didier

AWS
EXPERT
answered 2 months ago
