Domain Allowlist AWS Network Firewall

0

I'm trying to test the viability of network firewall as an egress filter but having some trouble understanding the rule set implementation. I'd like the firewall to act as a filter for outbound web traffic for internal protected subnets. I've configured a specific subnet for the firewall to reside in. The protected private subnet's route table specifies the firewall VPC endpoint ID. The FW route table uses a NAT gateway as the next hop outbound. Traffic flow looks sane. It seems to be the rule sets which are causing me difficulty. I assumed I'd be able to use the domain lists as an allowlist to allow web traffic to specific domains only but when implementing via stateful rules, traffic to any domain is allowed to pass. Is there a requirement to implement a domain list in combination with a standard 5 tuple ruleset? Or is it something else required?

Dave
asked 2 years ago2417 views
2 Answers
1

Hi, just checking have you configured a source IP for the rule group? make sure you have the correct source IP address on the list as otherwise the rule won't apply to the traffic flow.

Also if you have access to AWS console then perhaps try the Lab here, run the cloudformation templates and compare what the Lab has provisioned to what your have configured --- the example in the Lab will only allow egress web traffic that is configured on the domain list. https://networkfirewall.workshop.aws/setup/centralmodel/_deploy.html

profile pictureAWS
EXPERT
answered 2 years ago
profile picture
EXPERT
reviewed 3 months ago
0

Thanks for your reply schen. My understanding wasn't quite up to par. With more playing around last night and this morning I'm in a better place.

I started from scratch and followed the following design guide to adjust the routing setup to match best practice (I previously had the NAT gateway as next hop for the firewall subnet): https://docs.aws.amazon.com/network-firewall/latest/developerguide/arch-igw-ngw.html

There are effectively two different ways to provision a firewall, default or strict. I have now tried both methods for both TLS and plain HTTP traffic using the sample rules provided here: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html

My preference is the strict firewall type as it allows for easier mixing of protocol types when creating the required suricata flow rules.

An example of a working strict suricata stateful rules permitting the explicit domains: pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".example.com"; endswith; msg:"Allowed HTTP domain"; sid:892120; rev:1;) pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"example.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; sid:2; rev:1;) pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".google.com"; endswith; msg:"Allowed HTTP domain"; sid:3; rev:1;) pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"www.google.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; sid:4; rev:1;) pass tcp $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; sid:899998; rev:1;) pass tcp $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; sid:899999; rev:1;)

Dave
answered 2 years ago
profile picture
EXPERT
reviewed 3 months ago
  • Hi Dave, were you able to make this work? I'm running into a similar issues

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions