Network Firewall sometimes misses L7

0

Using AWS Network Firewall with one Suricata rule group in strict rule order, dropping established connections.

The firewall is in another VPC connected to the main VPC using TGW (the firewall VPC attachment is set to appliance mode).

Allowing TLS and HTTP towards the Internet is not enough, as sometimes it misses layer 7, seeing only TCP/443 or TCP/80.

The rule group looks like this:

    pass http 10.10.0.0/16 any -> any 80 (sid:1;)
    pass tcp 10.10.0.0/16 any -> any 80 (sid:2;)
    pass tls 10.10.0.0/16 any -> any 443 (sid:3;)
    pass tcp 10.10.0.0/16 any -> any 443 (sid:4;)

If I'm not using rules 2 and 4, I get occasional drops, and the logs show no "app_proto", only the TCP port.

This is just an example; this happens not only towards the Internet and not only for these L7 protocols, but also for SSH, for example.

  • It sometimes looks like this in the logs, when it seems to be the same session, where one record shows no app_proto (mostly the one with the most recent log timestamp):

        timestamp                src_ip       src_port  dest_ip        proto  dest_port  app_proto  az
        2022-02-20T11:15:24.000  10.10.0.225  45214     32.24.176.158  TCP    443                   eu-west-1a
        2022-02-20T11:15:24.000  10.10.0.225  45214     32.24.176.158  TCP    443        tls        eu-west-1a
        2022-02-20T11:15:24.000  10.10.0.225  45214     32.24.176.158  TCP    443        tls        eu-west-1a
        2022-02-20T11:15:24.000  10.10.0.225  45214     32.24.176.158  TCP    443        tls        eu-west-1a

    and for some destinations it never gets the L7 protocol.
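As an added triage aid (not part of the original post or of AWS's tooling), the script below groups firewall log records by 5-tuple and separates flows that were fully labelled with an app_proto from flows that were only partly labelled or never labelled at all, which is the distinction the question is circling: an L7-only `pass tls`/`pass http` rule cannot match a record that carries no app_proto, so those are the destinations where only the plain `pass tcp` fallback keeps the connection alive. The sample records are constructed from the table in the question plus one constructed TEST-NET destination (203.0.113.7) that is never labelled; the JSON nesting (`event.src_ip`, `event.app_proto`, ...) is an assumption about the log layout, so adjust the accessor if your records differ.

```python
import json
from collections import defaultdict

# Constructed sample records modelled on the table in the question.
# The column names come from the question; the JSON nesting under "event"
# is an assumption about the log layout.
SAMPLE_LOG = """\
{"availability_zone": "eu-west-1a", "event": {"timestamp": "2022-02-20T11:15:24.000", "src_ip": "10.10.0.225", "src_port": 45214, "dest_ip": "32.24.176.158", "dest_port": 443, "proto": "TCP"}}
{"availability_zone": "eu-west-1a", "event": {"timestamp": "2022-02-20T11:15:24.000", "src_ip": "10.10.0.225", "src_port": 45214, "dest_ip": "32.24.176.158", "dest_port": 443, "proto": "TCP", "app_proto": "tls"}}
{"availability_zone": "eu-west-1a", "event": {"timestamp": "2022-02-20T11:15:24.000", "src_ip": "10.10.0.225", "src_port": 45214, "dest_ip": "32.24.176.158", "dest_port": 443, "proto": "TCP", "app_proto": "tls"}}
{"availability_zone": "eu-west-1a", "event": {"timestamp": "2022-02-20T11:15:24.000", "src_ip": "10.10.0.225", "src_port": 45214, "dest_ip": "32.24.176.158", "dest_port": 443, "proto": "TCP", "app_proto": "tls"}}
{"availability_zone": "eu-west-1a", "event": {"timestamp": "2022-02-20T11:16:01.000", "src_ip": "10.10.0.225", "src_port": 45300, "dest_ip": "203.0.113.7", "dest_port": 443, "proto": "TCP"}}
{"availability_zone": "eu-west-1a", "event": {"timestamp": "2022-02-20T11:16:02.000", "src_ip": "10.10.0.225", "src_port": 45300, "dest_ip": "203.0.113.7", "dest_port": 443, "proto": "TCP"}}
{"availability_zone": "eu-west-1a", "event": {"timestamp": "2022-02-20T11:16:05.000", "src_ip": "10.10.0.40", "src_port": 51000, "dest_ip": "203.0.113.9", "dest_port": 22, "proto": "TCP", "app_proto": "ssh"}}
"""


def flow_key(event):
    """5-tuple that identifies one session across its log records."""
    return (event["src_ip"], event["src_port"], event["dest_ip"],
            event["dest_port"], event["proto"])


def summarize_flows(log_text):
    """Count records per flow and note which app_proto labels were seen."""
    flows = defaultdict(lambda: {"records": 0, "without_app_proto": 0,
                                 "app_protos": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)["event"]
        summary = flows[flow_key(event)]
        summary["records"] += 1
        app_proto = event.get("app_proto")
        if app_proto:
            summary["app_protos"].add(app_proto)
        else:
            summary["without_app_proto"] += 1
    return dict(flows)


def classify(summary):
    """never_detected: no record carried an app_proto; partially_detected:
    some records did and some did not (the pattern in the question's table)."""
    if not summary["app_protos"]:
        return "never_detected"
    if summary["without_app_proto"]:
        return "partially_detected"
    return "detected"


def destinations_needing_fallback(log_text):
    """Map (dest_ip, dest_port) -> classification for flows where an L7-only
    pass rule would not have matched every logged record."""
    result = {}
    for key, summary in summarize_flows(log_text).items():
        verdict = classify(summary)
        if verdict != "detected":
            result[(key[2], key[3])] = verdict
    return result


def fallback_rule(src_cidr, dest_port, sid):
    """Same shape as rules 2 and 4 in the question: a plain tcp pass rule that
    matches even when Suricata has not labelled the application protocol."""
    return f"pass tcp {src_cidr} any -> any {dest_port} (sid:{sid};)"


if __name__ == "__main__":
    for dest, verdict in sorted(destinations_needing_fallback(SAMPLE_LOG).items()):
        print(dest, verdict)
```

Run it against an export of the firewall's flow or alert log instead of `SAMPLE_LOG`; destinations that come back as `never_detected` are the ones the question describes as never getting an L7 protocol, and `partially_detected` flows show the mixed sessions from the table.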

1 Answer
0

Hi,

Currently AWS Network Firewall does not support TLS decryption. This is why you cannot identify what app is running on port 443.

Reference: https://aws.amazon.com/network-firewall/faqs/

**Q: Can AWS Network Firewall inspect encrypted traffic?**

AWS Network Firewall does not currently support deep packet inspection for encrypted traffic. To work around this limitation, you can decrypt traffic using a Network Load Balancer (NLB) before sending it to an AWS Network Firewall endpoint. Also, for HTTPS traffic, AWS Network Firewall can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.

Best, Diego

AWS
EXPERT
answered 2 years ago
