After configuring an explicit deny rule (TCP Deny Any Any) in AWS Network Firewall, I noticed that the Suricata and domain list rules became ineffective due to their dependency on the TLS handshake over TCP ports.
I then configured AWS Network Firewall with Suricata to allow traffic only to specific whitelisted FQDNs and block all other public IP addresses. The configuration is as follows:
########## Suricata Allowed Domain - Priority: 1 ##########
EXTERNAL_NET -> any
HOME_NET -> 10.0.0.0/8
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"securityhub.me-central-1.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS whitelisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
########## Suricata Explicit Deny Rule - Priority: 12 ##########
drop tcp $HOME_NET any -> $EXTERNAL_NET ![80,443] (msg:"Drop all outgoing traffic except TCP port 80 and 443"; sid:278963;)
drop tcp $EXTERNAL_NET ![80,443] -> $HOME_NET any (msg:"Drop all incoming traffic except return traffic on ports 80 and 443"; sid:27894;)
Despite these configurations, TLS inspection was successful. However, I discovered a security concern: I was able to establish connections to non-whitelisted public IPs (e.g., using telnet to 154.44.33.XX) instead of the intended curl command to the whitelisted FQDN. This allows unauthorized IP connections, which is against our security policy.
I seek assistance in clarifying if there is a limitation within AWS Network Firewall that prevents blocking all public IP connections unless they match whitelisted FQDNs. Specifically, I need to ensure that only whitelisted URLs are accessible and that direct IP connections are blocked.
Reference: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-examples.html
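As an added example (not part of the original post), the following Python model of strict-order rule evaluation shows why the posted rule set never drops a raw TCP session to port 443 on an arbitrary public IP: the `pass tls` rule only fires once a ClientHello carrying an SNI is seen, and the `![80,443]` drops deliberately exclude the web ports. The `FIXED` list adds an assumed catch-all `drop tcp ... [80,443] (flow:to_server, established;)` after the allowlist; whether that exact rule fits your rule group ordering is an assumption to verify against the AWS documentation, and the flows are constructed.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    proto: str            # "tcp", or "tls" once a ClientHello with SNI is seen
    dst_port: int
    sni: str = ""
    established: bool = True   # first data packet of the flow

@dataclass
class Rule:
    action: str           # "pass" or "drop"
    proto: str            # "tcp" matches any TCP flow, "tls" only TLS flows
    ports: frozenset = frozenset()   # empty = any destination port
    negate: bool = False  # ![80,443]: match ports NOT in the set
    sni: str = ""         # tls.sni; startswith; endswith; nocase
    established: bool = False        # flow:to_server, established

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto == "tls" and flow.proto != "tls":
        return False      # telnet never sends a ClientHello, so tls rules skip it
    if rule.ports and (flow.dst_port in rule.ports) == rule.negate:
        return False
    if rule.established and not flow.established:
        return False
    if rule.sni and flow.sni.lower() != rule.sni.lower():
        return False
    return True

def verdict(rules, flow) -> str:
    # Strict order: the first matching rule decides; no match means default allow.
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "pass"

ALLOWED = "securityhub.me-central-1.amazonaws.com"
WEB = frozenset({80, 443})
# The rule set from the post (priority 1 pass, priority 12 drop), in order.
POSTED = [Rule("pass", "tls", frozenset({443}), sni=ALLOWED, established=True),
          Rule("drop", "tcp", WEB, negate=True)]
# Assumed fix: after the allowlist, drop every other established outbound TCP
# flow to the web ports; this catches raw telnet and non-allowlisted SNI alike.
FIXED = POSTED + [Rule("drop", "tcp", WEB, established=True)]

def check(rules):
    telnet = Flow("tcp", 443)                     # constructed: telnet <public IP> 443
    curl = Flow("tls", 443, sni=ALLOWED)          # constructed: curl to allowlisted FQDN
    other = Flow("tls", 443, sni="other.example") # constructed: non-allowlisted SNI
    return tuple(verdict(rules, f) for f in (telnet, curl, other))
```

Running `check(POSTED)` returns pass for all three flows, which is the behaviour observed in the post; `check(FIXED)` passes only the allowlisted TLS flow.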