- Log in to the AWS console and go to the VPC services menu. Go to the section AWS Network firewall and choose Firewalls and choose create Firewall
2. The next step when creating the firewall is choose the name of the firewall and an optional description.
3. Choose the VPC required to create the AWS network firewall. The next step is to choose the required Availability zone and subnets. It is recommended to use multiple subnets. You add new subnets by clicking the Add new subnet and choose the other availability zones and subnets required.
4. All data is encrypted but if you wanted to encrypt the data using a specific key instead of the default one. Click customise encryption settings and either choose an existing KMS key or create a new KMS key
6. It is recommended to enable delete protection and any subnet change protection. It is also recommended to add tags by clicking Add new tag to identify the firewall properly.
7. The next step is to click Create firewall to start the provisioning of the AWS Network firewall
8. With the above steps, a Network firewall and an empty firewall policy are created. The next step is to create rules which will be associated with the firewall policy. To start the process to create rules click Add rule groups.
Creating a stateless rule group and rules
10. To create a stateless rule choose to create stateless rule group option and choose a Name and ideally put a description.
The capacity parameter is critical as it cannot be modified or changed later so try to use a good number. You can always create more rules groups but there is a limit (currently 20 for both stateless and stateful). For the current limit and quotes refer to the following link https://docs.aws.amazon.com/network-firewall/latest/developerguide/quotas.html. Putting a capacity of 5000 doesn’t mean 5000 rules but all the objects part of that rule group cannot exceed the limit of 5000 objects.
Similar to the previous option, If you want to use custom encryption settings click the customize encryption settings
11. The next step is to start building the rules needed, the rule priority is important to make sure that rules are processed properly. After choosing the rule priority, the protocol matching the traffic is needed. The traffic protocol could be TCP, UDP, ICMP or all protocols. To add specific protocols remove the all protocols option. As a security best practise try to choose specific protocols rather than all protocols.
12. Once the protocols are chosen, the next parameters are the source and destination criteria. Since TCP and UDP are chosen, we have the option to set source and destination ports. If the source and destination needs by ANY click the dropdown menu showing Custom and choose Any IPv4 address.
Warning: ANY means all IP ranges which include Internal and external IP addresses. If internal IP ranges need to be excluded create deny rule before the permitting rule.
13. The next step is to define the action of the matching traffic which could be allowed or denied or forwarded to stateful rules. There is also a custom action option which can be used to publish custom metrics in Cloudwatch. For more information about custom actions, refer to https://docs.aws.amazon.com/network-firewall/latest/developerguide/monitoring-cloudwatch.html
14. The next step is to create the actual rule by clicking the add rule button and the last setup is to attach the rule to the rule group by clicking the Create and add
An example to allow the 172.31.0.0/20 range to ANY address on port 80,443 is shown below:
Creating a stateful rule group and rules
15. To create a stateful rule group and rules, click on create stateful rule group
16. Similarly to the stateless rule group, a rule group name is needed,the rule group capacity, the custom encryption settings are needed.
17. For stateful rules there are three types of rules
18. 5-tuple is similar to the stateless option, where you need to specify the protocol, source IPs, destination IPs and the source/destination ports but there is an option to set labels which is optional.
Variables can be used to match IP or Ports to be used in the Suricata rules option
If variables are set, Variables can be used in the source and destination fields by choosing Custom
19. The next step is to define the action needed when the traffic matches which can be allowed, dropped or Alert. The alert option means traffic is allowed and a log is generated. You can also specify whether traffic is allowed in any direction or just forward. Forward means the source and destination criteria need to match exactly. The ANY traffic direction means the source and destination criteria can exactly match or be reversed i.e the source is the destination and the destination is the source. So any direction means traffic is allowed bi-directional. Once the traffic direction and action are chosen click the add rule button
20. The next step is to optionally add tags and click Create and add
21. If more rules are needed to be added, choose the required rule group and click edit rules.
Adding a domain rule
22. To create a domain list a new stateful rule group needs to be created since it cannot use the rule group used 5-tuple or Suricata IPS rules. From the menu click on network firewall rule groups
23. Click create network firewall rule group and choose Stateful rule group
24. Similarly to the previous 5-tuple configuration, a Name for the rule group and capacity limit is needed
25. To specify domain list configuration, choose domain list. In the Domain name source, enter the DNS domain or FQDN required (for example www.test.com or test.com). The next step is to specify the source IP ranges needed. Choose the protocols (leave both ideally) and define the action needed
26. The next step is add tags if needed and then create stateful rule group
28. Choose the firewall policy and click next
29. Choose the rule group needed and click next at the bottom of the page
30. Add tags if required and click next
31. The next step is to click the add rule group to firewall policy button
Adding a Suricata compatible IPS rules
32. A new rule group is needed and similarly to the previous rules groups, a Name for the rule group and the capacity is needed.
34. The next step is to choose the rule order whether it is strict or not
36. Enter the Suricata rules as needed
Important:
Each rule needs to contain the sid value as soon below as the end of each rule.
You can replace the any value with Variables configured in step 35
For more information refer to https://suricata.readthedocs.io/en/suricata-6.0.2/ (Note currently the latest suricata version supported by the network firewall is version 6.0.2) Refer to https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-ips.html to determine if newer version are supported.
37. Add tags if necessary and click create stateful rule group
38. The next step is to create AWS managed rules group by choosing the firewall policies
39. Click the Action button from stateful rule groups section and Choose Add managed stateful rule groups
39. Choose the required Managed rules available and check whether the traffic matches the rule is dropped or only in alert mode. The different rules consume different capacity metrics and the total capacity must not exceed the 30k value. Once all the managed rules are chosen click add to policy