What is AWS Network Firewall?

Amazon Web Services (AWS) is a giant in the cloud networking space: its Virtual Private Network (VPN) service provides scalable network infrastructure for millions of organizations across the globe. This popularity also comes with risk, however; AWS cloud security follows a shared responsibility model, and AWS’ answer to network-level threats is AWS Network Firewall.

Integrating easily into pre-provisioned AWS networks, the AWS Network Firewall is a managed, scalable network security service that allows you to control a virtual network’s traffic with customizable rules.

Why Use AWS Network Firewall?

A firewall acts as a barrier between a trusted internal network and untrusted external networks, like the internet. Its primary role is to monitor and control incoming and outgoing network traffic against predetermined security rules, called policies. These let the firewall identify potentially malicious requests from external devices and the public internet and block them.

While they’re commonly deployed at network perimeters, firewalls can also be stationed internally; this allows for the segmentation of an organization’s particularly sensitive environments. Cloud native firewalls are a popular choice for this, since their flexible architecture makes them easy to implement, manage, and scale up and down.

Since Infrastructure as a Service (IaaS) providers are already overwhelmingly popular, many of those same providers have chosen to offer firewalls as well as compute power. This way, clients can implement the firewall from the same dashboard as the rest of their network infrastructure. AWS Network Firewall is the firewall service that AWS offers to its Virtual Private Cloud (VPC) customers.

Since VPC customers already use AWS for their virtual network provisioning, an AWS network firewall can prove a highly logical step toward securing those resources.

How AWS Network Firewall Works

AWS Network Firewall works by deploying firewall endpoints within a VPC’s dedicated subnets; all incoming and outgoing traffic is routed to pass through these endpoints for inspection. When analyzing this traffic, the firewall employs both stateless and stateful rule engines.

The distinction between stateless and stateful rulesets lies in how traffic is evaluated and the depth of inspection applied.

Stateless Rulesets

Stateless rules operate independently on each packet, without regard to the context of previous or subsequent packets. These rules evaluate individual packet attributes, such as source and destination IP addresses, ports, protocols, and TCP flags. Since they do not maintain session context, stateless rules are ideal for high-speed filtering of simple conditions, such as blocking traffic from known malicious IPs or allowing specific protocols.

Stateful Rulesets

Stateful rules maintain awareness of traffic sessions by tracking connection states such as new, established, and related – and assessing how they change over time. This allows policies to be written around each device’s session rather than around individual packets, which lets AWS Network Firewall support more complex rule logic, such as detecting suspicious connection patterns and performing application-layer filtering.

In order to reduce latency and minimize unnecessary resource use, AWS’ firewall analyzes stateless rules first. If no match is found, traffic is then forwarded to the stateful engine for deeper analysis.

The types of rules that AWS firewalls can implement span vast swathes of security configurations. For instance, it’s possible to allow traffic from only known AWS service domains or endpoints, such as Amazon S3, to specific subnets that only need that level of access. Custom lists of known malicious domains can be implemented, allowing for VPC-hosted applications to automatically drop any connection linked to them.
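The two-stage evaluation described above can be seen in a small simulation. The following is an added illustration written for this page, not AWS code: the stateless engine runs first in rule-priority order, anything it does not decide falls to the default action aws:forward_to_sfe and goes to the stateful engine, and the stateful engine keeps a flow table so that the server’s reply to a connection it already allowed is recognised. The rule and packet formats, the flow-table logic, the addresses (documentation ranges) and the drop-by-default stateful posture are all simplifying assumptions.

```python
"""Toy model of the order in which AWS Network Firewall evaluates traffic.
Added illustration, not AWS code; formats and addresses are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Stateless action names as AWS spells them; stateful verdicts are plain words.
PASS, DROP, FORWARD = "aws:pass", "aws:drop", "aws:forward_to_sfe"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                               # "tcp" or "udp"
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass
class Rule:
    action: str
    priority: int = 0                        # only meaningful for stateless rules
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[FrozenSet[str]] = None   # match if all listed flags are set

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.flags is None or self.flags <= p.flags))


def stateless_verdict(rules: List[Rule], p: Packet, default: str = FORWARD) -> str:
    """Lowest priority number is checked first; first match wins, else default."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.matches(p):
            return r.action
    return default


class StatefulEngine:
    """Strict-order stateful engine with a direction-agnostic flow table.
    Assumption: an unmatched new flow is dropped (allow-list posture)."""

    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = rules
        self.default = default
        self.flows: Dict[tuple, str] = {}    # flow key -> "new" | "established"

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        # Same key in both directions, so the server's reply finds the flow.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def evaluate(self, p: Packet) -> str:
        key = self.flow_key(p)
        if key in self.flows:
            # Continuation of a connection a pass rule already admitted.
            if "ACK" in p.flags:
                self.flows[key] = "established"
            return "pass"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.flows[key] = "new"
                return r.action
        return self.default


def run_pipeline(stateless: List[Rule], engine: StatefulEngine,
                 packets: List[Packet]) -> List[str]:
    """Return one "engine:verdict" string per packet, in order."""
    verdicts = []
    for p in packets:
        v = stateless_verdict(stateless, p)
        verdicts.append("stateful:" + engine.evaluate(p) if v == FORWARD else "stateless:" + v)
    return verdicts


# Constructed sample policy; every address is a documentation range.
STATELESS_RULES = [
    Rule(DROP, priority=1, src="198.51.100.0/24"),                    # constructed "known bad" range
    Rule(PASS, priority=10, proto="udp", dport=53, dst="10.0.0.2/32"),  # resolver traffic skips DPI
]
STATEFUL_RULES = [
    Rule("drop", proto="tcp", dport=23, src="10.0.0.0/16"),           # no outbound telnet
    Rule("pass", proto="tcp", dport=443, src="10.0.0.0/16"),          # outbound HTTPS allowed
]
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.1.10", "tcp", 40000, 22, frozenset({"SYN"})),
    Packet("10.0.1.10", "10.0.0.2", "udp", 50000, 53),
    Packet("10.0.1.10", "203.0.113.5", "tcp", 50001, 443, frozenset({"SYN"})),
    Packet("203.0.113.5", "10.0.1.10", "tcp", 443, 50001, frozenset({"SYN", "ACK"})),
    Packet("10.0.1.10", "203.0.113.5", "tcp", 50002, 23, frozenset({"SYN"})),
    Packet("10.0.1.10", "203.0.113.5", "tcp", 50003, 8080, frozenset({"SYN"})),
]


def demo() -> List[str]:
    return run_pipeline(STATELESS_RULES, StatefulEngine(STATEFUL_RULES), SAMPLE_PACKETS)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, demo()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict}")
```

The fourth packet is the point of the flow table: the SYN/ACK from 203.0.113.5 matches no stateful rule on its own (its destination port is an ephemeral port, not 443), yet it passes because the engine remembers the outbound connection it admitted one packet earlier. The second packet never reaches the stateful engine at all, which is the latency saving the text refers to.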

Deep packet inspection can further help detect malware and suspicious behaviour within both incoming and outgoing network requests. To support downstream logging and security analysis, the firewall also preserves the original source and destination IP addresses of the traffic it inspects, which makes it a bona fide option for organizations new to cloud security.

Key AWS Firewall Features

AWS Network Firewall is a popular choice for network security: the following features contribute significantly to its popularity.

Fully Managed, Highly Available

AWS Network Firewall is a fully managed service that simplifies the deployment and maintenance of AWS network protection across the provider’s VPCs. It automatically scales with your network traffic and offers built-in redundancies to ensure high availability, eliminating the need for manual infrastructure management.

Flexible, Fine-Grained Controls

The AWS firewall provides a flexible rules engine that allows you to define thousands of custom firewall rules for granular policy enforcement. These rules can be based on various traffic attributes, including IP addresses, ports, protocols, domain names, and specific patterns: collectively, these enable precise control over network traffic.

Centralized Policy Management

The companion service, AWS Firewall Manager, provides a central place to configure and manage firewall rules across your AWS Organization. This integration allows consistent security policy enforcement across multiple accounts and VPCs, streamlining administrative tasks and helping ensure compliance.

Deep Packet Inspection and Intrusion Prevention

The service allows for deep packet inspection (DPI) and intrusion prevention capabilities. It utilizes Suricata-compatible rule groups to perform stateful inspection of traffic flows, enabling the detection and prevention of known threats such as malware and exploits. Additionally, AWS provides managed rule groups that offer predefined, regularly updated rules for common threat signatures, helping streamline management.

Outbound and Inbound Traffic Filtering

AWS Network Firewall enables filtering of both inbound and outbound traffic, helping organizations meet compliance requirements and prevent data exfiltration. It supports filtering based on URLs, IP addresses, and domain names, and can leverage Server Name Indication (SNI) for inspecting encrypted traffic. This functionality is crucial for blocking communication with known malicious hosts and controlling access to unauthorized destinations.
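The Suricata-compatible stateful rule groups and the SNI-based domain filtering mentioned in the two sections above use the same rule syntax. What follows is an added example written for this page, not AWS or Suricata code: a minimal parser for the Suricata-format rules that AWS Network Firewall accepts in a stateful rule group, applied to constructed flow records that carry a TLS SNI or an HTTP Host header. It assumes strict-order evaluation (first matching rule wins), that an unmatched flow passes, and parses only the option subset used in the constructed rules (tls.sni and http.host buffers, the dotprefix and nocase transforms, content, startswith, endswith, msg, sid); $HOME_NET is the VPC CIDR list passed to evaluate(), and all addresses and domain names are constructed.

```python
"""Minimal parser and evaluator for Suricata-format stateful rules of the kind
AWS Network Firewall accepts. Added example, not AWS or Suricata code."""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed rule text in the style AWS documents for domain allow-listing.
RULES_TEXT = """
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"allow AWS service endpoints"; sid:1; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; content:"updates.example.com"; startswith; endswith; msg:"allow update server"; sid:2; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"drop all other outbound TLS"; sid:3; rev:1;)
drop http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"drop all other outbound HTTP"; sid:4; rev:1;)
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|drop|alert|reject)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(line: str) -> Dict:
    """Split the header into fields and the option list into the subset we model."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    rule = m.groupdict()
    rule.update(buffer=None, transforms=[], content=None, anchors=set(), msg="", sid=None)
    for opt in (o.strip() for o in rule.pop("opts").split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key in ("tls.sni", "http.host"):
            rule["buffer"] = key              # sticky buffer the content test applies to
        elif key in ("dotprefix", "nocase"):
            rule["transforms"].append(key)
        elif key == "content":
            rule["content"] = val
        elif key in ("startswith", "endswith"):
            rule["anchors"].add(key)
        elif key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def parse_rules(text: str) -> List[Dict]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def addr_matches(spec: str, addr: str, home_nets: List[str]) -> bool:
    if spec == "any":
        return True
    in_home = any(ip_address(addr) in ip_network(n) for n in home_nets)
    if spec == "$HOME_NET":
        return in_home
    if spec == "$EXTERNAL_NET":
        return not in_home
    return ip_address(addr) in ip_network(spec, strict=False)


def content_matches(rule: Dict, flow: Dict) -> bool:
    if rule["content"] is None:
        return True                           # header-only rule
    buf = flow.get("sni") if rule["buffer"] == "tls.sni" else flow.get("host")
    if buf is None:
        return False
    needle = rule["content"]
    if "dotprefix" in rule["transforms"]:
        buf = "." + buf                       # ".example.com" then matches the apex domain too
    if "nocase" in rule["transforms"]:
        buf, needle = buf.lower(), needle.lower()
    if rule["anchors"] == {"startswith", "endswith"}:
        return buf == needle                  # both anchors pin the whole buffer
    if "startswith" in rule["anchors"]:
        return buf.startswith(needle)
    if "endswith" in rule["anchors"]:
        return buf.endswith(needle)
    return needle in buf                      # unanchored content is only a substring test


def evaluate(rules: List[Dict], flow: Dict, home_nets: List[str],
             default: str = "pass") -> Tuple[str, Optional[int]]:
    """Strict order: the first rule whose header and content match decides."""
    for r in rules:
        if (r["proto"] == flow["proto"]
                and addr_matches(r["src"], flow["src"], home_nets)
                and addr_matches(r["dst"], flow["dst"], home_nets)
                and (r["sport"] == "any" or int(r["sport"]) == flow["sport"])
                and (r["dport"] == "any" or int(r["dport"]) == flow["dport"])
                and content_matches(r, flow)):
            return r["action"], r["sid"]
    return default, None


HOME_NETS = ["10.0.0.0/16"]                   # constructed VPC CIDR
FLOWS = [                                     # constructed flow records
    {"proto": "tls", "src": "10.0.1.5", "sport": 51000, "dst": "203.0.113.9", "dport": 443, "sni": "s3.us-east-1.amazonaws.com"},
    {"proto": "tls", "src": "10.0.1.5", "sport": 51001, "dst": "203.0.113.9", "dport": 443, "sni": "cdn.example.net"},
    {"proto": "http", "src": "10.0.1.5", "sport": 51002, "dst": "203.0.113.10", "dport": 80, "host": "updates.example.com"},
    {"proto": "http", "src": "10.0.1.5", "sport": 51003, "dst": "203.0.113.10", "dport": 80, "host": "updates.example.com.internal"},
    {"proto": "tls", "src": "10.0.1.5", "sport": 51004, "dst": "10.0.2.7", "dport": 443, "sni": "intranet.example.com"},
]


def demo() -> List[Tuple[str, Optional[int]]]:
    rules = parse_rules(RULES_TEXT)
    return [evaluate(rules, f, HOME_NETS) for f in FLOWS]


if __name__ == "__main__":
    for flow, (action, sid) in zip(FLOWS, demo()):
        print(flow.get("sni") or flow.get("host"), "->", action, "sid", sid)
```

Two details are worth noticing. The fourth flow shows why the allow rule anchors its content with both startswith and endswith: without them, content is a substring test and a host such as updates.example.com.internal would also satisfy it. The fifth flow shows that rules scoped $HOME_NET to $EXTERNAL_NET leave intra-VPC TLS untouched, so it falls through to the default; if that is not the intent, the default action or the rule scope needs to change.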

AWS Network Firewall vs. Security Groups vs. NACLs

The traffic within AWS’ VPCs can be monitored and controlled in a number of different ways. AWS Network Firewall, Security Groups, and Network Access Control Lists (NACLs) each represent the different scopes of AWS network security.

Security Groups are a simpler form of virtual firewall attached directly to the EC2 instances (and other resources) in each VPC. Every VPC is automatically provisioned with a default Security Group, and resource owners can further control which IP addresses, protocols, and port ranges may reach or leave each instance or resource.

NACLs are very similar to Security Groups: every VPC also includes a default NACL, and NACLs define exactly which IP ranges can access the VPC. Whereas Security Groups are defined at the resource level, NACLs are applied to the wider subnet.

AWS Network Firewall is a complete service that provides advanced, centralized traffic filtering for VPCs. Its endpoints are deployed at the perimeter of the network, and it filters malicious traffic according to the firewall policy attached to those endpoints.

While a fantastic addition to AWS services, AWS firewall limitations are often felt as an organization grows into multi-cloud architectures. This means that a more robust solution is often called for.

Secure your Multi-Cloud Traffic with Check Point CloudGuard

Determine how well your AWS networks are protected with an AWS security checkup. As close collaborators with AWS, Check Point offers one of the highest rates of malware detection, helping keep virtual networks secure from external and insider threats. Check Point helps thousands of organizations retain control over the security of their sensitive networks, no matter the underlying architecture. Explore how CloudGuard and AWS collaborated on network security in our whitepaper, or go straight to our Check Point AWS marketplace page.

Check Point CloudGuard is a cloud-native firewall that offers on-premises, hybrid, and cloud-based network security. Beyond firewall features, it also provides DLP and IPS to automatically identify and categorize network threats, and it supports rapid threat management through IaC tool integration and a single, cohesive dashboard for complete reporting and management.

Start taking strides toward next-level AWS security and schedule a CloudGuard network security demo.