Monday, April 28, 2025

AWS Network Firewall: Flow-Based Control Improves Security


Improved Network Security Management: Using AWS Network Firewall for Flow Management

AWS Network Firewall is a managed, stateful network firewall and intrusion detection and prevention service that lets you apply security rules to your VPC traffic with fine-grained control. This blog post covers two new AWS Network Firewall capabilities, flow capture and flow flush, which improve network visibility and security policy enforcement. Flow capture gives detailed visibility into active network flows for monitoring and troubleshooting, while flow flush lets you selectively terminate some or all flows. These capabilities help with routine network monitoring, troubleshooting and policy updates, and with security incidents where it is critical to isolate possibly compromised systems as quickly as possible.

Once the firewall allows a flow, that decision stands for the lifetime of the flow, even if the rules change afterwards. After you change firewall rules, for example by moving from a broad to a more tailored firewall policy, you may want to re-evaluate the existing flows against the new policy so that they comply with your updated security requirements.

This is especially helpful during security situations that call for quick action or in dynamic cloud environments where security regulations are modified often. By offering a native ability to recognise active flows and selectively flush their connection data from the firewall’s inspection engine, these new features give users more visibility and control over this essential component of firewall behaviour. As a result, when performing scheduled security updates or flushing questionable network traffic flows during security incidents, you can keep your network’s policy enforcement constant.

The AWS Network Firewall API and AWS Management Console provide access to these functions.

Let’s review some terminology before we get started with these new features.

Understanding the terminology:

  • Active flow: in AWS Network Firewall, a tracked network connection identified by a distinct 5-tuple (source IP, destination IP, source port, destination port and protocol). For the flow capture and flush features, an active flow is any flow that is not in a CLOSED state; for TCP, for instance, this covers sessions in the NEW or ESTABLISHED state.
  • Flow filter: a set of criteria (source IP address, destination IP address, source port, destination port, or protocol) that determines which active network flows to match. A single flow filter can match many flows that satisfy its criteria.
  • Flow capture: a firewall operation that takes a snapshot of all active flows matching the specified flow filter or filters at a given moment in time. Use it to inspect network traffic, investigate security events and confirm which flows would be affected before flushing.
  • Flow flush: a firewall operation that removes the subset of active flows matching your flow filter or filters from the firewall flow table at a given time. After the flush, packets belonging to those flows are treated as midstream flows and re-evaluated according to the stream exception policy.


Overview: Flow capture and flow flush operations workflow

For stateful inspection, AWS Network Firewall makes use of Suricata, an open-source intrusion detection and prevention system (IDS/IPS). The firewall keeps thorough connection state data in a flow table when examining your VPC traffic. This implies that the firewall is aware of the complete context of every network connection rather than just looking at individual packets.

There are two common scenarios for flushing flows: clearing all active flows (during troubleshooting or maintenance, for example) or flushing selectively by flow filter criteria such as IP address, port or protocol (for example, flushing long-running flows after a firewall rule update). You have two options: flush flows directly using predefined filters, or capture flows first, review them, and then flush. The firewall operation history lets you monitor and confirm the details of your capture and flush operations.

Let’s observe how the flush and flow capture features work:

To use the console to access these features:

  • Open the Amazon VPC console after logging into the AWS management console.
  • Choose Firewalls under Network Firewall in the navigation pane.
  • Choose the name of the firewall from which you wish to collect or flush flows under Firewalls.
  • The Configure flow capture and Configure flow flush options are located in the Firewall operations section.

Flow capture

This section will teach you how to use full or partial 5-tuple filters to capture active flows. Within the same VPC, traffic between subnets 10.0.1.0/24 and 10.0.2.0/24 is set up to pass via AWS Network Firewall for examination. Finding active flows on TCP port 80 from source subnet 10.0.1.0/24 to destination subnet 10.0.2.0/24 and flushing those flows are the objectives here.

[Image: AWS Network Firewall flow capture configuration. Image credit: AWS]

To begin using the console for flow capture:

  • Choose Configure flow capture to find active flows. A new window opens.
  • Choose the Availability Zone.
  • Enter the destination address or the source address (at least one field is needed).
  • You can optionally provide the Protocol (ICMP, TCP, UDP, IPv6-ICMP, or SCTP), Source Port, Destination Port, and Minimum Age of Flow.
  • Select “Add filter.” Up to 20 filters can be added using complete or partial 5-tuple combinations.
  • Select “Start capture.”

To capture traffic on TCP port 80 from subnet 10.0.1.0/24 to 10.0.2.0/24, only the first filter is required. To illustrate further filter options, more filters are displayed. Faster operation times are achieved by using more specialised filters.

When the capture finishes, the flow operation details list the flows that matched the filters.

Flow flush

You will discover how to flush flows based on a complete or partial 5-tuple in this section. Use the capture procedure outlined in the preceding section to identify active flows before flushing them. As an alternative, you can define new filters to flush particular active flows, which will start a new flow flush procedure.

Using the console to initiate a flow flush:

Option 1: Capture, then flush

  • From the results of the Configure flow capture procedure, choose Configure flow flush to flush the flows that match the filters you previously specified.
  • Choose Start flush to begin the flush operation.

Option 2: Direct flush

  • Under Firewall operations, choose Configure flow flush.
  • Set the filter parameters.
  • Choose Start flush.

You can view the flushed flows once the flow flush process is finished using either option.

To confirm the flush, you can run a flow capture operation after the flow flush. Clients usually try to reconnect after their flows are flushed; these retry attempts show up in the flow capture results because they are recorded in the firewall’s flow table. To keep retry flows from cluttering your capture results, use the Minimum age option as a filter.
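The capture-then-flush workflow above (Option 1), including the Minimum age filter used to keep reconnect attempts out of the results, expressed as API calls rather than console clicks. This is an added example, not code from the original post or from AWS: the boto3 method names (start_flow_capture, describe_flow_operation, list_flow_operation_results, start_flow_flush), the FlowFilters request shape and the Flows result shape are written from the public API reference as understood here and should be checked against current boto3 documentation; FIREWALL_ARN is a placeholder, and FakeNetworkFirewallClient is a constructed offline stand-in for boto3.client("network-firewall") with constructed flows.

```python
"""Capture-then-flush workflow for AWS Network Firewall flow operations.
Added example, not code from the original post or from AWS. The boto3 method
names, the FlowFilters request shape and the Flows result shape follow the
public API reference as understood here; verify them against current boto3
documentation. FakeNetworkFirewallClient is a constructed offline stand-in
for boto3.client("network-firewall")."""
import time

FIREWALL_ARN = "arn:aws:network-firewall:REGION:ACCOUNT:firewall/PLACEHOLDER"  # placeholder value

def build_flow_filter(source=None, destination=None, source_port=None,
                      destination_port=None, protocols=None):
    """Build one complete or partial 5-tuple filter; at least one address is required."""
    if not source and not destination:
        raise ValueError("a flow filter needs a source or a destination address")
    flt = {}
    if source:
        flt["SourceAddress"] = {"AddressDefinition": source}
    if destination:
        flt["DestinationAddress"] = {"AddressDefinition": destination}
    if source_port is not None:
        flt["SourcePort"] = str(source_port)
    if destination_port is not None:
        flt["DestinationPort"] = str(destination_port)
    if protocols:
        flt["Protocols"] = list(protocols)
    return flt

def wait_for_operation(client, firewall_arn, az, op_id, timeout=300, interval=5):
    """Poll until the operation leaves IN_PROGRESS and return its final status."""
    deadline = time.monotonic() + timeout
    while True:
        resp = client.describe_flow_operation(FirewallArn=firewall_arn, AvailabilityZone=az,
                                              FlowOperationId=op_id)
        if resp["FlowOperationStatus"] != "IN_PROGRESS":
            return resp["FlowOperationStatus"]
        if time.monotonic() > deadline:
            raise TimeoutError(f"flow operation {op_id} still running after {timeout}s")
        time.sleep(interval)

def list_all_flows(client, firewall_arn, az, op_id):
    """Collect every flow in an operation's results, following NextToken pagination."""
    flows, token = [], None
    while True:
        kwargs = {"FirewallArn": firewall_arn, "AvailabilityZone": az, "FlowOperationId": op_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_flow_operation_results(**kwargs)
        flows.extend(resp.get("Flows", []))
        token = resp.get("NextToken")
        if not token:
            return flows

def capture_then_flush(client, firewall_arn, az, flow_filters, min_age=0):
    """Option 1 from the post: capture matching flows, review them, then flush with the
    same filters. Returns a summary dict; no flush is issued when nothing matched."""
    common = {"FirewallArn": firewall_arn, "AvailabilityZone": az,
              "MinimumFlowAgeInSeconds": min_age, "FlowFilters": flow_filters}
    cap_id = client.start_flow_capture(**common)["FlowOperationId"]
    summary = {"capture_id": cap_id, "capture_status": wait_for_operation(client, firewall_arn, az, cap_id),
               "captured": 0, "flush_id": None, "flush_status": None, "flushed": 0}
    captured = list_all_flows(client, firewall_arn, az, cap_id)
    summary["captured"] = len(captured)
    if not captured:
        return summary
    flush_id = client.start_flow_flush(**common)["FlowOperationId"]
    summary["flush_id"] = flush_id
    summary["flush_status"] = wait_for_operation(client, firewall_arn, az, flush_id)
    summary["flushed"] = len(list_all_flows(client, firewall_arn, az, flush_id))
    return summary

class FakeNetworkFirewallClient:
    """Constructed stand-in: operations complete at once and results hold the constructed
    flows whose Age meets the requested MinimumFlowAgeInSeconds (the post's Minimum age filter)."""
    _FLOWS = [{"SourceAddress": "10.0.1.15", "DestinationAddress": "10.0.2.40", "SourcePort": "50212",
               "DestinationPort": "80", "Protocol": "TCP", "Age": 640},
              {"SourceAddress": "10.0.1.22", "DestinationAddress": "10.0.2.41", "SourcePort": "41873",
               "DestinationPort": "80", "Protocol": "TCP", "Age": 355}]
    def __init__(self):
        self.calls, self.min_age = [], 0
    def _start(self, kind, kw):
        self.calls.append((kind, kw))
        self.min_age = kw.get("MinimumFlowAgeInSeconds", 0)
        return {"FlowOperationId": f"{kind}-{len(self.calls)}", "FlowOperationStatus": "IN_PROGRESS"}
    def start_flow_capture(self, **kw):
        return self._start("capture", kw)
    def start_flow_flush(self, **kw):
        return self._start("flush", kw)
    def describe_flow_operation(self, **kw):
        return {"FlowOperationId": kw["FlowOperationId"], "FlowOperationStatus": "COMPLETED"}
    def list_flow_operation_results(self, **kw):
        return {"Flows": [f for f in self._FLOWS if f["Age"] >= self.min_age]}

if __name__ == "__main__":
    http_filter = build_flow_filter(source="10.0.1.0/24", destination="10.0.2.0/24",
                                    destination_port=80, protocols=["TCP"])
    print(capture_then_flush(FakeNetworkFirewallClient(), FIREWALL_ARN, "us-east-1a", [http_filter], 300))
```

Against a real firewall, replace the fake with boto3.client("network-firewall") and use the firewall's ARN; the capture result is returned before any flush is issued, so a caller can inspect the captured 5-tuples and abort if the filter matched more than intended, and a flush with the same filters is only sent when the capture matched something.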

If you have AWS Network Firewall flow logs enabled for the stateful engine, flushed flows also appear in the flow logs. These entries record the flow’s state before it was flushed, and the reason field indicates that the flow was flushed.

History of firewall operations

Using distinct operation IDs for the chosen Availability Zone (AZ), the Firewall operation history shows the capture and flush activities over the previous 12 hours. Any operation that is more than twelve hours old is automatically purged. You can view the specifics of each capture or flush flow operation by clicking on a particular Flow operation ID.

Things to know:

  • One action (flow capture or flow flush) can be carried out at a time per AZ per firewall. You can execute a flow capture or flow flush operation concurrently in many AZs if your firewall endpoints are spread across multiple AZs.
  • If you want to find or flush long-running flows, use the Minimum age option in the Filter settings. For instance, only flows that have been active for five or more minutes are included when the Minimum Age is set to 300 seconds.
  • Packets that reach the firewall after their flow state has been flushed are subject to the firewall policy’s stream exception policy. AWS advises using the reject stream exception policy for most applications.
  • Because the firewall infrastructure is distributed, the exact execution of capture and flush operations may vary slightly across firewall hosts. Capture and flush actions are distributed across the firewall system rather than running as point-in-time operations.
  • These features support both IPv4 and IPv6 flows.
  • For auditing purposes, AWS CloudTrail logs flow capture and flush operations as management events.
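Since flow capture and flush calls land in CloudTrail as management events, a defender can audit who flushed what. The script below is an added example, not code from the original post or from AWS: it assumes the standard CloudTrail record layout (eventSource, eventName, eventTime, userIdentity.arn, requestParameters, responseElements) and that the API calls are logged as StartFlowCapture and StartFlowFlush under the event source network-firewall.amazonaws.com; the camelCase parameter names, the principals and the records themselves are constructed. It rates a flush by a principal outside an approved list as HIGH and an approved flush whose filter matches every address as MEDIUM, because every connection it removes then falls under the stream exception policy.

```python
"""Audit flow capture and flush operations from AWS CloudTrail records.
Added example, not code from the original post or from AWS. Assumes the standard
CloudTrail record layout and that the calls are logged as StartFlowCapture and
StartFlowFlush under network-firewall.amazonaws.com; the camelCase parameter
names and all records below are constructed for this example."""

FLOW_EVENTS = {"StartFlowCapture", "StartFlowFlush"}
EVENT_SOURCE = "network-firewall.amazonaws.com"
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_RECORDS = [
    {"eventTime": "2025-04-28T09:12:01Z", "eventSource": EVENT_SOURCE, "eventName": "StartFlowCapture",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/NetSecOps/alice"},
     "requestParameters": {"availabilityZone": "us-east-1a", "minimumFlowAgeInSeconds": 300,
                           "flowFilters": [{"sourceAddress": {"addressDefinition": "10.0.1.0/24"},
                                            "destinationAddress": {"addressDefinition": "10.0.2.0/24"},
                                            "destinationPort": "80", "protocols": ["TCP"]}]},
     "responseElements": {"flowOperationId": "op-constructed-1"}},
    {"eventTime": "2025-04-28T09:13:40Z", "eventSource": EVENT_SOURCE, "eventName": "StartFlowFlush",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/NetSecOps/alice"},
     "requestParameters": {"availabilityZone": "us-east-1a", "minimumFlowAgeInSeconds": 300,
                           "flowFilters": [{"sourceAddress": {"addressDefinition": "10.0.1.0/24"},
                                            "destinationAddress": {"addressDefinition": "10.0.2.0/24"},
                                            "destinationPort": "80", "protocols": ["TCP"]}]},
     "responseElements": {"flowOperationId": "op-constructed-2"}},
    {"eventTime": "2025-04-28T11:02:17Z", "eventSource": EVENT_SOURCE, "eventName": "StartFlowFlush",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"availabilityZone": "us-east-1b", "minimumFlowAgeInSeconds": 0,
                           "flowFilters": [{"sourceAddress": {"addressDefinition": "0.0.0.0/0"}}]},
     "responseElements": {"flowOperationId": "op-constructed-3"}},
    {"eventTime": "2025-04-28T11:05:00Z", "eventSource": EVENT_SOURCE, "eventName": "DescribeFirewall",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}, "requestParameters": {}},
]

def describe_filter(flt):
    """Render one flow filter as 'src -> dst :dport/proto', with missing parts shown as *."""
    src = flt.get("sourceAddress", {}).get("addressDefinition", "*")
    dst = flt.get("destinationAddress", {}).get("addressDefinition", "*")
    port = flt.get("destinationPort", "*")
    proto = ",".join(flt.get("protocols", [])) or "*"
    return f"{src} -> {dst} :{port}/{proto}"

def is_broad(filters):
    """True if any filter constrains neither source nor destination to a real address range."""
    for flt in filters:
        src = flt.get("sourceAddress", {}).get("addressDefinition")
        dst = flt.get("destinationAddress", {}).get("addressDefinition")
        if (src is None or src in ANY_ADDRESS) and (dst is None or dst in ANY_ADDRESS):
            return True
    return False

def audit_flow_operations(records, approved_principals):
    """Return one finding per capture/flush call. A flush by a principal whose ARN does not
    start with an approved prefix is HIGH; an approved flush with a broad filter is MEDIUM
    (every affected connection falls under the stream exception policy); otherwise INFO."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != EVENT_SOURCE or rec.get("eventName") not in FLOW_EVENTS:
            continue
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters", {})
        filters = params.get("flowFilters", [])
        flush = rec["eventName"] == "StartFlowFlush"
        approved = any(principal.startswith(p) for p in approved_principals)
        broad = is_broad(filters)
        if flush and not approved:
            severity = "HIGH"
        elif flush and broad:
            severity = "MEDIUM"
        else:
            severity = "INFO"
        findings.append({"time": rec.get("eventTime"), "event": rec["eventName"], "principal": principal,
                         "az": params.get("availabilityZone"), "min_age": params.get("minimumFlowAgeInSeconds"),
                         "filters": [describe_filter(f) for f in filters], "broad": broad,
                         "operation_id": rec.get("responseElements", {}).get("flowOperationId"),
                         "severity": severity})
    return findings

if __name__ == "__main__":
    approved = ["arn:aws:sts::111122223333:assumed-role/NetSecOps/"]
    for f in audit_flow_operations(SAMPLE_RECORDS, approved):
        print(f["severity"], f["time"], f["event"], f["principal"], f["az"], f["filters"])
```

In practice the records come from the CloudTrail Lake or S3 trail export for the account, and the approved-principal prefixes are the roles that own firewall change management; the finding's operation_id can be matched against the Firewall operation history in the console for the 12 hours that history is retained.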


In conclusion

You discovered in this post how you can use the flow capture and flush capabilities to find and clear out existing flows and verify your security setups, including the implementations of stream exception policies, whenever you need to. Organisations may use these improved features to keep an eye on network traffic, react fast to security incidents, and ensure that their updated security rules are applied uniformly to all active connections. These features are enabled by default for both new and existing clients, and using them comes at no extra cost.

Thota Nithya
Thota Nithya has been writing Cloud Computing articles for govindhtech since April 2023. She is a science graduate and a cloud computing enthusiast.