
Deploy a firewall that should allow or drop traffic based on customisable rules


Firewall for Url filtering

Mystique Unicorn App is looking to deploy a firewall that should allow or drop traffic based on customizable rules. The team is looking for your help to achieve this. Can you help them?

(Image: Miztiik Automation - AWS Network Firewall for Url filtering)

🎯 Solutions

Up until very recently, network-level prevention in AWS has been quite limited to:

  • Creating Security Groups to limit various types of layer 3 and 4 traffic
  • Creating Network Access Control Lists (NACLs) to limit layer 3 and 4 traffic
  • Routing traffic through a custom network appliance running as an EC2 instance

This is not enough in many use-cases; you also want the ability to take action based on the payload. The recently launched AWS Network Firewall [1] provides active traffic flow inspection, so you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names. At launch you have the following capabilities:

  • Allow or Deny based on source IP and/or port, destination IP and/or port, and protocol (also known as 5-tuple)
  • Allow or Deny based upon domain names
  • Allow or Deny based upon Suricata-compatible IPS rules

(Architecture diagram: Miztiik Automation - AWS Network Firewall for Url filtering)

In this demo, we will build an architecture similar to the one shown above. We will start backwards so that all the dependencies are satisfied.

  1. 🧰 Prerequisites

    This demo, its instructions, scripts and CloudFormation template are designed to be run in us-east-1. With a few modifications you can try it out in other regions as well (not covered here).

    • 🛠 AWS CLI Installed & Configured - Get help here
    • 🛠 AWS CDK Installed & Configured - Get help here
    • 🛠 Python packages. Change the commands below to suit your OS; the following is written for Amazon Linux 2
      • Python3 - yum install -y python3
      • Python Pip - yum install -y python-pip
      • Virtualenv - pip3 install virtualenv
  2. ⚙️ Setting up the environment

    • Get the application code

      git clone https://github.com/miztiik/url-filtering-with-nw-firewall
      cd url-filtering-with-nw-firewall
  3. 🚀 Prepare the dev environment to run AWS CDK

    We will use cdk to make our deployments easier. Let's go ahead and install the necessary components.

    # You should have npm pre-installed
    # If you DONT have cdk installed
    npm install -g aws-cdk
    
    # Make sure you are in the root directory of the repository
    python3 -m venv .venv
    source .venv/bin/activate
    pip3 install -r requirements.txt

    The very first time you deploy an AWS CDK app into an environment (account/region), you'll need to install a bootstrap stack. Otherwise just go ahead and deploy using cdk deploy.

    cdk bootstrap
    cdk ls
    # Follow on screen prompts

    You should see an output listing the available stacks:

    url-filtering-with-nw-firewall-vpc-stack
    url-filtering-with-nw-firewall-stack
    secured-workload-on-ec2-stack
  4. 🚀 Deploying the application

    Let us walk through each of the stacks.

    • Stack: url-filtering-with-nw-firewall-vpc-stack

      This stack will create a custom VPC to host our firewall and test workload.

      Initiate the deployment with the following command,

      cdk deploy url-filtering-with-nw-firewall-vpc-stack
    • Stack: url-filtering-with-nw-firewall-stack

      This stack deploys the network firewall in the firewall subnet. We create stateful rules, as they offer better control, and forward all stateless traffic to the stateful rule engine so that every flow passes through our rule set.

      This stack will create 3 rules:

      • ALLOW-For-Domains - Allows traffic from the workloads in the VPC only to these two domains: "aws.com", "google.com".
      • DENY-For-Domains - Denies traffic from the workloads in the VPC to these two domains: ".example.com", ".modi-am-i.com".
      • DENY-On-Url - Any request with the text deny_test in the URL is denied. NOTE: This rule is not attached to the firewall yet; we will add it later during the testing phase.
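As an added illustration (not the repository's CDK code), the following Python builds Suricata-compatible rule text that expresses these three rule groups. The rule shape for the two domain-list groups is my hand-written equivalent and an assumption about what AWS generates for a domain-list rule group; only the DENY-On-Url message comes from the demo.

```python
# Added example, not the repository's CDK code. Hand-written Suricata-compatible
# rules that express the demo's three rule groups. What AWS generates internally
# for a domain-list rule group is an assumption here; only DENY-On-Url's message
# ("Miztiik drop tcp traffic") comes from the demo itself.
HOME_NET, EXT_NET = "$HOME_NET", "$EXTERNAL_NET"   # HOME_NET = the VPC CIDR in the policy

def _dotted(domain):
    # A leading dot means "this domain and all its subdomains" in the domain list.
    return domain if domain.startswith(".") else "." + domain

def _fqdn_rules(action, domains, msg, sid):
    # dotprefix + endswith makes ".aws.com" match aws.com and x.aws.com, not notaws.com.
    rules = []
    for d in domains:
        for proto, buf in (("http", "http.host"), ("tls", "tls.sni")):
            rules.append(f'{action} {proto} {HOME_NET} any -> {EXT_NET} any '
                         f'({buf}; dotprefix; content:"{_dotted(d)}"; endswith; '
                         f'msg:"{msg}"; sid:{sid}; rev:1;)')
            sid += 1
    return rules, sid

def allow_for_domains(domains, sid=1000):
    """ALLOW-For-Domains: pass listed FQDNs, then drop all other HTTP/TLS flows.
    Suricata evaluates pass before drop, so the catch-all only hits unlisted hosts."""
    rules, sid = _fqdn_rules("pass", domains, "matching allowlisted FQDNs", sid)
    for proto in ("http", "tls"):
        rules.append(f'drop {proto} {HOME_NET} any -> {EXT_NET} any '
                     f'(msg:"not matching any allowlisted FQDNs"; sid:{sid}; rev:1;)')
        sid += 1
    return rules

def deny_for_domains(domains, sid=2000):
    """DENY-For-Domains: drop flows whose Host header or TLS SNI is on the list."""
    return _fqdn_rules("drop", domains, "matching denylisted FQDNs", sid)[0]

def deny_on_url(needle="deny_test", sid=3000):
    """DENY-On-Url: inspect the HTTP request path. Only works for plaintext HTTP;
    over HTTPS the path is encrypted and the firewall sees the SNI alone."""
    return [f'drop http {HOME_NET} any -> {EXT_NET} any (http.uri; content:"{needle}"; '
            f'msg:"Miztiik drop tcp traffic"; sid:{sid}; rev:1;)']

def sids_unique(rules):
    """Suricata refuses duplicate sids, so check the combined set before deploying."""
    sids = [r.split("sid:")[1].split(";")[0] for r in rules]
    return len(sids) == len(set(sids))

ALL_RULES = (allow_for_domains(["aws.com", "google.com"])
             + deny_for_domains([".example.com", ".modi-am-i.com"])
             + deny_on_url())
```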

      Initiate the deployment with the following command,

      cdk deploy url-filtering-with-nw-firewall-stack

      After successfully deploying the stack, check the Outputs section of the stack. You will find the NetworkFirewallEndpoints that route traffic between subnets.

    • Stack: secured-workload-on-ec2-stack

      This stack deploys a simple EC2 instance that runs a webserver with two web pages: the / page and the deny_test page. You can also log in to the instance using SSM Session Manager [2].

      Initiate the deployment with the following command,

      cdk deploy secured-workload-on-ec2-stack

      After successfully deploying the stack, check the Outputs section of the stack. You will find the PublicWorkloadInstance instance id and the WebServerUrl.

  5. 🔬 Testing the solution

    • Use the WebServerUrl from the previous stack in your browser. You should be able to access the / page and also the deny_test page. Make sure to use http and not https, as the webserver is not configured with any certificates. For example http://34.232.95.57 and http://34.232.95.57/deny_test

    (Screenshots: Miztiik Automation - AWS Network Firewall for Url filtering)

    • Now log in to the EC2 instance using SSM Session Manager [2]
    • Try to access the allowed and denied domains

      curl aws.com
      curl google.com
      curl example.com

    (Screenshot: Miztiik Automation - AWS Network Firewall for Url filtering)

    You will notice that the requests to the allowed domains were successful, whereas those to the denied domains were blocked by the firewall. Now let's add the DENY-On-Url rule group to our firewall.

    • Go to VPC Service > Network Firewalls > url-filtering-with-nw-firewall-stack
    • Under Stateful rule groups > Add rule groups > Add stateful rule groups to the firewall policy
    • Select DENY-On-Url > Add stateful rule group

    Now try to access the deny_test page in your browser, preferably in private mode to avoid fetching a locally cached page. Your request should time out.

    (Screenshot: Miztiik Automation - AWS Network Firewall for Url filtering)

    Now let's check our logs to see why our traffic was blocked.

    (Screenshot: Miztiik Automation - AWS Network Firewall for Url filtering)

    You can notice that the request matches our deny FQDN rule and the traffic was blocked.

    If you poke around the logs, you will also find the log entry for the deny_test URL. This request carries the custom error message that we added in the deny rule - Miztiik drop tcp traffic

    (Screenshot: Miztiik Automation - AWS Network Firewall for Url filtering)
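An added example, not part of the original repository: a small Python triage helper that parses Network Firewall alert log lines (Suricata EVE records wrapped in firewall metadata) and tallies blocked flows by signature and target. The log lines are constructed for this example; the field layout is assumed to follow the alert log format, with http.hostname/url for plaintext requests and tls.sni for HTTPS, where only the server name is visible.

```python
import json
from collections import Counter

# Constructed sample alert-log lines in the Network Firewall JSON format
# (Suricata EVE records wrapped in firewall metadata). IPs, flow ids and
# signature names are made up for this example; only the custom message
# "Miztiik drop tcp traffic" comes from the demo's DENY-On-Url rule.
SAMPLE_LOG = r"""
{"firewall_name":"url-filtering-with-nw-firewall-stack","availability_zone":"us-east-1a","event_timestamp":"1605000001","event":{"timestamp":"2020-11-10T10:00:01.000000+0000","flow_id":101,"event_type":"alert","src_ip":"10.10.0.21","src_port":51044,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"blocked","signature_id":5,"rev":1,"signature":"matching HTTP denylisted FQDNs","category":"","severity":3},"http":{"hostname":"example.com","url":"/","http_method":"GET","protocol":"HTTP/1.1","length":0}}}
{"firewall_name":"url-filtering-with-nw-firewall-stack","availability_zone":"us-east-1a","event_timestamp":"1605000002","event":{"timestamp":"2020-11-10T10:00:02.000000+0000","flow_id":102,"event_type":"alert","src_ip":"10.10.0.21","src_port":51050,"dest_ip":"203.0.113.20","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"blocked","signature_id":7,"rev":1,"signature":"Miztiik drop tcp traffic","category":"","severity":3},"http":{"hostname":"203.0.113.20","url":"/deny_test","http_method":"GET","protocol":"HTTP/1.1","length":0}}}
{"firewall_name":"url-filtering-with-nw-firewall-stack","availability_zone":"us-east-1a","event_timestamp":"1605000003","event":{"timestamp":"2020-11-10T10:00:03.000000+0000","flow_id":103,"event_type":"alert","src_ip":"10.10.0.21","src_port":51060,"dest_ip":"203.0.113.30","dest_port":443,"proto":"TCP","app_proto":"tls","alert":{"action":"blocked","signature_id":6,"rev":1,"signature":"matching TLS denylisted FQDNs","category":"","severity":3},"tls":{"sni":"www.modi-am-i.com","version":"TLS 1.2"}}}
not json at all
"""

def parse_alerts(text):
    """Return one flat record per valid alert line; skip junk and non-alert lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # log shipping can interleave junk; never crash on it
        ev = rec.get("event", {})
        if ev.get("event_type") != "alert":
            continue
        http, tls = ev.get("http", {}), ev.get("tls", {})
        out.append({
            "action": ev["alert"].get("action"),
            "signature": ev["alert"].get("signature"),
            "src_ip": ev.get("src_ip"),
            # plaintext HTTP exposes host and path; for TLS only the SNI is visible
            "target": http.get("hostname") or tls.get("sni") or ev.get("dest_ip"),
            "url": http.get("url", ""),
            "app_proto": ev.get("app_proto"),
        })
    return out

def blocked_summary(alerts):
    """Count blocked flows per (signature, target, url) so one glance shows which rule fired."""
    return Counter((a["signature"], a["target"], a["url"])
                   for a in alerts if a["action"] == "blocked")

if __name__ == "__main__":
    for key, n in blocked_summary(parse_alerts(SAMPLE_LOG)).items():
        print(n, *key)
```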

  6. 📒 Conclusion

    Here we have demonstrated how to use Network Firewall to allow or deny requests based on domain names. The firewall also gives us the ability to deny requests to particular URLs.

  7. 🧹 CleanUp

    If you want to destroy all the resources created by the stack, execute the command below to delete the stack, or delete the stack from the console.

    • Resources created during Deploying The Application
    • Delete CloudWatch Lambda LogGroups
    • Any other custom resources you have created for this demo

    # Delete from cdk
    cdk destroy
    
    # Follow any on-screen prompts
    
    # Delete the CF Stack, If you used cloudformation to deploy the stack.
    aws cloudformation delete-stack \
      --stack-name "MiztiikAutomationStack" \
      --region "${AWS_REGION}"

    This is not an exhaustive list, please carry out other necessary steps as maybe applicable to your needs.

📌 Who is using this

This repository aims to show new developers, Solution Architects & Ops Engineers in AWS how to use Network Firewall. Based on that knowledge, these Udemy courses (course #1, course #2) help you build complete architectures in AWS.

💡 Help/Suggestions or 🐛 Bugs

Thank you for your interest in contributing to our project. Whether it is a bug report, new feature, correction, or additional documentation or solutions, we greatly value feedback and contributions from our community. Start here

👋 Buy me a coffee

ko-fi Buy me a coffee ☕.

📚 References

  1. Docs: AWS Network Firewall - https://aws.amazon.com/network-firewall

  2. Docs: AWS SSM Session Manager

๐Ÿท๏ธ Metadata


Level: 300