Integrating AWS Network Firewall with Your Independent Software Vendor (ISV) Firewall Rulesets


As organizations migrate workloads to AWS or build new environments there, they usually want to carry over the firewall technologies they already run on premises. One option is to deploy partner appliances, such as Palo Alto Networks or Fortinet firewalls, on Amazon EC2 instances and replicate the established firewall architecture. Whichever path is taken, the firewall and intrusion prevention system (IPS) rules that protect the on-premises data center must also protect the Amazon Virtual Private Cloud (VPC), and those rules need regular updates as new threats emerge. Maintaining several copies of the same ruleset across a hybrid architecture is error-prone and burdensome for many enterprises.

AWS Network Firewall reduces this burden: it is a managed service, so AWS deploys, scales, patches and updates the underlying firewall infrastructure for you. It uses the open-source Suricata engine for stateful inspection and so provides intrusion detection (IDS), inline intrusion prevention (IPS) and network security monitoring (NSM). Because the stateful engine accepts Suricata-compatible rules, customers can import the IPS rules they already maintain in Suricata-compatible security products, giving the hybrid architecture a single ruleset, consistent protection and less operational overhead. One caveat: only the Suricata rule keywords supported by the service can be used, and a rule group whose rules the service cannot compile is rejected when you try to create it, so validate an exported ruleset before importing it.

Overview of AWS Services Utilized

The following AWS services form the foundation of our proposed solution, establishing the basic building blocks of a hybrid architecture on AWS:

  • AWS Network Firewall (ANFW): A managed, stateful network firewall and intrusion detection/prevention service that filters traffic entering and leaving your VPC. Pricing is based on firewall endpoint hours and the volume of traffic processed, with no upfront commitment.
  • AWS Transit Gateway (TGW): A central hub that connects your VPCs and on-premises networks. It can interconnect thousands of VPCs and consolidates all hybrid connectivity (VPN and Direct Connect) in one place, which simplifies routing management.
  • AWS Direct Connect, AWS Site-to-Site VPN, and Amazon VPC: The remaining core components of the hybrid architecture, providing the private connectivity to the data center and the network boundary in the cloud.

Centralized Network Inspection Architecture

The architecture depicted in Figure 1 illustrates a centralized network security model in which all traffic entering or leaving the spoke VPCs, whether bound for another VPC, the on-premises network or the internet, is routed through a dedicated inspection VPC. AWS Network Firewall endpoints are deployed in that inspection VPC, and the AWS Transit Gateway (TGW) route tables steer traffic from the other VPCs through it; enable appliance mode on the inspection VPC's TGW attachment so that both directions of a flow are sent to the same Availability Zone and therefore the same stateful firewall endpoint. A partner integration manages the threat intelligence rulesets and imports them into AWS Network Firewall automatically, which removes the manual steps and the drift that come with maintaining and updating rules by hand.

AWS Network Firewall Partner Integrations

In the architecture shown, two partner integrations are highlighted: Trend Micro and Fortinet. Customers who use Trend Micro for threat intelligence can standardize hybrid cloud security by combining AWS managed infrastructure with partner-supported threat intelligence. To enable this, activate the Sharing capability in Trend Micro Cloud One and follow the partner's documentation for the integration.

Existing Fortinet customers can deploy Fortinet's updated IPS rules to AWS Network Firewall, so that enforcement on premises and in the cloud stays consistent. More information on this integration is available on the partner's page.

Getting Started with AWS Network Firewall

To implement this pattern, follow these high-level steps; each is covered in more detail in the referenced AWS documentation:

  1. Assess your current network architecture and map it onto one of the deployment models available for AWS Network Firewall (distributed, centralized, or combined). The blog post on deployment models for AWS Network Firewall walks through the trade-offs.
  2. Verify your provider's integration with ANFW on the AWS Network Firewall Partners page and follow the partner's integration guidelines.
  3. In the Amazon VPC console, create stateful rule groups from your Suricata-compatible rules, or import them through the integration, and combine the rule groups into a firewall policy that you attach to the firewalls protecting your VPCs, as described in the developer guide. Set the HOME_NET rule variable to the CIDRs of the VPCs you are protecting; in a centralized design it otherwise defaults to the inspection VPC's own CIDR.
  4. Deploy firewall endpoints in each Availability Zone of the inspection VPC and update the Transit Gateway and VPC route tables so that traffic actually flows through them; until the routes point at the endpoints, nothing is inspected.
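The import step above, and the earlier point that the service accepts Suricata-compatible rules but rejects rule groups it cannot compile, are easiest to get right if you validate the exported ruleset and build the CreateRuleGroup request offline before touching the API. The following is an added example, not code from the original post, from AWS or from any partner. It parses a small constructed ruleset (the rules and their sids are made up for illustration), reports missing or duplicate sids, lets you promote reviewed `alert` rules to `drop` for inline IPS, sets HOME_NET to the protected CIDRs, and builds the request in the shape boto3's `create_rule_group` expects. Only `import_rule_group` talks to AWS, and it takes the client as a parameter so the rest runs without credentials.

```python
"""Validate a Suricata-compatible IPS export and build the AWS Network Firewall
CreateRuleGroup request for it. Added example; not the post's or AWS's code."""
import re
from collections import Counter

# Constructed sample export (not vendor content); sids are illustrative.
SAMPLE_RULES = r"""
# exported from on-prem IPS
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; flags:S; threshold:type both, track by_src, count 20, seconds 60; sid:1000001; rev:2;)
drop tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"Outbound to known C2 port"; flow:to_server; sid:1000002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious user-agent"; http.user_agent; content:"sqlmap"; nocase; sid:1000003; rev:1;)
alert tcp any any -> any 23 (msg:"Telnet, duplicate sid"; sid:1000001; rev:1;)
"""

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"(?:^|;)\s*sid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
VALID_ACTIONS = {"alert", "drop", "pass", "reject"}
MAX_STATEFUL_CAPACITY = 30000   # service limit for one stateful rule group


def parse_rules(text):
    """Split a rules file into dicts; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Suricata rule: {line[:60]}")
        sid = SID_RE.search(m["opts"])
        msg = MSG_RE.search(m["opts"])
        rules.append({"line": lineno, "action": m["action"], "proto": m["proto"],
                      "sid": int(sid.group(1)) if sid else None,
                      "msg": msg.group(1) if msg else "", "raw": line})
    return rules


def validate(rules):
    """Return a list of problems; an empty list means the set is importable."""
    problems = []
    counts = Counter(r["sid"] for r in rules if r["sid"] is not None)
    for r in rules:
        if r["action"] not in VALID_ACTIONS:
            problems.append(f"line {r['line']}: unsupported action {r['action']!r}")
        if r["sid"] is None:
            problems.append(f"line {r['line']}: missing sid")
        elif counts[r["sid"]] > 1:
            problems.append(f"line {r['line']}: duplicate sid {r['sid']}")
        if not r["msg"]:
            problems.append(f"line {r['line']}: missing msg, alerts would be unlabeled")
    return problems


def set_action(rules, sids, action):
    """Copy `rules`, replacing the action of the listed sids. Use it to promote
    reviewed IDS 'alert' rules to 'drop' for inline IPS; a blanket alert->drop
    conversion would block traffic on every false positive in the IDS set."""
    out = []
    for r in rules:
        r = dict(r)
        if r["sid"] in sids and r["action"] != action:
            r["raw"] = action + r["raw"][len(r["action"]):]
            r["action"] = action
        out.append(r)
    return out


def build_create_rule_group(name, rules, home_net_cidrs, headroom=0):
    """Build kwargs for boto3 network-firewall create_rule_group. Each Suricata
    rule costs one capacity unit and capacity cannot be changed after creation,
    so reserve `headroom` for future rule updates. HOME_NET is set explicitly:
    in a centralized inspection VPC the default would be that VPC's own CIDR,
    not the spoke VPCs the firewall is meant to protect."""
    problems = validate(rules)
    if problems:
        raise ValueError("ruleset rejected:\n" + "\n".join(problems))
    capacity = len(rules) + headroom
    if capacity > MAX_STATEFUL_CAPACITY:
        raise ValueError(f"capacity {capacity} exceeds {MAX_STATEFUL_CAPACITY}")
    return {"RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
            "RuleGroup": {
                "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": list(home_net_cidrs)}}},
                "RulesSource": {"RulesString": "\n".join(r["raw"] for r in rules)}}}


def import_rule_group(client, request):
    """client = boto3.client('network-firewall'); returns the new rule group ARN."""
    return client.create_rule_group(**request)["RuleGroupResponse"]["RuleGroupArn"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for p in validate(rules):
        print("problem:", p)
    clean = set_action(rules[:3], {1000001}, "drop")   # drop the dup, enforce reviewed sid
    req = build_create_rule_group("isv-ips-import", clean, ["10.0.0.0/8", "172.16.0.0/12"], headroom=100)
    print(req["Capacity"], req["RuleGroup"]["RulesSource"]["RulesString"].splitlines()[0])
    # To push it: import boto3; print(import_rule_group(boto3.client("network-firewall"), req))
```

Run it as-is to see the duplicate-sid report and the request it would send; once a ruleset validates cleanly, pass a real boto3 client to `import_rule_group`, then reference the returned ARN from a firewall policy. If the partner integration pushes rules for you, the same validation is still worth running on the exported file before you rely on it, because a rule group that fails to compile is the most common reason an automated import silently leaves the policy stale.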

Conclusion

Operating a hybrid architecture usually means enforcing the same firewall and IPS rules on the on-premises network and in the cloud. Running partner firewall appliances on EC2 instances can achieve this, but at the cost of operating and patching those appliances yourself. AWS Network Firewall simplifies setup and management and scales automatically with your organization's network traffic. Its rules engine accepts both custom rules and Suricata-compatible rulesets, and managed rulesets from Fortinet and Trend Micro can be deployed through their AWS Marketplace offerings. The result is less complexity for security teams, who can create and maintain one set of rules and apply it consistently across the hybrid estate.
