Wednesday, April 27, 2022

What Is AWS Network Firewall?


Firewalls are among the most useful information security and compliance tools. Their role is to monitor traffic crossing a network boundary and decide whether it should be allowed to pass. Among other tasks, firewalls prevent unauthorized access to networks on which sensitive data is stored, making them an essential control for businesses seeking to comply with regulations and standards such as HIPAA, PCI DSS, GDPR, SOC 2, and more.

This article explores AWS Network Firewall, a firewall available to businesses that host sensitive data on the Amazon Web Services (AWS) platform.

What Is AWS Network Firewall?

AWS Network Firewall is a managed, auto-scaling firewall and intrusion detection and prevention service that protects Amazon Virtual Private Clouds (VPCs). It monitors and filters unwanted and unauthorized traffic into and out of VPCs. AWS Network Firewall is one of several firewalls available on the AWS platform, alongside Security Groups, Network Access Control Lists, and the AWS Web Application Firewall (AWS WAF).

AWS Network Firewall is designed to be simple to use and to require minimal infrastructure administration after the initial deployment. As a managed service, it can be deployed quickly. It scales automatically with network traffic, removing the need for businesses to build and operate their own infrastructure to monitor and filter high volumes of network traffic.

AWS Network Firewall is in scope for a wide range of AWS compliance programs, which means it can be used as part of a secure system that complies with HIPAA, PCI DSS, FedRAMP, and other frameworks. However, it should be emphasized that using AWS Network Firewall is not sufficient to achieve compliance with any framework; under the shared responsibility model, the firewall policy, the routing that sends traffic through the firewall, and everything that runs inside the VPC remain the responsibility of the AWS customer.

AWS Network Firewall Features

We've already mentioned some of AWS Network Firewall's headline features: it's a managed service for monitoring and filtering network traffic to and from Amazon VPCs. But there are other features that set it apart from the alternative firewall services on the platform.

  • AWS Network Firewall operates as both a stateless and a stateful firewall. Users can configure stateless rule groups that examine each packet in isolation, or stateful rule groups that consider the packet's context; for example, is the packet a response to a request that a specific host inside the VPC already sent?
  • It's a high-availability, auto-scaling firewall. As a managed service, Amazon handles redundancy and scaling, so users can rely on their firewall's capacity to grow and shrink in step with demand.
  • AWS Network Firewall includes an intrusion detection and prevention system. It monitors traffic flows in real time and applies Suricata-compatible signatures to protect networks against vulnerability exploits and brute-force attacks.
  • AWS Network Firewall integrates with other AWS security services, including AWS Firewall Manager, allowing users to deploy and manage rule groups and policies consistently across accounts and VPCs.
  • Users can take advantage of managed rule groups: predefined rules that Amazon updates automatically to account for newly disclosed software vulnerabilities. Managed rule groups significantly reduce the time and effort required to keep rules up to date.

We've highlighted some of the most attractive features here, but you can see a complete breakdown of AWS Network Firewall features in the service's documentation.

Is AWS Network Firewall Layer 7?

AWS Network Firewall operates at Layers 3 through 7. These numbers refer to the OSI model, which divides network communications into seven layers. Traditional packet-filtering firewalls operate at Layer 3, the network layer, and Layer 4, the transport layer. They can inspect and filter packets by address, protocol, and port, but they cannot, for example, identify attacks that exploit vulnerabilities in web applications: they have no insight into protocols that operate at Layer 7, the application layer.

In contrast, AWS Network Firewall can filter VPC network traffic at the network, transport, and application layers; for example, its domain list rules match the TLS Server Name Indication of HTTPS connections and the Host header of HTTP requests. It's a flexible network filtering and intrusion detection service that complements AWS's other firewall services.

What Are AWS Network Firewall Deployment Models?

To understand AWS Network Firewall deployment models, we first need to discuss how the firewall works. In short, network traffic to and from the VPC is routed to a firewall endpoint to be inspected before it enters or leaves the network. The firewall endpoint is deployed within a dedicated subnet of a VPC. Ingress and egress traffic flows through the firewall endpoint subnet and then on to the protected subnets containing your cloud infrastructure. Routing is what enforces this path: the route tables of the protected subnets and of the internet gateway must point at the firewall endpoint, and any route that goes around it lets traffic bypass inspection.

Deployment models determine where the firewall endpoint subnet is deployed. In the typical distributed deployment model, a firewall subnet is deployed into each virtual private cloud; every VPC has its own firewall subnet. This model gives each VPC an independently managed firewall with its own firewall policy. It's typically used to monitor and filter traffic between the internet and a protected subnet, although there are other use cases.

In contrast, a centralized deployment model uses a central inspection VPC into which one or more firewall subnets are deployed, with traffic from the other VPCs delivered to it through AWS Transit Gateway. This model is often used to inspect traffic flowing between VPCs or between a VPC and a business's on-premises infrastructure. You can read more about deployment models in Deployment models for AWS Network Firewall.
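To make the routing behind the distributed model concrete, here is a small Python model. It is added as an illustration and is not AWS code or code from this article: it walks a constructed set of VPC route tables (one firewall subnet, one protected subnet, and an ingress route table on the internet gateway) and checks that both the inbound and the outbound path cross the firewall endpoint. The CIDRs, the table names, and the endpoint name vpce-firewall are assumptions, and the BYPASS_TABLES variant shows what a missing route looks like.

```python
"""Toy route-table walk for the distributed deployment model.

Added example, not AWS code: it models how VPC route tables steer traffic
through a firewall endpoint so you can check that both directions are
inspected. Subnet CIDRs, table names and the endpoint name are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed single-VPC topology (10.0.0.0/16):
#   "igw"               ingress route table associated with the internet gateway
#   "firewall-subnet"   route table of the subnet holding the firewall endpoint
#   "protected-subnet"  route table of the subnet holding the workloads
# Each table is a list of (destination CIDR, target); longest prefix wins.
SUBNETS = {"10.0.0.0/24": "firewall-subnet", "10.0.1.0/24": "protected-subnet"}

ROUTE_TABLES = {
    "igw": [("10.0.1.0/24", "vpce-firewall")],
    "firewall-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    "protected-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "vpce-firewall")],
}

# Misconfiguration: the protected subnet sends egress straight to the IGW and the
# IGW has no ingress route to the endpoint ("local" models direct delivery), so
# nothing ever reaches the firewall.
BYPASS_TABLES = {
    "igw": [("10.0.1.0/24", "local")],
    "firewall-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    "protected-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
}


def subnet_for(addr):
    """Name of the VPC subnet containing addr, or None for addresses outside the VPC."""
    for cidr, name in SUBNETS.items():
        if ip_address(addr) in ip_network(cidr):
            return name
    return None


def lookup(tables, table, dst):
    """Longest-prefix-match route lookup; None means no route (black hole)."""
    best = None
    for cidr, target in tables[table]:
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(tables, src, dst, max_hops=6):
    """Walk the route tables from src towards dst and return the hops taken.

    Traffic from outside the VPC enters via the IGW ingress table. A hop to the
    firewall endpoint re-enters routing from the firewall subnet's table, which
    is what happens after the endpoint has inspected a packet.
    """
    table = subnet_for(src) or "igw"
    path = [table]
    for _ in range(max_hops):
        target = lookup(tables, table, dst)
        if target is None:
            return path + ["blackhole"]
        if target == "local":
            return path + [subnet_for(dst) or "blackhole"]
        path.append(target)
        if target == "igw":
            return path                      # left the VPC
        if target == "vpce-firewall":
            table = "firewall-subnet"
        else:
            return path + ["unknown-target"]
    return path + ["loop"]


def inspected_both_ways(tables, inside, outside):
    """True only if both the inbound and the outbound path pass the firewall endpoint."""
    inbound = trace(tables, outside, inside)
    outbound = trace(tables, inside, outside)
    return "vpce-firewall" in inbound and "vpce-firewall" in outbound


if __name__ == "__main__":
    for name, tables in (("correct", ROUTE_TABLES), ("bypass", BYPASS_TABLES)):
        print(name, trace(tables, "198.51.100.7", "10.0.1.10"),
              trace(tables, "10.0.1.10", "198.51.100.7"),
              inspected_both_ways(tables, "10.0.1.10", "198.51.100.7"))
```

With the correct tables, an inbound packet goes IGW, firewall endpoint, protected subnet, and an outbound packet goes protected subnet, firewall endpoint, IGW. With the bypass tables neither direction touches the endpoint, which is the failure mode to look for when a firewall policy appears to do nothing: the rules are fine, the routes are not.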

AWS Network Firewall vs. Security Groups and NACLs

AWS Network Firewall is one of several firewall services available on AWS.

  • Security Groups are stateful firewalls that filter traffic to Elastic Network Interfaces, typically those attached to EC2 instances. Security groups provide granular filtering for individual instances, and because they are stateful, return traffic for an allowed connection is admitted automatically.
  • Network Access Control Lists (NACLs) are optional stateless firewalls associated with one or more subnets within a VPC. Because they are stateless, the return half of a connection must be allowed explicitly, usually by permitting the ephemeral port range.
  • AWS WAF is a web application firewall that filters traffic for web applications and APIs, allowing users to block common attacks such as those in the OWASP Top Ten.

You may be wondering why AWS needs so many firewalls. They each play a distinct role. AWS Network Firewall protects the perimeter of your virtual private cloud: it controls inbound and outbound traffic for the entire network.

In contrast, security groups are associated with individual EC2 instances and some other services. NACLs are an additional firewall that controls traffic to and from subnets, allowing users to configure rules that apply to multiple groups of instances and to control traffic flowing between subnets.

Together, these firewalls give users broad flexibility in configuring access to instances, subnets, and VPCs. For example, you might allow connections of a specific type into your VPC with AWS Network Firewall, but use Network Access Control Lists to deny similar connections access to particular subnets or instances. Another use case for multiple firewalls is running production and testing subnets that should each be able to receive requests from external networks but should not be able to communicate directly with each other.
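The stateless/stateful distinction, drawn above for AWS Network Firewall's rule groups and again in the comparison of NACLs with security groups, is easiest to see in a small simulation. The following Python is an added example, not code from this article or from AWS: a toy stateless filter (each packet judged alone, lowest-priority matching rule wins, like a NACL or a stateless rule group) and a toy stateful filter (remembers the flows it has passed and admits the reverse direction, like a security group or a stateful rule group). The addresses, ports, and rules are constructed.

```python
"""Toy model of stateless vs stateful filtering.

Added example, not AWS Network Firewall's engine: a simplified simulation of
the two evaluation modes the page describes. Addresses, ports and rules below
are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                      # "pass" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dports: tuple = (0, 65535)       # inclusive destination-port range

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dports[0] <= p.dport <= self.dports[1])


class StatelessFilter:
    """Each packet judged alone: lowest-priority matching rule wins, else default.
    This is how a NACL and a stateless rule group behave."""

    def __init__(self, rules, default="drop"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default = default

    def evaluate(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFilter:
    """Remembers flows it has passed; a packet travelling in the reverse
    direction of a known flow is passed without consulting the rules, as a
    security group or a stateful rule group does."""

    def __init__(self, rules, default="drop"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default = default
        self.flows = set()           # 5-tuples of flows allowed so far

    def evaluate(self, p: Packet) -> str:
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        if reverse in self.flows:
            return "pass"            # response to something we let out
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass":
                    self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return r.action
        return self.default


def demo():
    """Compare both engines on an outbound HTTPS request, its reply, and an
    unsolicited inbound packet that looks like a reply. Returns the verdicts."""
    inside, outside = "10.0.1.10", "203.0.113.5"
    allow_https_out = Rule(100, "pass", src="10.0.0.0/16", proto="tcp", dports=(443, 443))
    # A stateless filter cannot recognise replies, so a NACL-style config must
    # also open the ephemeral range inbound, which admits unsolicited traffic too.
    allow_ephemeral_in = Rule(200, "pass", dst="10.0.0.0/16", proto="tcp", dports=(1024, 65535))

    request = Packet(inside, outside, "tcp", 51000, 443)
    reply = Packet(outside, inside, "tcp", 443, 51000)
    unsolicited = Packet(outside, inside, "tcp", 443, 51001)   # no matching request

    stateful = StatefulFilter([allow_https_out])
    stateless_strict = StatelessFilter([allow_https_out])
    stateless_ephemeral = StatelessFilter([allow_https_out, allow_ephemeral_in])

    return {
        "request_stateful": stateful.evaluate(request),
        "reply_stateful": stateful.evaluate(reply),
        "unsolicited_stateful": stateful.evaluate(unsolicited),
        "request_stateless": stateless_strict.evaluate(request),
        "reply_stateless_strict": stateless_strict.evaluate(reply),
        "reply_stateless_ephemeral": stateless_ephemeral.evaluate(reply),
        "unsolicited_stateless_ephemeral": stateless_ephemeral.evaluate(unsolicited),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Compare the last four verdicts. The strict stateless filter drops the legitimate HTTPS reply; the only stateless fix is to open the whole ephemeral port range inbound, which then also admits the unsolicited packet. The stateful filter passes the reply and drops the unsolicited packet because it knows which flows it opened. That is why NACL rule sets always carry an ephemeral-range allow, why that allow is a weak control on its own, and why the stateful engine is the place to express "only responses to our own requests".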

AWS Network Firewall is one component of a layered approach to cloud security. To learn more, visit our extensive cloud security and compliance resources or contact a cloud security specialist to discuss KirkpatrickPrice's cloud security audit and compliance audit services.
