AWS Network Firewall features

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up with just a few clicks and scales automatically with your network traffic, so you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats, as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.

High availability and automated scaling

AWS Network Firewall offers built-in redundancies to help ensure all traffic is inspected and monitored. AWS Network Firewall automatically scales your firewall capacity up or down based on the traffic load, helping to maintain steady, predictable performance while minimizing costs.

Stateful firewall

The stateful firewall takes into account the context of traffic flows for more granular policy enforcement, such as dropping packets based on the source address or protocol type. The match criteria for this stateful firewall are the same as AWS Network Firewall’s stateless inspection capabilities, with the addition of a match setting for traffic direction. AWS Network Firewall’s rule engine gives you the ability to write firewall rules based on source/destination IP, source/destination port, and protocol. AWS Network Firewall can also filter common application-layer protocols without any port specification, rather than being limited to TCP/UDP port-based filtering.

Web filtering

AWS Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, AWS Network Firewall can filter on fully qualified domain names (FQDNs).

Intrusion prevention

AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection with real-time network and application layer protections against vulnerability exploits and brute force attacks. Its signature-based detection engine matches network traffic patterns to known threat signatures based on attributes such as byte sequences or packet anomalies.

Alert and flow logs

Alert logs are rule-specific and provide additional data regarding the rule that was triggered and the particular session that triggered it. Flow logs provide state information about all traffic flows that pass through the firewall, with one line per direction. AWS Network Firewall logs can be natively stored in Amazon S3, Amazon Kinesis, and Amazon CloudWatch.
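To show what the alert and flow records described above look like when they are consumed, here is an added example (not part of the AWS page) that parses constructed sample log lines in the JSON shape AWS Network Firewall writes and aggregates blocked sessions per signature, blocked SNIs, and bytes per flow direction. The firewall name, addresses, signature ids and byte counts are made up for the example.

```python
import json
from collections import Counter

# Constructed sample records in the JSON shape AWS Network Firewall writes for
# alert logs (event_type "alert") and flow logs (event_type "netflow"); the two
# netflow lines are the two directions of one session. All values are made up.
SAMPLE_LOG_LINES = [
    '{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000000",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.25","src_port":51234,"dest_ip":"198.51.100.7",'
    '"dest_port":445,"proto":"TCP","app_proto":"smb","alert":{"action":"blocked","signature_id":1000001,'
    '"rev":1,"signature":"Block outbound SMB","severity":1}}}',
    '{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000001",'
    '"event":{"event_type":"alert","src_ip":"10.0.1.25","src_port":51300,"dest_ip":"203.0.113.9",'
    '"dest_port":443,"proto":"TCP","app_proto":"tls","tls":{"sni":"bad.example.net"},'
    '"alert":{"action":"blocked","signature_id":1000003,"rev":1,"signature":"Block SNI bad.example.net","severity":2}}}',
    '{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000002",'
    '"event":{"event_type":"netflow","src_ip":"10.0.1.25","src_port":51301,"dest_ip":"203.0.113.10",'
    '"dest_port":443,"proto":"TCP","app_proto":"tls","netflow":{"pkts":12,"bytes":4820,"age":3}}}',
    '{"firewall_name":"example-fw","availability_zone":"us-east-1a","event_timestamp":"1700000002",'
    '"event":{"event_type":"netflow","src_ip":"203.0.113.10","src_port":443,"dest_ip":"10.0.1.25",'
    '"dest_port":51301,"proto":"TCP","app_proto":"tls","netflow":{"pkts":9,"bytes":6100,"age":3}}}',
]


def parse_log_line(line):
    """Return the inner Suricata-style event, tagged with the firewall that produced it."""
    record = json.loads(line)
    event = dict(record["event"])
    event["firewall_name"] = record["firewall_name"]
    return event


def summarize(lines):
    """Aggregate blocked alerts per signature, the SNIs they hit, and bytes per flow direction."""
    blocked = Counter()      # signature -> number of blocked sessions
    blocked_sni = set()      # hostnames blocked via the TLS SNI
    flow_bytes = Counter()   # "src->dst" -> bytes; flow logs carry one line per direction
    for event in map(parse_log_line, lines):
        if event["event_type"] == "alert" and event["alert"]["action"] == "blocked":
            blocked[event["alert"]["signature"]] += 1
            sni = event.get("tls", {}).get("sni")
            if sni:
                blocked_sni.add(sni)
        elif event["event_type"] == "netflow":
            flow_bytes[f"{event['src_ip']}->{event['dest_ip']}"] += event["netflow"]["bytes"]
    return {"blocked": dict(blocked), "blocked_sni": sorted(blocked_sni), "flow_bytes": dict(flow_bytes)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG_LINES), indent=2))
```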

Central management and visibility

AWS Firewall Manager is a security management service that enables you to centrally deploy and manage security policies across your applications, VPCs, and accounts in AWS Organizations. AWS Firewall Manager can organize AWS Network Firewall rule groups into policies that you can deploy across your infrastructure to help you scale enforcement in a consistent, hierarchical manner. AWS Firewall Manager provides an aggregated view of policy compliance across accounts and automates the remediation process. As new accounts, resources, and network components are created, Firewall Manager makes it easy to bring them into compliance by enforcing a common set of firewall policies.

Rule management and customization

AWS Network Firewall enables customers to run Suricata-compatible rules sourced internally (in-house custom rule development) or externally (third-party vendors or open source platforms).
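As an added illustration of the Suricata-compatible rule format (written for this page, not taken from AWS or the Suricata project), the following constructed rules cover the cases the page mentions: a direction-aware port rule that blocks outbound SMB on TCP 445, an application-layer SMB rule that needs no port, and a TLS SNI block. The small parser and lint check alongside them extract each rule's header and options and verify that every rule carries a unique sid and a msg before it is uploaded; the sids, hostname and messages are made up.

```python
import re

# Constructed Suricata-compatible rules for the page's examples. $HOME_NET and
# $EXTERNAL_NET are the standard Suricata address variables; sids are made up.
RULES = """
drop tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"Block outbound SMB on 445"; sid:1000001; rev:1;)
drop smb $HOME_NET any -> $EXTERNAL_NET any (msg:"Block outbound SMB on any port"; sid:1000002; rev:1;)
drop tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"bad.example.net"; startswith; endswith; msg:"Block SNI bad.example.net"; sid:1000003; rev:1;)
"""

# action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(?P<action>pass|drop|alert|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(line):
    """Split one rule into its header fields and an options dict (keyword -> value or "")."""
    match = HEADER.match(line.strip())
    if not match:
        raise ValueError(f"not a Suricata rule: {line!r}")
    rule = match.groupdict()
    options = {}
    # Simple split on ';' is enough here; it would mis-parse a content value that
    # itself contains a semicolon, which these rules do not.
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    rule["options"] = options
    rule["sid"] = int(options["sid"])
    return rule


def lint_rules(text):
    """Return a list of problems: duplicate sids or rules without a msg."""
    seen, problems = set(), []
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        if rule["sid"] in seen:
            problems.append(f"duplicate sid {rule['sid']}")
        seen.add(rule["sid"])
        if "msg" not in rule["options"]:
            problems.append(f"sid {rule['sid']} has no msg")
    return problems
```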

Diverse ecosystem of partner integrations

AWS Network Firewall integrates with AWS Partners for central third-party policy orchestration and for exporting logs to analytics solutions. AWS Network Firewall supports popular managed threat intelligence feeds for customers who prefer to leverage their existing managed rule providers. AWS Network Firewall can plug into third-party policy orchestration solutions for centrally managing hybrid or multiple-firewall-vendor architectures. For more visibility, AWS Network Firewall logs and security event information can be sent to third-party analytics solutions, such as Security Information and Event Management (SIEM) software. See a full list of AWS Network Firewall partners.

Encrypted Traffic Inspection

AWS Network Firewall allows you to inspect inbound encrypted traffic for your VPCs. It decrypts the TLS traffic, inspects and blocks malicious content, then re-encrypts the traffic for the destination. AWS Network Firewall allows you to inspect inbound encrypted traffic without having to deploy and manage any additional network security infrastructure. You can use AWS Network Firewall to decrypt TLS sessions and inspect inbound VPC traffic originating from the internet, another VPC, or another subnet. Encryption and decryption happen on the same firewall instance natively, so traffic doesn’t cross any network boundaries.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.