Introduction to AWS Network Firewall
Managing Global Firewall Rules in AWS
AWS Network Firewall is a managed service used to deploy network protections for all of your VPCs and filter network traffic at the perimeter of your VPC. It will give you centralized, global control over firewall rules and policies. According to AWS, the main features of Network Firewall include:
- High availability and automated scaling
- Stateful firewall
- Web filtering
- Intrusion prevention
- Alert and flow logs
- Central management and visibility
- Rule management and customization
- Diverse ecosystem of partner integrations
Transcription
At the end of 2020, AWS introduced their Network Firewall. This was great news for people who traditionally have managed firewall rules and understand it in a global sense of controlling those rules across the infrastructure and applications. You are able to accomplish many of the things that compliance frameworks require for firewall capabilities by utilizing many of the built-in AWS services such as Web Application Firewall, AWS Shield, Security Groups. By implementing those tools, you are able to utilize AWS Firewall Manager to manage those policies that were configured in those different places. But now, Network Firewall gives you that centralized aspect of policy control across your VPCs and accounts. You can now have a security layer across your AWS environment with Network Firewall. It brings a lot of the capabilities that we typically think about when it comes to a network firewall. It offers web filtering. It offers intrusion prevention by providing a signature-based protection approach. It offers packet inspection from the network layer to the application layer. So be sure to check out Network Firewall and see if it’s a good solution for you in order to introduce global control across your assets.
Related Videos
AWS Controls for Implementing a DMZ
Authenticate and Authorize Users with Client Certificates
Avoid Using Default Service Account When Configuring Instances
Best Practices for Container Security
Best Practices for Secret Management
Configuring Network Border Controls
Consistently Manage User Accounts with OS Login
Create a Minimal Audit Policy for Logging
Do Not Enable Serial Ports for VM Instance
Do Not Use Project-Wide SSH Keys When Authenticating Instances
Do Not Use RSASHA1 for DNSSEC Key-Signing Keys
Enable DNSSEC to Protect DNS Protocols
Enable HTTPS Connections on App Engine Applications
Enable Shielded VM to Ensure Operating System is Trustworthy
Enable VPC Flow Logs for Every Subnet
Encrypt BigQuery Datasets with Customer Managed Encryption Key (CMEK)
Ensure BigQuery Datasets Are Not Publicly Accessible
Ensure Cloud Storage Buckets Are Not Publicly Accessible
Ensure Container Network Interfaces Support Network Policies
Ensure GKE Nodes are Configured Properly
Ensure Kubernetes Idle Timeout Parameter is Appropriately Set
Ensure No Weak SSL Cipher Suites Are Permitted
Ensure Only Authorized Users Can Create Security Groups
Ensure to Restrict SSH Access from the Internet
GKE Cluster Configuration Security Benchmarks
General Policies for Cluster Management
Harden Cloud SQL Database with Logging
House Accounts in CloudTrail
How To Configure Your Cluster Networks
How to Configure Kubelet Within Your Environment
How to Restrict Public Access to S3 Buckets
How to Use S3 Bucket Policies
IP Forwarding Should Not Be Enabled for Instances
Image Registry and Scanning Best Practices
Industry Best Practices for Configuration Standards
Introduction to AWS WAF and Shield
Introduction to Amazon EKS
Introduction to PCI DSS Requirement 1
Introduction to PCI Requirement 2.mp4
Leverage Confidential Computing to Protect Data
Manage Access Securely Using Uniform Bucket-Level Access
Meeting Firewall and Router Configuration Standards
Migrate Away from RSASHA1 for DNSSEC Zone-Signing Keys
Migrate Legacy Networks to VPC Networks
Minimize Public IP Address on Compute Instances
Minimize Root and SA Account Access in Cloud SQL
Network Segmentation for AWS
Networking Configurations in Kubernetes Environment
Node MetaData Recommendations in GKE
PCI DSS Requirement 1.1.1 - Implementing a Change Control Program
PCI DSS Requirement 1.1.2 and 1.1.3 - Network Documentation Best Practices
PCI DSS Requirement 1.1.4 - Establishing a Firewall and DMZ
PCI DSS Requirement 1.1.5 Defining Roles and Responsibilities for Managing Network Components
PCI DSS Requirement 1.1.6 Documentation of Business Justification & Approval for use of all Services, Ports and Protocols
PCI DSS Requirement 1.1.7 - Review Firewall and Router Rule Sets
PCI DSS Requirement 1.2 Restrict Connections to Untrusted Networks
PCI DSS Requirement 1.2.1 Restrict Traffic to that which is Necessary
PCI DSS Requirement 1.2.2 Secure and Synchronize Router Configuration Files
PCI DSS Requirement 1.2.3 Install Firewalls Between all Wireless Networks and the CDE
PCI DSS Requirement 1.3.1 - Establishing a DMZ
PCI DSS Requirement 1.3.2 Limit Inbound Internet Traffic
PCI DSS Requirement 1.3.3 - Implement Anti Spoofing Measures
PCI DSS Requirement 1.3.4 - Deny Unauthorized Outbound Traffic
PCI DSS Requirement 1.3.5 - Permit Only Established Connections into the Network
PCI DSS Requirement 1.3.6 Segregate the CDE from the DMZ
PCI DSS Requirement 1.3.7 Do Not Disclose Private IP Addresses
PCI DSS Requirement 1.4 Install Personal Firewall Software
PCI DSS Requirement 1.5 Ensure Security Policies are Known to all Affected Parties
PCI Requirement 2.1 - Always Change Vendor-Supplied Defaults
PCI Requirement 2.1.1 - Change all Wireless Vendor Defaults
PCI Requirement 2.2 - Develop Configuration Standards for all System Components
PCI Requirement 2.2.1 - Implement Only One Primary Function Per Server
PCI Requirement 2.2.2 - Enable Only Necessary Services, Protocols and Daemons
PCI Requirement 2.2.3 - Implement Additional Security Features
PCI Requirement 2.2.4 - Configure System Security Parameters to Prevent Misuse
PCI Requirement 2.2.5 - Remove all Unnecessary Functionality
PCI Requirement 2.3 - Encryption
PCI Requirement 2.4 - Maintain an Inventory of In-Scope System Components
PCI Requirement 2.5 - Ensure Security Policies Are Known to All Affected Parties
PCI Requirement 2.6 - Shared Hosting Providers Must Protect Each Entity’s Hosted Environment
PCI Requirement 6.4 – Follow Change Control Processes & Procedures for Changes to System Components
Pods Security Policies Benchmarks
Preventing Publicly Available S3 Buckets
Protect Against Threats With Extensible Admission Control
Protect Kernel Defaults Through Configuration Settings
Remove Default Networks from All Projects
Restrict API Permissions If Using Default Service Accounts
Restrict RDP Authorized Access from the Internet
Restrict Unnecessary External Access in Cloud SQL
Reviewing Firewall and Router Configurations
SOC 2 Academy: Change Control Processes
SOC 2 Academy: Change Management Best Practices
Specify Customer-Managed Encryption Key (CMEK) as Default in BigQuery Datasets
Systems Manager Maintenance
The Importance of Patch Management in Virtual Machines
Use Customer Supplied Encyryption Keys (CSEK) for Critical VM Disks
Use Identity Aware Proxy (IAP) to Restrict Access to Network
Use TLS to Encrypt All Connections in Cloud SQL
Utilize Managed Disks for Virtual Machines
