
TLS design for AWS Network Firewall and encrypted traffic review

AWS Network Firewall is a managed service that provides a convenient way to deploy essential network protections for your virtual private clouds (VPCs). In this blog, we are going to cover how to leverage the TLS inspection configuration with AWS Network Firewall and perform Deep Packet Inspection for encrypted traffic. We shall also discuss key considerations and possible architectures.

 <p>Today, the majority of internet traffic is SSL/TLS encrypted to maintain privacy and secure communications between applications. Deep packet inspection (DPI) refers to the method of examining the full content of data packets as they traverse a network perimeter firewall. However, the lack of visibility into encrypted traffic presents a challenge to organizations that do not have the resources to decrypt and inspect network traffic. TLS encryption can hide malware, conceal data theft, or mask data leakage of sensitive information such as credit card numbers or passwords. Additionally, TLS decryption is compute-intensive and cryptographic standards are constantly evolving. Organizations that want to decrypt and inspect network traffic typically use a combination of hardware and software solutions from multiple vendors, which adds operational complexity and implementation challenges around capacity planning, scaling issues, and latency concerns. This forces some organizations to make adverse decisions to reduce the complexity of inspecting their network traffic such as blocking access to popular websites to mitigate performance problems.</p> <p>There are multiple options you can use to perform DPI for encrypted traffic in your AWS environment, based on the use case. These include using <a href="https://aws.amazon.com/blogs/security/defense-in-depth-using-aws-managed-rules-for-aws-waf-part-1/" target="_blank" rel="noopener">AWS WAF</a> or implementing <a href="https://aws.amazon.com/marketplace/solutions/security/next-generation-firewalls" target="_blank" rel="noopener">third-party</a> security appliances (next generation firewalls). 
The addition of new services like <a href="https://aws.amazon.com/elasticloadbalancing/gateway-load-balancer/" target="_blank" rel="noopener">Gateway Load Balancer</a> gives you more flexibility in designing your firewall architectures and the ability to perform DPI on AWS.</p> <p>With this release, <a href="https://aws.amazon.com/network-firewall/" rel="noopener" target="_blank">Network Firewall</a> also becomes an option to support Deep Packet Inspection on encrypted payloads.</p> <h2>Considerations for deep packet inspection</h2> <p>The following are some key factors to consider when you enable TLS decryption functionality on Network Firewall.</p> <p><strong>DPI and performance.</strong> DPI is processor-intensive, because it not only looks into individual packets, but it also looks into traffic flows (a flow is a collection of related packets). This is combined with the fact that inspection needs to be done in real time with minimal impact to latency. Also, because many firewalls perform other advanced functions (for example, stateful packet inspection, NAT, virtual private network (VPN), and malware threat prevention), adding DPI increases the complexity of the entire system and impacts performance. However, because Network Firewall is an AWS managed service, the bandwidth performance of 100 gigabits per second (Gbps) per firewall endpoint is not impacted, even after you enable TLS inspection configuration. Single digit millisecond latency is expected at initial connection due to the TCP and TLS handshake before data can flow to the firewall. We recommend that you conduct your own testing for the rule sets to verify that the service meets your performance expectations.</p> <p><strong>DPI and encryption.</strong> Encryption has particularly been a challenge to DPI. Effective decisions can’t be made if the contents of the packets aren’t known. As more applications and websites use encryption, it is important that you implement the right TLS decryption technique. 
With Network Firewall, you can choose which traffic to decrypt by using your available certificates in <a href="https://aws.amazon.com/certificate-manager/" target="_blank" rel="noopener">AWS Certificate Manager (ACM)</a>. You can then apply the TLS configurations across the stateful rule groups, thereby authorizing Network Firewall to act as a go-between. For more information on how AWS Network Firewall handles privacy, please read the <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-configurations.html" target="_blank" rel="noopener">Network Firewall documentation</a>.</p> <h2>AWS Network Firewall deployment architectures</h2> <p>There are three main architecture patterns for Network Firewall deployments. You can refer to the <a href="https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/" target="_blank" rel="noopener">Deployment models for AWS Network Firewall</a> blog post, which provides details on these, as well as key considerations. The three main models are as follows:</p> <ul> <li><strong>Distributed deployment model</strong> — Network Firewall is deployed into each individual VPC.</li> <li><strong>Centralized deployment model</strong> — Network Firewall is deployed into a centralized VPC for East-West (VPC-to-VPC) or North-South (inbound and outbound from internet, on-premises) traffic. We refer to this VPC as the inspection VPC throughout this blog post.</li> <li><strong>Combined deployment model</strong> — Network Firewall is deployed into a centralized inspection VPC for East-West (VPC-to-VPC) and a subset of North-South (on-premises, egress) traffic. Internet ingress is distributed to VPCs that require dedicated inbound access from the internet, and Network Firewall is deployed accordingly.</li> </ul> <p>Each of these architectures is still valid for TLS inspection functionality. 
Today, AWS Network Firewall supports TLS inspection only for the ingress (inbound) traffic coming into the VPC.</p> <p>In this section, we will highlight a deployment architecture with AWS Network Firewall and the process for deep packet inspection.</p> <h2>AWS Network Firewall – prior to TLS inspection configuration</h2> <p>Figure 1 below shows how Network Firewall performs inspection when the TLS inspection feature isn’t enabled. The workflow is as follows:</p> <ol> <li>The ingress traffic enters the VPC. <a href="https://aws.amazon.com/about-aws/whats-new/2019/12/amazon-vpc-ingress-routing-insert-virtual-appliances-forwarding-path-vpc-traffic/" target="_blank" rel="noopener">Ingress routing</a> enables the internet traffic to be inspected by AWS Network Firewall.</li> <li>The traffic from the firewall endpoint to the Network Firewall: <ol> <li>Network Firewall inspects the packet first through a stateless engine. Network Firewall makes a drop/pass decision by applying the rules that are present in the stateless engine.</li> <li>If there is no match on the set of stateless rules present, the traffic is then forwarded to the stateful engine. 
Again, a drop/pass decision is made by applying the set of stateful rules.</li> </ol> </li> <li>If the decision is to pass traffic, then the firewall endpoint present in the firewall subnet sends the traffic to the customer subnet through the routes present in the VPC subnet route table.</li> </ol> <div id="attachment_29043" class="wp-caption aligncenter"> <a href="https://infracom.com.sg/wp-content/uploads/2023/04/img1_2-1024x510-1.png" rel="noopener" target="_blank"><img aria-describedby="caption-attachment-29043" src="https://infracom.com.sg/wp-content/uploads/2023/04/img1_2-1024x510-1.png" alt="Figure 1: AWS Network Firewall without TLS inspection configuration" width="760" class="size-large wp-image-29043"><p id="caption-attachment-29043" class="wp-caption-text">Figure 1: AWS Network Firewall without TLS inspection configuration</p></a> </div> <h2>AWS Network Firewall — after TLS inspection configuration</h2> <p>After you enable the TLS inspection capability in Network Firewall, the traffic flow changes slightly, as shown in Figure 2. Because the ingress data you want to inspect is encrypted, it first needs to be decrypted before it is sent to the firewall stateful engine.</p> <p>In Figure 2, you can see the ingress traffic flow, which has the following steps:</p> <ol> <li>The ingress traffic enters the VPC. <a href="https://aws.amazon.com/about-aws/whats-new/2019/12/amazon-vpc-ingress-routing-insert-virtual-appliances-forwarding-path-vpc-traffic/" target="_blank" rel="noopener">Ingress routing</a> enables the internet traffic to be inspected by AWS Network Firewall.</li> <li>The traffic from the firewall endpoint to the Network Firewall: <ol> <li>Network Firewall inspects the packet first through a stateless engine. Network Firewall makes a drop/pass decision by applying the rules present in the stateless engine.</li> <li>If there is no match on the set of stateless rules present, the traffic is then forwarded to the stateful engine. 
However, before the traffic passes to the stateful engine, if there is no match and the traffic is in the scope of the TLS inspection configuration, the traffic is forwarded for the decrypt operation.</li> <li>After decryption, the traffic is then forwarded to the firewall stateful engine for inspection. Again, Network Firewall makes a drop/pass decision by applying the set of stateful rules.</li> </ol> </li> <li>If the decision is to pass traffic, then the firewall endpoint present in the firewall subnet sends the traffic to the customer subnet through the routes present in the VPC subnet route table.</li> </ol> <blockquote> <p><strong>Note:</strong> Customers must trust the ACM certificate used in the TLS inspection configuration for the configuration to function properly.</p> </blockquote> <div id="attachment_29044" class="wp-caption aligncenter"> <a href="https://infracom.com.sg/wp-content/uploads/2023/04/img2_2-1024x513-1.png" rel="noopener" target="_blank"><img aria-describedby="caption-attachment-29044" src="https://infracom.com.sg/wp-content/uploads/2023/04/img2_2-1024x513-1.png" alt="Figure 2: AWS Network Firewall with TLS inspection configuration" width="760" class="size-large wp-image-29044"><p id="caption-attachment-29044" class="wp-caption-text">Figure 2: AWS Network Firewall with TLS inspection configuration</p></a> </div> <h2>Implement TLS inspection in AWS Network Firewall</h2> <p>Let’s look at how to implement TLS inspection when you create a new network firewall in AWS Network Firewall. A TLS inspection configuration contains one or more references to a valid AWS Certificate Manager (ACM) SSL/TLS certificate that Network Firewall uses to decrypt ingress (inbound) traffic. Network Firewall supports a <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html" target="_blank" rel="noopener">variety of certificate types</a>, including wildcard certificates. 
You can optionally define a scope (5-tuple based) to decrypt traffic by source and destination IP or port. To follow this procedure, you must have at least one valid certificate type supported by Network Firewall in ACM that’s accessible by your AWS account.</p> <p><strong>To create a TLS inspection configuration (console)</strong></p> <ol> <li>Sign in to the AWS Management Console and <a href="https://console.aws.amazon.com/vpc/" target="_blank" rel="noopener">open the Amazon VPC console</a>.</li> <li>In the navigation pane, under <strong>Network Firewall</strong>, choose <strong>TLS inspection configurations</strong>.</li> <li>Choose <strong>Create TLS inspection configuration</strong>. <div id="attachment_28973" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28973" src="https://infracom.com.sg/wp-content/uploads/2023/04/img3-4.png" alt="Figure 3: TLS inspection configuration for AWS Network Firewall" width="720" class="size-full wp-image-28973"> <p id="caption-attachment-28973" class="wp-caption-text">Figure 3: TLS inspection configuration for AWS Network Firewall</p> </div> </li> <li>On the <strong>Associate SSL/TLS certificates</strong> page, in the search box, select the ACM certificate to use in the TLS inspection configuration, and then choose <strong>Add certificate.</strong> You can use as many as 10 certificates for a single configuration. 
<div id="attachment_28974" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28974" src="https://infracom.com.sg/wp-content/uploads/2023/04/img4-4.png" alt="Figure 4: SSL/TLS certificate as part of Network Firewall inspection configuration" width="720" class="size-full wp-image-28974"> <p id="caption-attachment-28974" class="wp-caption-text">Figure 4: SSL/TLS certificate as part of Network Firewall inspection configuration</p> </div> </li> <li>Choose <strong>Next</strong> to go to the TLS inspection configuration’s <strong>Describe TLS inspection configuration</strong> page.</li> <li>For <strong>Name</strong>, enter a name to identify this TLS inspection configuration, and optionally enter a description for the TLS inspection configuration.</li> <li>Choose <strong>Next</strong> to go to the TLS inspection configuration’s <strong>Define scope</strong> page. <div id="attachment_28975" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28975" src="https://infracom.com.sg/wp-content/uploads/2023/04/img5-5.png" alt="Figure 5: Description for Network Firewall inspection configuration" width="720" class="size-full wp-image-28975"> <p id="caption-attachment-28975" class="wp-caption-text">Figure 5: Description for Network Firewall inspection configuration</p> </div> <p>Note that you can’t change the name after you create the TLS inspection configuration.</p> </li> <li>In the <strong>Scope configuration</strong> pane, you can optionally define one or more 5-tuple scopes for the domains that you want Network Firewall to decrypt. Network Firewall uses the corresponding SSL/TLS certificates in your TLS inspection configuration to decrypt the SSL/TLS traffic that matches the scope criteria. 
<div id="attachment_28976" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28976" src="https://infracom.com.sg/wp-content/uploads/2023/04/img6-5.png" alt="Figure 6: Define scope for Network Firewall to decrypt" width="720" class="size-full wp-image-28976"> <p id="caption-attachment-28976" class="wp-caption-text">Figure 6: Define scope for Network Firewall to decrypt</p> </div> <ul> <li>For <strong>Protocol</strong>, choose the protocol to decrypt and inspect for. Network Firewall currently supports only TCP.</li> <li>For <strong>Source</strong>, choose the source IP addresses and ranges to decrypt and inspect for. You can inspect for either <strong>Custom</strong> IP addresses or <strong>Any IPv4 address</strong>. (IPv6 is currently not supported.)</li> <li>For <strong>Source port</strong>, choose the source ports and source port ranges to decrypt and inspect for. You can inspect for either <strong>Custom</strong> port ranges or <strong>Any port</strong>.</li> <li>For <strong>Destination</strong>, choose the destination IP addresses and ranges to decrypt and inspect for. You can inspect for either <strong>Custom</strong> IP addresses or <strong>Any IPv4 address</strong>.</li> <li>For <strong>Destination port</strong>, choose the destination ports and destination port ranges to decrypt and inspect for. You can inspect for either <strong>Custom</strong> port ranges or <strong>Any port</strong>.</li> </ul> </li> <li>After you’ve set the scope criteria, choose <strong>Add scope configuration</strong>, and then choose <strong>Next</strong>.</li> <li>On the next page, <strong>Select encryption options</strong>, determine whether you want to use the AWS managed key or customize encryption settings (advanced). 
Here we use the default key that AWS owns and manages on your behalf; then choose <strong>Next</strong>. <div id="attachment_28977" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28977" src="https://infracom.com.sg/wp-content/uploads/2023/04/img7-4.png" alt="Figure 7: Select the encryption options" width="720" class="size-full wp-image-28977"> <p id="caption-attachment-28977" class="wp-caption-text">Figure 7: Select the encryption options</p> </div> </li> <li>On the <strong>Add tags</strong> page, choose <strong>Next</strong>. Tags are optional but are recommended as a best practice. Tags help you organize and manage your AWS resources. For more information about tagging your resources, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tagging.html" target="_blank" rel="noopener">Tagging AWS Network Firewall resources</a>.</li> <li>On the <strong>Review and confirm</strong> page, check the TLS inspection configuration settings. Choose <strong>Create TLS inspection configuration</strong>. Your TLS inspection configuration is now ready for use. <div id="attachment_28978" class="wp-caption aligncenter"> <img aria-describedby="caption-attachment-28978" src="https://infracom.com.sg/wp-content/uploads/2023/04/img8-4.png" alt="Figure 8: Validate the TLS inspection configuration" width="720" class="size-full wp-image-28978"> <p id="caption-attachment-28978" class="wp-caption-text">Figure 8: Validate the TLS inspection configuration</p> </div> </li> </ol> <h2>Update an existing network firewall with TLS inspection configuration</h2> <p>There are two methods that you can use to modify an existing firewall configuration for TLS inspection, depending on your scenario.</p> <p><strong>Scenario 1: Add TLS inspection to an existing network firewall.</strong> In this scenario, you only need to consider the scope that TLS inspection applies to. 
After you have followed steps 1 through 12 outlined in the procedure in this post, and created the TLS inspection configuration, ingress (inbound) traffic will be decrypted and then sent to the stateful engine for inspection that uses your existing firewall policies.</p> <p><strong>Scenario 2: Modify an existing firewall with TLS inspection configured.</strong> In this scenario, where TLS configuration has already been added and you just need to modify the configuration, you can use the following steps. Note that you can’t change the name of a TLS inspection configuration after creation, but you can change other details.</p> <p><strong>To update a TLS inspection configuration</strong></p> <ol> <li>Sign in to the AWS Management Console and <a href="https://console.aws.amazon.com/vpc/" target="_blank" rel="noopener">open the Amazon VPC console</a>.</li> <li>In the navigation pane, under <strong>Network Firewall</strong>, choose <strong>TLS inspection configurations</strong>.</li> <li>On the <strong>TLS inspection configuration</strong> page, select the name of the TLS inspection configuration you want to update.</li> <li>Make your desired changes to the configuration.</li> <li>Choose <strong>Save</strong>.</li> </ol> <p>To understand more about how Network Firewall handles changes, including TLS inspection configuration, refer to <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-policy-managing.html" target="_blank" rel="noopener">Managing your firewall policy in AWS Network Firewall</a>.</p> <h2>Conclusion</h2> <p><a href="https://aws.amazon.com/network-firewall/" target="_blank" rel="noopener">AWS Network Firewall</a> lets you inspect traffic at scale in a variety of use cases. 
In this blog post, we looked into the recently launched <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-configurations.html" rel="noopener" target="_blank">TLS inspection configuration</a> for ingress inspection architectures and discussed considerations for enabling this feature. We showed how you can enable and update the TLS inspection feature on Network Firewall. To learn more about the TLS inspection feature, check out the <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-configurations.html" target="_blank" rel="noopener">AWS Network Firewall Developer Guide</a>. We hope this post is helpful and look forward to hearing about how you use the latest feature.</p> <p>If you have feedback about this post, submit comments in the<strong> Comments</strong> section below. If you have questions about this post, <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener noreferrer">contact AWS Support</a>.</p> <p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>
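<p>The following is an added example, not code from AWS or from this post, that ties together the Figure 2 flow and the 5-tuple scope defined in step 8: it builds the TLS inspection configuration body in the shape the <code>CreateTLSInspectionConfiguration</code> API takes (certificate references plus scopes), decides whether a given ingress flow is in scope, and returns the stages that flow passes through (stateless, then decrypt only when in scope, then stateful). The certificate ARN, the 10.0.1.0/24 customer subnet and the sample flows are constructed placeholders; <code>create_configuration</code> assumes a boto3 <code>networkfirewall</code> client supplied by the caller and is not called when the file runs.</p>

```python
"""Added example (not AWS's code): scope matching for Network Firewall TLS
inspection plus the payload shape for creating the configuration via the API.
The certificate ARN, subnet and sample flows are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Constructed placeholder; substitute the ARN of a certificate in your ACM.
CERT_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID"
TCP = 6  # the only protocol the scope configuration currently accepts


@dataclass(frozen=True)
class Flow:
    """One connection as the firewall sees it (5-tuple)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: int = TCP


def build_scope(sources, destinations, src_ports, dst_ports, protocols=(TCP,)):
    """One 5-tuple scope in the ServerCertificateScope shape of the API.
    Address definitions are CIDRs; port ranges are (from, to) tuples."""
    return {
        "Sources": [{"AddressDefinition": c} for c in sources],
        "Destinations": [{"AddressDefinition": c} for c in destinations],
        "SourcePorts": [{"FromPort": lo, "ToPort": hi} for lo, hi in src_ports],
        "DestinationPorts": [{"FromPort": lo, "ToPort": hi} for lo, hi in dst_ports],
        "Protocols": list(protocols),
    }


def build_tls_inspection_configuration(cert_arns, scopes):
    """Body passed as TLSInspectionConfiguration to the create call."""
    return {"ServerCertificateConfigurations": [{
        "ServerCertificates": [{"ResourceArn": arn} for arn in cert_arns],
        "Scopes": list(scopes),
    }]}


def _address_match(ip, address_defs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(d["AddressDefinition"], strict=False)
               for d in address_defs)


def _port_match(port, port_ranges):
    return any(r["FromPort"] <= port <= r["ToPort"] for r in port_ranges)


def in_scope(flow, scope):
    """True only when every element of the 5-tuple falls inside the scope."""
    return (flow.protocol in scope["Protocols"]
            and _address_match(flow.src_ip, scope["Sources"])
            and _address_match(flow.dst_ip, scope["Destinations"])
            and _port_match(flow.src_port, scope["SourcePorts"])
            and _port_match(flow.dst_port, scope["DestinationPorts"]))


def inspection_path(flow, config):
    """Stages a flow passes once no stateless rule matched (Figure 2):
    in-scope traffic is decrypted before the stateful engine sees it,
    everything else goes to the stateful engine still encrypted."""
    scopes = [s for c in config["ServerCertificateConfigurations"] for s in c["Scopes"]]
    if any(in_scope(flow, s) for s in scopes):
        return ["stateless", "decrypt", "stateful"]
    return ["stateless", "stateful"]


def create_configuration(client, name, config):
    """API equivalent of the console steps, using a boto3 'networkfirewall'
    client supplied by the caller (assumption; not called in this file).
    AWS_OWNED_KMS_KEY is the default encryption option chosen in step 10."""
    return client.create_tls_inspection_configuration(
        TLSInspectionConfigurationName=name,
        TLSInspectionConfiguration=config,
        EncryptionConfiguration={"Type": "AWS_OWNED_KMS_KEY"},
    )


# Constructed scope: decrypt inbound HTTPS from any IPv4 source to the
# 10.0.1.0/24 customer subnet; any source port, destination port 443 only.
SCOPE = build_scope(sources=["0.0.0.0/0"], destinations=["10.0.1.0/24"],
                    src_ports=[(0, 65535)], dst_ports=[(443, 443)])
CONFIG = build_tls_inspection_configuration([CERT_ARN], [SCOPE])

if __name__ == "__main__":
    for f in (Flow("198.51.100.7", 51000, "10.0.1.20", 443),
              Flow("198.51.100.7", 51001, "10.0.1.20", 80),
              Flow("198.51.100.7", 51002, "10.0.2.20", 443)):
        print(f, "->", " > ".join(inspection_path(f, CONFIG)))
```

<p>Running the file prints the path for three constructed flows: HTTPS to the scoped subnet is decrypted before the stateful engine, while port 80 traffic and HTTPS to a subnet outside the scope skip the decrypt stage. When you narrow a scope in the console, checking a few representative flows this way shows which traffic the stateful rules will see in cleartext and which they will not.</p>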