
I'm looking into implementing AWS Network Firewall with Suricata IPS rules, and find it really hard to find real examples and ideas of what is relevant regarding rules etc. Our customer put emphasis on IPS, IDS and anti-malware.

My setup today is Internet Gateway -> Application Load Balancer -> Auto-scaling ECS containers. Correct me if I'm wrong, but the firewall fits in between IG and ALB?

I have spent some time staring at the following screen:

Create Network Firewall rule group

and my initial questions are:

  1. How do I determine what rules are applicable to me?
  2. What is "Capacity" really?

Starting with number one, I believe the rules I can choose from are listed here, and initially I thought that I surely wanna use all the 30k (?) rules they supply. Thinking about it a bit more I assume that that might affect the responsiveness for our end users. So, if I'm thinking IPS, what rule-sets are necessary for a web solution with port 80 and 443 open to the public? If I look at the file containing all "emerging" rules they list about 30k rules but I hardly think all of them are relevant to me.

Regarding point two, Capacity, Amazon states the following as an explanation:

Maximum processing capacity allowed for the rule group. Estimate the stateful rule group’s capacity requirement as the number of rules you expect to add. You can’t change or exceed this setting when you update the rule group.

Initially I thought that "one capacity" refers to one line (one rule in any rule set), but I later understood that one line itself might require up to 450 "capacity" (I've lost the link where I read/interpreted this).

I understand that this subject is huge, and I'm somewhat of a rookie when it comes to firewalls, but can anyone enlighten me how to approach this? I feel as if I'm not certain what I'm asking about, so please let me know if I need to clarify anything.

Patrik Bäckström

1 Answer


I have recently developed an integration between IDSTower (suricata & rules management solution) and AWS Network firewall, so I can relate to the confusion :)

How do I determine what rules are applicable to me?

The starting point should be the services you are protecting; once you know that, things will be easier. ET Open/Suricata rules can be grouped in different ways: they are published in different files (e.g. emerging-smtp.rules, emerging-sql.rules, etc.) and contain a classtype that classifies the rules (e.g. bad-unknown, misc-attack, etc.), as well as metadata like tags, signature_severity, etc.

Another important thing to point out here is that AWS Network Firewall has a limit on the uploaded rules size (in a single stateful rule group) of 2 MB, which will force you to pick and choose your rules.

There are several approaches to decide what rules to enable:

  1. Using the grouping of rules explained above, start by enabling a small subset, monitor the output, adjust/tune and enable another subset, until you cover the services; so start small and grow the enabled rules.

  2. Enable all of the rules (in IDS mode) and assess the alerts, disable/tune noisy/useless ones until you reach a state of confidence.

  3. Enable rules that monitor the protocol your system speaks; if you are protecting HTTP-based web services, start by enabling rules that are monitoring the HTTP protocol ('alert http.....').

If you are applying the above to a production environment, make sure you start by alerting only, and once you remove false positives you can move them to drop.

What is "Capacity" really?

AWS uses the capacity settings to make sure your Cloud-Suricata instance can deliver the promised performance, which is largely influenced by the number of enabled rules.

A single stateful rule consumes 1 capacity.

Initially I thought that "one capacity" refers to one line (one rule in any rule set), but I later understood that one line itself might require up to 450 "capacity" (I've lost the link where I read/interpreted this).

Yes, Suricata rules (which are stateful in the AWS Network Firewall world) consume 1 capacity point per single rule line; however, for stateless rules, a single rule can consume more depending on protocols, sources and destinations, as mentioned in the AWS docs:

A rule with a protocol that specifies 30 different protocols, a source with 3 settings, a destination with 5 settings, and single or no specifications for the other match settings has a capacity requirement of (30 * 3 * 5) = 450.

Here is the AWS Network Firewall docs link.

IDSTower
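As an added illustration of the two capacity models in the answer above (this is example code written for this page, not code from the question, the answer, IDSTower or AWS), a small Python helper that counts the active Suricata rule lines in a rules file to estimate stateful capacity, checks the text against the 2 MB per-rule-group limit the answer mentions, and applies the stateless product rule from the quoted AWS example. The rules text is constructed for the example; the function names and the way match-setting counts are passed are assumptions of this snippet.

```python
"""Estimate AWS Network Firewall rule-group capacity (added example, not from the post).

Assumptions: stateful (Suricata) capacity is one point per active rule line;
stateless capacity is the product of the number of settings per match type,
with a missing or single setting counting as a factor of 1 (the AWS example
quoted in the answer: 30 protocols * 3 sources * 5 destinations = 450).
"""
from math import prod

STATEFUL_RULES_MAX_BYTES = 2 * 1024 * 1024  # 2 MB limit stated in the answer

# Constructed sample rules text: one comment, one disabled rule, two active rules.
SAMPLE_RULES = """\
# ET-style rules, constructed for this example
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE bad user agent"; http.user_agent; content:"badbot"; sid:9000001; rev:1;)
#alert tls $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE disabled rule"; sid:9000002; rev:1;)

drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE path traversal"; http.uri; content:"../"; sid:9000003; rev:1;)
"""


def active_rule_lines(rules_text: str) -> list[str]:
    """Return the rule lines Suricata would load: blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in rules_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def stateful_capacity(rules_text: str) -> int:
    """Stateful rule group capacity: one capacity point per active rule line."""
    return len(active_rule_lines(rules_text))


def fits_size_limit(rules_text: str) -> bool:
    """True if the rules text is within the 2 MB per-stateful-rule-group limit."""
    return len(rules_text.encode("utf-8")) <= STATEFUL_RULES_MAX_BYTES


def stateless_rule_capacity(**match_setting_counts: int) -> int:
    """Stateless rule capacity: product of the setting counts per match type
    (protocols, sources, destinations, ...); zero or one setting counts as 1."""
    return prod(max(1, n) for n in match_setting_counts.values())


if __name__ == "__main__":
    print("stateful capacity:", stateful_capacity(SAMPLE_RULES))  # 2
    print("within 2 MB:", fits_size_limit(SAMPLE_RULES))  # True
    # The AWS example quoted in the answer: 30 protocols, 3 sources, 5 destinations
    print("stateless capacity:", stateless_rule_capacity(protocols=30, sources=3, destinations=5))  # 450
```

Feeding a real emerging-*.rules file to stateful_capacity() and fits_size_limit() gives a quick read on whether a candidate subset fits one rule group before you upload it.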