AWS re:Invent 2025 - Level up your AWS Network Firewall rules for maximum protection (SEC231)


Overview of AWS Network Firewall

  • AWS Network Firewall is a fully managed firewall service that allows customers to easily deploy essential network protections on their VPC workloads.
  • Key capabilities include:
    • Fully managed service, no need to deploy or maintain firewall infrastructure
    • High reliability and scalability, up to 100 Gbps per Availability Zone
    • Stateful inspection engine to write rules based on IP, applications, domains, and custom TCP headers
    • Integration with Firewall Manager for consistent security across VPCs and accounts

Common Use Cases for AWS Network Firewall

  1. Ingress Filtering: Prevent intrusion using stateful inspection, protocol detection, and IDS/IPS capabilities.
  2. Egress Filtering: Monitor outbound connections to the internet and block access to unauthorized destinations, especially for regulated workloads.
  3. VPC-to-VPC Security: Create logical boundaries and prevent lateral movement of traffic between VPC workloads, common in regulated industries.

Enhancements to Threat Intelligence

Active Threat Defense

  • Managed rules from AWS based on threat intelligence from the Amazon MadPot infrastructure, a global fleet of digital decoys (honeypots).
  • Rules are automatically updated every 10 minutes to protect against active threats, and removed when threats are no longer active.
  • Integrated with Amazon GuardDuty for centralized visibility into emerging threats.

AWS Partner Managed Rules

  • New capability to leverage threat intelligence from AWS Marketplace partners directly within AWS Network Firewall.
  • Partners include Check Point, Fortinet, Infoblox, Lumen, Rapid7, Trend Micro, and ThreatStop.
  • Partner-managed rules are constantly updated to provide proactive protection against the latest vulnerabilities, malware, and emerging threats.
  • Customers can easily subscribe to partner rule groups and add them to their Network Firewall policy directly from the console.

Partner Threat Intelligence Details

  • Check Point: Curated rules to protect against common vulnerabilities and OWASP Top 10 threats.
  • Fortinet: AI-driven IPS rules to detect and block malware and command-and-control threats; also supports PCI-DSS compliance requirements.
  • Infoblox: Predictive DNS threat intelligence to block high-risk domains and newly registered domains.
  • Lumen: Threat intelligence from the Black Lotus Labs global network to detect and neutralize dangerous emerging attacks.
  • Rapid7: Protections against both state-sponsored advanced persistent threats and financially-motivated ransomware/cybercrime.
  • Trend Micro: Cloud IPS solution with rules to guard against malware, active CVEs, and other emerging threats.
  • ThreatStop: Curated rules to enforce OFAC and ITAR sanctions compliance.

Recommended Network Firewall Policy Approach

  1. Start with a deny-list approach, leveraging AWS-managed and partner-managed threat intelligence rules.
  2. Complement the deny-list with Geo-IP filtering to block traffic from high-risk countries.
  3. Use stateful inspection and threat signature rules for additional protection.
  4. Gradually transition to a more restrictive allow-list approach, allow-listing only trusted high-level domains and destinations.
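The four steps above are easier to reason about with the rules written out. The following is an added example (not from the talk and not AWS's code): it mines AWS Network Firewall alert logs for the destination domains a workload actually uses, then generates Suricata-compatible rule text for the deny-list stage (step 1), a Geo-IP block (step 2), and the final allow-list stage with catch-all drops (step 4). Assumptions: the log lines are constructed here, not real traffic; their shape follows the Network Firewall alert log format (Suricata EVE fields nested under `event`); `$HOME_NET`/`$EXTERNAL_NET`, the `dotprefix`/`endswith` domain-matching pattern and the Suricata `geoip` keyword are used as AWS documents them, and the country codes `XX`/`YY` are placeholders.

```python
import json
from collections import Counter


def _line(**event):
    """Build one constructed alert-log line in the Network Firewall alert shape (assumed)."""
    record = {"firewall_name": "egress-fw", "availability_zone": "us-east-1a",
              "event_timestamp": "1730000000", "event": {"event_type": "alert", **event}}
    return json.dumps(record)


# Constructed sample: what an 'alert on everything' observation phase might log.
SAMPLE_ALERT_LOGS = [
    _line(src_ip="10.0.1.15", dest_ip="198.51.100.10", dest_port=443, proto="TCP",
          app_proto="tls", alert={"action": "allowed", "signature_id": 900001},
          tls={"sni": "api.example.com"}),
    _line(src_ip="10.0.1.22", dest_ip="198.51.100.10", dest_port=443, proto="TCP",
          app_proto="tls", alert={"action": "allowed", "signature_id": 900001},
          tls={"sni": "API.example.com"}),            # same domain, different case
    _line(src_ip="10.0.1.15", dest_ip="203.0.113.5", dest_port=80, proto="TCP",
          app_proto="http", alert={"action": "allowed", "signature_id": 900002},
          http={"hostname": "updates.example.org", "url": "/patch"}),
    _line(src_ip="10.0.1.40", dest_ip="203.0.113.99", dest_port=443, proto="TCP",
          app_proto="tls", alert={"action": "allowed", "signature_id": 900001},
          tls={"sni": "evil.example.net"}),           # seen once; not an allow-list candidate
    _line(src_ip="10.0.1.40", dest_ip="10.0.0.2", dest_port=53, proto="UDP",
          app_proto="dns", alert={"action": "allowed", "signature_id": 900003}),  # no SNI/Host
]


def observed_domains(log_lines):
    """Count destination domains (TLS SNI or HTTP Host) seen in alert-log lines."""
    counts = Counter()
    for line in log_lines:
        event = json.loads(line).get("event", {})
        if event.get("event_type") != "alert":
            continue
        domain = event.get("tls", {}).get("sni") or event.get("http", {}).get("hostname")
        if domain:
            counts[domain.lower().rstrip(".")] += 1
    return counts


def allow_list_candidates(counts, min_hits=2):
    """Domains seen at least min_hits times: the review queue for step 4, not an automatic allow."""
    return sorted(d for d, n in counts.items() if n >= min_hits)


def _domain_rule(action, proto, buffer, domain, sid, msg):
    # dotprefix + endswith matches the domain and any subdomain, but not look-alike suffixes.
    return (f'{action} {proto} $HOME_NET any -> $EXTERNAL_NET any '
            f'({buffer}; dotprefix; content:".{domain}"; endswith; nocase; '
            f'flow:to_server; msg:"{msg}"; sid:{sid}; rev:1;)')


def deny_list_rules(bad_domains, sid_base=100000):
    """Step 1: drop known-bad domains over TLS and HTTP; unmatched traffic is left to the policy default."""
    rules, sid = [], sid_base
    for d in bad_domains:
        rules.append(_domain_rule("drop", "tls", "tls.sni", d, sid, f"deny-list {d}")); sid += 1
        rules.append(_domain_rule("drop", "http", "http.host", d, sid, f"deny-list {d}")); sid += 1
    return rules


def geo_block_rule(country_codes, sid=150000):
    """Step 2: drop flows whose destination geolocates to the listed countries (Suricata geoip keyword, assumed)."""
    return (f'drop ip $HOME_NET any -> $EXTERNAL_NET any (msg:"geo block"; '
            f'geoip:dst,{",".join(country_codes)}; sid:{sid}; rev:1;)')


def allow_list_rules(trusted_domains, sid_base=200000):
    """Step 4: pass only trusted domains, then drop everything else (intended for strict rule order)."""
    rules, sid = [], sid_base
    for d in trusted_domains:
        rules.append(_domain_rule("pass", "tls", "tls.sni", d, sid, f"allow-list {d}")); sid += 1
        rules.append(_domain_rule("pass", "http", "http.host", d, sid, f"allow-list {d}")); sid += 1
    # Catch-alls must come last: in strict order the first matching rule wins.
    rules.append(f'drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TLS not on allow-list"; '
                 f'flow:to_server; sid:{sid}; rev:1;)'); sid += 1
    rules.append(f'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP not on allow-list"; '
                 f'flow:to_server; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    counts = observed_domains(SAMPLE_ALERT_LOGS)
    print("observed:", dict(counts))
    print("\n".join(deny_list_rules(["evil.example.net"])))
    print(geo_block_rule(["XX", "YY"]))
    print("\n".join(allow_list_rules(allow_list_candidates(counts))))
```

The two stages differ in the policy's stateful default action as much as in the rules: during the deny-list stage the policy lets unmatched traffic through, while the allow-list stage pairs the `pass` rules with a drop default (for example `aws:drop_established`) so that protocols the catch-all `drop tls`/`drop http` rules never see are not silently allowed. Running the observation phase with alert-only rules first, as the candidate function assumes, is what makes the "gradual" transition in step 4 safe: the allow-list is derived from what the workload demonstrably needs rather than guessed.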

Key Takeaways

  • AWS Network Firewall provides a fully managed, highly scalable, and reliable firewall service to secure VPC workloads.
  • New enhancements to threat intelligence, including Active Threat Defense and Partner Managed Rules, offer proactive protection against the latest vulnerabilities and attacks.
  • Customers can easily leverage curated threat intelligence from leading security vendors like Check Point, Fortinet, and Trend Micro directly within Network Firewall.
  • A combination of deny-list and allow-list approaches, along with advanced filtering capabilities, can help customers maintain a robust and adaptive security posture.
