Overview
Network Firewall Features
High availability and automated scaling
Amazon Network Firewall offers built-in redundancies to ensure all traffic is consistently inspected and monitored. Amazon Network Firewall offers a Service Level Agreement with an uptime commitment of 99.99%. Amazon Network Firewall enables you to automatically scale your firewall capacity up or down based on the traffic load, maintaining steady, predictable performance while minimizing costs.
The stateful firewall takes into account the context of traffic flows for more granular policy enforcement, such as dropping packets based on the source address or protocol type. The match criteria for this stateful firewall are the same as Amazon Network Firewall’s stateless inspection capabilities, with the addition of a match setting for traffic direction. Amazon Network Firewall’s flexible rule engine gives you the ability to write thousands of firewall rules based on source/destination IP, source/destination port, and protocol. Amazon Network Firewall can filter common protocols without any port specification, so filtering is not limited to TCP/UDP port matching.
Amazon Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, Amazon Network Firewall can filter fully qualified domain names (FQDN).
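SNI-based filtering works because the hostname sits in the cleartext ClientHello, before any encryption starts. The following is an added illustration, not code from Amazon Network Firewall: it builds a constructed TLS ClientHello, pulls out the server_name extension the way an inspection engine would, and applies a blocklist. The `BLOCKED` set and the hostnames are constructed assumptions for the example.

```python
import struct
from typing import Optional

def build_client_hello(hostname: bytes) -> bytes:
    """Constructed sample: minimal TLS ClientHello record carrying an SNI extension."""
    sni_entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list          # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random (zeroed for the sample)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                    # one compression method: null
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # not a handshake record / not ClientHello
            return None
        pos = 5 + 4 + 2 + 32                         # record hdr, handshake hdr, version, random
        sid_len = record[pos]; pos += 1 + sid_len
        cs_len = struct.unpack_from("!H", record, pos)[0]; pos += 2 + cs_len
        comp_len = record[pos]; pos += 1 + comp_len
        if pos + 2 > len(record):
            return None                              # no extensions block at all
        ext_total = struct.unpack_from("!H", record, pos)[0]; pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos); pos += 4
            if ext_type == 0:
                # server_name: list length (2), name type (1), name length (2), name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5 : pos + 5 + name_len].decode("ascii", "replace")
            pos += ext_len
    except (IndexError, struct.error):
        return None
    return None

BLOCKED = {"bad.example.net"}   # constructed blocklist for the example

def decide(record: bytes) -> str:
    """Drop when the cleartext SNI matches the blocklist; otherwise pass.
    A ClientHello without SNI yields None and cannot match a hostname rule,
    so only the policy's default action can apply to it."""
    name = extract_sni(record)
    return "drop" if name in BLOCKED else "pass"
```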
Amazon Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection with real-time network and application layer protections against vulnerability exploits and brute force attacks. Its signature-based detection engine matches network traffic patterns to known threat signatures based on attributes such as byte sequences or packet anomalies.
Alert logs are rule-specific and provide additional data regarding the rule that was triggered and the particular session that triggered it. Flow logs provide state information about all traffic flows that pass through the firewall, with one line per direction. Amazon Network Firewall flow logs can be natively stored in Amazon S3, Amazon Kinesis, and Amazon CloudWatch.
Amazon Firewall Manager is a security management service that enables you to centrally deploy and manage security policies across your applications, VPCs, and accounts in Amazon Organizations. Amazon Firewall Manager can organize Amazon Network Firewall rule groups into policies that you can deploy across your infrastructure to help you scale enforcement in a consistent, hierarchical manner. Amazon Firewall Manager provides an aggregated view of policy compliance across accounts and automates the remediation process. As new accounts, resources, and network components are created, Firewall Manager makes it easy to bring them into compliance by enforcing a common set of firewall policies.
Amazon Network Firewall enables customers to run Suricata-compatible rules sourced internally (from in-house custom rule development) or externally (from third-party vendors or open source platforms).
Amazon Network Firewall supports Transport Layer Security (TLS) inspection, allowing customers to strengthen their security posture on Amazon Web Services Cloud by improving visibility into encrypted traffic flows. You can use Amazon Network Firewall to decrypt TLS sessions and inspect both inbound and outbound Amazon Virtual Private Cloud (VPC) traffic without the need to deploy or manage any additional network security infrastructure. Encryption and decryption happen on the same firewall instance natively, so traffic does not cross any network boundaries.