AWS Network Firewall

On November 17, 2020, AWS launched Network Firewall.

Details are available on the AWS News Blog.

We already have NACLs, Security Groups, WAF, Shield and so on, but the introduction document says the following:

AWS Network Firewall is a service for customers who want to inspect and filter traffic entering or leaving an Amazon VPC, or traffic between Amazon VPCs.

The AWS Regions where AWS Network Firewall is currently available are US East (N. Virginia), US West (Oregon), and Europe (Ireland).

AWS Network Firewall "How it works" diagram

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for VPCs. The service can be set up in a few clicks and scales automatically, so there is no need to worry about managing it.

With AWS Network Firewall's flexible rule engine, you can define firewall policies that give fine-grained control over network traffic to block malicious activity.

Under VPC -> AWS Network Firewall in the console there are Firewall policies and Network Firewall rule groups; having both policies and groups seems similar to WAF.

You can also import rules already written in common open-source rule formats, and enable integration with intelligence feeds sourced from AWS partners.

AWS Network Firewall works together with AWS Firewall Manager, so AWS Network Firewall policies can be applied centrally across VPCs and accounts.

The firewall is used per Availability Zone: for each Availability Zone you choose a subnet for the firewall endpoint that filters traffic, and each endpoint can protect the remaining subnets, excluding the endpoint's own subnet.

Components of AWS Network Firewall

Firewalls

A firewall associates the VPC to be protected with a firewall policy. The user attaches a subnet dedicated to the firewall endpoint in each Availability Zone to be protected, and then updates the route tables so that traffic is sent through the firewall endpoint.

Firewall policies

Define stateful and stateless rule groups and other settings.

Network Firewall rule groups

A collection of rules for a firewall policy. Suricata open-source rules can also be used.

Features of AWS Network Firewall

1. High availability and automatic scaling

Provides built-in redundancy so that all traffic is inspected and monitored consistently.

Offers a 99.99% availability SLA, and firewall capacity scales up and down automatically with traffic load.

2. Stateful firewall

It takes the traffic flow into account for fine-grained policies based on source address and protocol type. The match criteria of this stateful firewall are the same as those of AWS Network Firewall's stateless inspection, with an additional match setting for the direction of traffic. AWS Network Firewall filters not only TCP/UDP traffic but all ports.

3. Web filtering

AWS Network Firewall supports inbound/outbound web filtering for unencrypted web traffic. For encrypted web traffic, it can filter on the FQDN (fully qualified domain name) using the SNI.

4. Intrusion prevention

AWS Network Firewall's intrusion prevention system provides traffic flow inspection with protection against vulnerability exploits and application-layer protection.

5. Alerts and flow logs

Alert logs differ per rule and provide additional data about the triggered rule and the specific session.

Flow logs provide state information about every traffic flow passing through the firewall, and can be stored in Amazon S3, Amazon Kinesis, or Amazon CloudWatch.

6. Centralized management and visibility

AWS Firewall Manager can centrally deploy and manage security policies across the services, VPCs, and accounts in an AWS Organization.

7. Rule management and customization

With AWS Network Firewall, customers can run their own in-house rules as well as Suricata-compatible rules sourced from third parties and open-source platforms.
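As an added example (not code from the original post or from AWS), the following Python builds the kind of Suricata-compatible stateful rule string described under web filtering and rule management: TLS flows are allow-listed by SNI FQDN and every other TLS flow is dropped, and the returned dict matches the parameters of boto3's network-firewall create_rule_group call. The domain list, rule group name, capacity and SID range are assumed values, and the FQDN check is a constructed sanity check, not an AWS validation rule.

```python
import re

# Constructed sanity check for domain labels, not an AWS validation rule
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def sni_allowlist_rules(domains, home_net="$HOME_NET", start_sid=1000):
    """Return Suricata flat-format rules: one 'pass' per allowed domain (and its
    subdomains) matched on the TLS SNI, followed by a catch-all 'drop' for every
    other TLS flow leaving home_net. In Network Firewall $HOME_NET defaults to the
    protected VPC CIDR, and with the default action order pass rules are evaluated
    before drop rules regardless of their position in the string."""
    rules = []
    sid = start_sid
    for domain in domains:
        domain = domain.lower().strip(".")
        if not FQDN_RE.match(domain):
            raise ValueError(f"not a valid FQDN: {domain!r}")
        # dotprefix prepends '.' to the SNI so 'endswith .example.com' matches
        # example.com and sub.example.com but not a lookalike such as notexample.com
        rules.append(
            f'pass tls {home_net} any -> $EXTERNAL_NET 443 '
            f'(tls.sni; dotprefix; content:".{domain}"; endswith; '
            f'msg:"allow TLS to {domain}"; sid:{sid}; rev:1;)'
        )
        sid += 1
    rules.append(
        f'drop tls {home_net} any -> $EXTERNAL_NET 443 '
        f'(msg:"drop TLS to non-allowlisted SNI"; sid:{sid}; rev:1;)'
    )
    return "\n".join(rules)


def rule_group_request(name, rules, capacity=100):
    """Keyword arguments for boto3 client('network-firewall').create_rule_group();
    the Rules parameter takes the Suricata string directly. Capacity is assumed."""
    return {"RuleGroupName": name, "Type": "STATEFUL",
            "Capacity": capacity, "Rules": rules}


if __name__ == "__main__":
    # Assumed domain list; the request dict is built but not sent anywhere
    rules = sni_allowlist_rules(["example.com", "aws.amazon.com"])
    print(rules)
    print(rule_group_request("web-allowlist", rules))
```

Once such a rule group is attached to a firewall policy, matches on the drop rule appear in the alert logs described in the next section, which is where blocked SNI values can be reviewed.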

So how does AWS Network Firewall differ from existing AWS services and products on AWS Marketplace?

AWS Network Firewall complements the security of existing services and Marketplace products by controlling and providing visibility into layer 3 to 7 network traffic for the entire VPC. Depending on the use case, AWS Network Firewall can be deployed alongside existing security rules such as VPC security groups, WAF rules, and AWS Marketplace products.

When should AWS Network Firewall be used?

It can control traffic based on URL, IP, and domain, but it can also protect VPC-to-VPC traffic and AWS Direct Connect and AWS VPN traffic running through a Transit Gateway, so it seems a good fit for those cases.

Deployment models for AWS Network Firewall

AWS Network Firewall deployed in a single AZ, and the traffic flow for workloads in a public subnet
AWS Network Firewall deployed in each protected VPC
AWS Network Firewall deployed in a multi-AZ configuration
A model for inspecting traffic between an ALB and a NAT gateway
A centralized model
A model for inspecting traffic arriving through a Transit Gateway

Next, I plan to write a HOL.

References

https://aws.amazon.com/ko/blogs/korea/aws-network-firewall-new-managed-firewall-service-in-vpc/

https://aws.amazon.com/ko/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
