Inspect traffic between VPCs using AWS Network Firewall

AWS Network Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up with just a few clicks and scales automatically with your network traffic, so you don’t have to worry about deploying and managing any infrastructure. AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats, as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager, so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.

AWS Network Firewall includes features that provide protections from common network threats. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection. AWS Network Firewall also offers web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.

AWS Network Firewall components

Firewall

A firewall connects the VPC that you want to protect to the protection behavior that’s defined in a firewall policy.

Firewall policy

Defines the behavior of the firewall in a collection of stateless and stateful rule groups and other settings.

You can associate each firewall with only one firewall policy, but you can use a firewall policy for more than one firewall.

Rule group

A rule group is a collection of stateless or stateful rules that define how to inspect and handle network traffic. Rule configuration options include 5-tuple matching, domain name filtering, and Suricata-compatible rules.

Stateless inspection

All individual packets in a flow are evaluated against each rule present in your policy. Rules are processed in strict order based on the priority assigned to them, with lower numbered rules (for example, 1) taking precedence over higher numbered rules (for example, 100).

Stateless rules inspect each packet in isolation, without regard to factors such as the direction of traffic, or whether the packet is part of an existing, approved connection. This has performance benefits, because the security policy makes a decision sooner. However, it also means that the policy cannot take the greater context of a flow into consideration before making a decision. For example, if you need to automatically allow return traffic, this is not something a stateless policy is best suited for.

Stateful inspection

Stateful inspection works differently. The stateful rules engine processes your rules in the order of their action setting, with pass rules processed first, then drop, then alert. The engine stops processing when it finds a match. The firewall also takes into consideration the order in which the rules appear in the rule group, and the priority assigned to each rule, if any.

For example, a pass rule with a priority of 1 will be processed prior to a pass rule with a priority of 2. However, a drop rule with a priority of 1 will always be processed after all pass rules have been evaluated, including those with a lower priority.

Stateful rules take into account the entire flow from start to finish, which affects how your rules are evaluated.

Rule engine comparison

Stateful

Inspects packets in the context of their traffic flow and the direction of the traffic.

Supports rules compatible with Suricata (an open source IPS).

Processes rules in the order of their action setting, with pass rules processed first, then drop, then alert, and stops processing when it finds a match.

Stateless

Inspects each packet in isolation. Does not take into consideration factors such as the direction of traffic, or whether the packet is part of an existing, approved connection.

Standard 5-tuple connection criteria: protocol, source IP range, source port range, destination IP range, destination port range.

Processes rules in the order that you prioritize them and stops processing when it finds a match. Similar in behavior and use to Amazon VPC network access control lists (ACLs).
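To make the two orderings above concrete, here is a small model of the match order the post describes, added here as an illustration and not part of the original post or of the AWS engine. It assumes a simplified rule shape (action, protocol, destination port, priority) and a constructed rule set where a drop rule has the best priority but a pass rule for SSH also matches, so the stateless and stateful verdicts differ.

```python
# Added example: models only the match ORDER the post states, not the AWS engine.
# Stateless: strict priority order, first match wins, else the policy default.
# Stateful: all pass rules first, then drop, then alert; priority orders within each.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "pass", "drop" or "alert"
    proto: str             # "tcp", "icmp" or "any"
    dport: Optional[int]   # destination port, None = any port
    priority: int          # lower number = evaluated earlier


def matches(rule: Rule, proto: str, dport: Optional[int]) -> bool:
    return rule.proto in ("any", proto) and rule.dport in (None, dport)


def stateless_verdict(rules, proto, dport, default="drop"):
    # Each packet is checked against rules strictly by priority; the first
    # match decides. `default` stands for the policy's stateless default action.
    for r in sorted(rules, key=lambda r: r.priority):
        if matches(r, proto, dport):
            return r.action
    return default


def stateful_verdict(rules, proto, dport, default="pass"):
    # Action order beats priority: every pass rule is tried before any drop
    # rule, and every drop rule before any alert rule. `default` is an assumed
    # fallthrough for unmatched traffic; the post does not state it.
    order = {"pass": 0, "drop": 1, "alert": 2}
    for r in sorted(rules, key=lambda r: (order[r.action], r.priority)):
        if matches(r, proto, dport):
            return r.action
    return default


# Constructed rule set (not from the post): the drop rule has priority 1,
# the SSH pass rule priority 2. Stateless -> drop; stateful -> pass.
RULES = [
    Rule("drop", "any", None, priority=1),
    Rule("pass", "tcp", 22, priority=2),
]
```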

A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. Your data is automatically encrypted and never travels over the public internet.

In this blog I’ll show you how to inspect or restrict traffic between one VPC and another using AWS Network Firewall.

Steps for implementing

1. Create three VPCs that will be attached to the TGW (you can create more VPCs based on your needs).

(Screenshot: VPC)

2. Attach the inspection firewall rules to a firewall policy.

(Screenshot: Stateless firewall)

3. Attach the inspection firewall policy to the inspection firewall.

(Screenshot: Firewall policy)

4. The inspection firewall is attached to the inspection firewall subnets, and its firewall policy has the rule group attached.

5. The inspection VPC has only two subnets, both deployed in one AZ: one for the firewall endpoint and one for the TGW attachment.

(Screenshot: Inspection VPC subnets)

6. After the firewall is created successfully, note the firewall endpoint in the firewall details section. This endpoint is used in the inspection VPC’s TGW subnet route table to route traffic to the firewall subnet.

(Screenshot: Firewall)
(Screenshot: Inspection VPC TGW subnet route table association)
(Screenshot: Inspection VPC firewall subnet route table association)

7. In the route table of the inspection VPC’s TGW subnet, redirect all traffic coming from the transit gateway to the Network Firewall VPC endpoint.

(Screenshot: Inspection VPC TGW route table)

8. Create a transit gateway in your region (us-east-1).

9. Attach all your VPCs to the TGW.

(Screenshot: VPC attachment)

10. Create attachment-specific TGW route tables for all spoke VPCs and for the inspection VPC.

(Screenshot: TGW attachment-specific route tables)

11. Associate all spoke VPC attachments with the TGW spoke route table.

(Screenshot: TGW spoke route table association)

12. Add a static 0.0.0.0/0 route through the inspection VPC TGW attachment.

13. Associate the inspection VPC TGW attachment with the inspection route table.

14. Add all spoke VPCs as propagated routes to the inspection TGW route table.

(Screenshot: TGW inspection route table propagation)

15. You can see these propagated routes in the routes section of the inspection VPC attachment.

(Screenshot: TGW inspection route table routes)

16. Add 0.0.0.0/0 as a route to the TGW in the inspection VPC firewall subnet route table.

(Screenshot: Inspection VPC firewall route table)

(Screenshot: Route tables of the spoke VPCs)

17. Create two instances in the spoke VPC subnets.

(Screenshot: Spoke A instance IP)

18. For the spoke B instance, allow all traffic, because inbound and outbound traffic is managed by Network Firewall.

19. Add ICMP and TCP rules to the Network Firewall rule group; only traffic matching these rules is passed and all other traffic is dropped.

20. Now we are able to log in from the spoke A instance in the spoke A VPC.

21. Remove ICMP and keep only TCP as the allowed traffic.

22. Since the firewall rules no longer allow any ICMP, as seen above, we can’t ping: 16 packets transmitted, 100% packet loss.

23. We are still able to SSH into the machines, because TCP is the only traffic that is allowed and filtered.
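As an added example (not code from the post), the allow-list used in the steps above expressed as the stateless rule-group body and the policy default actions that the Network Firewall API and CLI accept, plus a small check of what the post’s two tests (ping, SSH) get before and after ICMP is removed. The spoke CIDRs are constructed values, since the post does not give them, and the verdict function only mirrors the stateless first-match-by-priority semantics; it is not the AWS engine.

```python
# Added example: allow-list rule group (TCP + ICMP between the spokes, default drop)
# in the stateless rule-group schema of the Network Firewall API, and a checker
# that applies the post's stateless semantics: priority order, first match wins.
import ipaddress

SPOKE_A = "10.1.0.0/16"   # constructed spoke A CIDR (not given in the post)
SPOKE_B = "10.2.0.0/16"   # constructed spoke B CIDR
TCP, ICMP = 6, 1          # IANA protocol numbers used by the Protocols field
SPOKES = [{"AddressDefinition": SPOKE_A}, {"AddressDefinition": SPOKE_B}]


def stateless_rule(priority, protocols):
    # Both CIDRs appear as source AND destination: stateless rules do not track
    # flows, so the return direction needs its own explicit match.
    return {"Priority": priority, "RuleDefinition": {
        "Actions": ["aws:pass"],
        "MatchAttributes": {"Sources": SPOKES, "Destinations": SPOKES,
                            "Protocols": protocols}}}


def rule_group(allow_icmp=True):
    # RulesSource body for create-rule-group; step 21 of the post is allow_icmp=False.
    rules = [stateless_rule(1, [TCP])]
    if allow_icmp:
        rules.append(stateless_rule(2, [ICMP]))
    return {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": rules}}}


POLICY = {  # firewall-policy defaults: anything unmatched is dropped
    "StatelessDefaultActions": ["aws:drop"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
}


def in_any(addr, defs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(d["AddressDefinition"]) for d in defs)


def verdict(group, src, dst, proto, policy=POLICY):
    rules = group["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    for r in sorted(rules, key=lambda r: r["Priority"]):
        m = r["RuleDefinition"]["MatchAttributes"]
        if proto in m["Protocols"] and in_any(src, m["Sources"]) and in_any(dst, m["Destinations"]):
            return r["RuleDefinition"]["Actions"][0]
    return policy["StatelessDefaultActions"][0]
```

The rule group still needs a Capacity value and must be referenced from the policy’s stateless rule group references before it takes effect; those fields are omitted here.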

Thank you for following along with me.

You can use Network Firewall to monitor and protect your Amazon VPC traffic in a number of ways. Pass traffic through only from known AWS service domains or IP address endpoints, such as Amazon S3. Use custom lists of known bad domains to limit the types of domain names that your applications can access. Perform deep packet inspection on traffic entering or leaving your VPC. Use stateful protocol detection to filter protocols like HTTPS, independent of the port used.
