Network Firewall

Question 1

Routing

TL;DR for Network Firewall?

Answer 1

Protects your VPCs

Question 2

Routing

Does a NF protect incoming or outgoing traffic?

Answer 2

Both

Question 3

Routing

Is NF simple filtering or deep-packet inspection?

Answer 3

Yes to both

Question 4

Routing

How/where do you put NF in your VPC?

Answer 4

It’s just ENIs: create dedicated subnets, put NF ENIs in each

Question 5

Routing

How do you get inbound traffic to go thru the NF?

Answer 5

IGW Route Table sends incoming packets from IGW to the NF ENIs

Question 6

Routing

How do you get outbound traffic to go thru the NF?

Answer 6

Just like NAT GWs: Route Tables send 0.0.0.0/0” to the NF subnets

Question 7

Routing

Is NF HA?

Answer 7

Yes if you create multiple ENIs in different AZs

Question 8

Configuration

Top-level thing that holds all configuration for a NF?

Answer 8

Firewall Policy

Question 9

Configuration

Limit on the number of Firewall Policies per NF?

Answer 9

1

Question 10

Configuration

Can a Firewall Policy be shared with other NF?

Answer 10

Yes

Question 11

Configuration

What’s inside a Firewall Policy?

Answer 11

Rule Groups (which hold Rules)

Question 12

Configuration

Are Rules stateful or stateless?

Answer 12

Both! You pick.

Question 13

Configuration

What are the different actions a Rule can take?

Answer 13

Pass, drop, forward, custom (for stateful rules)

Question 14

Configuration

What is the “5-Tuple”?

Answer 14

source IP, source port, dest IP, dest port, protocol (like TCP vs. UDP)

Question 15

Configuration

What are the two Engines in a NF?

Answer 15

Stateless Engine and Stateful Engine

Question 16

Stateless Engine

What’s the default action if a packet doesn’t match a stateless Rule?

Answer 16

Whatever you configured

Question 17

Stateless Engine

How can the two Engines interact?

Answer 17

Stateless can forward a packet to the Stateful engine (but not the other direction)

Question 18

Stateless Engine

What sequence are stateless Rules processed?

Answer 18

Priority Order (lowest number is highest priority)

Question 19

Stateless Engine

What happens if two stateless Rules match a packet being inspected?

Answer 19

Doesn’t happen: Engine stops as soon as it finds a Rule that matches

Question 20

Stateless Engine

What do stateless Rules operate on?

Answer 20

5-Tuple

Question 21

Stateful Engine

What’s the Stateful Engine code base?

Answer 21

Suricata (open standard)

Question 22

Stateful Engine

How does the stateful engine interact with the stateless engine?

Answer 22

It doesn’t

Question 23

Stateful Engine

What sequence are stateful rules processed?

Answer 23

Depends: choose from Strict Order or Action Order

Question 24

Stateful Engine

What is Strict Order?

Answer 24

Evalutes each rule one-at-a-time, in the order you list them

Question 25

Stateful Engine

What is Action Order?

Answer 25

Evaluate all pass rules, then all drop rules, then all reject rules

Question 26

Stateful Engine

What do stateful Rules operate on:

Answer 26

5-Tuple + domain names + entire packet (deep-packet inspection)