AWS Network Firewall features

AWS Network Firewall offers built-in redundancies to ensure all traffic is consistently inspected and monitored. AWS Network Firewall offers a Service Level Agreement with an uptime commitment of 99.99%. AWS Network Firewall enables you to automatically scale your firewall capacity up or down based on the traffic load to maintain steady, predictable performance to minimize costs.

The stateful firewall takes into account the context of traffic flows for more granular policy enforcement, such as dropping packets based on the source address or protocol type. The match criteria for this stateful firewall is the same as AWS Network Firewall’s stateless inspection capabilities, with the addition of a match setting for traffic direction. AWS Network Firewall’s flexible rule engine gives you the ability to write thousands of firewall rules based on source/destination IP, source/destination port, and protocol. AWS Network Firewall will filter common protocols without any port specification, not just TCP/UDP traffic filtering.

AWS Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, AWS Network Firewall can filter fully qualified domain names (FQDN).

AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection with real-time network and application layer protections against vulnerability exploits and brute force attacks. Its signature-based detection engine matches network traffic patterns to known threat signatures based on attributes such as byte sequences or packet anomalies.

Alert logs are rule specific and provide additional data regarding the rule that was triggered and the particular session that triggered it. Flow logs provide state information about all traffic flows that pass through the firewall, with one line per direction. AWS Network Firewall flow logs can be natively stored in Amazon S3, Amazon Kinesis, and Amazon CloudWatch.

AWS Firewall Manager is a security management service that enables you to centrally deploy and manage security policies across your applications, VPCs, and accounts in AWS Organizations. AWS Firewall Manager can organize AWS Network Firewall rules groups into policies that you can deploy across your infrastructure to help you scale enforcement in a consistent, hierarchical manner. AWS Firewall Manager provides an aggregated view of policy compliance across accounts and automates the remediation process. As new accounts, resources, and network components are created, Firewall Manager makes it easy to bring them into compliance by enforcing a common set of firewall policies.

AWS Network Firewall enables customers to run Suricata-compatible rules sourced internally, from in-house custom rule development or externally, from third party vendors or open source platforms.

AWS Network Firewall integrates with AWS Partners for integration with central third-party policy orchestration and exporting logs to analytics solutions. AWS Network Firewall supports popular managed threat intelligence feeds for customers who prefer to leverage their existing managed rule providers. AWS Network Firewall can plug into third-party policy orchestration solutions for centrally managing hybrid or multiple firewall vendor architectures. For more visibility, AWS Network Firewall logs and security event information can be sent to third-party analytics solutions, such as Security Information and Event Management (SIEM) software. See a full list of AWS Network Firewall partners

AWS Network Firewall supports Transport Layer Security (TLS) inspection, allowing customers to strengthen their security posture on AWS by improving visibility into encrypted traffic flows. You can use AWS Network Firewall to decrypt TLS sessions and inspect both inbound and outbound  Amazon Virtual Private Cloud (VPC) traffic without the need to deploy or manage any additional network security infrastructure. Encryption and decryption happen on the same firewall instance natively, so traffic does not cross any network boundaries.