Firewall Options in AWS

Discussion in 'Business & Enterprise Computing' started by gav1ski, May 28, 2019.

  1. gav1ski

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
    Hi,

    We are currently using Sophos UTM 9 as our front-end firewall, using its WAF, IPS and NAT functionality, but after a recent pen test we were pulled up on lacking single-IP brute force protection, and after talking with Sophos found out that they are not willing at this time to add a rule to block an IP for a period of time if the request rate goes above a set threshold in a set time period.

    So what I would like to know is what other people are using in AWS for the same/similar functionality so I can get some more options.

    What I am currently looking at is:

    1. Leave Sophos UTM in place and put the AWS ALB & WAF in front, and have 1 rule to handle the IP blocking.
    2. Remove Sophos and just use AWS ALB/ELB and WAF. Though this will remove the IPS protection on the NAT routes and require constant updating of the WAF rules to stay current (possibly negated a bit by paying for a managed rule set).
    3. Replace Sophos UTM with another marketplace company's firewall that has the IPS/WAF and NAT functionality we need and is not a nightmare to actually configure (web configuration interface preferred).

    Thanks in advance.
     
  2. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,307
    Location:
    Canberra
    Sophos UTM has a RESTful API, why not bash together functionality to provide this capability? This is the definitive use case of software defined things..... No?

    Or take the application output around attacks and data pump it into the AWS VM filter firewall so it saves the VM CPU as well.
     
    Last edited: May 28, 2019
  3. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,593
    Location:
    Canberra
    UTM9 is a dead-end product. XG is the replacement - it may have the IPS you're looking for.
     
  4. gav1ski (OP)

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
  5. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,307
    Location:
    Canberra
  6. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,593
    Location:
    Canberra
  7. gav1ski (OP)

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
    We are in the health space and store patient data, so it's very important we keep up to date on WAF attack patterns, and the IPS functionality helps protect against the server attacks. Our applications are .NET, so IIS and Windows are needed, so we are starting at a lower point security-wise than if we were running on Apache. Though they do supply managed rule sets for AWS WAF, so if I go down option 2 then it will be worth looking at. I am also not a Linux admin (though I can find my way around) so I don't want to have to build and manage anything that does not come with some level of support.

    While this seems like a good option, it's not supported to put it on an EC2 in AWS. Looking at the product a bit more, they have rolled out to Azure but not AWS, which is annoying.
     
  8. harrye30

    harrye30 Member

    Joined:
    Apr 1, 2012
    Messages:
    248
    Why not just run up a CentOS (Red Hat if you need support) box behind your existing firewall?

    Route all traffic and implement iptables (or firewalld if you want to get with the times) with a custom fail2ban configuration and jail to ban X (failed requests in periods etc. etc.) for X time?

    Straightforward. Takes maybe 8-9 minutes to set up?
     
  9. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    7,344
    Location:
    Briz Vegas
    https://aws.amazon.com/shield/
    Not sure exactly what you want, as it's a broad topic covered by a 3-letter acronym, but I'll guess Shield is the AWS product you are after.
     
  10. Skitza

    Skitza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,747
    Location:
    In your street
    Well it does already have this function to a degree. Definitions and Users -> Authentication services -> Advanced. In there you can block access to all services for a period of time for an IP that goes over a limit. Might help you. I'd go with 1).
     
  11. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,208
    Location:
    Adelaide
  12. gav1ski (OP)

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
    Nice idea, but that protects against authentication to the firewall services, and our users don't authenticate with the firewall.

    No WAF functionality so not really suited.

    If I did not need the AV scan function that Sophos provides on the WAF I would just switch to option 2 (AWS only), but as it stands it looks like I will be going down option 1. After talking to one of the Sophos security architects, XG is 6+ months away for AWS and also does not support rate-based rules.
     
  13. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,307
    Location:
    Canberra
    gav1ski, are you guys using Cloudflare? They incorporate some base OWASP rules into their WAF, food for thought?
     
  14. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,608
    Location:
    Sydney
    Doesn't AWS Shield do what you need? It's DDoS protection.
     
  15. gav1ski (OP)

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
    Not using them, will have a look, but we are completely in AWS Sydney only so we don't need cross provider/location.

    We have Shield (you get Standard out of the box) but the main issue is when someone tries a brute force from a single IP.
     
  16. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,608
    Location:
    Sydney
    I know what you mean, I would have assumed that's the definition of DDoS protection; it should block an IP if > n requests.

    If AWS Shield Standard doesn't do that or you can't set an ACL for that I would be surprised.

    Looks like it does it with Advanced:
    https://docs.aws.amazon.com/waf/latest/developerguide/ddos-get-started-rate-based-rules.html
    We recommend that you add rate-based rules as part of your AWS Shield Advanced protections. These rules can alert you to sudden spikes in traffic that might indicate a potential DDoS event. A rate-based rule counts the requests that arrive from a specified IP address every five minutes. If the number of requests exceeds a rate limit that you define, the rule can trigger an action such as sending you a notification.

    AWS Shield Advanced is $3000 USD/month though :/ If your client is worried about DDoS to this extent, they are probably big enough to pay that.
     
    Last edited: May 30, 2019
  17. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    7,344
    Location:
    Briz Vegas
    If your "login" uses an API you can rate limit that by using AWS API Gateway.
     
  18. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,608
    Location:
    Sydney
    Just so you know, you can set up rate-based rules in AWS WAF now, and it's free:

    The maximum number of requests from a single IP address that are allowed in a five-minute period. This value is constantly evaluated and requests will be blocked once this limit is reached. The IP address is automatically unblocked once it falls below the limit.
    Rate limit must be an integer equal to or greater than 2000.

    Solved?
     
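An added example, not from this thread or from AWS: a small Python replay of the rate-based rule semantics quoted above (every request from a source IP counted over a trailing five-minute window, blocked once the count reaches the limit, allowed again once it falls below it) over constructed traffic, the way you would dry-run a threshold against your own access logs before switching the rule from count to block. All function names and the sample IPs (RFC 5737 documentation ranges) are constructed for this example; it also shows the caveat that the 2000-request floor lets a source sending fewer than about 6.7 requests per second through untouched, so application-level lockout still matters for a login form.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # rate-based rules count requests over a trailing five-minute window
MIN_LIMIT = 2000               # lowest limit the AWS WAF console accepted when this thread was written
T0 = datetime(2019, 5, 30, 9, 0, 0)  # constructed start time for the sample traffic


def make_requests(ip, start, count, span_seconds):
    """Constructed sample traffic: `count` requests from `ip` spread evenly over `span_seconds`."""
    step = span_seconds / count
    return [(start + timedelta(seconds=i * step), ip) for i in range(count)]


def simulate_rate_rule(requests, limit=MIN_LIMIT):
    """Replay (timestamp, client_ip) pairs through a rate-based rule (hypothetical helper).

    Every request is counted, blocked ones included. A request is blocked when its
    source IP already has `limit` requests inside the trailing window, and the IP is
    allowed again as soon as old requests age out and the count drops below the limit.
    Returns {ip: {"allowed": n, "blocked": n}}.
    """
    if limit < MIN_LIMIT:
        raise ValueError(f"rate limit must be an integer >= {MIN_LIMIT}")
    windows = defaultdict(deque)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, ip in sorted(requests):
        window = windows[ip]
        while window and ts - window[0] >= WINDOW:  # drop requests older than five minutes
            window.popleft()
        verdict = "blocked" if len(window) >= limit else "allowed"
        window.append(ts)
        stats[ip][verdict] += 1
    return dict(stats)


def demo():
    """Three constructed sources against the 2000 floor: one burst, one normal user, one low and slow."""
    traffic = (
        make_requests("203.0.113.7", T0, 2500, 240)    # burst: 2500 login attempts in 4 minutes
        + make_requests("198.51.100.9", T0, 60, 600)   # ordinary user: 60 requests over 10 minutes
        + make_requests("192.0.2.44", T0, 1500, 300)   # low and slow: 5/s, never reaches the floor
    )
    return simulate_rate_rule(traffic, limit=MIN_LIMIT)


if __name__ == "__main__":
    for ip, counts in demo().items():
        print(f"{ip:>14}: {counts}")
```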
  19. gav1ski (OP)

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    94
    Location:
    Sydney
    Currently testing an application load balancer with a WAF rate rule in front of Sophos. While not free, it's only $1/month on top of the load balancer costs, just a lot of extra config when it only has 1 server behind it.
     
  20. Luke212

    Luke212 Member

    Joined:
    Feb 26, 2003
    Messages:
    9,608
    Location:
    Sydney
    Why do you only have 1 server? More risky than worrying about DDoS. Didn't they complain about that in your audit?
     
