Profile Applicability
- Level 1
Description:
In AWS Network Firewall, a firewall policy defines the stateless default actions that the firewall applies to packets matching none of the policy's stateless rules. Full (non-fragmented) packets and fragmented packets have separate default actions. For full packets the default action should be drop (aws:drop) or forward to the stateful rule groups (aws:forward_to_sfe); a default of pass (aws:pass) lets unmatched traffic exit the firewall without ever reaching the stateful inspection engine. This SOP ensures that the firewall policy handles unmatched full packets securely so that traffic cannot bypass inspection.
Rationale:
Security: The stateless default action decides what happens to every full packet that no stateless rule explicitly matches. With aws:pass, that traffic bypasses the stateful rule groups (Suricata-compatible IPS rules, domain lists, 5-tuple rules) entirely. Drop or forward guarantees that unmatched traffic is either discarded or inspected statefully before it can reach the VPC.
Compliance: Many compliance frameworks (e.g., SOC 2, PCI DSS) require firewalls to deny traffic that is not explicitly permitted.
Traffic Management: Unmatched full packets are dropped or handed to the stateful engine, so only traffic that the rules explicitly allow reaches protected subnets.
Impact:
Pros:
Improved Security: Traffic that matches no stateless rule is dropped or inspected by the stateful rule groups instead of being passed through unexamined.
Better Traffic Management: Configuring firewalls to handle specific traffic types improves control over which packets are allowed or denied.
Compliance: Helps meet industry-specific security and regulatory requirements.
Cons:
Operational Complexity: Requires regular review of firewall policies and rule groups to ensure that legitimate traffic is not inadvertently dropped.
Potential Service Interruptions: Switching a policy from pass to drop blocks any traffic that relied on the implicit pass, and a firewall policy change applies to every firewall that uses that policy.
Default Value:
A firewall policy has no implicit stateless default action: StatelessDefaultActions (full packets) and StatelessFragmentDefaultActions (fragmented packets) are required when the policy is created, and each must contain exactly one of aws:pass, aws:drop, or aws:forward_to_sfe, optionally alongside custom actions that publish metrics. A policy created with aws:pass sends unmatched full packets out of the firewall without stateful inspection.
Pre-requisite:
AWS IAM Permissions:
network-firewall:ListFirewallPolicies
network-firewall:DescribeFirewallPolicy
network-firewall:UpdateFirewallPolicy
network-firewall:CreateFirewallPolicy (only if a new policy is created)
AWS CLI installed and configured.
AWS Network Firewall firewalls and their firewall policies are deployed and operational.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to VPC under Services.
In the left navigation pane, under Network Firewall, choose Firewall policies.
Select the firewall policy associated with your Network Firewall.
In the Stateless default actions section, review the action configured for full packets:
Ensure that it is Drop or Forward to stateful rule groups, not Pass.
If it is set to Pass, proceed with the Implementation Steps below.
Using AWS CLI:
List the firewall policies in the Region, then describe each one and check its stateless default actions for full packets:
aws network-firewall list-firewall-policies --query 'FirewallPolicies[*].Name' --output text
aws network-firewall describe-firewall-policy --firewall-policy-name <policy-name> --query 'FirewallPolicy.StatelessDefaultActions'
The output must contain aws:drop or aws:forward_to_sfe (custom metric-publishing actions may appear alongside the standard action). If it contains aws:pass, follow the Implementation Steps to correct it. The separate StatelessFragmentDefaultActions value governs fragmented packets and is not covered by this check.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to VPC.
In the left navigation pane, under Network Firewall, choose Firewall policies.
Select the firewall policy you want to modify.
In the Stateless default actions section, choose Edit.
For full packets, set the action to Drop or Forward to stateful rule groups.
Save the changes. The new default action takes effect on every firewall that uses this policy.
Using AWS CLI:
To create a firewall policy whose default action for full packets is drop or forward, pass the policy definition as a JSON document (StatelessFragmentDefaultActions is also required):
aws network-firewall create-firewall-policy \
  --firewall-policy-name <policy-name> \
  --firewall-policy '{"StatelessDefaultActions":["<aws:drop-or-aws:forward_to_sfe>"],"StatelessFragmentDefaultActions":["<aws:drop-or-aws:forward_to_sfe>"],"StatefulRuleGroupReferences":[{"ResourceArn":"<stateful-rule-group-arn>"}]}'
To update an existing policy, first describe it to obtain its current definition and UpdateToken. update-firewall-policy replaces the whole FirewallPolicy object, so keep the existing rule group references and custom actions and change only the standard action in StatelessDefaultActions:
aws network-firewall describe-firewall-policy --firewall-policy-name <policy-name>
aws network-firewall update-firewall-policy \
  --firewall-policy-name <policy-name> \
  --update-token <update-token-from-describe> \
  --firewall-policy '<FirewallPolicy JSON from describe, with StatelessDefaultActions set to aws:drop or aws:forward_to_sfe>'
To verify the default action for full packets, run:
aws network-firewall describe-firewall-policy --firewall-policy-name <policy-name> --query 'FirewallPolicy.StatelessDefaultActions'
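The audit in the Test Plan and the update in the Implementation Steps can be scripted against the JSON that describe-firewall-policy returns. The following Python is an added example, not part of this SOP or of any AWS tooling: it decides compliance from StatelessDefaultActions (treating custom metric actions as neutral), and builds the FirewallPolicy object and the update-firewall-policy invocation that carry over the existing rule group references and custom actions while swapping only the standard action. The policy name, ARNs, update token and custom action in SAMPLE_DESCRIBE_OUTPUT are constructed sample data; in practice the input is the output of aws network-firewall describe-firewall-policy.

```python
"""Audit and remediate the stateless default action for full packets on an
AWS Network Firewall policy, working on the JSON document that
`aws network-firewall describe-firewall-policy` prints."""
import json

STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
COMPLIANT_ACTIONS = {"aws:drop", "aws:forward_to_sfe"}

# Constructed sample shaped like describe-firewall-policy output (not real data).
# Its full-packet default is aws:pass, i.e. non-compliant.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "UpdateToken": "11111111-2222-3333-4444-555555555555",
    "FirewallPolicyResponse": {
        "FirewallPolicyName": "example-policy",
        "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:"
                             "firewall-policy/example-policy",
        "FirewallPolicyStatus": "ACTIVE",
    },
    "FirewallPolicy": {
        "StatelessRuleGroupReferences": [
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:"
                            "stateless-rulegroup/example-stateless",
             "Priority": 10}
        ],
        "StatelessDefaultActions": ["aws:pass", "CountUnmatched"],
        "StatelessFragmentDefaultActions": ["aws:drop"],
        "StatelessCustomActions": [
            {"ActionName": "CountUnmatched",
             "ActionDefinition": {"PublishMetricAction": {
                 "Dimensions": [{"Value": "unmatched"}]}}}
        ],
        "StatefulRuleGroupReferences": [
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:"
                            "stateful-rulegroup/example-stateful"}
        ],
    },
})


def standard_action(actions):
    """Return the single aws:* action in a default-action list.
    Custom actions only publish metrics, so they are ignored here."""
    found = [a for a in actions if a in STANDARD_ACTIONS]
    if len(found) != 1:
        raise ValueError(f"expected exactly one standard action, got {found}")
    return found[0]


def full_packet_default_action(describe_output):
    """Stateless default action applied to full (non-fragmented) packets."""
    doc = json.loads(describe_output)
    return standard_action(doc["FirewallPolicy"]["StatelessDefaultActions"])


def is_compliant(describe_output):
    """True when unmatched full packets are dropped or forwarded, not passed."""
    return full_packet_default_action(describe_output) in COMPLIANT_ACTIONS


def build_remediated_policy(describe_output, desired="aws:forward_to_sfe"):
    """Return (policy_name, update_token, firewall_policy) for update-firewall-policy.

    UpdateFirewallPolicy replaces the entire FirewallPolicy object, so every rule
    group reference and custom action is copied unchanged; only the standard
    action inside StatelessDefaultActions is swapped for the desired one."""
    if desired not in COMPLIANT_ACTIONS:
        raise ValueError(f"{desired!r} is not a compliant full-packet action")
    doc = json.loads(describe_output)
    policy = json.loads(json.dumps(doc["FirewallPolicy"]))  # deep copy
    policy["StatelessDefaultActions"] = [
        desired if a in STANDARD_ACTIONS else a
        for a in policy["StatelessDefaultActions"]
    ]
    name = doc["FirewallPolicyResponse"]["FirewallPolicyName"]
    return name, doc["UpdateToken"], policy


def update_command(describe_output, desired="aws:forward_to_sfe"):
    """Render the aws network-firewall update-firewall-policy command line."""
    name, token, policy = build_remediated_policy(describe_output, desired)
    body = json.dumps(policy, separators=(",", ":"))
    return ("aws network-firewall update-firewall-policy "
            f"--firewall-policy-name {name} --update-token {token} "
            f"--firewall-policy '{body}'")


if __name__ == "__main__":
    print("compliant:", is_compliant(SAMPLE_DESCRIBE_OUTPUT))
    if not is_compliant(SAMPLE_DESCRIBE_OUTPUT):
        print(update_command(SAMPLE_DESCRIBE_OUTPUT))
```

Because the update token comes from the same describe call that supplied the policy body, the generated command fails if someone else changed the policy in between, which is the optimistic-locking behaviour of the API rather than a quirk of the script.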
Backout Plan:
Using AWS Console:
If the new default action blocks legitimate traffic, sign in to the AWS Management Console.
Navigate to VPC > Network Firewall > Firewall policies.
Select the firewall policy and, in the Stateless default actions section, choose Edit.
Set the action for full packets back to the previous value.
Save the changes and verify that the policy now shows the previous default action.
Using AWS CLI:
To revert the default action, describe the policy to obtain a fresh UpdateToken, then submit the previous FirewallPolicy definition:
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME>
aws network-firewall update-firewall-policy \
  --firewall-policy-name <POLICY_NAME> \
  --update-token <UPDATE_TOKEN> \
  --firewall-policy '<previous FirewallPolicy JSON, with StatelessDefaultActions set to <PREVIOUS_ACTION>>'
Verify that the default action has been reverted:
aws network-firewall describe-firewall-policy --firewall-policy-name <POLICY_NAME> --query 'FirewallPolicy.StatelessDefaultActions'