AWS network-firewall documentation change
Summary
Added SNI-based domain filtering example and testing recommendations
Security assessment
Provides security-focused rule examples for domain filtering using SNI and emphasizes testing, improving guidance for secure rule configuration without addressing specific vulnerabilities.
Diff
diff --git a/network-firewall/latest/developerguide/suricata-examples.md b/network-firewall/latest/developerguide/suricata-examples.md index 60b4181b0..422d97cb1 100644 --- a//network-firewall/latest/developerguide/suricata-examples.md +++ b//network-firewall/latest/developerguide/suricata-examples.md @@ -5 +5 @@ -Allow trafficBlock trafficLog trafficRule variablesIP set referenceGeographic IP filterManage rule evaluation orderDomain list rulesStandard stateful rule groups +Allow trafficBlock trafficLog trafficRule variablesIP set referenceGeographic IP filterManage rule evaluation orderDomain list rulesStandard stateful rule groupsAllow traffic to a domain using its SNI @@ -448,0 +449,4 @@ These rules block all unsolicited traffic from `$EXTERNAL_NET` to `$HOME_NET` wh +###### Note + +Before using any example rule, test and adapt it to your needs. + @@ -485,0 +490,19 @@ The following Suricata rules listing shows the rules that Network Firewall gener +## Stateful rules example: allow traffic to a domain using its SNI + +###### Note + +Before using any example rule, test and adapt it to your needs. + +The following set of rules will allow traffic to a domain using its SNI, while blocking traffic to all other domains in a strict order action policy. + + + # Drop all established to_server traffic (even TLS) from $HOME_NET to $EXTERNAL_NET + drop tcp $HOME_NET any -> $EXTERNAL_NET any (flow: to_server, established; sid:1;) + + # This rule does not allow the traffic because it is already dropped by sid:1, but it does keep the dropped traffic from touching any other rules in the ruleset + pass tcp $HOME_NET any -> $EXTERNAL_NET any (flow: to_server, established; sid:11;) + + # Allow all TLS from anywhere to anywhere if it's SNI is example.com + pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:"example.com"; dotprefix; nocase; flow: to_server, established; sid:2;) + +