AWS network-firewall documentation change
Summary
Expanded documentation for application layer actions in Network Firewall. Added new 'server-directed only' variants for drop and alert established actions, clarified invalid action combinations, and added detailed explanations of bidirectional vs server-directed traffic handling.
Security assessment
This change enhances documentation of security features (stateful firewall actions) but doesn't reference any specific vulnerability fix. It adds new options for granular traffic control without evidence of addressing a specific security incident.
Diff
diff --git a/network-firewall/latest/developerguide/suricata-rule-evaluation-order.md b/network-firewall/latest/developerguide/suricata-rule-evaluation-order.md index f220d19ee..b5a0360ab 100644 --- a//network-firewall/latest/developerguide/suricata-rule-evaluation-order.md +++ b//network-firewall/latest/developerguide/suricata-rule-evaluation-order.md @@ -67 +67 @@ When configuring these actions, consider the following caveats: - 2. For alert actions, you can choose none, one alert action, or **Alert all** plus any of the other two alert actions. + 2. For alert actions, you can choose none, one alert action, or **Alert all** plus any of the other alert actions. @@ -69 +69 @@ When configuring these actions, consider the following caveats: - 3. Some combinations of actions are invalid. If either **Drop established** or **Alert established** is selected, you cannot select **Application Layer drop established** or **Application Layer alert established** , and vice versa. + 3. Some combinations of actions are invalid. If either **Drop established** or **Alert established** is selected, you cannot select **Application drop established (bidirectional)** , **Application alert established (bidirectional)** , **Application drop established (server-directed only)** , or **Application alert established (server-directed only)** , and vice versa. @@ -90 +90 @@ For other protocols, such as UDP, Network Firewall considers the connection esta - * **Application Layer drop established** – Drops server-initiated banner packets and packets in established connections. It also provides enhanced support for segmented application layer traffic through the following behaviors: + * **Application drop established (bidirectional)** – Drops server-initiated banner packets and packets in established connections. It also provides enhanced support for segmented application layer traffic through the following behaviors: @@ -95,0 +96,8 @@ For other protocols, such as UDP, Network Firewall considers the connection esta + * **Application drop established (server-directed only)** – Drops client-to-server TCP and IP packets in established connections that don't match any stateful pass rule. Server-to-client traffic is allowed, including TCP control packets and server-initiated banners. Like the Application drop established (bidirectional) action, it provides enhanced support for segmented application layer traffic through the following behaviors: + + * Allows segmented TLS client hello packets until a `TLS.SNI` field is detected, then applies rules based on SNI. + + * Allows segmented HTTPS request packets until the `HTTP.HOST` field is detected, then applies rules based on host. + +Unlike the Application drop established (bidirectional) action, this action does not drop server-to-client packets for TCP and IP protocols, making it suitable for environments where server-initiated communication must be preserved. + @@ -99 +107 @@ For other protocols, such as UDP, Network Firewall considers the connection esta -###### About the application layer drop established action +###### About the Application drop established (bidirectional) action @@ -101 +109 @@ For other protocols, such as UDP, Network Firewall considers the connection esta -When you select the application layer drop established option, the firewall drops connections that have banner packets. After a connection is established, if the firewall sees a packet that no explicit pass rule allows, the firewall drops that packet and all subsequent packets in the connection. This behavior affects TCP flow control packets that occur after the TCP handshake but before a pass rule applies. +When you select the Application drop established (bidirectional) option, the firewall drops connections that have banner packets. After a connection is established, if the firewall sees a packet that no explicit pass rule allows, the firewall drops that packet and all subsequent packets in the connection. This behavior affects TCP flow control packets that occur after the TCP handshake but before a pass rule applies. @@ -133,0 +142,23 @@ To allow TCP resets: +###### About the Application drop established (server-directed only) action + +When you select the Application drop established (server-directed only) option, the firewall inspects application layer protocols before making drop decisions, and only drops TCP and IP traffic flowing from client to server. Server-to-client TCP and IP traffic is not dropped by this action. + +This action allows the following server-to-client packets to pass through the firewall without requiring explicit pass rules: + + * TCP window updates + + * TCP keep-alives + + * TCP resets (RST) + + * Server-initiated banner packets (for example, FTP, SMTP, and SSH greetings) + + * Server responses to allowed application layer requests + + + + +Client-to-server TCP traffic that does not match any stateful pass rule is dropped after application layer inspection. UDP and ICMP traffic is dropped regardless of direction, as these are connectionless protocols. + +Use this action instead of Application drop established (bidirectional) when your environment includes server-initiated protocols or when TCP control packets are causing unexpected connection drops. + @@ -140 +171 @@ _Choose none, one, or all._ - * **Application Layer alert established** – Logs an `ALERT` message on only the packets that are in established connections, with enhanced support for segmented application layer traffic. + * **Application alert established (bidirectional)** – Logs an `ALERT` message on only the packets that are in established connections, with enhanced support for segmented application layer traffic. @@ -144 +175,3 @@ _Choose none, one, or all._ -You can use these logged messages to better understand the impact that the Application Layer Drop Established action has on firewall behavior. +You can use these logged messages to better understand the impact that the Application Drop Established (bidirectional) action has on firewall behavior. + + * **Application alert established (server-directed only)** – Logs an `ALERT` message on client-to-server TCP and IP packets in established connections, with enhanced support for segmented application layer traffic. Server-to-client packets are not alerted.