
Implement AWS Managed Rulesets for Network Firewall

Open · dms1981 opened this issue 2 years ago · 1 comment

User Story

As a Modernisation Platform Engineer I want to integrate AWS Managed Rulesets into our Network Firewall policy So that we can provide rich protection for our customers against things like botnets and malware domains

User Type(s)

  • Modernisation Platform Customer
  • Modernisation Platform Engineer

Value

This story will cover the adjustment of our firewall-policy module to allow us to use multiple stateful_rule_group_reference blocks, and supplying our firewall-policy module with multiple AWS Network Firewall managed rule groups.

Questions / Assumptions / Hypothesis

  • We will want to include at least the following managed rule groups to begin with:
    • ThreatSignaturesExploits
    • ThreatSignaturesMalware
    • ThreatSignaturesMalwareWeb
  • We may want to supply further rule groups in future, so should consider this in our implementation
  • We will need to reorder the priority of our rule groups, moving our self-managed rules below the managed groups. This will ensure that traffic is properly passed through the rules before being matched; otherwise, we could find our own rules being matched and traffic being passed before it is evaluated by a managed rule.
  • Alternatively we could consider the implications of moving away from a STRICT implementation of firewall rules.

Definition of done

  • [ ] AWS Managed Rules in place

Reference

  • How to write good user stories
  • Spike: Investigate use of AWS Managed Rulesets for Network Firewall

dms1981 avatar Jan 06 '23 14:01 dms1981

This issue is stale because it has been open 90 days with no activity.

github-actions[bot] avatar May 02 '23 01:05 github-actions[bot]

We can now supply managed rulesets to our firewall policies. I think we still need to consider how traffic is matched against the rulesets in our policies, because since this was originally raised we've switched to using the default matching method rather than the strict method that was previously in use. If we choose to make use of managed rule sets, then we'll need to revisit how we match traffic in our policies.

https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html

dms1981 avatar Sep 22 '23 08:09 dms1981
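The shape the user story asks for (multiple stateful_rule_group_reference blocks fed from a list of managed rule groups, with the self-managed group ordered after them) and the matching-order question raised in the last comment, as one added Terraform example. This is illustrative code written for this page, not the Modernisation Platform's firewall-policy module. It assumes the "StrictOrder" variants of the managed rule group names and the `aws-managed` pseudo-account ARN shape documented by AWS, and it assumes `var.self_managed_rule_group_arn` points at an existing STRICT_ORDER stateful rule group in the account; verify all three against the AWS documentation for your region before applying.

```hcl
# Added example (not the Modernisation Platform firewall-policy module).
# Assumptions, all to be checked against the AWS docs and the real module:
#   - the managed rule group names are the "StrictOrder" variants, because a
#     STRICT_ORDER policy can only reference strict-order rule groups;
#   - the managed rule group ARN uses the "aws-managed" pseudo-account;
#   - var.self_managed_rule_group_arn is an existing STRICT_ORDER stateful
#     rule group owned by this account.

variable "managed_rule_groups" {
  description = "AWS managed stateful rule groups, in evaluation order (first = highest priority)."
  type        = list(string)
  default = [
    "ThreatSignaturesExploitsStrictOrder",
    "ThreatSignaturesMalwareStrictOrder",
    "ThreatSignaturesMalwareWebStrictOrder",
  ]
}

variable "self_managed_rule_group_arn" {
  description = "ARN of the account's own STRICT_ORDER stateful rule group (assumed to exist)."
  type        = string
}

data "aws_region" "current" {}

resource "aws_networkfirewall_firewall_policy" "example" {
  name = "example-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    # Strict evaluation: rule groups run in ascending priority, so a flow
    # reaches the self-managed group only after every managed group above it
    # has had the chance to drop or alert on it.
    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    # Strict-order policies require the *_strict / *_established default
    # actions; alert_strict keeps a log line for anything that fell through.
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

    # One reference per managed group; priority 1..N follows list position,
    # so adding a group later is a one-line change to the variable.
    dynamic "stateful_rule_group_reference" {
      for_each = { for i, name in var.managed_rule_groups : name => i + 1 }
      content {
        priority     = stateful_rule_group_reference.value
        resource_arn = "arn:aws:network-firewall:${data.aws_region.current.name}:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.key}"
      }
    }

    # Self-managed rules go last, so a pass rule here cannot release traffic
    # before the managed signatures have evaluated it.
    stateful_rule_group_reference {
      priority     = length(var.managed_rule_groups) + 1
      resource_arn = var.self_managed_rule_group_arn
    }
  }
}
```

The `priority` numbers only mean something under `STRICT_ORDER`. If the policy is left on the default action order (the "default matching method" the last comment mentions), the engine evaluates by action type (pass, then drop, then alert) across all rule groups rather than by group priority, the managed groups must be swapped for their "ActionOrder" variants, and a pass rule in the self-managed group can match before a managed drop or alert rule sees the flow; that is exactly the ordering guarantee the user story was relying on, and it is what would need revisiting.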