AWS Network Firewall: Network protection across all AWS workloads
Amazon Web Services announced the general availability of AWS Network Firewall, a new managed security service that makes it easier for customers to enable network protections across all of their AWS workloads.
Customers can enable AWS Network Firewall in their desired Amazon Virtual Private Cloud (VPC) environments with just a few clicks in the AWS Console, and the service automatically scales with network traffic to provide high availability protections without the need to set up or maintain the underlying infrastructure.
The firewall’s flexible rules engine gives customers granular control to define their own custom rules or integrate with their existing security ecosystem by importing rules from leading AWS Partner Network (APN) security partners like Alert Logic, CrowdStrike, Fortinet, and Trend Micro. There are no additional charges or upfront commitments required to use AWS Network Firewall; customers pay only for the hours the firewall is deployed and the gigabytes of traffic it processes.
AWS provides protections to help customers secure their networks, such as AWS Web Application Firewall (WAF) to protect internet-facing web applications, AWS Shield to safeguard against Distributed Denial of Service (DDoS) attacks, and AWS Firewall Manager which provides central management and visibility across all firewall controls on AWS.
While these and other protections combine to provide highly secure and flexible layers of defense, many customers also want a simple way to apply and manage blanket network protections across all of their workloads (e.g., domain-based access controls, monitoring to identify malicious traffic patterns, and unified traffic inspection spanning from the network layer to the application layer).
Customers also want to customize these protections based on their organization’s specific security needs, import rules from other trusted providers that they already use, and easily integrate collected logs and network data into their existing security workflows. Customers are seeking easy-to-use and customizable network protections, without having to manually patch and maintain servers, handle failover, and provision capacity.
With AWS Network Firewall, customers can easily deploy granular network protections across their entire AWS environment, without the need to configure and manage additional security infrastructure. AWS Network Firewall provides essential protections against common network threats, including dynamic packet filtering, intrusion prevention and detection, and web filtering.
Customers can also implement customized Snort and Suricata rules (two widely used open source formats) to further tailor protections, such as preventing their VPCs from accessing unauthorized domains, blocking thousands of known bad IP addresses, or defending against common exploits by identifying patterns and behaviors associated with known threats. Customers can monitor firewall activity in real time via Amazon CloudWatch metrics, and can have AWS Network Firewall automatically send network traffic logs to Amazon S3, Amazon CloudWatch, and Amazon Kinesis Data Firehose for additional visibility and auditing purposes.
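The following is an added example, not code from the AWS announcement, showing what the custom-rule capability described above looks like in practice: it renders Suricata-compatible drop and alert rules for a list of denied destination ranges, packages them (and a separate TLS SNI / HTTP Host domain deny list) into the request bodies that the Network Firewall CreateRuleGroup API takes, and lints the rule text locally before anything is sent. The parameter names (RuleGroup, RulesSource, RulesString, RulesSourceList, Targets, TargetTypes, GeneratedRulesType) and the accepted rule actions are assumptions based on the boto3 network-firewall client as I know it, not something the page states; the domains, CIDRs and SIDs are constructed sample values.

```python
"""Constructed example (not from the AWS announcement): build and lint
Network Firewall stateful rule groups locally.

Assumptions: CreateRuleGroup parameter names follow the boto3
network-firewall client as the author knows it; all sample values below
are made up for illustration (documentation IP ranges, .test domains)."""
import json
import re
from typing import Dict, List

# Constructed sample: domains this VPC must not reach (matched on TLS SNI / HTTP Host).
DENIED_DOMAINS = [".bad-example.test", "tracker.example.test"]
# Constructed sample: destination ranges to block (RFC 5737 documentation ranges, not real IoCs).
DENIED_CIDRS = ["203.0.113.0/24", "198.51.100.17/32"]

# Rule actions Network Firewall accepts in Suricata-compatible rules (assumption).
VALID_ACTIONS = {"pass", "drop", "alert", "reject"}
# action proto src_net src_port -> dst_net dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((?P<opts>.*)\)\s*$"
)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def suricata_rules(cidrs: List[str], base_sid: int = 1000000) -> str:
    """Render one drop rule per denied CIDR plus an alert on cleartext HTTP
    leaving the VPC. Every rule gets a unique sid, which Suricata requires."""
    lines = []
    for i, cidr in enumerate(cidrs):
        lines.append(
            f"drop ip $HOME_NET any -> {cidr} any "
            f'(msg:"deny listed destination {cidr}"; sid:{base_sid + i}; rev:1;)'
        )
    lines.append(
        "alert http $HOME_NET any -> $EXTERNAL_NET 80 "
        f'(msg:"cleartext HTTP leaving VPC"; sid:{base_sid + len(cidrs)}; rev:1;)'
    )
    return "\n".join(lines)


def lint_rules(rules: str) -> List[str]:
    """Return problems found in the rule text: unparsable lines, unsupported
    actions, missing or duplicate sids. An empty list means the text is clean."""
    problems, seen = [], set()
    for n, line in enumerate(rules.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            problems.append(f"line {n}: not a parsable rule")
            continue
        if m["action"] not in VALID_ACTIONS:
            problems.append(f"line {n}: unsupported action {m['action']!r}")
        s = SID_RE.search(m["opts"])
        if not s:
            problems.append(f"line {n}: missing sid")
        elif s.group(1) in seen:
            problems.append(f"line {n}: duplicate sid {s.group(1)}")
        else:
            seen.add(s.group(1))
    return problems


def domain_denylist_group(name: str, domains: List[str]) -> Dict:
    """CreateRuleGroup body for a stateful group that denies the listed domains
    by TLS SNI and HTTP Host header (the managed domain-list rule form)."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,  # assumed sizing for a small list
        "RuleGroup": {"RulesSource": {"RulesSourceList": {
            "Targets": domains,
            "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
            "GeneratedRulesType": "DENYLIST",
        }}},
    }


def suricata_group(name: str, rules: str) -> Dict:
    """CreateRuleGroup body for a stateful group from raw Suricata rule text.
    Refuses to build a body from rules that fail the local lint."""
    problems = lint_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {"RulesSource": {"RulesString": rules}},
    }


if __name__ == "__main__":
    bodies = [
        domain_denylist_group("deny-domains", DENIED_DOMAINS),
        suricata_group("deny-cidrs", suricata_rules(DENIED_CIDRS)),
    ]
    # To deploy, pass each body to boto3.client("network-firewall").create_rule_group(**body)
    # and attach the group to a firewall policy; printing keeps this runnable offline.
    print(json.dumps(bodies, indent=2))
```

Linting before the API call matters because a rule group that fails validation is rejected as a whole, and a duplicate sid or typo in one line otherwise surfaces only after the deploy step in whatever pipeline pushes the policy.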
“When we talk to customers about what they want in a cloud network firewall they tell us that they want network protections that work with their existing security systems and without the headache of managing the underlying infrastructure,” said Steve Schmidt, CISO, AWS. “AWS Network Firewall provides scalable network protections that allow customers to deploy highly customizable rules for their entire AWS infrastructure, and integrates with many of the APN partner services that customers already use. Best of all, there’s no need to configure or maintain additional infrastructure.”
AWS Network Firewall integrates with AWS Firewall Manager, allowing customers to build policies based on AWS Network Firewall rules and centrally apply those policies across their VPCs and accounts through the AWS Firewall Manager Console and API.
Leading providers, including Accenture, Alert Logic, Check Point Software Technologies, CrowdStrike, Datadog, Fortinet, HashiCorp, IBM, Palo Alto Networks, Rackspace, Splunk, Sumo Logic, Trend Micro, and Tufin, have built integrations with the firewall, with more coming soon.
These integrations allow customers to easily incorporate the solution into their existing security workflows for orchestration, automation, and threat detection and response. AWS Network Firewall is available today in the US East (N. Virginia), US West (Oregon), and Europe (Dublin) regions, with more regions coming soon.