Security groups, Network ACL and Firewall

 Security groups, Network ACL and Firewall


Stateful and Stateless firewall - when connection initiated from client firewall checks the rules written and based on the defined rules allows/denies the traffic. Client initiates connection from any port (except the reserved by the OS) but destination port is known and static. So stateful firewall which as name implies keeps the state of connection so that even though there is no outbound rule for the outgoing connection, firewall will automatically allow it. Contrary to this approach in stateless firewall case you should explicitly define rule for inbound and outbound connections.  

Network Access Control List (Network ACL) -  is stateless firewall allows you to define rules in subnet level. Also it processes rules in order.

Security group - on the other hand stateful and also applied to individual instance or instance group. It evaluates all the rules. 

Let's learn how to manage Network ACL's :

  1. Search VPC in the searchbox located in dashboard, click to "Network ACL's" and click onto the VPC we just created in the previous post.





  2. Click to outbound rules and add the following rule. This will block ICMP connection to the any source. And pay attention to the "Rule number" the rule with the lower number processed with the high priority.






  3. Then create an EC2 instance, edit network options and select our VPC with the public subnet.






  4. Send ICMP request basically ping any host you like, even though curl requests works as planned but the ping request doesn't.





    Let's change our rule again this time to allow.






  6. And it works just as we expected.









 

Comments

Post a Comment

Popular posts from this blog

Identity Access Management - How to create user in IAM ?!

Image
Introduction IAM stands for Identity and Access Management. IAM is essential component of AWS allows you to create and manage access of user, role, application and control authentication/authorization. There are 4 essential components of IAM :  Users - are individuals or applications want to access to your AWS resources. Groups - are collection of users. By this you can assign permissions to group instead individual users. Roles - are special access type in IAM that allows user/resource to access another resource via temporary credentials. For example EC2 instance can access to DynamoDB or S3 bucket resources without using permanent credentials. This is possible only via Role which is great security point of view. Policies - are JSON documents that define permissions. In policies we define what actions are allowed or should be denied. This can be attached to users, groups, roles. Hands on IAM exercises :  Login to your AWS account and search for IAM :  After clicking IAM icon, you wil
Read more

EC2 - User data

Image
User data Functionality in EC2 service is important and very handy tool. This allows us to execute script right after EC2 instance creation phase. By that we can execute,install any program we want or update, upgrade operating system on that virtual machine. User data functionality will run once just after completion of the instance creation sequence.  First we need to create an EC2 instance with extra steps. Choose Amazon Linux OS so we don't have to install aws-cli tool which we will need in the next steps.    Click to advanced options and add script below also tick the metadata options as well. With new metadata service it is not possible to send request to metadata service without secret key. That is why we need to use old metadata service for the demonstration purposes. Script is at the end of the page !!! We need one more thing to do, since by default all the ports are closed state. We need to add firewall allow line to open port 80 to serve our page to the public web. Click
Read more

IAM - Roles

Image
IAM Roles Roles in AWS has special meaning. With this functionality you can define different variety of roles and assign it users or your application/service can use them. Roles are specifically important for AWS security. Because roles use temporary credentials with services. So that we don't need to use own permanent credentials to do some operations. If somehow hackers got access to AWS infrastructure they won't able to access our cached permanent  credentials. Here are some of advantages of using roles : Reduced Risk of Credential Exposure Least Privilege Principle Cross-Account Access  Let's create a role and assign it to the user  Click to "IAM" , "Roles" and then "Create role" button.  We need ARN (we talked about this in the previous post) of the user. Copy 12 digit unique ID. During role creation select "AWS account" since we are planning to add this role to user. Enter the ID we got from previous step. This ID defines our us
Read more