AWS includes open-source Suricata for stateful inspection with Network Firewall service

Enhanced network security for AWS virtual private cloud – while Microsoft previews Azure Firewall Premium

Updated AWS has announced Network Firewall, a new service drawing on the open-source Suricata project.

The Firewall Manager is a centralised service for configuring firewalls across accounts and applications within an AWS user organisation, this being a way of managing multiple AWS accounts.

The new AWS Network Firewall moves beyond the existing services by adding more intelligent rules using the open-source Suricata project for intrusion detection.

Diagram showing AWS Network Firewall protecting a VPC

"Network Firewall uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection," say the AWS docs, though it is not just a Suricata installation and not all Suricata features are implemented. IP reputation, Lua scripting, and Suricata datasets, for example, are not supported. In general, though, it uses Suricata rules, which is an advantage considering the capability of the rules language and many existing examples.
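Because Network Firewall consumes Suricata rules but leaves out IP reputation, Lua scripting and datasets, a practical check before uploading an existing ruleset is to flag rules that lean on those features. The following is an added example written for this article, not code from AWS or the Suricata project: a small Suricata rule parser plus a linter that reports, per `sid`, which unsupported feature a rule uses. It assumes Suricata's own keyword spellings (`iprep`, `lua`/`luajit`, `dataset`/`datarep`) and treats "unsupported" as "should be flagged"; the sample rules at the bottom are constructed for the demo, not taken from any real ruleset.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Suricata keywords behind the features the article says Network Firewall
# does not implement. Keyword names are Suricata's; mapping them to "flag this
# rule" is this example's assumption.
UNSUPPORTED_KEYWORDS = {
    "iprep": "IP reputation",
    "lua": "Lua scripting",
    "luajit": "Lua scripting",
    "dataset": "Suricata datasets",
    "datarep": "Suricata datasets",
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    options: List[Tuple[str, Optional[str]]]  # (keyword, value) in rule order
    sid: Optional[str] = None


def split_options(opts: str) -> List[str]:
    """Split the option body on ';', ignoring ';' inside quotes or after a backslash."""
    parts, buf, in_quote, escape = [], [], False, False
    for ch in opts:
        if escape:
            buf.append(ch)
            escape = False
            continue
        if ch == "\\":
            buf.append(ch)
            escape = True
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line: str) -> Rule:
    """Parse one single-line Suricata rule into its header and option list."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a Suricata rule: {line!r}")
    options, sid = [], None
    for opt in split_options(m.group("opts")):
        key, _, value = opt.partition(":")
        key = key.strip().lower()
        value = value.strip() or None  # sticky buffers like http.host carry no value
        options.append((key, value))
        if key == "sid":
            sid = value
    return Rule(m.group("action"), m.group("proto"), options, sid)


def unsupported_features(rule: Rule) -> List[str]:
    """Feature names (deduplicated, in order of appearance) that the rule depends on."""
    seen: List[str] = []
    for key, _ in rule.options:
        feature = UNSUPPORTED_KEYWORDS.get(key)
        if feature and feature not in seen:
            seen.append(feature)
    return seen


def lint_ruleset(text: str) -> dict:
    """Return {sid: [feature names]} for every rule that uses an unsupported keyword."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        problems = unsupported_features(rule)
        if problems:
            findings[rule.sid or line] = problems
    return findings


# Constructed sample rules for the demo (not from any published ruleset).
SAMPLE_RULES = """
# plain content match: fine for Network Firewall
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"HTTP to test domain"; flow:established,to_server; http.host; content:"example.com"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"lua check"; lua:check.lua; sid:1000002; rev:1;)
alert ip any any -> any any (msg:"bad reputation source"; iprep:src,BadHosts,>,30; sid:1000003; rev:1;)
alert dns any any -> any any (msg:"domain in dataset"; dns.query; dataset:isset,blocked-domains; sid:1000004; rev:1;)
"""

if __name__ == "__main__":
    for sid, features in lint_ruleset(SAMPLE_RULES).items():
        print(f"sid {sid}: uses {', '.join(features)}")
```

Run against the constructed sample, the linter passes the plain content-match rule and flags the three rules built on Lua, IP reputation and datasets; pointing it at an exported ruleset file before migration tells you which rules need rewriting rather than discovering that in production.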

AWS users can configure Network Firewall endpoints for each availability zone in their VPC. Advanced logging and analysis is available, which comes into its own when admins need to monitor current activity as well as dig into past intrusion attempts. The new service is integrated with AWS Firewall Manager as well as the CloudWatch monitoring service, or admins can stream logging data to the Kinesis Data Firehose service for custom search and analysis.

The cost is $0.395 per hour for each firewall endpoint, and $0.065 per GB for traffic processing – not insignificant.

With sophistication comes complexity and numerous third-party security vendors are keen to step in, integrating Network Firewall with their own tools and services for policy management, compliance with security standards, and additional monitoring and alerting tools. Splunk will integrate with its Enterprise Security SIEM (Security Information and Event Management) too, for example, while IBM cloud security architect Christopher Di Dato called it a "game changer in cloud native security" thanks to its API, enabling Policy as Code (PAC) for programmatic security.

Modern security is about more than controlling ports, protocols and IP addresses, and the new Network Firewall embodies that.

Suricata is a project of the Open Information Security Foundation, though we noticed that AWS is not listed as one of the members here. We have asked AWS whether it intends to support the project.

AWS rival Microsoft Azure is also improving its firewall with the preview of Azure Firewall Premium, which adds TLS inspection (decrypting outbound traffic for inspection and then re-encrypting), signature-based intrusion detection, and traffic blocking based on categories such as social networking, shopping or gambling.

Microsoft also said that all new firewall features will be configurable only by firewall policy. Pricing for Microsoft's Firewall Premium is not stated, though the standard Azure Firewall service costs $1.25 per hour and $0.016 per GB – more expensive to deploy, but much less for processing than the new AWS service. Note that our link for the above information disappeared during the course of writing this article so someone may have jumped the gun.

Updated on 20 November at 15.26 GMT to add:

AWS did not answer our question about sponsorship of the project, but instead said that “we are working with the project and working upstream – here is an example PR which we did”.

This seemingly misses the point about whether a huge global company, which is charging customers to use a service based on this open source project, should not also consider sponsoring the foundation which supports it.®
