AWS Firewalls - Stateless, Stateful and Deep Packet Inspection (DPI)

A firewall in a car blocks potential harms (fires) in the engine compartment from spreading to the passenger compartment, but still allows control cables and shafts (ultimately for the purpose of permitted communication) to pass through. The same concept can be likened to access control technologies in data communication. In ICT, firewalls may offer additional functionalities but access control is always a core feature – and in turn a core expectation of data security.

TCP/IP data communication is in the format of packets (billions and trillions of them), with each packet comprising of two portions: header(s) and data contents (payload). The communication protocols use a layered approach: the payload with the lower communication layer’s header together go into a higher layer’s payload with another header added - and such enveloping can go on a few times. 

Static access control is a basic form of access control - commonly known as operating at OSI (Open Systems Interconnection) Layer 3/4, based on checking the source / destination IP address and protocol port information in the headers. The data contents are not inspected. In recent eras this type of access control mechanism is not sophisticated enough to be regarded as a firewall. They are referred to as access control lists. AWS Network ACLs fall into this category.  

It is dubbed static as it evaluates communication packets against static rules defined in a list, from the top line down, line by line, with no concern of the context intelligence. It is also called stateless access control for this reason. Since communication is two way, both inbound and outbound permits / denies need to be defined accordingly. The order of the rule entries also matters as it actions as soon as a match is hit. 

Data communications follow a number of protocols, so there are behaviour patterns (set by the traits of these protocols). A more intelligent way is to incorporate such patterns in consideration. Let’s use the common TCP protocol handshake process as an example, in the following analogy. 

A would like to start a communication session with B. It initialises this by sending a synchronisation request to B:

A to B: Hey, I would like to talk (send and receive data) with you. (This request is flagged with a SYN in the header)

B to A: I acknowledge that I have got your request and I am OK with talking with you (SYN/ACK)

A to B: I acknowledge that I have got your acknowledgement to my request. (ACK)

Then A and B start sending data in a series of subsequent packets. Incrementing sequence and acknowledgement numbers are used to identity any missing or out of order segments.

The communication connection ends with a FIN or a RST.   


A more intelligent access control would recognise such patterns in these protocols. When A sends a SYN to B, it would expect a SYN/ACK from B - so if the access control allows A to talk to B using this protocol, then it would allow that certain type of reply from B - in that very context. And so it does not need a separate static inbound rule to permit it. Also, say, for argument’s sake, if the packet coming from B does not carry a SYN/ACK, then that would be abnormal and out of context, and so would not be allowed.

State tables need to be maintained to record the context of each session at each and every moment. As such, this type of access control is classified as stateful. AWS Security Groups and firewalls fall into this category. 

Though stateful access control is more intelligent than stateless, stateless access control has its own use cases and continues to be widely applied in numerous scenarios. 

It is also important to note that stateful access control alone still does not inspect the data contents in the packets. Nowadays it is common for malicious contents - spam, malware, viruses, intrusion code mechanisms and others - to hide better and better in the payload part of the packets that examining the headers alone would not detect.

This is why more advanced intelligence is needed - for firewalls to not only be stateful, but also inspect the full data contents in packets (together with the corresponding headers). This is known as Deep Packet Inspection (DPI).

In the past, two particular challenges existed.

First, due to the volume of data communication, inspecting the whole payload of every packet without introducing significant delays demands extraordinary computing power, compared to simply checking the headers. 

Second, modern data security calls for encryption, which by definition means data becomes un-inspect-able before decryption. To inspect data contents, the firewall needs to use the correct key (in HTTPS communication this is in the form of TLS certificates) to decrypt, then perform inspection and re-encrypt all the packets for the next communication leg - in real time. This challenge is probably n times bigger again than the one just mentioned above. 

Fortunately, the advancement in data computing technologies and cryptography capabilities has made performing DPI in real time feasible. 

AWS Web Application Firewall (WAF) has been able to perform Deep Packet Inspection for some time. The way the WAF operates made it able to do so long before another type of firewall by AWS: the AWS Network Firewall.  

Only in quite recent times has AWS enabled the functionality of deep packet inspection for encrypted traffic on its Network Firewall. There are still out of date documents in some enterprises’ policy documentation that state otherwise, to a common enough degree that it is worthwhile to highlight. All organisations are recommended to revise their respective documentation if needed, to clarify that, yes, AWS Network Firewall can do Deep Packet Inspection.

There are also third party firewalls from AWS partners that offer deep packet inspection and can integrate in AWS environments. One of the examples is Palo Alto Networks’ Cloud Next Generation Firewall. It should be noted that next generation firewalls, from various vendors, typically offer other features too, such as application awareness and control, threat intelligence and integrated intrusion prevention. 

WAF, Network Firewall and next gen firewall all have their respective use cases.

As a quick summary, Network ACLs are stateless, AWS Security Groups and all AWS firewalls are stateful. All of the following AWS and partner firewalls can perform deep packet inspection:

AWS WAF

AWS Network Firewall

Next Gen firewalls (with additional functionalities)


                                                                                                                         -- Simon Wang 09 July 2023

Comments

Post a Comment

Popular posts from this blog

Fairness Evaluation and Model Explainability In AI

Image
Artificial Intelligence (AI) relies on machine learning and its modelling to provide outcomes. Imagine a credit card company receives hundreds of thousands of applications each year and would like to use AI to do the first round of application filtering. If it is not developed properly, the AI decisions will be skewed with unfairness – such as rejecting a lot more applications from a certain age group, from a certain gender, or from a certain employment history pattern – UNFAIRLY. Please note unfairness is the key issue here – in other words, AI and machine learning inference that is not reflecting the due course in actual situations. This is typically called bias in AI and machine learning. Biases can come from various stages of a machine learning life cycle: • Biases may exist in the pre-training data -  e.g., the dataset to be used in machine learning training has biases in it • Biases may be introduced by the machine learning exercise  Below is a machine learning lifecycle char
Read more

AWS and Generative AI

Image
 Generative Artificial Intelligence, or Generative AI, GenAI, is one of the hottest topics in the recent months. You would ‘have to be living under a rock to not notice this massive topic’.  ‘Generative AI is a branch of AI that focuses on creating new data. It is a subset of machine learning. The goal of generative AI is to create new data that is similar to the data that was used to train the model.’ – texts generated by an AI tool.  Recently I experimented a couple of random text-to-image GenAI tools to observe how generative AI can create contents and how the data generated by different GenAI tools trained by different models is different. My experiment was straightforward: text-to-image GenAI tools ask you to provide some texts as a prompt, and then use this input to generate an image. So that was what I did. The prompt I supplied was: ‘female student graduation photo in front of a white building with flowers in hand in Paris’. Both GenAI tools I tested could output an image withi
Read more

Amazon CloudFront and Its Primary and Secondary Origins

Nowadays most of the online contents are web service based. A user accesses a specific content, for example a web page, by connecting their client end application (like a web browser) running on their desktop or mobile computing device to the server that hosts the web page. There are billions of websites and webpages. DNS services, online search engines and links on well known ‘portal’ websites help people to find and locate the contents they would like to visit.  A user’s web client device and the server it visits can be worldly apart: for example, let’s think of a user in Tasmania, Australia that uses its smart phone to visit a website hosted on a server that locates in a data centre in Montreal, Canada, which is more than sixteen thousand kilometres away. They are connected by the Internet. The Internet comprises of millions of inter-connected networks. Traffic on the Internet is routed between the users and the servers through those inter-connected networks in-between. Using the ab
Read more