AWS Firewalls - Stateless, Stateful and Deep Packet Inspection (DPI)

A firewall in a car blocks potential harms (fires) in the engine compartment from spreading to the passenger compartment, but still allows control cables and shafts (ultimately for the purpose of permitted communication) to pass through. The same concept can be likened to access control technologies in data communication. In ICT, firewalls may offer additional functionalities but access control is always a core feature – and in turn a core expectation of data security.

TCP/IP data communication is in the format of packets (billions and trillions of them), with each packet comprising of two portions: header(s) and data contents (payload). The communication protocols use a layered approach: the payload with the lower communication layer’s header together go into a higher layer’s payload with another header added - and such enveloping can go on a few times. 

Static access control is a basic form of access control - commonly known as operating at OSI (Open Systems Interconnection) Layer 3/4, based on checking the source / destination IP address and protocol port information in the headers. The data contents are not inspected. In recent eras this type of access control mechanism is not sophisticated enough to be regarded as a firewall. They are referred to as access control lists. AWS Network ACLs fall into this category.  

It is dubbed static as it evaluates communication packets against static rules defined in a list, from the top line down, line by line, with no concern of the context intelligence. It is also called stateless access control for this reason. Since communication is two way, both inbound and outbound permits / denies need to be defined accordingly. The order of the rule entries also matters as it actions as soon as a match is hit. 

Data communications follow a number of protocols, so there are behaviour patterns (set by the traits of these protocols). A more intelligent way is to incorporate such patterns in consideration. Let’s use the common TCP protocol handshake process as an example, in the following analogy. 

A would like to start a communication session with B. It initialises this by sending a synchronisation request to B:

A to B: Hey, I would like to talk (send and receive data) with you. (This request is flagged with a SYN in the header)

B to A: I acknowledge that I have got your request and I am OK with talking with you (SYN/ACK)

A to B: I acknowledge that I have got your acknowledgement to my request. (ACK)

Then A and B start sending data in a series of subsequent packets. Incrementing sequence and acknowledgement numbers are used to identity any missing or out of order segments.

The communication connection ends with a FIN or a RST.   


A more intelligent access control would recognise such patterns in these protocols. When A sends a SYN to B, it would expect a SYN/ACK from B - so if the access control allows A to talk to B using this protocol, then it would allow that certain type of reply from B - in that very context. And so it does not need a separate static inbound rule to permit it. Also, say, for argument’s sake, if the packet coming from B does not carry a SYN/ACK, then that would be abnormal and out of context, and so would not be allowed.

State tables need to be maintained to record the context of each session at each and every moment. As such, this type of access control is classified as stateful. AWS Security Groups and firewalls fall into this category. 

Though stateful access control is more intelligent than stateless, stateless access control has its own use cases and continues to be widely applied in numerous scenarios. 

It is also important to note that stateful access control alone still does not inspect the data contents in the packets. Nowadays it is common for malicious contents - spam, malware, viruses, intrusion code mechanisms and others - to hide better and better in the payload part of the packets that examining the headers alone would not detect.

This is why more advanced intelligence is needed - for firewalls to not only be stateful, but also inspect the full data contents in packets (together with the corresponding headers). This is known as Deep Packet Inspection (DPI).

In the past, two particular challenges existed.

First, due to the volume of data communication, inspecting the whole payload of every packet without introducing significant delays demands extraordinary computing power, compared to simply checking the headers. 

Second, modern data security calls for encryption, which by definition means data becomes un-inspect-able before decryption. To inspect data contents, the firewall needs to use the correct key (in HTTPS communication this is in the form of TLS certificates) to decrypt, then perform inspection and re-encrypt all the packets for the next communication leg - in real time. This challenge is probably n times bigger again than the one just mentioned above. 

Fortunately, the advancement in data computing technologies and cryptography capabilities has made performing DPI in real time feasible. 

AWS Web Application Firewall (WAF) has been able to perform Deep Packet Inspection for some time. The way the WAF operates made it able to do so long before another type of firewall by AWS: the AWS Network Firewall.  

Only in quite recent times has AWS enabled the functionality of deep packet inspection for encrypted traffic on its Network Firewall. There are still out of date documents in some enterprises’ policy documentation that state otherwise, to a common enough degree that it is worthwhile to highlight. All organisations are recommended to revise their respective documentation if needed, to clarify that, yes, AWS Network Firewall can do Deep Packet Inspection.

There are also third party firewalls from AWS partners that offer deep packet inspection and can integrate in AWS environments. One of the examples is Palo Alto Networks’ Cloud Next Generation Firewall. It should be noted that next generation firewalls, from various vendors, typically offer other features too, such as application awareness and control, threat intelligence and integrated intrusion prevention. 

WAF, Network Firewall and next gen firewall all have their respective use cases.

As a quick summary, Network ACLs are stateless, AWS Security Groups and all AWS firewalls are stateful. All of the following AWS and partner firewalls can perform deep packet inspection:

AWS WAF

AWS Network Firewall

Next Gen firewalls (with additional functionalities)


                                                                                                                         -- Simon Wang 09 July 2023

Comments

Popular posts from this blog

Fairness Evaluation and Model Explainability In AI

AWS and Generative AI

Amazon CloudFront and Its Primary and Secondary Origins