Hoping you folks might be able to point me to the right things to Google.

Our project has developed a very “business lead” (to put it politely) requirement to monitor and allow/block outgoing connections to other parts of the business. We live in a dedicated AWS account and have reasonable autonomy over our networking setup (NACLs, route tables, etc), but less freedom with what AWS services we can use, and deploying things from Marketplace.

The basic requirements are as follows:

  • Default blocking for certain CIDRs.
  • Exceptions for certain IP/Host and port combos within those CIDRs.
  • Authentication and authorisation to use said exceptions (i.e. user tracking).
  • Detailed logging on connections; source, dest, request and response sizes, ports, protocols, whatever we can get out hands on.
  • All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples).

The security aspect of this is fairly minimal as it’s mainly for usage tracking and making sure our users sign their life away before they access their services from our platform. As such, I was hoping to have something that could be rolled out fairly simply; a couple of EC2 instances, yum install foo, and some routing rules, but it looks like the feature set we want requires something more robust, like OPNsense or similar.

Am I missing an obvious solution here, a forward proxy of some sort, any “light” firewalls that don’t require a whole separate AMI?

Thanks in advance!

  • z3r0
    link
    fedilink
    21 year ago

    Hi! I’m afraid there is not a solution that groups all the functionality you that are looking for. Anyway, these are the AWS services I use for most of the requirements you described. Take at count most of them require AWS services and your company will be charged for most of them.

    Default blocking for certain CIDRs.

    Exceptions for certain IP/Host and port combos within those CIDRs.

    Use Security Groups (free cost): https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html

    Authentication and authorisation to use said exceptions (i.e. user tracking).

    You can implement user Authentication using AWS Cognito: https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html.

    Additionally you can delegate the user authentication by using Application Load Balancers and Cognito. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

    Detailed logging on connections; source, dest, request and response sizes, ports, protocols, whatever we can get out hands on.

    All of the above for all (?) kinds of TCP connections (HTTPS, Postgres, Oracle DB, MongoDB, as examples).

    For connections through the Load Balancer y suggest you to enable access logs (requires an S3 bucket and will generate additional charges). For the rest of connections you may want to check this but I never tried it.