You can call us on +44 20 3337 3012 today to discuss your current challenges and how we can best help, or email us at help@hanscombe.net.

AWS Network Firewall limitations

The documented solutions for using AWS Network Firewall to restrict outbound traffic to a list of permitted hostnames have limitations that are not obvious:

Host name spoofing

https://repost.aws/knowledge-center/network-firewall-configure-domain-rules

The configuration in the link above filters on the HTTP Host header (for plain HTTP) or on the TLS Server Name Indication, SNI (for HTTPS). It is important to remember that both values are written by the client, and that it is trivial to spoof them:

If you set up a policy that only allows access to http://www.google.co.uk, a client inside your VPC can send its request to any IP address I control with a Host header of www.google.co.uk, and the traffic would pass through your AWS Network Firewall fine. The rule checks the header, not whether the destination address belongs to Google, and my server does not even need to look at the Host header it receives.

Similarly, if your policy only allows access to https://www.google.co.uk, the rule matches the SNI value in the TLS ClientHello, which the client chooses. I can set up a self-signed certificate on my server saying that it is www.google.co.uk, but I do not even need to: the client inside your VPC sends a ClientHello naming www.google.co.uk to my IP address, and since that client is under my control it will not validate the certificate it gets back. Again, the traffic would pass.

This makes this kind of configuration inappropriate for controlling exfiltration risk from a network: it stops casual or accidental access to unlisted sites, but not a deliberate attacker who controls the client.
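To show exactly how little the firewall has to go on, here is an added example (not code from the AWS article or from this page's author) that builds a TLS ClientHello with an attacker-chosen SNI, parses the SNI back out the way an SNI rule does, and emulates the Host header and SNI allow-list decisions. The allow-list, the attacker address 198.51.100.7 and the hostname exfil.example are constructed for the example; note that the destination IP is an argument to both decision functions and is never consulted.

```python
import os
import struct
from typing import Optional

# Constructed allow-list, standing in for the firewall's domain list rule.
ALLOWED_DOMAINS = {"www.google.co.uk"}


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying server_name=sni.

    The hostname is written by the client; nothing in TLS ties it to the IP
    address the TCP connection is actually going to.
    """
    host = sni.encode("idna")
    server_name = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    name_list = struct.pack("!H", len(server_name)) + server_name
    ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + os.urandom(32)                              # random
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"  # two cipher suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the server_name out of a ClientHello the way an SNI rule does.

    Returns None for anything that is not a well-formed ClientHello with SNI.
    """
    try:
        if record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                  # type, length, version, random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0x0000:
                q = p + 2                               # skip ServerNameList length
                while q + 3 <= p + elen:
                    ntype = hs[q]
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if ntype == 0:
                        return hs[q + 3:q + 3 + nlen].decode("idna")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error, UnicodeError):
        return None
    return None


def sni_rule_allows(dst_ip: str, client_hello: bytes) -> bool:
    """Emulate the HTTPS domain rule. dst_ip is deliberately unused: the
    decision rests solely on the hostname the client wrote into the ClientHello."""
    sni = extract_sni(client_hello)
    return sni is not None and sni.lower() in ALLOWED_DOMAINS


def build_http_request(host: str, path: str = "/") -> bytes:
    """A plain-HTTP request whose Host header the client picks freely."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def host_rule_allows(dst_ip: str, request: bytes) -> bool:
    """Emulate the plain-HTTP domain rule; again dst_ip plays no part."""
    for line in request.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii").lower() in ALLOWED_DOMAINS
    return False


if __name__ == "__main__":
    attacker_ip = "198.51.100.7"   # constructed: an address the attacker controls
    print("HTTPS to attacker IP with SNI www.google.co.uk allowed:",
          sni_rule_allows(attacker_ip, build_client_hello("www.google.co.uk")))
    print("HTTP to attacker IP with Host www.google.co.uk allowed:",
          host_rule_allows(attacker_ip, build_http_request("www.google.co.uk")))
    print("HTTPS to attacker IP with an honest SNI allowed:",
          sni_rule_allows(attacker_ip, build_client_hello("exfil.example")))
```

Running it shows the first two connections allowed and the third blocked, which is the whole problem: the only thing distinguishing the allowed exfiltration channel from the blocked one is a string the attacker's client chose.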

Inability to filter traffic based on DNS name of target

https://repost.aws/questions/QUWYTvSFU7R8iTvrMCfwgakg/

Beyond filtering on the SNI or Host header, both of which can be spoofed, there is no native way of filtering on the hostname a client actually resolved, that is, of tying the destination IP address of a flow to the DNS answer that produced it. The answer at the link above suggests that this limitation is inherent to scalability, but that is a contentious answer, not least because other commercial firewalls include this functionality, either by observing DNS responses or by resolving the permitted names themselves.

The use of a Lambda Function to resolve DNS for AWS Network Firewall

https://aws.amazon.com/blogs/security/how-to-control-non-http-and-non-https-traffic-to-a-dns-domain-with-aws-network-firewall-and-aws-lambda/

The post above suggests using a Lambda function that periodically resolves a hostname and writes the resulting IP addresses into the firewall's rule group. This particular code scales poorly: every permitted domain is re-resolved on every run, and each run rewrites a rule group, which is not an instantaneous operation. It is also likely to suffer from race conditions between DNS changes and firewall reconfiguration, causing intermittent connectivity when DNS fails over: a client that resolves the name after the change but before the next Lambda run is blocked, and a client still holding a cached answer for the old address is blocked as soon as the Lambda replaces it. Names served by CDNs with short TTLs, where the Lambda's resolver and the client's resolver may not even receive the same answer, make this worse.
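To make the race concrete, here is an added simulation (not code from the AWS post or from this page's author) that replays one DNS failover against two constructed allow-list implementations: a naive one in the shape of the post, which holds only the latest answer, and a variant that keeps each address until its TTL plus one refresh interval has elapsed. The hostname's answer history, the addresses 203.0.113.10 and 203.0.113.20, the TTL and the refresh interval are all made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed DNS history for a hypothetical name: the answer fails over at t=100.
# Each entry is (effective_from, set_of_answers); times are seconds.
DNS_TIMELINE = [(0, {"203.0.113.10"}), (100, {"203.0.113.20"})]
TTL = 60                # TTL the resolver hands to clients
REFRESH_INTERVAL = 30   # how often the Lambda re-resolves and rewrites the rule group


def resolve(now: int) -> Set[str]:
    """Hypothetical resolver: the answer set in effect at time `now`."""
    answers = DNS_TIMELINE[0][1]
    for effective_from, a in DNS_TIMELINE:
        if now >= effective_from:
            answers = a
    return answers


@dataclass
class NaiveAllowlist:
    """The shape of the post's approach: the rule group holds exactly the latest answer set."""
    ips: Set[str] = field(default_factory=set)

    def refresh(self, now: int) -> None:
        self.ips = set(resolve(now))

    def allows(self, ip: str, now: int) -> bool:
        return ip in self.ips


@dataclass
class GracefulAllowlist:
    """Variant: every address seen is kept until TTL + one refresh interval after
    it was last returned, so clients holding a cached answer are not cut off."""
    expiry: Dict[str, int] = field(default_factory=dict)

    def refresh(self, now: int) -> None:
        for ip in resolve(now):
            self.expiry[ip] = now + TTL + REFRESH_INTERVAL
        self.expiry = {ip: t for ip, t in self.expiry.items() if t > now}

    def allows(self, ip: str, now: int) -> bool:
        return self.expiry.get(ip, 0) > now


def run_scenario(allowlist) -> Dict[str, bool]:
    """Replay one failover against an allow-list implementation.

    t=90   Lambda refreshes (sees the old address)
    t=95   client A resolves and caches the old address (valid until t=155)
    t=100  DNS fails over to the new address
    t=110  client B resolves (gets the new address) and connects straight away
    t=120  Lambda refreshes (sees the new address)
    t=130  client A connects with its cached old address; client B reconnects
    """
    allowlist.refresh(90)
    client_a_ip = next(iter(resolve(95)))
    client_b_ip = next(iter(resolve(110)))
    outcome = {"t110_new_ip": allowlist.allows(client_b_ip, 110)}
    allowlist.refresh(120)
    outcome["t130_cached_old_ip"] = allowlist.allows(client_a_ip, 130)
    outcome["t130_new_ip"] = allowlist.allows(client_b_ip, 130)
    return outcome


if __name__ == "__main__":
    print("naive:   ", run_scenario(NaiveAllowlist()))
    print("graceful:", run_scenario(GracefulAllowlist()))
```

The naive list blocks client B at t=110 and client A at t=130; the graceful variant fixes the second outage but not the first, because that window is the Lambda's own refresh interval. Shrinking it means more invocations and more rule group rewrites per permitted domain, which is precisely where the approach stops scaling.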

Please do call us if you are working to control egress risk on AWS as we have worked extensively on this and there are better solutions which we can help you set up.
