Monday, August 15, 2022

Aviatrix-Episode4: Embedded L4 Stateful FWs on Aviatrix GWs

 There is a cool Aviatrix feature on the Data Plane: the embedded L4 Stateful FW on every single Aviatrix Gateway!

You might say: 'Yet another security product...' or 'It is just an L4 packet-filtering FW. What is so cool about it, and why write a blog post on it specifically?'

The answer is: 'You don't need to install anything if you need that capability!'

You might remember a recent post about AWS Network FW. Remember all the complexity needed to make it work: so many different architectures, some manual routing, additional VPCs, etc.

Here nothing 😏. You start straight with the FW configuration. 

Some facts about embedded L4 Stateful FW

  • Filters on CIDRs, protocol & ports
  • It is great to use on the Aviatrix Transit GWs for centralized packet filtering (we will test it there, even though it could also have been an Aviatrix Spoke GW)
  • Action can be 'Allow', 'Deny' or 'Force Drop'
    • Deny: blocks new connections but allows existing ones
    • Force Drop: drops existing & new connections
  • This feature is automatically used by the Aviatrix platform to enforce the FW rules for
    • Public Subnet Filtering (AWS GuardDuty enforcement)
    • ThreatGuard, to block malicious IPs and protect against data exfiltration, Bitcoin mining, DDoS, etc.: this is called Cyber Threat Protection.

What will we test today? 😺

You might remember the Episode1 architecture.


We will simply filter traffic on the Aviatrix Transit GWs in AWS to deny only ICMP between the SpokeB EC2 and the VM in VNET1, and allow everything else. Let's go!

Configuration

1. Create a Tag and its Tag objects (example for SpokeB; the same applies for VNET1)


2. Select the GW (the same policy applies to the HA GW)


3. Apply rules using TAGs or CIDRs


  • Sources & Destinations are based on the TAGs previously created
  • Protocol is ICMP
  • Action for this rule is Deny (remember the purpose of the test), whereas the base policy is Allow all: this means that everything will be allowed except the rule specified (i.e. ICMP between TAGs SpokeB & VNET1)
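To make the rule semantics above concrete (tag-based matching, an Allow-all base policy, and the difference between Deny and Force Drop on existing sessions), here is a small added model of the stateful evaluation. It is example code written for this post, not Aviatrix code; the tag CIDRs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed tag objects: CIDRs are placeholders, not the lab's real ranges
TAGS = {
    "SpokeB": ["10.20.0.0/16"],
    "VNET1": ["10.30.0.0/16"],
}

@dataclass
class Rule:
    src_tag: str
    dst_tag: str
    protocol: str   # "icmp", "tcp", "udp" or "all"
    action: str     # "allow", "deny" or "force-drop"

@dataclass
class StatefulFirewall:
    rules: list
    base_policy: str = "allow"          # "allow" = base policy Allow all
    # connection table of flows already admitted: (src, dst, proto)
    conntrack: set = field(default_factory=set)

    def _match_tag(self, tag, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) for c in TAGS[tag])

    def _lookup(self, src, dst, proto):
        # First matching rule wins; otherwise fall back to the base policy
        for r in self.rules:
            if (r.protocol in ("all", proto)
                    and self._match_tag(r.src_tag, src)
                    and self._match_tag(r.dst_tag, dst)):
                return r.action
        return self.base_policy

    def packet(self, src, dst, proto):
        """Return 'pass' or 'drop' for one packet and update the connection table."""
        flow, reverse = (src, dst, proto), (dst, src, proto)
        action = self._lookup(src, dst, proto)
        if action == "force-drop":
            # Force Drop tears down existing sessions as well as blocking new ones
            self.conntrack.discard(flow)
            self.conntrack.discard(reverse)
            return "drop"
        if flow in self.conntrack or reverse in self.conntrack:
            return "pass"   # stateful: established flows (and return traffic) keep passing under Deny
        if action == "allow":
            self.conntrack.add(flow)
            return "pass"
        return "drop"       # Deny only blocks new connections
```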

Testing

Ping is blocked as expected.


NOTE: You can visualize the logs by enabling 'Packet Logging' and sending them to a Syslog server.

Bottom Line

  • Aviatrix embedded L4 Stateful FW is an easy feature to use
  • No rearchitecture is needed
  • It is free!

Next episodes foreseen:

Episode5: All you need to know about Aviatrix FQDN Filtering - Design Patterns

Episode6: Aviatrix Copilot Tour (including Cyber Threat Protection with ThreatIQ/ThreatGuard)

Episode7: How to spin up a fully resilient multicloud environment in minutes with Terraform
