Amazon AWS Certified Advanced Networking Specialty – Security, Risk & Compliance Part 4

7. Network ACL (NACL)

Hey everyone and welcome back. In today’s video we will be discussing about the network ACL. So let’s look into some of the important pointers for network ACL. The first one is network ACL are stateless in nature. The second one is they operate at the subnet level instead of the instance level like the security group. So this can be understood with the diagram here.

So you have an EC two instance here and the security group is basically associated with the network interface card which is attached to the EC two instance. So the security group is operated at the instance level. However, when you talk about network ACL, they do not operate at the instance level, they operate at the subnet level. Now, a specific subnet can contain hundreds of instances and one rule in network KCl will affect all the hundred instances which are associated with a specific subnet.

Now, third important pointer is that all subnet in a VPC must be associated with the network KCl. So generally, whenever you create a new VPC, automatically AWS will create a default network ACL for you. And the fourth one is by default the network ACL contains full inbound and outbound as allowed. So these are the default network ACL which gets generated when you create a VPC. So let’s go ahead and understand the use case on why network ACL proves to be important. So, let’s say that you have a company XYZ and it is getting a lot of attack from a random IP which is 128, 191, 232.

Now, the company has more than 500 servers and the security team has decided to block that specific IP in firewall for all the servers. Now, how can you go ahead and achieve the goal? So generally, if you talk about the organization and if they are having application which is accessible over internet, so typically you’ll have something like four, four, three Allow or 80 Allah all. Now, in such cases you cannot block a specific IP that is something which is not possible in terms of security group. Like if you allow all the traffic and you want to block certain specific IP, it is not really possible. And even if it was possible, it would have been difficult because you see there are 500 servers and you don’t want to add this blacklisted IP in all the 500 security groups associated with those servers. So the better way would be the network ACL one.

So what you do is that if those 500 servers are within the same subnet, you block that IP at the network AC level and that’s about it. So let me quickly show you on how exactly network KCl looks like and how can you configure the rules there. So, this is the EC to console and I have one EC two instance. So we’ll be doing demo based on this EC two instance.

And if you look into this EC two instance, it has the public IP before and within the firewall rule it has allowed 80 and 22 on. All right. Now, let’s say that I want to block only one IP from accessing my port 80. On the EC two instance it is not really possible with the help of security group. So we need to take the route of network KCl. So in order to access network KCl, we need to go to the VPC console and let’s select one VPC. So this is the VPC where our EC two instance is currently created.

Now, within your if you go a bit down under the security you have a network ACL and there is one network ACL which is created and it has a value of default is equal to yes, that means this is the default network ACL which is created. And this network ACL is associated with the six subnets which are part of VPC. So a single network ACL can be associated with the multiple subnets within the VPC. Now, within the network ACL you have the inbound rules and the outbound rules. So within the inbound rule, you see there are two rules which are present and within the outbound rules also there are two rules which are present. Now, there is a rule number which is associated with them. So the first one has a rule number of hundred and all the traffic has been allowed over here. And the second one has the start and all traffic is denied. So one important part to remember is that in network ACS, the lower the number, the higher the priority it will take. So let’s say a traffic matches this specific rule, then network ACL will either allow or deny, basically depending on the configuration that you set over here. If the traffic matches here, then it will not look into the below rule, it will just follow what is present over here. All right? And this is the reason why 100 is lower and all the traffic is therefore allowed.

Same with the outbound. You see, 100 is lower here and this is the reason why all the traffic is allowed. So let’s look into whether the things which I am saying is correct or not. So let’s do one thing. I’ll copy the public IP here. So I’m in my CLI and let’s try to ping this specific EC two instance. And currently, you see, you are getting the ping reply back. Great. So that means the connectivity is present. So now let’s do one thing. Let’s modify the inbound rule.

I’ll add one more rule here. I’ll put the rule number as 99 and I’ll also associate with all the traffic here, similar to the first rule. And this time we’ll put it as a deny and I’ll click on save. All right? So now you have two rules which are quite identical. One is deny and second is allowed. And the rule priority in terms of number are different.

So now, if you try to ping, you see, the ping has been blocked over here. Now, this has been blocked because there is one rule over here which is denying all the traffic and the rule has the priority 99. So as soon as the network ACL receives the traffic from my network, it evaluates it against the rules that you have set. And since here we have already specified all the traffic. So that means that this rule matches. And since this rule matches over here, the network ACL will block it, it will not look into the next rule altogether. All right. So now let’s do one thing. I’ll change this rule number from 99 to 101 and let’s click on save. So this time the allow rule has the higher priority.

And here you see, you are able to get the reply back. Great. So I hope you understood at a high level overview on what a network ACL is all about. So one important part to remember is that a single network ACL can be associated with the multiple subnet and you can also create rule something similar to this. Let me do one thing. So currently this is my IP address. So let’s say, because we were discussing about the use case, let’s say you have something like this where you are allowing traffic from everyone and there is this one IP address which is trying to attack you all the time. So you can create a rule, you can put the rule number as 99, you can specify the source IP, I’ll say 32 and you can put it as deny and you can go ahead and do a save.

So now what will happen is a traffic, if it originates from this source address, it matches the rule number 99, and at the rule number 99 it will be blocked. Now, any other source which is other than the specific one that we have specified over here, it does not match over here. So network ACL will look into the second rule. Now, second rule says allow all and hence the traffic will be allowed. So this is the high level overview about the network ACL. Do remember that by default when you create a network ACL, it will have allow all. However, when you create a custom network ACL, let me actually show you this. So let’s go ahead and create a network ACL. I’ll call it as Kplabs Hype and custom. Now you can associate the network ACL with a VPC. Let me do a create here.

All right, so this is the custom network ACL and within the custom network ACL you see, by default the rule is denied. Same for inbound and same for outbound. If the network ACL is default like you have not created in a custom way, then it will have allow for all. So that’s the highlight overview about the network ACS. I hope this video has been informative for you and I look forward to seeing you in the next video.

8. Stateful vs Stateless Firewalls

Hey everyone and welcome back. In today’s video we will be discussing about the tasteful versus stateless firewalls. Now, typically, if you look into the basic TCP IP communication, let’s assume that you have one server here and you have the SSH which is running on the server on port 22. And along with that, you have the client over here. So the client wants to connect via SSH to the this specific server. So he’ll send a request and the server IP address is 190 to 168 ten one. So he’ll send the request to 190 to 168 ten one on port 22. Now, when it sends the request to the server, it will need to have a source port. So this 22 is basically the destination port because the traffic is going towards the destination server. However, along with that, it needs to create a source port. So in this case, we are assuming that the source port is 55607.

Now, when the server receives the request and it wants to reply back, then it will reply back on the source port with the client had opened, which is 55607. So this is how the basic TCP IP communication work in terms of the source IP and source code. Now, let me quickly show you this in wireshark so it becomes easier for us to understand. So I’ll quickly open up the wireshark in my windows. Great. So this is the wireshark console. And basically since I’m connected to WiFi, you see there are a lot of traffic which is ongoing. So I’ll be capturing the WiFi interface.

I’ll double click on that and you see there are a lot of packets which are getting captured over here. So let me take a random packet over here. So this is one random packet. Now, if you look into the IP protocol, IP protocol will basically have the source and the destination IP. So the source is 192, 106, 843135 and the destination is 542-39-3183. So if you just compare it here. So 192 168 is the source here and the IP address which was ranging from 52 is the destination over here. All right? So this is one part.

So when you open up the TCP header, you see you have the source port and the destination port. So if my computer or if my browser wants to communicate with a website, it needs to have a source port. So in this case, the destination port is four, four, three, and the source port is six 3378. All right? And this is something that we were discussing. So here, instead of six 3378, we have 55607. Now in the second case we have the firewall which is involved over here.

And this firewall is of type stateless. So now what really happens is when the client sends the request to the server, the firewall will first check whether the inbound 22 port is allowed or not. So if the inbound 22 port is allowed, then the request from my client will be reached to the server end. Now the server also needs to respond back, so it tries to respond back to this client IP which is 172, 1015, seven and on the client port which is 55607. However, before the server can send the data back in the outbound fashion, it also will have to verify whether the port FIFA or not.

Because if in the outbound, if fifth allowed, then the server will not be able to communicate back even though the inbound request had been received by the server. So this is the characteristic of the stateless firewall. Now, there are certain important points that we need to remember here. The first one is that the client typically initiates the request choosing the FML port range. Now the port from zero to 100:23 are also called as the well known or the reserved ports. And this FML port range is something which the client decides. Now it depends on which operating system the client is in. So if you talk about Linux kernel, it will choose the FML range from three to seven, six, eight to 61,000 typically. Now, if the request origin is originating from ELB, it uses 102-426-5535 and Windows XP typically uses 10252 5000. So this ports that I am saying, it is basically the port which client uses. So this is the source port typical of the client which is initiating the connection. So now in terms of stateless firewall, the problem is that let’s say that the client has chosen 55607.

So within the stateless firewall we have to ensure that the outbound port 55607 is allowed. Now a second client, if let’s say a second client is based on Windows XP, so it might not really choose 55607, it might actually choose the port 100:25. So again, in the stateless firewall you have to make sure that the outbound port 25 is allowed. So it really becomes very difficult because the stateless firewall does not really maintain any state. So you have to explicitly allow the ports outbound.

So when you take the use case of stateful firewall, stateful firewall are quite intelligent. So let’s say that this is of type stateful firewall. So now the client is sending the request towards the server and the server IP is 190 to on port 22. Now the state will firewall here before it allows this specific request to reach the server. It will verify whether the port 22 is allowed from this specific IP of the client. If it is allowed, then it will automatically allow the reply from the server back to the client.

It will not really look into the outbound. The reason is because it is obvious that if the client is sending the request to the server and if the server’s inbound is allowed, then obviously the server will need to reply back to the client. And this is the reason why the stateful firewall will not really look into the outbound connection. It knows that the request originated from a specific client, so it will allow the outbound request. So security group in AWS is of type stateful. So let’s look into how exactly this would really look like. So I am in my EC to console and I have one EC two instance up and running. Now, this EC two instance has a security group. Now, security group is a stateful firewall.

Now, if you look into the inbound, it is allowing all the traffic. However, in outbound, it is not really allowing any traffic over here, all right? So let’s try and connect to this EC two instance over here. So it has the IP from 20 two. So I’m in my CLI, and if we try to log in, you see I got logged in. Now, the reason why I got logged in over here is because of the stateful firewall. Now, stateful firewall remembered that, all right? So the request came from a specific IP and it was allowed inbound. So if the request is allowed inbound and it was initiated from the client, then the server would typically need to reply back. And this is the reason why, irrespective of what you put in the outbound, the server will be able to respond back. So the session state is actually stored within the state full firewall. Now, let me quickly show you something interesting over here.

So if I try to do ping on Google. com, it will not be allowed over here, all right? Now, the reason why it is not allowed is, again, because of the firewall. You see, in Outbound, there are no security group rules over here. And since this is the new request, so this ping Google. com is a new request which is originating from the server towards a destination of Google. com. Now, this is the reason why it is not allowed over here in the session state.

It did not see that this connection was established. This is a new connection and this is the reason why the outbound is not allowed. So let’s do one thing. Let’s put the outbound here. Let me put outbound as all traffic I’ll put, all right, so outbound is full zero allowed. And now if I try to do a ping on Google. com, I am able to do it perfectly great. So this is what the stateful firewall is all about. Now, we should also look into the stateless firewall because otherwise our understanding in terms of practicality will be incomplete. So in AWS, the network ACL is of type stateless. So let’s play around with that as well. So I’ll select the VPC where our EC two instance is in, and let’s go a bit down. I have a network ACL.

So this is the network ACL. Generally in AWS, whenever you create a VPC, the network ACL is created by default. So this is the default network ACL over here, all right? Now this network ACL is of type stateless. So it does not really remember the state even though if the client sends the request to the server, if the outbound here if you see your outbound rules is also present, if outbound rule does not allow it, the traffic will not be able to reach back to the client.

So let’s try this out. So what I will do in security group, we have full allowed on inbound and outbound. So security group will not come into picture here. The only thing that will come into picture here is the network ACL. So let’s do one thing, let’s edit the outbound room. So here, instead of allow, let me put it as denied and I’ll click on save and let’s try to connect to the server yet again. So I’ll do SSS easy to use it at the IP address of the server. And currently you see I have not been able to connect to the server.

If you even try ping, you will not be able to get reply back. Now, in this case, what is happening is the data. If you talk about ping, the echo request is successfully reaching the server. However, server is not being able to reply back because within the outbound rule of the network ACL we have everything as denied. However, in security group, even if you do not have an outbound rule here so in security group generally if you do not have an outbound rule, it is default deny. Now, even if you do not have an outbound rule here, the security group will still allow because it knows that the client had initiated the request and in the inbound the traffic was allowed. So for that specific session, outbound will by default be allowed. All right, so now let’s remove this rule.

I’ll just put it as allow yet again and now you see the traffic has been coming back. Now, a little challenge over here as we were discussing is that if you are using network ACL, then you cannot really specify port because various client uses different FML port range. So let’s say if you might use this port range in the outbound of the network ACL and if someone from Windows expedite tries to connect to your application, then he’ll not be able to get the reply back. So typically network ACL outbound all the traffic is generally allowed. So this is the high level overview. I hope this practical has proved to be useful.

Now again, let’s revise again. So there are two main types of firewall. You have state full firewall and stateless firewall. State full firewall basically maintains the connection state and it knows which packet to allow outbound, even when the outbound is restricted. In the other hand, stateless firewall does not maintain the connection state for each packet traversing inbound or outbound in a new separate packet.

Now, generally, whenever I take interviews, the first question typically if it is a security interview, because I have been working in security domain, one of the first questions that I ask is stateful versus stateless firewall. And this is actually one of the basic things that if you are working into security or if you’re working into network security domain, this is something that is quite basic and you should be knowing. And I have seen that a lot of other interviewers from organizations they also have similar question sets for the interviews.

• Category: Uncategorized