import * as cdk from 'aws-cdk-lib';
import {
aws_networkfirewall as firewall,
}
from 'aws-cdk-lib';
import * as constructs from 'constructs';
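/**
 * Configuration for {@link FirewallRules}.
 */
export interface FirewallRulesProps {
  /**
   * CIDR of the Cloud WAN / organisation network that is allowed to egress on
   * TCP/80 and TCP/443. It is used verbatim as the Suricata `source` of the
   * allow rules and is not validated by the construct, so pass a well-formed
   * CIDR literal (e.g. `10.0.0.0/8`); anything else fails at deploy time.
   */
  readonly cloudwanCidr: string;
}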
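/**
 * AWS Network Firewall policy for egress inspection of Cloud WAN traffic.
 *
 * The policy exposed as `firewallPolicy` is assembled from:
 *  - a stateless group that passes ICMP in both directions without stateful
 *    inspection;
 *  - the AWS-managed stateful domain-reputation and threat-signature groups;
 *  - a custom allow group for TCP/80 and TCP/443 originating from
 *    `props.cloudwanCidr`;
 *  - a custom deny-all group, backed by an `aws:drop_strict` default action.
 *
 * The stateful engine is configured for STRICT_ORDER and the groups are
 * referenced in exactly that order. This is deliberate: under the default
 * (Suricata action) order every PASS rule is evaluated before every DROP or
 * ALERT rule, so a plain "allow 80/443" rule would short-circuit inspection
 * of precisely the traffic the managed IPS groups are meant to cover. With
 * strict order the managed groups see the packet first and the allow rule only
 * admits what they did not already drop. The managed group names therefore use
 * the `StrictOrder` variants, which AWS publishes alongside the `ActionOrder`
 * ones; a STRICT_ORDER policy only accepts strict-order rule groups.
 *
 * Operational notes:
 *  - `ruleGroupName` and `firewallPolicyName` are fixed and must be unique per
 *    account and region, so only one instance of this construct can exist per
 *    region.
 *  - Switching an already-deployed stack from default to strict order appears
 *    to force replacement of the rule groups; with fixed names that may
 *    collide during the create-before-delete update — verify before rolling
 *    out to an existing environment.
 */
export class FirewallRules extends constructs.Construct {
  /** The policy to attach to a `CfnFirewall`; the construct's only output. */
  readonly firewallPolicy: firewall.CfnFirewallPolicy;

  /**
   * @param scope parent construct
   * @param id    construct id
   * @param props `cloudwanCidr` is the only source CIDR allowed out on 80/443
   */
  constructor(scope: constructs.Construct, id: string, props: FirewallRulesProps) {
    super(scope, id);

    /*
     * Stateless rules: pass ICMP in both directions.
     *
     * NOTE: `aws:pass` in the stateless engine delivers the packet without ever
     * reaching the stateful engine, so ICMP is not covered by any stateful
     * group below (including DenyAll) and is not logged there. Use
     * `aws:forward_to_sfe` plus a stateful ICMP rule if ICMP must be inspected.
     */
    const icmpStatelessGroup = new firewall.CfnRuleGroup(this, 'fwAllowStatelessRuleGroup', {
      capacity: 10,
      ruleGroupName: 'AllowStateless',
      type: 'STATELESS',
      ruleGroup: {
        rulesSource: {
          statelessRulesAndCustomActions: {
            statelessRules: [{
              priority: 1,
              ruleDefinition: {
                actions: ['aws:pass'],
                matchAttributes: {
                  protocols: [1], // IANA protocol number 1 = ICMP
                  sources: [{ addressDefinition: '0.0.0.0/0' }],
                  destinations: [{ addressDefinition: '0.0.0.0/0' }],
                },
              },
            }],
          },
        },
      },
    });

    // All custom stateful groups opt in to strict ordering so they can be
    // referenced from the STRICT_ORDER policy built at the end.
    const strictStatefulGroup = (
      constructId: string,
      name: string,
      description: string,
      rules: firewall.CfnRuleGroup.StatefulRuleProperty[],
    ): firewall.CfnRuleGroup =>
      new firewall.CfnRuleGroup(this, constructId, {
        capacity: 10,
        ruleGroupName: name,
        type: 'STATEFUL',
        description,
        ruleGroup: {
          statefulRuleOptions: { ruleOrder: 'STRICT_ORDER' },
          rulesSource: { statefulRules: rules },
        },
      });

    /*
     * Stateful allow rules: HTTP/HTTPS to anywhere, outbound from the
     * organisation network only. Return traffic is admitted by stateful flow
     * tracking, so no reverse rule is needed. Suricata sids must be unique
     * within a group; they are numbered from 1 in port order.
     */
    const egressPorts = ['80', '443'];
    const allowRules: firewall.CfnRuleGroup.StatefulRuleProperty[] = egressPorts.map((port, index) => ({
      action: 'PASS',
      header: {
        destination: 'ANY',
        destinationPort: port,
        source: props.cloudwanCidr,
        sourcePort: 'ANY',
        protocol: 'TCP',
        direction: 'FORWARD',
      },
      ruleOptions: [{ keyword: `sid:${index + 1}` }],
    }));
    const fwAllowRuleGroup = strictStatefulGroup(
      'fwAllowRuleGroup',
      'AllowRules',
      'Allow traffic to Internet',
      allowRules,
    );

    /*
     * Deny rule group: drop everything not explicitly passed above. With an
     * `aws:drop_strict` default action this group is belt-and-braces, but it
     * keeps the policy's intent explicit and visible in the rule listing.
     */
    const fwDenyRuleGroup = strictStatefulGroup(
      'fwDenyRuleGroup',
      'DenyAll',
      'Deny all other traffic',
      [{
        action: 'DROP',
        header: {
          destination: 'ANY',
          destinationPort: 'ANY',
          source: 'ANY',
          sourcePort: 'ANY',
          protocol: 'IP',
          direction: 'FORWARD',
        },
        ruleOptions: [{ keyword: 'sid:100' }],
      }],
    );

    /*
     * AWS-managed stateful rule groups, evaluated in this order and before the
     * custom allow/deny groups. Descriptions are AWS's own summaries. The
     * variant suffix must match the policy's rule order (StrictOrder here).
     */
    const managedStatefulGroups = [
      // Generally legitimate but compromised domains that may host malware.
      'AbusedLegitMalwareDomainsStrictOrder',
      // Generally legitimate but compromised domains that may host botnets.
      'AbusedLegitBotNetCommandAndControlDomainsStrictOrder',
      // Domains known for hosting malware.
      'MalwareDomainsStrictOrder',
      // Domains known for hosting botnet command-and-control.
      'BotNetCommandAndControlDomainsStrictOrder',
      // Autogenerated signatures for known, confirmed active botnet / C2 hosts.
      'ThreatSignaturesBotnetStrictOrder',
      // HTTP botnets.
      'ThreatSignaturesBotnetWebStrictOrder',
      // Windows botnets.
      'ThreatSignaturesBotnetWindowsStrictOrder',
      // Denial of Service attempts.
      'ThreatSignaturesDoSStrictOrder',
      // Rules developed for active, short-lived campaigns and high-profile events.
      'ThreatSignaturesEmergingEventsStrictOrder',
      // Exploits, ActiveX, FTP, ICMP, NetBIOS, RPC, ShellCode, SNMP, SQL, Telnet,
      // TFTP and VoIP attacks and vulnerabilities.
      'ThreatSignaturesExploitsStrictOrder',
      // Gaming, potentially inappropriate websites, P2P and other policy violations.
      'ThreatSignaturesFUPStrictOrder',
      // Exploit kits, their infrastructure and delivery.
      'ThreatSignaturesIOCStrictOrder',
      // Malware over tcp, udp, smtp, icmp, smb, ip, and worms.
      'ThreatSignaturesMalwareStrictOrder',
      // Coin-mining malware.
      'ThreatSignaturesMalwareCoinminingStrictOrder',
      // Mobile malware — left disabled as in the original; reason not recorded.
      // 'ThreatSignaturesMalwareMobileStrictOrder',
      // Malicious code in HTTP and TLS.
      'ThreatSignaturesMalwareWebStrictOrder',
      // Phishing — disabled in the original, annotated "4200" (presumably its
      // capacity against the policy's stateful capacity limit; confirm before enabling).
      // 'ThreatSignaturesPhishingStrictOrder',
      // Reconnaissance and probing from scanning tools.
      'ThreatSignaturesScannersStrictOrder',
      // JA3 fingerprints of malicious TLS certificates, chat clients, anomalous user agents.
      'ThreatSignaturesSuspectStrictOrder',
      // Attacks and vulnerabilities in web clients, web servers and web applications.
      'ThreatSignaturesWebAttacksStrictOrder',
    ];

    // Partition is taken from the stack rather than hard-coded so the ARN is
    // valid in GovCloud / China partitions too.
    const managedGroupArn = (name: string): string =>
      `arn:${cdk.Aws.PARTITION}:network-firewall:${cdk.Aws.REGION}:aws-managed:stateful-rulegroup/${name}`;

    // Strict order requires an explicit priority per reference: managed
    // groups first (1..n), then the allow group, then the deny group.
    const statefulRefs: firewall.CfnFirewallPolicy.StatefulRuleGroupReferenceProperty[] = [
      ...managedStatefulGroups.map((name, index) => ({
        resourceArn: managedGroupArn(name),
        priority: index + 1,
      })),
      { resourceArn: fwAllowRuleGroup.attrRuleGroupArn, priority: managedStatefulGroups.length + 1 },
      { resourceArn: fwDenyRuleGroup.attrRuleGroupArn, priority: managedStatefulGroups.length + 2 },
    ];

    // Firewall policy wiring the stateless ICMP group and the ordered stateful groups.
    this.firewallPolicy = new firewall.CfnFirewallPolicy(this, 'FWPolicy', {
      firewallPolicyName: 'FirewallPolicy',
      firewallPolicy: {
        statelessDefaultActions: ['aws:forward_to_sfe'],
        statelessFragmentDefaultActions: ['aws:forward_to_sfe'],
        statelessRuleGroupReferences: [
          { resourceArn: icmpStatelessGroup.attrRuleGroupArn, priority: 1 },
        ],
        statefulEngineOptions: { ruleOrder: 'STRICT_ORDER' },
        // Anything no stateful rule explicitly PASSes is dropped, independent
        // of the DenyAll group.
        statefulDefaultActions: ['aws:drop_strict'],
        statefulRuleGroupReferences: statefulRefs,
      },
    });
  }
}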