AWS Network Firewall is a firewall for Amazon Virtual Private Cloud (VPC) with pluggable support for third-party intrusion detection systems like Snort and Suricata. Customers use AWS Network Firewall to guard against unwanted traffic to and from their VPCs. Since AWS Network Firewall plays a key role within a VPC’s overall network security architecture, it’s important to monitor firewall traffic within the context of a VPC network as a whole—and to get fine-grained visibility into potential attacks.
Datadog is pleased to be a launch partner for AWS Network Firewall. With our new integration, which you can install with one click using CloudFormation, you can understand the performance of your VPC firewalls, discover trends in firewall traffic from all of your AWS accounts, and quickly detect threats to your network—all in one place.
AWS Network Firewall provides a flexible configuration language for determining which packets to drop or pass downstream. Datadog’s integration helps you monitor traffic through your firewall so you can ensure that your configuration is working as expected. You can use the integration to monitor the number of received, dropped, and passed packets. And with built-in tags for the name of each firewall and availability zone—and whether a packet was processed by AWS Network Firewall’s stateful or stateless engines—you can group and filter your AWS Network Firewall metrics to quickly locate the source of a misconfiguration.
You can visualize AWS Network Firewall metrics alongside VPC metrics to understand how much traffic your firewall is filtering in relation to other network infrastructure running in your VPC. For example, you can compare the dropped packet metric from AWS Network Firewall (aws.networkfirewall.dropped_packets) with the metric for traffic accepted or rejected by security groups or Network Access Control Lists, aws.vpc.flowlogs.action, to see which parts of your network are screening out the most traffic and discover possible root causes for network-related issues.
The integration also makes it easy to spot unexpected surges or drops in traffic. You can use an anomaly monitor to alert your team automatically if, for instance, your firewall drops far more packets than intended, so you can investigate the issue as soon as possible.
Network flow logs provide fine-grained visibility into firewall traffic so you can effectively troubleshoot incidents. AWS Network Firewall can write network flow logs to Amazon S3, CloudWatch Logs, or Amazon Kinesis Data Firehose. These logs include network traffic data such as source and destination addresses, protocols, and values of TCP flags.
You can forward your AWS Network Firewall flow logs to Datadog using our easy-to-install Lambda function, using adjustable exclusion filters to ensure that you’re indexing a manageable volume of flow logs. Datadog will automatically enrich your flow logs with attributes, which you can then aggregate and filter using Log Analytics to view trends in network activity through your firewall.
For example, you can use the netflow.tcp.tcp_flags attribute—which indicates the values of the TCP flags within your firewall traffic in hexadecimal format—to identify a burst of abruptly reset connections (04), as shown below. This could mean that a process listening for these connections has crashed, or that your infrastructure is subject to a TCP reset attack.
It’s crucial that you monitor your firewall to ensure that it’s blocking malicious traffic. You can use Datadog Cloud SIEM to define Detection Rules that Datadog will use to identify potential threats within your AWS Network Firewall flow logs—regardless of whether your flow logs are indexed. In the screenshot below, Cloud SIEM highlights a possible DoS attack on one AWS VPC, which it detected by tracking the frequency of traffic from the same IP address within a specific evaluation window.
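As an added example that is not part of the original post or of Datadog's integration, the Python below runs the two detections described above over a handful of constructed flow-log records: it decodes the hexadecimal tcp_flags value (04 is the RST bit), then counts flows per source IP inside an evaluation window, optionally only flows carrying RST, and reports sources that reach a threshold. The JSON layout, field names, firewall name and addresses are assumptions for illustration, not real AWS Network Firewall output.

```python
import json
from collections import defaultdict

# TCP flag bits behind the hexadecimal tcp_flags value (Suricata/EVE bit layout; 0x04 is RST)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

def decode_tcp_flags(hex_flags):
    """Turn a hex flag string such as '04' or '14' into the set of flag names it encodes."""
    value = int(hex_flags, 16)
    return {name for bit, name in TCP_FLAGS.items() if value & bit}

def parse_flow_log(line):
    """Pull the fields the detection needs out of one JSON flow-log record."""
    rec = json.loads(line)
    ev = rec["event"]
    return {"ts": int(rec["event_timestamp"]), "src_ip": ev["src_ip"],
            "flags": decode_tcp_flags(ev.get("tcp", {}).get("tcp_flags", "00"))}

def count_by_source(lines, window_start, window_seconds, only_flag=None):
    """Count flows per source IP inside [window_start, window_start + window_seconds),
    optionally keeping only flows that carry a given TCP flag (e.g. 'RST')."""
    counts = defaultdict(int)
    for line in lines:
        flow = parse_flow_log(line)
        if not window_start <= flow["ts"] < window_start + window_seconds:
            continue
        if only_flag and only_flag not in flow["flags"]:
            continue
        counts[flow["src_ip"]] += 1
    return dict(counts)

def sources_over_threshold(lines, window_start, window_seconds, threshold, only_flag=None):
    """Source IPs whose flow count in the window reaches the threshold (the rule's trigger)."""
    counts = count_by_source(lines, window_start, window_seconds, only_flag)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample records (layout assumed, not real firewall output): one source sends a
# burst of pure RST flows (tcp_flags "04"), another sends a normal completed flow ("1b").
SAMPLE_LOGS = [
    json.dumps({"firewall_name": "example-fw", "availability_zone": "us-east-1a",
                "event_timestamp": str(1600000000 + i),
                "event": {"event_type": "netflow", "proto": "TCP", "src_ip": src,
                          "src_port": 40000 + i, "dest_ip": "10.0.1.10", "dest_port": 443,
                          "tcp": {"tcp_flags": flags}}})
    for i, (src, flags) in enumerate([("192.0.2.7", "04")] * 5 +
                                     [("198.51.100.3", "1b"), ("198.51.100.3", "04"), ("192.0.2.7", "14")])
]

if __name__ == "__main__":
    # Report sources with 5 or more RST flows in a 10-second evaluation window
    print(sources_over_threshold(SAMPLE_LOGS, 1600000000, 10, threshold=5, only_flag="RST"))
```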
Cloud SIEM is part of the Datadog Cloud Security Platform, which protects an organization’s production environment with a full-stack offering providing threat detection and posture management, as well as workload and application security.
Datadog’s AWS Network Firewall integration gives you deep visibility into traffic through your VPC. You can monitor AWS Network Firewall alongside AWS VPC and over 500 other technologies to ensure that the infrastructure running in your cloud-based networks is performing as expected. If you’re not already using Datadog, sign up for a free trial.