
Is it considered best practice to disable the Windows Firewall on an Amazon EC2 instance, and control traffic only via EC2 Security Groups?

If I open a port on the server firewall, and then open the same port on the security group, it requires double maintenance.

EDIT:

I found an advantage of doing both. Actually, when you filter by IP and port at the AWS level, you get more performance, as the AWS server will do the deny job and the requests do not even reach your server, which saves you RAM, CPU and bandwidth.

EDIT2:

Actually, when you configure the Windows firewall by mistake to disable the 3389 RDP port, your machine is gone.

What do you think?

Momo
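The lockout scenario in EDIT2 (a host firewall change that blocks TCP 3389 before anyone notices) is avoidable with a guard that refuses to tighten the Windows Firewall until an enabled inbound allow rule for RDP is present. The following PowerShell is an added example, not code from the question or any answer. It assumes an elevated session on the instance (the built-in NetSecurity cmdlets), and `$ManagementCidr` is a placeholder for whatever range the matching security group rule already allows.

```powershell
# Added example (not from the original question or answers). Assumptions:
# - Runs in an elevated PowerShell session on the Windows EC2 instance.
# - $ManagementCidr is a placeholder (TEST-NET-3); use the same range that the
#   EC2 security group allows so both layers agree.
$ManagementCidr = '203.0.113.0/24'
$RuleName       = 'Allow RDP from management network'

function Test-RdpAllowRule {
    # True only if some *enabled* inbound Allow rule lists TCP port 3389.
    # Rules expressed as port ranges (e.g. 3380-3390) are not matched here.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '3389')) {
            return $true
        }
    }
    return $false
}

function Add-RdpAllowRule {
    # Idempotent: only create the scoped rule if it does not already exist.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress $ManagementCidr -Action Allow -Profile Any | Out-Null
    }
}

# Guarded hardening: tighten the default inbound action only once RDP is provably allowed.
Add-RdpAllowRule
if (Test-RdpAllowRule) {
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    Write-Output 'RDP allow rule present; default inbound action set to Block.'
} else {
    Write-Warning 'No enabled inbound Allow rule for TCP 3389 found; profile left unchanged to avoid a lockout.'
}
```

The check deliberately looks at the effective rule set rather than at a rule name, so the stock "Remote Desktop - User Mode (TCP-In)" rule shipped in the AMI satisfies it as well; scoping the new rule to `-RemoteAddress` keeps the host layer as tight as the security group layer instead of allowing 3389 from anywhere.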

4 Answers

4

I always do both. It's a matter of who you trust more, Amazon, or yourself.

Perhaps one day the AWS security groups may be broken, disabled, circumvented. In that (unlikely) case, I have a second barrier I can rely on.

And if I accidentally leave something open on one, the other one will still block it. It's a bit like double opt-in, or two-factor authentication.

As far as administering a double set of firewall rules goes, for me it's worth it. It's not that many rules. If you have lots, then you should ask yourself whether that one instance is doing too much anyway, which adds a variety of possible points of failure and complexity.

If you do choose to only set up one, I would do the one you have full control of, the one on your instance.

JayMcTee
  • Thank you for sharing your experience. I will then do both to be sure all will be ok. – Momo Nov 06 '15 at 09:02
  • 1
    Isn't it rather "... who you trust more, Amazon or Microsoft" (as the question was about Windows in AWS)? The administrator ("yourself") is a factor for both solutions, if you can't trust the admin neither solution can counter that. – Håkan Lindqvist Nov 08 '15 at 14:03
  • Perhaps so, Hakan. Though what I meant was, you administer the configuration on AWS security groups, but are not the ultimate admin of that system. You are the ultimate admin of your instance, no matter whether it's Microsoft you run, UNIX or Linux. – JayMcTee Nov 08 '15 at 14:08
  • I still don't see how using Windows firewall is trusting "myself" more than using security groups. Both Amazon and Windows give you a panel to administer the security, and you have to trust both of them to properly implement your configuration. Either way, I agree with you and Rodrigo below that using both is good defense-in-depth. – David Feb 26 '16 at 16:17
4

Disabling one or the other is not best practice for long term network security. Best security practice is to maintain both a host-resident firewall and an AWS security group on your instance always. This practice is based on the security concept called Defense in Depth. It is a very sound way to build security redundancy in your network.

If you are using a VPC, there is another security layer to consider: Network Access Control List (ACL). A network ACL acts as a firewall for controlling traffic in and out of a subnet.

A useful technique when implementing your initial security architecture on AWS, is to rely only on security groups and/or a host-resident firewall during the design and test phase, to simplify management. As the implementation matures you can add ACL rules as another layer to further protect your network.

Rodrigo Murillo
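The defense-in-depth layering described in this answer, and the "double maintenance" concern from the question, both come down to keeping the same allow list in the security group and on the host. The following PowerShell is an added example, not code from the answer or from AWS; it declares the intended ingress rules once and audits an EC2 security group against them with the AWS Tools for PowerShell cmdlets `Get-EC2SecurityGroup` and `Grant-EC2SecurityGroupIngress`. The module is assumed to be installed with credentials and region configured, and `$SecurityGroupId` and the CIDR are placeholders.

```powershell
# Added example (not from the original answers). Assumptions:
# - AWS.Tools.EC2 (or the monolithic AWSPowerShell module) is installed and
#   default credentials/region are set.
# - $SecurityGroupId and the CIDR below are placeholders, not real resources.
$SecurityGroupId = 'sg-0123456789abcdef0'
$DesiredIngress  = @(
    @{ Port = 3389; Cidr = '203.0.113.0/24'; Note = 'RDP from management network' },
    @{ Port = 443;  Cidr = '0.0.0.0/0';      Note = 'HTTPS to the public' }
)

function Test-SgIngressRule {
    # True if the group already has a TCP rule covering $Port for exactly $Cidr.
    param([string]$GroupId, [int]$Port, [string]$Cidr)
    $sg = Get-EC2SecurityGroup -GroupId $GroupId
    foreach ($perm in $sg.IpPermissions) {
        if ($perm.IpProtocol -eq 'tcp' -and $perm.FromPort -le $Port -and $perm.ToPort -ge $Port) {
            foreach ($range in $perm.Ipv4Ranges) {
                if ($range.CidrIp -eq $Cidr) { return $true }
            }
        }
    }
    return $false
}

function Add-SgIngressRule {
    # Hashtable form accepted by -IpPermission; one port, one CIDR per call.
    param([string]$GroupId, [int]$Port, [string]$Cidr)
    $perm = @{ IpProtocol = 'tcp'; FromPort = $Port; ToPort = $Port; IpRanges = @($Cidr) }
    Grant-EC2SecurityGroupIngress -GroupId $GroupId -IpPermission @($perm)
}

# Reconcile: report drift and add only what is missing, so re-running is harmless.
foreach ($rule in $DesiredIngress) {
    if (Test-SgIngressRule -GroupId $SecurityGroupId -Port $rule.Port -Cidr $rule.Cidr) {
        Write-Output ("present  tcp/{0} from {1}  ({2})" -f $rule.Port, $rule.Cidr, $rule.Note)
    } else {
        Write-Output ("adding   tcp/{0} from {1}  ({2})" -f $rule.Port, $rule.Cidr, $rule.Note)
        Add-SgIngressRule -GroupId $SecurityGroupId -Port $rule.Port -Cidr $rule.Cidr
    }
}
```

Because `$DesiredIngress` is plain data, the same list can drive the host-side `New-NetFirewallRule` calls on the instance, which turns the two layers into one source of truth rather than two hand-maintained rule sets. The audit function also doubles as a detection check: run it read-only (skip the `Add-SgIngressRule` branch) to flag a security group that has drifted from what the host firewall expects.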
3

I don't know if it's a "best practice" from the community, but Amazon recommends doing it.

"We recommend that you disable Windows Firewall and control access to your instance using security group rules." (Source)

foxontherock
0

Amazon does not recommend to disable the Windows Firewall other than to troubleshoot an issue, such as a Remote Connectivity issue.