
From what I read, stateless firewalls are used more for packet filtering. Why is AWS NACL stateless?

NACLs force too big a range of ports to be opened for the ephemeral ports.

Is there a way to create stateful firewalls on AWS other than Security Groups? Security Groups feel too granular and may get omitted by mistake.

John Rotenstein
user6317694
  • What do you mean by "feel too granular and may get omitted by mistake"? If they are omitted, then the traffic (by default) will not be permitted and somebody should notice the issue. This is much more secure than allowing all traffic by default. – John Rotenstein May 28 '19 at 23:05
  • By granular, I meant that the permissions have to be added at each VM level. Enforcing it at subnet level will be easier. Also, if there is a broad ephemeral port range open on the NACL, a VM process may use one of those ports to do something malicious. – user6317694 May 29 '19 at 15:59

2 Answers


Network Access Control Lists (ACLs) mimic traditional firewalls implemented on hardware routers. Such routers are used to separate subnets and allow the creation of separate zones, such as a DMZ. They purely filter based upon the content of the packet. That is their job.

Security Groups are an added capability in AWS that provides firewall-like capabilities at the resource level. (To be accurate, they are attached to Elastic Network Interfaces, ENIs). They are stateful, meaning that they allow return traffic to flow.

In general, the recommendation is to leave NACLs at their default settings (allow all traffic IN & OUT). They should only be changed if there is a specific need to block certain types of traffic at the subnet level.

Security Groups are the ideal way to control stateful traffic going in and out of a VPC-attached resource. They are THE way to create stateful firewalls. There is no other such capability provided by a VPC. If you wanted something different, you could route traffic through an Amazon EC2 instance acting as a NAT and then you would have full control over how it behaves.

BinaryButterfly
John Rotenstein
  • Thanks John for stating this explicitly. Somehow I kept on associating SGs with VMs and hadn't pictured SGs as firewall objects. – user6317694 May 29 '19 at 16:06
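The question worries that a NACL forces a broad ephemeral port range open, and the answer above says Security Groups are stateful "meaning that they allow return traffic to flow". The following is an added example, not code from either poster or from AWS: a toy model of a stateless NACL-style filter next to a stateful Security-Group-style filter, both given the same single rule (allow inbound 443) and run over one constructed HTTPS exchange plus one host-originated connection. The `Packet`, `Rule`, `StatelessFilter` and `StatefulFilter` names and the 203.0.113.10 / 10.0.1.5 / 198.51.100.7 addresses are assumptions made up for the example; real VPC rule numbering, first-match ordering and connection-tracking exceptions are deliberately left out.

```python
"""Toy model of a stateless, NACL-style filter beside a stateful, Security-Group-style
filter, run over one constructed HTTPS exchange.  Added example: this is not AWS code
and simplifies real VPC semantics (no rule numbers or first-match ordering, no
untracked-flow special cases)."""
from dataclasses import dataclass

# Outbound port range a stateless filter has to open so replies to remote clients
# get out; on the page this is the "ephemeral ports" the asker objects to.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected host
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Allow rule keyed on direction and destination port, as NACL/SG rules are."""
    direction: str
    port_low: int
    port_high: int

    def matches(self, pkt: Packet) -> bool:
        return self.direction == pkt.direction and self.port_low <= pkt.dst_port <= self.port_high


class StatelessFilter:
    """NACL-like: every packet is judged on its own, so a reply needs its own rule."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, pkt: Packet) -> bool:
        return any(r.matches(pkt) for r in self.rules)


class StatefulFilter:
    """SG-like: a flow admitted by a rule is remembered, and its return packets pass
    without an explicit rule in the other direction."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        else:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.flows:
            return True  # return traffic of an already-admitted flow
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(key)
            return True
        return False


def evaluate(filt) -> dict:
    """Run three constructed packets through a filter and report each verdict."""
    # Client on 203.0.113.10 opens HTTPS to the host 10.0.1.5 (constructed addresses).
    client_syn = Packet("in", "203.0.113.10", 51234, "10.0.1.5", 443)
    server_reply = Packet("out", "10.0.1.5", 443, "203.0.113.10", 51234)
    # A process on the host originating its own connection to an outside port
    # that happens to fall inside the ephemeral range.
    unsolicited = Packet("out", "10.0.1.5", 40000, "198.51.100.7", 5000)
    return {
        "client_syn_in": filt.allow(client_syn),
        "server_reply_out": filt.allow(server_reply),
        "unsolicited_out": filt.allow(unsolicited),
    }


def compare() -> dict:
    """Same single inbound rule (allow 443) under three configurations."""
    inbound_https = Rule("in", 443, 443)
    return {
        # NACL with only the inbound rule: the SYN-ACK back to the client is dropped.
        "nacl_minimal": evaluate(StatelessFilter([inbound_https])),
        # NACL plus the ephemeral-range outbound rule: replies work, but so does any
        # host-originated connection to a port in that range.
        "nacl_with_ephemeral": evaluate(
            StatelessFilter([inbound_https, Rule("out", *EPHEMERAL)])
        ),
        # Security Group: replies ride the connection table; nothing else leaves.
        "security_group": evaluate(StatefulFilter([inbound_https])),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare(), indent=2))
```

Running the file prints the three verdict tables. The `nacl_minimal` row shows the reply being dropped, which is exactly why the ephemeral range has to be opened on a stateless NACL; the `nacl_with_ephemeral` row shows the cost the second comment on the question points at (the broad outbound rule also lets host-originated connections through); and the `security_group` row shows the stateful filter admitting the reply while still dropping the unsolicited connection, with only the one inbound rule configured.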

NACL is stateless. That means by default access is denied at inbound and outbound. If you allow some traffic (TCP or other) inbound, outbound has to be explicitly allowed (of course, if you want that).

yogender
  • So if only inbound is activated I will not get back a response for example when I communicate via TCP? – trallnag Feb 09 '23 at 13:02