
AWS Firewall Manager Supports Palo Alto Networks Cloud Next Generation Firewalls


AWS recently announced that Firewall Manager supports Palo Alto Networks Cloud Next Generation Firewalls (NGFW). Palo Alto Networks partnered with the cloud provider to offer a managed firewall service designed to simplify securing AWS deployments.

Jeff Barr, vice president and chief evangelist at AWS, explains the benefits of Cloud NGFW for AWS:

Palo Alto Networks pioneered the concept of deep packet inspection in their NGFWs. Cloud NGFW for AWS can decrypt network packets, look inside, and then identify applications using signatures, protocol decoding, behavioural analysis, and heuristics. This gives you the ability to implement fine-grained, application-centric security management that is more effective than simpler models that are based solely on ports, protocols, and IP addresses.

With Advanced URL filtering, customers can create rules to identify and handle network traffic based on feeds, curated lists of sites that distribute viruses, spyware, and other types of malware. Other supported Palo Alto technologies are Threat Prevention, to stop known vulnerability exploits and malware, and App-ID, to reduce the risk of attack by controlling traffic based on Layer 7 traffic classification.


Cloud NGFW can control traffic across VPCs without inserting IPS appliances to monitor and protect cloud workloads. Using Palo Alto’s technology on AWS was previously possible but not easy to set up, requiring either a VPN connection or a so-called VPC insertion. Moreover, the customer had to manage both the firewall itself and the scaling of the underlying infrastructure.

The cybersecurity company released a Getting Started with Cloud NGFW for AWS guide to document the setup of the new service and explains on its tech blog:

Cloud NGFW supports a variety of deployment scenarios. You can use AWS gateways such as Internet Gateway, NAT gateway, and Transit gateway in conjunction with NGFW endpoint(s) and VPC routing to support distributed and centralised deployment architectures. Cloud NGFW acts as a bump-in-the-wire in outbound, east-west, and inbound traffic paths in these architectures. The traffic packet headers and payload remain intact, providing complete visibility to the destination (no SNAT/DNAT).

Nick Matthews, principal product manager at AWS, tweets about the partnership:

I think this is pretty cool - Palo Alto as a Service within AWS. We've talked for years about how we could enable third party services 'as a checkbox' and it's finally coming to fruition.

Matthews adds:

I think the elegant part here is these firewalls show up as a single network interface in your VPC - you're not messing with a stack of firewalls and load balancers and symmetry, etc.

Amazon Firewall Manager supports other types of firewalls too: AWS WAF, Shield Advanced, VPC security groups, AWS Network Firewall, and Route 53 DNS Resolver DNS Firewall.

AWS Firewall Manager and Cloud NGFW are regional services with Cloud NGFW currently supported only in the Northern Virginia and Northern California regions. The service is available as a pay-as-you-go subscription in the AWS Marketplace and starts at $1.637/hr plus the traffic processed. The Threat Prevention and Advanced URL Filtering capabilities are charged separately.
