Exam SAA-C03
Question 15

A company recently migrated to AWS and wants to implement a solution to protect the traffic that flows in and out of the production VPC. The company had an inspection server in its on-premises data center. The inspection server performed specific operations such as traffic flow inspection and traffic filtering. The company wants to have the same functionalities in the AWS Cloud.

Which solution will meet these requirements?

    Correct Answer: C

    To protect the traffic in and out of a production VPC on AWS and to perform specific operations such as traffic flow inspection and traffic filtering, AWS Network Firewall is the appropriate solution. It is a managed firewall service that allows you to create rules for both inbound and outbound traffic, ensuring a robust security posture. With its ability to perform deep packet inspection and advanced traffic filtering, it aligns closely with the functionalities described, replicating what an on-premises inspection server would do within the AWS environment.

Discussion
SilentMilli (Option: C)

I would recommend option C: Use AWS Network Firewall to create the required rules for traffic inspection and traffic filtering for the production VPC. AWS Network Firewall is a managed firewall service that provides filtering for both inbound and outbound network traffic. It allows you to create rules for traffic inspection and filtering, which can help protect your production VPC. Option A: Amazon GuardDuty is a threat detection service, not a traffic inspection or filtering service. Option B: Traffic Mirroring is a feature that allows you to replicate and send a copy of network traffic from a VPC to another VPC or on-premises location. It is not a service that performs traffic inspection or filtering. Option D: AWS Firewall Manager is a security management service that helps you to centrally configure and manage firewalls across your accounts. It is not a service that performs traffic inspection or filtering.

Clouddon

Thank you for this reply

BoboChow (Option: C)

I agree with C. **AWS Network Firewall** is a stateful, managed network firewall and intrusion detection and prevention service for your virtual private cloud (VPC) that you created in Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the perimeter of your VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.

BoboChow

And I'm not sure Traffic Mirroring can be used for filtering.

mbuck2023 (Option: B)

Option B with Traffic Mirroring is the most suitable solution for mirroring the traffic from the production VPC to an inspection instance or tool, allowing you to perform traffic inspection and filtering as required.

sbnpj (Option: B)

Traffic Mirroring will allow you to inspect and filter traffic using a server (note the company had an on-premises server for traffic filtering).

TheFivePips (Option: C)

I didn't realize the network firewall could do inspection, but here's what the documentation says: AWS Network Firewall supports Transport Layer Security (TLS) inspection, allowing customers to strengthen their security posture on AWS by improving visibility into encrypted traffic flows. You can use AWS Network Firewall to decrypt TLS sessions and inspect both inbound and outbound Amazon Virtual Private Cloud (VPC) traffic without the need to deploy or manage any additional network security infrastructure. Encryption and decryption happen on the same firewall instance natively, so traffic does not cross any network boundaries.

cookieMr (Option: C)

AWS Network Firewall is a managed network firewall service that allows you to define firewall rules to filter and inspect network traffic. You can create rules to define the traffic that should be allowed or blocked based on various criteria such as source/destination IP addresses, protocols, ports, and more. With AWS Network Firewall, you can implement traffic inspection and filtering capabilities within the production VPC, helping to protect the network traffic. In the context of the given scenario, AWS Network Firewall can be a suitable choice if the company wants to implement traffic inspection and filtering directly within the VPC without the need for traffic mirroring. It provides an additional layer of security by enforcing specific rules for traffic filtering, which can help protect the production environment.

AJAYSINGH0807

B is the correct answer.

awsgeek75 (Option: C)

Network Firewall to define firewall rules for traffic inspection. A: GuardDuty is not for this. B: Wrong product. D: Firewall Manager does not monitor traffic; it manages firewalls.

A_jaa (Option: C)

Answer-C

danielpark99 (Option: C)

AWS Network Firewall supports layer 3 to layer 7 protection; it is able to inspect any direction, let's say VPC to VPC, outbound and inbound, and even supports Direct Connect and Site-to-Site VPN.

reema908516 (Option: C)

AWS Network Firewall is a managed firewall service that provides filtering for both inbound and outbound network traffic. It allows you to create rules for traffic inspection and filtering, which can help protect your production VPC.

nmywrld

Why isn't D viable? Firewall Manager will help to provision Network Firewall as required if you define it in Firewall Manager. And it's fully managed, not requiring you to do any configuration or setup.

pentium75

Because we need a firewall, not a service that we COULD IN THEORY use to create a firewall?

Syruis (Option: C)

C with no doubt

Guru4Cloud (Option: C)

- AWS Network Firewall is a managed network security service that provides stateful inspection of traffic and allows you to define firewall rules to control the traffic flow in and out of your VPC.
- With AWS Network Firewall, you can create custom rule groups to define specific operations for traffic inspection and filtering.
- It can perform deep packet inspection and filtering at the network level to enforce security policies, block malicious traffic, and allow or deny traffic based on defined rules.
- By integrating AWS Network Firewall with the production VPC, you can achieve similar functionalities as the on-premises inspection server, performing traffic flow inspection and filtering.
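
The posts by cookieMr and Guru4Cloud above describe what option C amounts to in practice: a stateful rule group with allow/deny rules on addresses, ports, protocols and layer 7 attributes, a policy that references it, and a firewall endpoint inside the production VPC. The CloudFormation template below is an added example, not code from the exam page or from AWS documentation, showing one such deployment end to end. The VPC and subnet are supplied as parameters (assumed), the Suricata-compatible rules and the `bad.example` domain are constructed placeholders, and the CloudWatch log group name is an assumption; the `$HOME_NET` variable defaults to the CIDR of the VPC the firewall is deployed in.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not from the exam page): AWS Network Firewall in a production
  VPC with a stateful rule group, a strict-order policy and alert logging.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Production VPC to protect (assumed; supply your own)
  FirewallSubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Dedicated firewall subnet in one AZ (assumed; supply your own)

Resources:
  # Stateful rule group in Suricata-compatible syntax: layer 3/4 matching on
  # addresses, protocol and port, plus layer 7 matching on the TLS SNI.
  ProdStatefulRules:
    Type: AWS::NetworkFirewall::RuleGroup
    Properties:
      RuleGroupName: prod-vpc-stateful
      Type: STATEFUL
      Capacity: 100
      RuleGroup:
        StatefulRuleOptions:
          RuleOrder: STRICT_ORDER   # rules evaluated top to bottom
        RulesSource:
          RulesString: |
            # Constructed sample rules; replace with the organisation's policy.
            # 1. Drop (and alert on) outbound TLS whose SNI is a placeholder bad domain.
            drop tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:"bad.example"; nocase; flow:to_server; msg:"Blocked TLS to bad.example"; sid:1000001; rev:1;)
            # 2. Allow remaining HTTPS egress (only reached if rule 1 did not match).
            pass tls $HOME_NET any -> $EXTERNAL_NET 443 (flow:to_server; msg:"Allow HTTPS egress"; sid:1000002; rev:1;)
            # 3. Allow outbound DNS so name resolution keeps working.
            pass udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"Allow DNS egress"; sid:1000003; rev:1;)
            # Everything else falls through to the policy default (drop + alert).

  # Policy: send all packets to the stateful engine, then drop and alert on
  # anything no pass rule has explicitly allowed.
  ProdFirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: prod-vpc-policy
      FirewallPolicy:
        StatelessDefaultActions: ["aws:forward_to_sfe"]
        StatelessFragmentDefaultActions: ["aws:forward_to_sfe"]
        StatefulEngineOptions:
          RuleOrder: STRICT_ORDER
        StatefulDefaultActions: ["aws:drop_strict", "aws:alert_strict"]
        StatefulRuleGroupReferences:
          - ResourceArn: !Ref ProdStatefulRules
            Priority: 1

  # The firewall endpoint itself, placed in a dedicated subnet of the VPC.
  ProdFirewall:
    Type: AWS::NetworkFirewall::Firewall
    Properties:
      FirewallName: prod-vpc-firewall
      FirewallPolicyArn: !Ref ProdFirewallPolicy
      VpcId: !Ref VpcId
      SubnetMappings:
        - SubnetId: !Ref FirewallSubnetId
      DeleteProtection: true
      FirewallPolicyChangeProtection: true
      SubnetChangeProtection: true

  # Alert logs give the detection side: every drop/alert above lands here.
  AlertLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /prod-vpc/network-firewall/alert   # assumed name
      RetentionInDays: 90

  ProdFirewallLogging:
    Type: AWS::NetworkFirewall::LoggingConfiguration
    Properties:
      FirewallArn: !Ref ProdFirewall
      LoggingConfiguration:
        LogDestinationConfigs:
          - LogType: ALERT
            LogDestinationType: CloudWatchLogs
            LogDestination:
              logGroup: !Ref AlertLogGroup

Outputs:
  FirewallEndpoints:
    Description: Endpoint IDs to target from the VPC route tables
    Value: !Join [",", !GetAtt ProdFirewall.EndpointIds]
```

Two points worth checking after deployment: the firewall only sees traffic that the VPC route tables actually send through its endpoint (the template does not touch routing, so the internet gateway and workload subnet routes still need to point at the endpoint), and strict order matters here because with the default action order a `pass` rule would be evaluated before the `drop`, letting the bad-domain flow through.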

miki111

Option C MEETS THE REQUIREMENT.

Danni

Anyone with the contributor access, kindly help me. I'm in need of the last set of questions as a means of retake preparations.

abhishek2021 (Option: C)

C is correct as the option uses AWS services to fully meet the requirement. Had the question not been asking "in the AWS Cloud", option B could be a correct option too, but a costlier one, as the user has to pay for network data for every bit of traffic replicated between the AWS Cloud and the on-prem location.

Ade43

Option B is correct, no need to send traffic to on-prem; also, the inspection server migrated to the Cloud too.