Control traffic at all layers

PostedNovember 28, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Protecting your network resources necessitates a comprehensive approach to traffic control. By implementing multiple layers of defense, you can effectively minimize the risk of both external and internal threats, ensuring that only authorized traffic interacts with your workloads.

Best Practices

Implement Layered Security Controls

Utilize security groups and network ACLs: Configure AWS security groups to control inbound and outbound traffic at the instance level, while network ACLs can provide an additional layer of security at the subnet level. This helps ensure that only necessary traffic is allowed.
Deploy a Web Application Firewall (WAF): Protect your applications from common web exploits by deploying a WAF that filters and monitors HTTP traffic between your web application and the Internet.
Use VPN and Direct Connect: Establish secure connections for private networking with AWS by utilizing Virtual Private Network (VPN) connections or AWS Direct Connect to enhance security for sensitive data transfers.
Segment your VPC: Create separate subnets within your VPC for different application tiers to isolate your network components and control the flow of traffic between them.
Conduct regular security assessments: Regularly review your security configurations and access logs to identify and mitigate potential threats proactively.

Monitor and Audit Network Traffic

Enable VPC Flow Logs: Capture information about the IP traffic going to and from network interfaces in your VPC, which aids in troubleshooting and gaining visibility into traffic patterns.
Utilize AWS CloudTrail: Monitor and log API calls made on your AWS account to keep track of actions taken on your resources, ensuring accountability and simplifying compliance audits.
Set up Amazon GuardDuty: Implement GuardDuty for continuous monitoring of your AWS accounts and workloads to identify unauthorized or malicious behavior.
Regularly review security logs: Establish a routine for examining logs for unusual activity and set up alerts to notify you of suspicious behavior.

Enforce Least Privilege Access

Define and apply IAM policies: Use AWS Identity and Access Management (IAM) to create fine-grained access policies that permit only the minimum necessary permissions for users and services.
Implement role-based access controls: Establish roles with specific permissions and assign users to these roles based on their job responsibilities, reducing the risk of over-provisioning.
Regularly review and clean up permissions: Conduct periodic reviews of user access rights to eliminate unnecessary permissions and minimize exposure to potential threats.

Questions to ask your team

Have you implemented a layered network security strategy, such as using firewalls, security groups, and network access control lists (ACLs)?
Do you regularly review and update your network access policies to reflect the principle of least privilege?
Are there monitoring and logging mechanisms in place to track and analyze network traffic?
How do you manage and secure communication between different network segments, such as public and private subnets?
Are you using services like AWS Shield or AWS WAF to protect against DDoS attacks or web application vulnerabilities?
Have you established baseline traffic patterns to identify anomalies in network activity?

Who should be doing this?

Network Architect

Design and implement the network topology considering security best practices.
Define and document the connectivity requirements for each component in the network.
Ensure that only necessary traffic is allowed at each layer of the network.
Conduct regular reviews and updates of network security configurations.

Security Engineer

Monitor network traffic for suspicious activity.
Implement firewalls and intrusion detection systems to control traffic.
Conduct penetration testing to identify vulnerabilities in the network.
Collaborate with the Network Architect to refine security measures.

Systems Administrator

Manage and configure network devices such as routers, switches, and firewalls.
Respond to security incidents and implement corrective actions.
Ensure compliance with organizational security policies and standards.
Maintain documentation of network configurations and changes.

Cloud Security Specialist

Evaluate cloud services for their security posture regarding network resources.
Advise on best practices for securing cloud network architectures.
Ensure that security controls are effectively implemented in cloud environments.
Stay updated on emerging threats and recommend enhancements to network security.

What evidence shows this is happening in your organization?

Network Traffic Control Policy: A policy document outlining the procedures and rules for controlling and monitoring network traffic across all layers. This includes defining acceptable traffic types, implementing permissions, and establishing incident response protocols.
Network Architecture Diagram: A visual representation of the organization’s network architecture, illustrating the separation of network layers, the placement of firewalls, security groups, and other traffic control technologies used to safeguard resources.
VPC Security Best Practices Checklist: A checklist designed for ensuring best practices in managing Virtual Private Clouds. It includes items such as configuring security groups, network access control lists, and proper routing tables to control traffic flow.
Traffic Monitoring Dashboard: A live dashboard used for monitoring real-time network traffic patterns and anomalies. This tool helps in visualizing allowed and disallowed traffic, enabling proactive management of network security.
Incident Response Plan for Network Threats: A comprehensive plan that outlines the steps to be taken in the event of a network security breach. This plan details communication protocols, roles and responsibilities, and post-incident assessment procedures.

Cloud Services

AWS

AWS Network Firewall: AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for your Amazon VPCs. It allows you to control traffic at various layers using firewall rules.
AWS Security Groups: Security groups act as virtual firewalls for your Amazon EC2 instances to control inbound and outbound traffic, ensuring that only legitimate traffic is allowed.
AWS WAF (Web Application Firewall): AWS WAF helps protect web applications by controlling traffic based on defined rules and conditions, enabling you to filter out malicious requests.
Amazon VPC Traffic Mirroring: Traffic mirroring allows you to capture and inspect traffic flowing to and from your network interfaces, providing insight into the traffic patterns for better security analysis.

Azure

Azure Firewall: Azure Firewall is a managed, cloud-based network security service that protects applications and resources through filtering and monitoring traffic using rules.
Azure Network Security Groups (NSGs): NSGs allow you to define security rules that control inbound and outbound traffic to network interfaces and subnets within your Azure virtual networks.
Azure DDoS Protection: Azure DDoS Protection provides enhanced security for your applications by protecting against DDoS attacks, helping to maintain service availability.
Azure Application Gateway Web Application Firewall: Application Gateway WAF provides centralized protection to web applications from common threats and vulnerabilities using rules to control traffic.

Google Cloud Platform

Google Cloud Armor: Google Cloud Armor provides network security by protecting your services from DDoS attacks and other vulnerabilities using security policies.
Google Cloud VPC Firewall Rules: Firewall rules can be defined for various operations in Google Cloud to control the traffic to and from your VPC network, allowing only the specified traffic.
Google Cloud IDS (Intrusion Detection System): Cloud IDS helps detect threats and provide alerts for malicious traffic flowing through your networks, improving overall security monitoring capabilities.
Google Cloud VPC Flow Logs: VPC Flow Logs provide visibility into traffic patterns in your VPC, helping analyze and identify potential network threats or misconfigurations.

Question: How do you protect your network resources?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals