ACM.101 Configuring network and host firewalls on home and business networks to allow SSH to an AWS IP address
This is a continuation of my series on Automating Cybersecurity Metrics.
In the last post, we deployed an EC2 instance configured with an EIP on AWS.
If you’ve done that, now you can also restrict SSH from your local network to your EIP on AWS and disallow connections to unauthorized IP addresses and disallow unauthorized hosts on your local network from using SSH. I’m going to demonstrate this with PFSense but whatever network firewall you use should have similar options.
You can install the free open source PFSense software on your own hardware or buy a pre-installed appliance from Netgate. Some of the Netgate appliances have different features you can use such as multiple ports that you can configure with different network rules and VLANS.
In my case, I use different ports on the firewall for different purposes. I’m going to allow the port associated with the network I use for development to access the EIP I just created on port 22.
Create an Alias
The first step I’ll do is create an alias. I can create an alias that points to other things in my network configuration like IP addresses, networks, and domain names. In this case I’m going to create an alias for a group of IP addresses that devices on my developer network can access via SSH.
At the bottom of the list of Aliases click Add.
Copy the EIP in the AWS console.
Add the alias with the appropriate information:
Create a Firewall Rule
Next I’m going to create a rule to my WAN interface allow access for SSH to those IP addresses.
You will see a list of interfaces on your firewall at the top:
Interfaces
If you want to see what those interfaces are mapped to click Interfaces > Assignments. They may be assigned to the ports on your hardware or VLANS depending on how your firewall is configured.
For example, your firewall may have a WAN interface (exposed to the Internet) a LAN interface (your private network) and another interface (possibly called OPT) that you can use for firewall administration. You may also configure your firewall to have separate VLANs so you can segregate your Internet of Insecure Things and guest network (or insecure roommate) network from your development network.
In my case, I have a WAN interface and I’ll need to specify that traffic from my development interface or VLAN can send traffic on port 22 to the Internet. I’ll also need to allow that rule on my development interface.
PFSense also has something call “Floating” which can apply to all your Interfaces. Be careful with that one — especially if you are using VLANs. A misconfiguration can allow an attacker to bypass VLAN controls. But it should be fine for blocking traffic across all interfaces.
Create a rule for SSH from LAN network to EIP Alias on WAN Interface
Click on the WAN interface. Click ^ Add (with the up arrow) to add a rule.
Make sure you do not click the Add button with the down arrow. There’s a default rule that blocks all traffic — make sure you do not delete it! That rule applies after all the rules that allow traffic. If you delete it you’ve essentially allow anything and you wasted money on your firewall. 🙂
Leave the top as the default.
Note that I do not use IPv6 not because I can’t or it’s insecure but because it’s just more complexity than I need. I am not running out of IP addresses and that would be the only reason to use IPv6 on a local network. It can be misconfigured and attackers do use it in attacks because people configure networks with IPv6 and don’t know what they are doing.I just saw a post on LinkedIn where the only way a penetration tester was able to get into a client’s network was through an IPv6 misconfiguration. If you don’t need and and haven’t researched all possible attacks in great detail, you are probably just creating a security risk rather than adding any value to your network by enabling it.Some vendors have started requiring it to be enabled on operating systems but things should still work just fine without it. Also note that my guidance will change if the day comes where IPv4 has some massive security flaw and or is no longer feasible. In that case, I would recommend only using IPv6 and turn off IPv4 to reduce the complexity of what you need to manage.
SSH uses the TCP protocol. Do not add protocols you don’t need. As you can see we are allowing this traffic on the WAN interface.
Scroll down. Choose a source. For the source you can allow a singe IP address on your local network, or traffic from one of your network interfaces among other options. Let’s say you wanted any host on your LAN (local area network) interface to be able to reach your EIP. Choose LAN net.
Expand advanced. Our source IP will be connecting TO port 22. The return traffic to the source host will be ephemeral ports as I explained in a prior post. Allow traffic back to the source on ephemeral ports.
For the destination, choose single host or alias.
Start typing the name of your alias and then you can select it.
For the destination port range we can choose SSH from a list.
When you choose SSH PFSense populates the ports for you.
You could also choose (other) and enter 22 yourself.
Make sure to enable logging. Enter a description that will show up in the logs. You will probably want to add -WAN to the end of the description so you know the traffic is coming from the WAN interface when you look at your logs.
Click on advanced to see some of the other options.
This is where we are getting into some of the details in the packet headers and protocols I’ve been telling you about in other posts. For example, we could get granular about which TCP protocol flags to allow if we wanted. We’re not going to do that here.
Click Save:
Click Apply Changes:
Create a rule for SSH from LAN network to EIP Alias on LAN Interface
Now click the two boxes on the right to copy the WAN interface rule so we can copy it to the LAN interface.
Now in the copied rule change the interface to the private interface from which you will be initiating the traffic (such as LAN if your network cable from your WiFi device or your laptop is plugged into that port.) Change the log description to say -LAN instead of -WAN.
Save and apply the copied rule.
Now make sure your EC2 instance is started and try to connect to it using the methods in our prior post.
If you are only using a network-based firewall and not using a host-based firewall, that should work. Make sure your EC2 instance is started and you are using the AWS networking we deployed in prior posts that allow your specific IP address to connect to your developer VM.
View your firewall logs
By the way, if you want to see all the traffic scanning your network from the minute you connect your router or firewall too it, check the logs. On PFSense click the box with lines highlighted below for your WAN interface.
In my case, I have weeded out a lot of noise so I can’t really show you all the rogue traffic unless I go change my firewall logs but by default you will see traffic from all over the place scanning your network and looking for security vulnerabilities.
Even firewalls have vulnerabilities at times. Search for the name of your firewall or mode in Google along with “vulnerability” or “breach” or “malware” to see if you can find examples where attackers have broken into the particular type of device you own. Make sure your firewalls and routers are kept up to date with the latest firmware and software patches.
Host-Based Firewalls
I’m also using a host-based firewall on my Mac called Little Snitch. It pops up and alerts me when anything connects so I can allow or deny it. (You can configure it to not display ever alert. I’m just a network geek and like to see all my connections and especially new ones.)
If you’re using Linux you can use the IPTables firewall.
Windows has its own firewall built into the operating system.
Apparently Chromebooks have a firewall as well.
Why do I use a host-based firewall and a network-based firewall? Let’s say some malware gets onto my local machine and is able to bypass or even turn off my local firewall. Then my network firewall may catch it.
Alternatively if my network based firewall is misconfigured or compromised, hopefully my localhost firewall will catch it. I even wrote about how you could use multiple firewalls with different capabilities and for additional traffic inspection to make sure each device is properly doing its job in this post: Watching the Network Watchers.
The first time I connect to this IP I get a warning. I can choose to allow it once, all the time, or until I logout or restart.
Once I allow the traffic, I can connect to my EC2 instance associated with that IP address.
Success. Next I’ll show you how you can restrict access to GitHub from your AWS EC2 instance with the associated EIP.
Follow for updates.
Teri Radichel
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Requests services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
All the posts in this series:
____________________________________________
Author:
Cybersecurity for Executives in the Age of Cloud on Amazon
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts
