SEC05-BP03: Implement inspection-based protection
Inspect and filter your traffic at each layer. For example, a web application firewall can help protect against malicious web requests. You can use inspection to identify attacks, malware, and other threats, and to take action to stop them. You can also use inspection to identify and block unwanted traffic, such as traffic from known bad IP addresses or traffic that doesn't match your expected patterns.
Implementation guidance
Inspection-based protection involves analyzing network traffic, application requests, and system behavior to identify and block malicious activities. By implementing comprehensive inspection at multiple layers, you can detect sophisticated attacks that might bypass traditional security controls.
Key steps for implementing this best practice:
- Implement deep packet inspection:
- Deploy network firewalls with deep packet inspection capabilities
- Configure stateful inspection rules for traffic analysis
- Implement protocol-specific inspection for common services
- Use signature-based detection for known attack patterns
- Enable behavioral analysis for anomaly detection
- Configure web application firewalls:
- Deploy AWS WAF for web application protection
- Configure managed rule sets for common attack patterns
- Implement custom rules for application-specific threats
- Enable rate limiting and geo-blocking capabilities
- Configure bot detection and mitigation
- Implement intrusion detection and prevention:
- Deploy network-based intrusion detection systems (NIDS)
- Configure host-based intrusion detection systems (HIDS)
- Implement real-time threat detection and alerting
- Configure automated response to detected threats
- Integrate with threat intelligence feeds
- Enable SSL/TLS inspection:
- Implement SSL/TLS decryption for encrypted traffic analysis
- Configure certificate management for inspection proxies
- Balance security inspection with privacy requirements
- Implement selective decryption based on risk assessment
- Ensure compliance with regulatory requirements
- Deploy malware detection:
- Implement file scanning and malware detection
- Configure sandboxing for suspicious file analysis
- Enable real-time malware signature updates
- Implement behavioral analysis for zero-day threats
- Configure quarantine and remediation procedures
- Monitor and analyze inspection data:
- Centralize inspection logs and alerts
- Implement correlation and analysis of inspection data
- Configure dashboards for security visibility
- Set up automated alerting for critical threats
- Conduct regular analysis of inspection effectiveness
Implementation examples
Example 1: AWS Network Firewall with deep packet inspection
python import boto3 import json
def create_advanced_waf_configuration(): “"”Create advanced AWS WAF configuration with comprehensive inspection”””
wafv2 = boto3.client('wafv2')
# Create regex pattern set for SQL injection detection
sql_injection_patterns = wafv2.create_regex_pattern_set(
Name='SQLInjectionPatterns',
Scope='REGIONAL',
Description='Regex patterns for SQL injection detection',
RegularExpressionList=[
{'RegexString': r'(\%27)|(\')|(\-\-)|(\%23)|(#)'},
{'RegexString': r'((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))'},
{'RegexString': r'\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))'},
{'RegexString': r'((\%27)|(\'))union'},
{'RegexString': r'exec(\s|\+)+(s|x)p\w+'}
],
Tags=[
{
'Key': 'Name',
'Value': 'SQL-Injection-Patterns'
}
]
)
# Create IP set for known malicious IPs
malicious_ip_set = wafv2.create_ip_set(
Name='MaliciousIPSet',
Scope='REGIONAL',
IPAddressVersion='IPV4',
Addresses=[
'192.0.2.0/24',
'203.0.113.0/24',
'198.51.100.44/32'
],
Description='Known malicious IP addresses',
Tags=[
{
'Key': 'Name',
'Value': 'Malicious-IP-Set'
}
]
)
# Create comprehensive Web ACL with inspection rules
web_acl_rules = [
{
'Name': 'BlockMaliciousIPs',
'Priority': 1,
'Action': {'Block': {}},
'Statement': {
'IPSetReferenceStatement': {
'ARN': malicious_ip_set['Summary']['ARN']
}
},
'VisibilityConfig': {
'SampledRequestsEnabled': True,
'CloudWatchMetricsEnabled': True,
'MetricName': 'BlockMaliciousIPs'
}
},
{
'Name': 'SQLInjectionProtection',
'Priority': 2,
'Action': {'Block': {}},
'Statement': {
'OrStatement': {
'Statements': [
{
'RegexPatternSetReferenceStatement': {
'ARN': sql_injection_patterns['Summary']['ARN'],
'FieldToMatch': {
'Body': {}
},
'TextTransformations': [
{
'Priority': 1,
'Type': 'URL_DECODE'
},
{
'Priority': 2,
'Type': 'HTML_ENTITY_DECODE'
}
]
}
},
{
'RegexPatternSetReferenceStatement': {
'ARN': sql_injection_patterns['Summary']['ARN'],
'FieldToMatch': {
'UriPath': {}
},
'TextTransformations': [
{
'Priority': 1,
'Type': 'URL_DECODE'
}
]
}
}
]
}
},
'VisibilityConfig': {
'SampledRequestsEnabled': True,
'CloudWatchMetricsEnabled': True,
'MetricName': 'SQLInjectionProtection'
}
},
{
'Name': 'AWSManagedRulesCommonRuleSet',
'Priority': 3,
'OverrideAction': {'None': {}},
'Statement': {
'ManagedRuleGroupStatement': {
'VendorName': 'AWS',
'Name': 'AWSManagedRulesCommonRuleSet',
'ExcludedRules': []
}
},
'VisibilityConfig': {
'SampledRequestsEnabled': True,
'CloudWatchMetricsEnabled': True,
'MetricName': 'CommonRuleSet'
}
},
{
'Name': 'AWSManagedRulesKnownBadInputsRuleSet',
'Priority': 4,
'OverrideAction': {'None': {}},
'Statement': {
'ManagedRuleGroupStatement': {
'VendorName': 'AWS',
'Name': 'AWSManagedRulesKnownBadInputsRuleSet'
}
},
'VisibilityConfig': {
'SampledRequestsEnabled': True,
'CloudWatchMetricsEnabled': True,
'MetricName': 'KnownBadInputs'
}
},
{
'Name': 'RateLimitingRule',
'Priority': 5,
'Action': {'Block': {}},
'Statement': {
'RateBasedStatement': {
'Limit': 2000,
'AggregateKeyType': 'IP',
'ScopeDownStatement': {
'NotStatement': {
'Statement': {
'ByteMatchStatement': {
'SearchString': 'healthcheck',
'FieldToMatch': {
'UriPath': {}
},
'TextTransformations': [
{
'Priority': 1,
'Type': 'LOWERCASE'
}
],
'PositionalConstraint': 'CONTAINS'
}
}
}
}
}
},
'VisibilityConfig': {
'SampledRequestsEnabled': True,
'CloudWatchMetricsEnabled': True,
'MetricName': 'RateLimiting'
}
}
]
try:
web_acl_response = wafv2.create_web_acl(
Name='AdvancedInspectionWebACL',
Scope='REGIONAL',
DefaultAction={'Allow': {}},
Rules=web_acl_rules,
Description='Advanced WAF with comprehensive inspection capabilities',
Tags=[
{
'Key': 'Name',
'Value': 'Advanced-Inspection-WebACL'
}
],
VisibilityConfig={
'SampledRequestsEnabled': True,
'CloudWatchMetricsEnabled': True,
'MetricName': 'AdvancedInspectionWebACL'
}
)
return web_acl_response['Summary']['ARN']
except Exception as e:
print(f"Error creating advanced WAF configuration: {str(e)}")
return None
Example 3: VPC Traffic Mirroring for inspection
Example 4: GuardDuty malware detection integration
AWS services to consider
Benefits of implementing inspection-based protection
- Advanced threat detection: Identifies sophisticated attacks that bypass traditional security controls
- Real-time protection: Provides immediate response to detected threats and malicious activities
- Comprehensive coverage: Inspects traffic at multiple layers for complete protection
- Behavioral analysis: Detects zero-day threats and unknown attack patterns
- Compliance support: Helps meet regulatory requirements for traffic inspection and monitoring
- Reduced false positives: Advanced inspection techniques provide more accurate threat detection
- Automated response: Enables immediate action against detected threats without manual intervention