mrpackethead · January 11, 2023 13:41
diff --git a/firewallpolicy.ts b/firewallpolicy.ts
 import * as cdk from 'aws-cdk-lib';
 import {
  aws_networkfirewall as firewall,
 }
  from 'aws-cdk-lib';
 import * as constructs from 'constructs';


 export interface FirewallRulesProps {
  cloudwanCidr: string;
 }


 export class FirewallRules extends constructs.Construct {

  readonly firewallPolicy: firewall.CfnFirewallPolicy;

  constructor(scope: constructs.Construct, id: string, props: FirewallRulesProps) {
    super(scope, id);

    /*
    * Stateless firewall rules
    * Allow ICMP both directions
    */
    const fwStatefulAllowRuleGroup = new firewall.CfnRuleGroup(this, 'fwAllowStatelessRuleGroup', {
      capacity: 10,
      ruleGroupName: 'AllowStateless',
      type: 'STATELESS',
      ruleGroup: {
        rulesSource: {
          statelessRulesAndCustomActions: {
            statelessRules: [
              {
                priority: 1,
                ruleDefinition: {
                  actions: ['aws:pass'],
                  matchAttributes: {
                    protocols: [1], // Protocol 1 is ICMP
                    sources: [{
                      addressDefinition: '0.0.0.0/0',
                    }],
                    destinations: [{
                      addressDefinition: '0.0.0.0/0',
                    }],
                  },
                },
              },
            ],
          },
        },
      },
    });

    /*
      * Statefull firewall rules
      * Allow HTTP/HTTPS anywhere from organisation network
      */
    const fwAllowRuleGroup = new firewall.CfnRuleGroup(this, 'fwAllowRuleGroup', {
      capacity: 10,
      ruleGroupName: 'AllowRules',
      type: 'STATEFUL',
      description: 'Allow traffic to Internet',
      ruleGroup: {
        rulesSource: {
          statefulRules: [
            {
              action: 'PASS',
              header: {
                destination: 'ANY',
                destinationPort: '80',
                source: props.cloudwanCidr,
                sourcePort: 'ANY',
                protocol: 'TCP',
                direction: 'FORWARD',
              },
              ruleOptions: [{
                keyword: 'sid:1',
              }],
            },
            {
              action: 'PASS',
              header: {
                destination: 'ANY',
                destinationPort: '443',
                source: props.cloudwanCidr,
                sourcePort: 'ANY',
                protocol: 'TCP',
                direction: 'FORWARD',
              },
              ruleOptions: [{
                keyword: 'sid:2',
              }],
            },
          ],
        },
      },
    });


    /*
      * Deny rule group
      * Drop all traffic that is not explicitly defined in allow rule groups
      */

    const fwDenyRuleGroup = new firewall.CfnRuleGroup(this, 'fwDenyRuleGroup', {
      capacity: 10,
      ruleGroupName: 'DenyAll',
      type: 'STATEFUL',
      description: 'Deny all other traffic',
      ruleGroup: {
        rulesSource: {
          statefulRules: [
            {
              action: 'DROP',
              header: {
                destination: 'ANY',
                destinationPort: 'ANY',
                source: 'ANY',
                sourcePort: 'ANY',
                protocol: 'IP',
                direction: 'FORWARD',
              },
              ruleOptions: [{
                keyword: 'sid:100',
              }],
            },
          ],
        },
      },
    });


    const managedStatefulGroups: string[] = [
      'AbusedLegitMalwareDomainsActionOrder',
      /**
       * Contains rules that allow you to block requests to a class of domains which are generally legitimate
       * but are compromised and may host malware. This can help reduce the risk of receiving malware
       * or viruses originating from these sources with poor reputation.
       */

      'AbusedLegitBotNetCommandAndControlDomainsActionOrder',
      /**
       * Contains rules that allow you to block requests to a class of domains which are generally legitimate
       * but are compromised and may host botnets. This can help reduce the risk of resources accessing botnets
       * originating from these sources with poor reputation.
       */

      'MalwareDomainsActionOrder',
      /**
       * Contains rules that allow you to block requests to domains that are known for hosting malware.
       * This can help reduce the risk of receiving malware or viruses originating from these known sources
       */

      'BotNetCommandAndControlDomainsActionOrder',
      /**
       * Contains rules that allow you to block requests to domains that are known for hosting botnets.
       * This can help reduce the risk of resources accessing botnets originating from these known sources
       */

      'ThreatSignaturesBotnetActionOrder',
      /**
       * Signatures that are autogenerated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts.
       */

      'ThreatSignaturesBotnetWebActionOrder',
      /**
       * Signatures that detect http botnets.
       */

      'ThreatSignaturesBotnetWindowsActionOrder',
      /**
       * Signatures that detect Windows botnets
       */

      'ThreatSignaturesDoSActionOrder',
      /**
       * Signatures that detect Denial of Service attempts
       */

      'ThreatSignaturesEmergingEventsActionOrder',
      /**
       * Signatures with rules developed in response to active and short-lived campaigns and other temporary, high-profile events.
      */

      'ThreatSignaturesExploitsActionOrder',
      /**
       * Signatures related to attacks and vulnerabilities regarding exploits, ActiveX, FTP, ICMP, NetBIOS, RPC, ShellCode,
       *  SNMP, SQL, Telnet, TFTP, and VoIP.
       */

      'ThreatSignaturesFUPActionOrder',
      /**
       * Signatures to detect gaming traffic, potentially inappropriate websites, and P2P traffic as well as signatures that may indicate
       * violations to an organizations policy
       */

      'ThreatSignaturesIOCActionOrder',
      /**
       * Signatures to detect activity related to Exploit Kits, their infrastructure, and delivery
       */

      'ThreatSignaturesMalwareActionOrder',
      /**
       * Signatures that detect malware (tcp, udp, smtp, icmp, smb, ip) and worm *
       */

      'ThreatSignaturesMalwareCoinminingActionOrder',
      /**
       * Signatures with rules that detect malware which performs coin mining
       */

      //'//ThreatSignaturesMalwareMobileActionOrder',
      /**
       * Signatures that detect mobile malware
       */
      'ThreatSignaturesMalwareWebActionOrder',
      /**
       * Signatures to detect malicious code in HTTP and TLS protocols
       */
      //'ThreatSignaturesPhishingActionOrder',    //4200
      /**
       * ThreatSignaturesPhishingActionOrder
       */
      'ThreatSignaturesScannersActionOrder',
      /**
       * Signatures to detect reconnaissance and probing from scanning tools
       */
      'ThreatSignaturesSuspectActionOrder',
      /** Signatures to fingerprint malicious SSL certificates using JA3 hashes, identify traffic
       *  related to chat clients, and detect suspicious and anomalous user agents.
       */
      'ThreatSignaturesWebAttacksActionOrder',
      /**
       * Signatures to detect attacks and vulnerabilities related to web clients, web servers, and web applications
       */
    ];

    const statefulRefs = [
      { resourceArn: fwAllowRuleGroup.attrRuleGroupArn },
      { resourceArn: fwDenyRuleGroup.attrRuleGroupArn },
    ];

    managedStatefulGroups.forEach((group) => {
      statefulRefs.push(
        {
          resourceArn: `arn:aws:network-firewall:${cdk.Aws.REGION}:aws-managed:stateful-rulegroup/${group}`,
        },
      );
    });


    // Firewall policy to enable stateless and statefull rule groups
    this.firewallPolicy = new firewall.CfnFirewallPolicy(this, 'FWPolicy', {
      firewallPolicy: {
        statelessDefaultActions: ['aws:forward_to_sfe'],
        statelessFragmentDefaultActions: ['aws:forward_to_sfe'],
        statelessRuleGroupReferences: [
          { resourceArn: fwStatefulAllowRuleGroup.attrRuleGroupArn, priority: 1 },
        ],
        statefulRuleGroupReferences: statefulRefs,
      },
      firewallPolicyName: 'FirewallPolicy',
    });

  }
 }
	import * as cdk from 'aws-cdk-lib';
	import {
	aws_networkfirewall as firewall,
	}
	from 'aws-cdk-lib';
	import * as constructs from 'constructs';


	export interface FirewallRulesProps {
	cloudwanCidr: string;
	}


	export class FirewallRules extends constructs.Construct {

	readonly firewallPolicy: firewall.CfnFirewallPolicy;

	constructor(scope: constructs.Construct, id: string, props: FirewallRulesProps) {
	super(scope, id);

	/*
	* Stateless firewall rules
	* Allow ICMP both directions
	*/
	const fwStatefulAllowRuleGroup = new firewall.CfnRuleGroup(this, 'fwAllowStatelessRuleGroup', {
	capacity: 10,
	ruleGroupName: 'AllowStateless',
	type: 'STATELESS',
	ruleGroup: {
	rulesSource: {
	statelessRulesAndCustomActions: {
	statelessRules: [
	{
	priority: 1,
	ruleDefinition: {
	actions: ['aws:pass'],
	matchAttributes: {
	protocols: [1], // Protocol 1 is ICMP
	sources: [{
	addressDefinition: '0.0.0.0/0',
	}],
	destinations: [{
	addressDefinition: '0.0.0.0/0',
	}],
	},
	},
	},
	],
	},
	},
	},
	});

	/*
	* Statefull firewall rules
	* Allow HTTP/HTTPS anywhere from organisation network
	*/
	const fwAllowRuleGroup = new firewall.CfnRuleGroup(this, 'fwAllowRuleGroup', {
	capacity: 10,
	ruleGroupName: 'AllowRules',
	type: 'STATEFUL',
	description: 'Allow traffic to Internet',
	ruleGroup: {
	rulesSource: {
	statefulRules: [
	{
	action: 'PASS',
	header: {
	destination: 'ANY',
	destinationPort: '80',
	source: props.cloudwanCidr,
	sourcePort: 'ANY',
	protocol: 'TCP',
	direction: 'FORWARD',
	},
	ruleOptions: [{
	keyword: 'sid:1',
	}],
	},
	{
	action: 'PASS',
	header: {
	destination: 'ANY',
	destinationPort: '443',
	source: props.cloudwanCidr,
	sourcePort: 'ANY',
	protocol: 'TCP',
	direction: 'FORWARD',
	},
	ruleOptions: [{
	keyword: 'sid:2',
	}],
	},
	],
	},
	},
	});


	/*
	* Deny rule group
	* Drop all traffic that is not explicitly defined in allow rule groups
	*/

	const fwDenyRuleGroup = new firewall.CfnRuleGroup(this, 'fwDenyRuleGroup', {
	capacity: 10,
	ruleGroupName: 'DenyAll',
	type: 'STATEFUL',
	description: 'Deny all other traffic',
	ruleGroup: {
	rulesSource: {
	statefulRules: [
	{
	action: 'DROP',
	header: {
	destination: 'ANY',
	destinationPort: 'ANY',
	source: 'ANY',
	sourcePort: 'ANY',
	protocol: 'IP',
	direction: 'FORWARD',
	},
	ruleOptions: [{
	keyword: 'sid:100',
	}],
	},
	],
	},
	},
	});


	const managedStatefulGroups: string[] = [
	'AbusedLegitMalwareDomainsActionOrder',
	/**
	* Contains rules that allow you to block requests to a class of domains which are generally legitimate
	* but are compromised and may host malware. This can help reduce the risk of receiving malware
	* or viruses originating from these sources with poor reputation.
	*/

	'AbusedLegitBotNetCommandAndControlDomainsActionOrder',
	/**
	* Contains rules that allow you to block requests to a class of domains which are generally legitimate
	* but are compromised and may host botnets. This can help reduce the risk of resources accessing botnets
	* originating from these sources with poor reputation.
	*/

	'MalwareDomainsActionOrder',
	/**
	* Contains rules that allow you to block requests to domains that are known for hosting malware.
	* This can help reduce the risk of receiving malware or viruses originating from these known sources
	*/

	'BotNetCommandAndControlDomainsActionOrder',
	/**
	* Contains rules that allow you to block requests to domains that are known for hosting botnets.
	* This can help reduce the risk of resources accessing botnets originating from these known sources
	*/

	'ThreatSignaturesBotnetActionOrder',
	/**
	* Signatures that are autogenerated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts.
	*/

	'ThreatSignaturesBotnetWebActionOrder',
	/**
	* Signatures that detect http botnets.
	*/

	'ThreatSignaturesBotnetWindowsActionOrder',
	/**
	* Signatures that detect Windows botnets
	*/

	'ThreatSignaturesDoSActionOrder',
	/**
	* Signatures that detect Denial of Service attempts
	*/

	'ThreatSignaturesEmergingEventsActionOrder',
	/**
	* Signatures with rules developed in response to active and short-lived campaigns and other temporary, high-profile events.
	*/

	'ThreatSignaturesExploitsActionOrder',
	/**
	* Signatures related to attacks and vulnerabilities regarding exploits, ActiveX, FTP, ICMP, NetBIOS, RPC, ShellCode,
	* SNMP, SQL, Telnet, TFTP, and VoIP.
	*/

	'ThreatSignaturesFUPActionOrder',
	/**
	* Signatures to detect gaming traffic, potentially inappropriate websites, and P2P traffic as well as signatures that may indicate
	* violations to an organizations policy
	*/

	'ThreatSignaturesIOCActionOrder',
	/**
	* Signatures to detect activity related to Exploit Kits, their infrastructure, and delivery
	*/

	'ThreatSignaturesMalwareActionOrder',
	/**
	* Signatures that detect malware (tcp, udp, smtp, icmp, smb, ip) and worm *
	*/

	'ThreatSignaturesMalwareCoinminingActionOrder',
	/**
	* Signatures with rules that detect malware which performs coin mining
	*/

	//'//ThreatSignaturesMalwareMobileActionOrder',
	/**
	* Signatures that detect mobile malware
	*/
	'ThreatSignaturesMalwareWebActionOrder',
	/**
	* Signatures to detect malicious code in HTTP and TLS protocols
	*/
	//'ThreatSignaturesPhishingActionOrder', //4200
	/**
	* ThreatSignaturesPhishingActionOrder
	*/
	'ThreatSignaturesScannersActionOrder',
	/**
	* Signatures to detect reconnaissance and probing from scanning tools
	*/
	'ThreatSignaturesSuspectActionOrder',
	/** Signatures to fingerprint malicious SSL certificates using JA3 hashes, identify traffic
	* related to chat clients, and detect suspicious and anomalous user agents.
	*/
	'ThreatSignaturesWebAttacksActionOrder',
	/**
	* Signatures to detect attacks and vulnerabilities related to web clients, web servers, and web applications
	*/
	];

	const statefulRefs = [
	{ resourceArn: fwAllowRuleGroup.attrRuleGroupArn },
	{ resourceArn: fwDenyRuleGroup.attrRuleGroupArn },
	];

	managedStatefulGroups.forEach((group) => {
	statefulRefs.push(
	{
	resourceArn: `arn:aws:network-firewall:${cdk.Aws.REGION}:aws-managed:stateful-rulegroup/${group}`,
	},
	);
	});


	// Firewall policy to enable stateless and statefull rule groups
	this.firewallPolicy = new firewall.CfnFirewallPolicy(this, 'FWPolicy', {
	firewallPolicy: {
	statelessDefaultActions: ['aws:forward_to_sfe'],
	statelessFragmentDefaultActions: ['aws:forward_to_sfe'],
	statelessRuleGroupReferences: [
	{ resourceArn: fwStatefulAllowRuleGroup.attrRuleGroupArn, priority: 1 },
	],
	statefulRuleGroupReferences: statefulRefs,
	},
	firewallPolicyName: 'FirewallPolicy',
	});

	}
	}