Malware Protection & Intrusion Prevention using AWS Network Firewall
📌 Project Overview
This project demonstrates the implementation of perimeter-level threat prevention using AWS Network Firewall within an Amazon VPC environment. The primary objective was to detect and block malicious outbound traffic before potentially harmful content could reach internal systems.
The implementation focused on configuring a stateful intrusion prevention workflow using Suricata-compatible inspection rules. Custom rules were created to identify and block HTTP requests associated with simulated malware payloads, helping prevent unauthorized or unsafe downloads from external sources.
🛠️ Tech Stack & AWS Services
- Network Security: AWS Network Firewall, Amazon VPC.
- Compute & Orchestration: Amazon EC2, AWS Systems Manager (Session Manager).
- Security Concepts: Intrusion Prevention System (IPS), Stateful vs Stateless Filtering, Deep Packet Inspection (DPI), Suricata Rule Syntax, Malware Traffic Mitigation, HTTP Traffic Inspection.
🏢 Scenario
A company experienced incidents where employees unintentionally downloaded malicious files from unsafe websites. The objective was to strengthen network perimeter security by preventing access to known malicious resources at the VPC level rather than relying solely on endpoint-based protection.
As part of the solution, AWS Network Firewall was configured to inspect outbound HTTP traffic and block requests matching predefined malicious URI patterns.
🚀 Implementation
1. Threat Simulation & Initial Validation
- Accessed an isolated EC2 instance securely through AWS Systems Manager Session Manager.
- Simulated user activity by attempting to download mock malware files using:

```shell
wget http://malware.wicar.org/data/js_crypto_miner.html
```

- Verified that the initial environment allowed unrestricted access to the malicious resources, confirmed by successful HTTP 200 OK responses.
2. AWS Network Firewall Policy Configuration
- Reviewed the existing firewall policy configuration.
- Updated stateless rule handling to forward traffic to the stateful inspection engine.
- Enabled deeper inspection of network traffic using stateful rule evaluation.
3. Stateful Suricata Rule Configuration
- Created a dedicated stateful rule group for traffic inspection.
- Implemented custom Suricata-compatible rules to block requests targeting known malicious payload paths.
Example rule:

```
drop http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE custom solution"; flow:to_server,established; classtype:trojan-activity; sid:2002001; content:"/data/js_crypto_miner.html"; http_uri; rev:1;)
```
- Attached the stateful rule group to the active AWS Network Firewall policy.
- Configured the firewall to actively drop matching HTTP requests.
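The rule-group build and policy change from steps 2 and 3, as an added example written for this page (not the project's own code). The URI path, the sid 2002001 and the rule shape are taken from the page; the rule-group and policy names, the base sid used for any additional paths, and the AWS region are assumptions. Only `apply_to_aws()` talks to AWS (boto3 and credentials required); the builders and pre-flight checks run offline.

```python
"""Build the Suricata drop rules and the policy change described in steps 2 and 3.

Added example, not the project's own code. URI path, sid and rule shape come from
the page; rule-group/policy names, base sid for extra paths and region are assumptions.
"""
import re

# Constructed list of URI paths to block; the first entry is the page's example.
BLOCKED_URI_PATHS = ["/data/js_crypto_miner.html"]


def escape_content(value: str) -> str:
    """Escape the characters Suricata requires escaping inside content:"...";.
    '|' is rejected because it opens a hex sequence and would change the match."""
    if "|" in value:
        raise ValueError("'|' must be hex-encoded in a Suricata content match")
    return value.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def build_drop_rule(uri_path: str, sid: int, rev: int = 1) -> str:
    """One stateful rule in the page's shape: drop an established client->server
    HTTP request whose normalized URI contains uri_path."""
    if not uri_path.startswith("/"):
        raise ValueError("URI path must start with '/'")
    return (
        "drop http $HOME_NET any -> $EXTERNAL_NET 80 ("
        'msg:"MALWARE custom solution"; '
        "flow:to_server,established; "
        "classtype:trojan-activity; "
        f"sid:{sid}; "
        f'content:"{escape_content(uri_path)}"; http_uri; '
        f"rev:{rev};)"
    )


def build_rule_group_rules(uri_paths, base_sid: int = 2002001) -> str:
    """Rules string for the rule group: one rule per path, sids sequential from base_sid."""
    return "\n".join(build_drop_rule(p, base_sid + i) for i, p in enumerate(uri_paths))


SID_RE = re.compile(r"\bsid:(\d+);")


def validate_rules(rules_text: str) -> list:
    """Cheap pre-flight checks before calling the API; returns the sids found.
    Raises if a rule is not a drop, does not inspect the URI buffer, or reuses a sid."""
    sids = []
    for line in rules_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith("drop http "):
            raise ValueError(f"not a drop rule: {line[:40]}")
        if "http_uri;" not in line:
            raise ValueError("rule does not inspect the HTTP URI buffer")
        match = SID_RE.search(line)
        if match is None:
            raise ValueError("rule has no sid")
        sids.append(int(match.group(1)))
    if len(sids) != len(set(sids)):
        raise ValueError("duplicate sid in rule group")
    return sids


def attach_rule_group(policy: dict, rule_group_arn: str) -> dict:
    """Return a copy of an existing FirewallPolicy with the stateless engine forwarding
    all packets and fragments to the stateful engine and the Suricata rule group
    referenced. Without aws:forward_to_sfe the stateful rules are never evaluated."""
    updated = dict(policy)
    updated["StatelessDefaultActions"] = ["aws:forward_to_sfe"]
    updated["StatelessFragmentDefaultActions"] = ["aws:forward_to_sfe"]
    refs = [dict(r) for r in policy.get("StatefulRuleGroupReferences", [])]
    if not any(r.get("ResourceArn") == rule_group_arn for r in refs):
        refs.append({"ResourceArn": rule_group_arn})
    updated["StatefulRuleGroupReferences"] = refs
    return updated


def apply_to_aws(rule_group_name: str, policy_name: str, uri_paths, region: str) -> str:
    """Create the stateful rule group and attach it to the existing policy
    (names are assumptions; requires boto3 and AWS credentials)."""
    import boto3  # imported here so the offline helpers do not need it

    rules_text = build_rule_group_rules(uri_paths)
    validate_rules(rules_text)
    nfw = boto3.client("network-firewall", region_name=region)
    created = nfw.create_rule_group(
        RuleGroupName=rule_group_name, Type="STATEFUL",
        Capacity=max(10, len(uri_paths)),  # each stateful rule consumes one capacity unit
        Rules=rules_text,
    )
    arn = created["RuleGroupResponse"]["RuleGroupArn"]
    current = nfw.describe_firewall_policy(FirewallPolicyName=policy_name)
    nfw.update_firewall_policy(
        UpdateToken=current["UpdateToken"], FirewallPolicyName=policy_name,
        FirewallPolicy=attach_rule_group(current["FirewallPolicy"], arn),
    )
    return arn


if __name__ == "__main__":
    text = build_rule_group_rules(BLOCKED_URI_PATHS)
    print(text)
    print("sids:", validate_rules(text))
```

The policy edit is done as a read-modify-write on the existing policy (describe, change, update with the returned token), which matches the page's sequence of reviewing the policy first, switching the stateless default actions, and then attaching the rule group; `attach_rule_group` is idempotent so re-running it does not add a duplicate reference.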

4. Post-Implementation Validation
- Re-tested the malicious download attempts from the isolated EC2 instance.
- Observed that HTTP requests targeting the blocked URIs no longer completed successfully.
- Confirmed that the AWS Network Firewall was actively dropping matching traffic before the payloads could be downloaded.
- Removed residual test files from the environment after validation.
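The re-test in step 4, as an added example that is not part of the original project: it repeats the download attempts and classifies each outcome. A stateful drop in AWS Network Firewall discards the request silently, so the client never receives a reply; the expected evidence of blocking is a timeout, not an HTTP error, and every attempt needs a bounded wait. The test URL is the one from the page; the timeout value and the fetch-injection hook used for offline checks are assumptions.

```python
"""Re-run the download attempts from step 4 and classify each outcome.

Added example, not the project's own code. Test URL is the page's; the timeout
and the injectable fetch function are assumptions.
"""
import socket
import urllib.error
import urllib.request

TEST_URLS = ["http://malware.wicar.org/data/js_crypto_miner.html"]  # from the page
TIMEOUT_SECONDS = 10  # assumption: long enough for a normal reply, short enough to notice a drop


def http_fetch(url: str, timeout: float = TIMEOUT_SECONDS) -> int:
    """Real fetch (needs network): returns the HTTP status, raises on timeout or errors."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


def classify_attempt(url: str, fetch=http_fetch) -> str:
    """BLOCKED: no reply within the timeout (consistent with a Network Firewall drop).
    ALLOWED*: the server answered, so the rule did not match or the firewall is not in the path.
    ERROR: DNS failure, refused connection etc.; not evidence that the firewall blocked."""
    try:
        status = fetch(url)
    except (socket.timeout, TimeoutError):
        return "BLOCKED"  # read timeout: the request was sent, the reply never arrived
    except urllib.error.HTTPError as exc:
        return f"ALLOWED_HTTP_{exc.code}"  # a 4xx/5xx is still a reply from the server
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return "BLOCKED"  # connect timeout: even the handshake got no answer
        return "ERROR"
    return "ALLOWED" if status == 200 else f"ALLOWED_HTTP_{status}"


def run_validation(urls, fetch=http_fetch) -> dict:
    """Map each test URL to its classification."""
    return {url: classify_attempt(url, fetch) for url in urls}


def all_blocked(results: dict) -> bool:
    """True only if every test URL timed out. Any ALLOWED or ERROR result means the control
    is not proven and needs a look (stateless forwarding, rule-group attachment, $HOME_NET)."""
    return bool(results) and all(r == "BLOCKED" for r in results.values())


if __name__ == "__main__":
    outcome = run_validation(TEST_URLS)
    for url, result in outcome.items():
        print(f"{result:<18} {url}")
    print("control verified" if all_blocked(outcome) else "control NOT verified")
```

Treating a refused connection or DNS failure as ERROR rather than BLOCKED matters: those outcomes come from the network or the server, not from the firewall, and counting them as a pass would hide a mis-attached rule group. AWS Network Firewall can also emit alert logs for dropped flows, which gives a firewall-side confirmation to pair with this client-side check.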
🎯 Key Takeaways
- Implemented centralized network-layer threat prevention using AWS Network Firewall.
- Gained practical experience configuring stateful traffic inspection and firewall policies within Amazon VPC.
- Developed and applied custom Suricata rules for HTTP traffic filtering based on URI signatures.
- Demonstrated the operational difference between stateless packet forwarding and stateful deep packet inspection.
- Validated how network-level controls can reduce exposure to malicious outbound traffic before it reaches endpoint devices.