Aws Security

The document outlines the process of system hardening, which enhances security by reducing vulnerabilities through various measures such as disabling unnecessary services, implementing user access controls, and regular patch management. It also discusses network hardening techniques and the use of tools like Amazon Inspector and AWS Network Firewall for monitoring, filtering, and securing network traffic. The combination of stateful and stateless rules in AWS Network Firewall allows for efficient traffic management while maintaining robust security measures.

Uploaded by Abdulhay Allooh

System Hardening

▪ Process of enhancing security by reducing vulnerabilities in a system, network, or application
▪ Involves configuring systems to minimize the potential attack surface

Key Steps – System Hardening

Disabling Unnecessary Services and Ports
Close unused ports and disable unnecessary services to limit access points for attackers.

User Access Controls
Implement strict user permissions, enforce strong passwords, and use multi-factor authentication to prevent unauthorized access.

Patch Management
Regularly update the operating system, applications, and firmware with security patches to address known vulnerabilities.

Firewall Configuration
Configure firewalls to filter inbound and outbound traffic, allowing only essential communication.

Logging and Monitoring
Enable logging to track access and changes to the system. Use monitoring tools to detect and respond to suspicious activity.

File and Directory Permissions
Set appropriate permissions to restrict unauthorized access and prevent data tampering.

Intrusion Detection Systems (IDS)
Deploy IDS tools to identify and respond to potential security breaches.

Data Encryption
Encrypt sensitive data at rest and in transit to protect it from unauthorized access.

System hardening aims to create a robust defence-in-depth strategy, reducing the likelihood of successful attacks.
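To make three of the steps above concrete (unnecessary ports, user access controls for remote login, and file permissions), here is an added audit script that is not part of the original slides. Every input is constructed in the script (the listening-socket snapshot, the sshd_config excerpt, and two temporary files with chosen modes) so it runs offline; on a real host you would feed it the output of your socket listing, the real /etc/ssh/sshd_config, and the paths you care about.

```python
"""Added example (not from the original slides): a small hardening audit that
checks unnecessary listening ports, remote root login via SSH, and loose file
permissions against constructed, in-memory inputs."""
import os
import stat
import tempfile

# Constructed allow list: the ports this host is supposed to expose.
ALLOWED_PORTS = {22, 443}

# Constructed snapshot of listening sockets, as (port, process) pairs.
LISTENING = [(22, "sshd"), (443, "nginx"), (23, "telnetd"), (3306, "mysqld")]

# Constructed sshd_config excerpt; a real file uses the same "Key value" lines.
SSHD_CONFIG = """
# Comment lines and blank lines are ignored
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""


def unnecessary_ports(listening, allowed):
    """Return (port, process) pairs that listen but are not on the allow list."""
    return [(port, proc) for port, proc in listening if port not in allowed]


def parse_sshd_config(text):
    """Parse 'Key value' lines into a dict; the first occurrence of a key wins,
    which is how sshd itself resolves duplicate directives."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def sshd_findings(text):
    """Flag settings that weaken remote access. OpenSSH defaults to
    PermitRootLogin prohibit-password and PasswordAuthentication yes, so an
    absent key is treated as that default."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: remote root login is enabled")
    if cfg.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: key-based auth not enforced")
    return findings


def world_writable(paths):
    """Return the paths whose mode grants write access to 'other'."""
    return [p for p in paths if os.stat(p).st_mode & stat.S_IWOTH]


def demo_permissions():
    """Create two constructed files, one sane and one world-writable, and audit them."""
    tmp = tempfile.mkdtemp()
    good = os.path.join(tmp, "app.conf")
    bad = os.path.join(tmp, "secrets.env")
    for path in (good, bad):
        open(path, "w").close()
    os.chmod(good, 0o640)
    os.chmod(bad, 0o666)  # world-writable: any local user could tamper with it
    return [os.path.basename(p) for p in world_writable([good, bad])]


if __name__ == "__main__":
    print("unneeded ports:", unnecessary_ports(LISTENING, ALLOWED_PORTS))
    print("sshd:", sshd_findings(SSHD_CONFIG))
    print("world-writable:", demo_permissions())
```

The checks are deliberately read-only: an audit that reports findings can be run from a maintenance window or CI job without risk, and the remediation (disabling the service, editing sshd_config, chmod) stays a reviewed change.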

Patch Manager

▪ Patch Manager, a capability of AWS Systems Manager, automates the process of patching managed instances with both security-related and other types of updates.
▪ You can use Patch Manager to apply patches for both operating systems and applications.
▪ Patch Manager uses patch baselines, which include rules for auto-approving patches within days of their release, in addition to a list of approved and rejected patches.
▪ You can install patches on a regular basis by scheduling patching to run as a Systems Manager maintenance window task.
▪ You can also install patches individually or to large groups of instances by using Amazon EC2 tags.
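The following added example (not from the slides, and not AWS's own code) models how a patch baseline's three parts interact: an auto-approval rule with a filter group and an ApproveAfterDays delay, an explicit approved list, and an explicit rejected list. The baseline dict uses the parameter names that boto3's `ssm.create_patch_baseline` accepts (Name, OperatingSystem, ApprovalRules, ApprovedPatches, RejectedPatches, RejectedPatchesAction), but no API call is made; the patch metadata and the baseline name are constructed, and the evaluation function is an illustration of the documented behaviour rather than Patch Manager's implementation.

```python
"""Added example (not from the slides or AWS): a model of patch-baseline
approval. Rejected patches always lose, explicitly approved patches always
win, and everything else is auto-approved only when it matches a rule's
filters and has been released for at least ApproveAfterDays."""
from datetime import date

# Baseline definition in the shape of a create_patch_baseline request.
BASELINE = {
    "Name": "example-linux-security-baseline",  # constructed name
    "OperatingSystem": "AMAZON_LINUX_2",
    "ApprovalRules": {
        "PatchRules": [
            {
                "PatchFilterGroup": {
                    "PatchFilters": [
                        {"Key": "CLASSIFICATION", "Values": ["Security"]},
                        {"Key": "SEVERITY", "Values": ["Critical", "Important"]},
                    ]
                },
                "ApproveAfterDays": 7,  # auto-approve one week after release
                "ComplianceLevel": "CRITICAL",
            }
        ]
    },
    "ApprovedPatches": ["kernel-5.10.200"],  # constructed: always allowed
    "RejectedPatches": ["openssl-3.0.99"],   # constructed: never installed
    "RejectedPatchesAction": "BLOCK",
}

# Constructed patch metadata, keyed with the attribute names the filters use.
PATCHES = [
    {"id": "kernel-5.10.200", "CLASSIFICATION": "Bugfix", "SEVERITY": "Low",
     "released": date(2024, 1, 1)},
    {"id": "openssl-3.0.99", "CLASSIFICATION": "Security", "SEVERITY": "Critical",
     "released": date(2024, 1, 1)},
    {"id": "curl-8.5.1", "CLASSIFICATION": "Security", "SEVERITY": "Important",
     "released": date(2024, 1, 10)},
    {"id": "vim-9.1", "CLASSIFICATION": "Enhancement", "SEVERITY": "Low",
     "released": date(2023, 6, 1)},
]


def rule_matches(rule, patch):
    """Every filter in the rule's filter group must match the patch."""
    for flt in rule["PatchFilterGroup"]["PatchFilters"]:
        if patch.get(flt["Key"]) not in flt["Values"]:
            return False
    return True


def is_approved(baseline, patch, today):
    """Rejected list first, then explicit approvals, then auto-approval rules."""
    if patch["id"] in baseline["RejectedPatches"]:
        return False
    if patch["id"] in baseline["ApprovedPatches"]:
        return True
    for rule in baseline["ApprovalRules"]["PatchRules"]:
        age_days = (today - patch["released"]).days
        if rule_matches(rule, patch) and age_days >= rule["ApproveAfterDays"]:
            return True
    return False


def approved_ids(baseline, patches, today):
    """Return the ids of the patches the baseline would approve on 'today'."""
    return [p["id"] for p in patches if is_approved(baseline, p, today)]


if __name__ == "__main__":
    # The curl patch is only five days old on 15 Jan and is held back;
    # by 20 Jan it clears the seven-day delay and joins the approved set.
    print(approved_ids(BASELINE, PATCHES, date(2024, 1, 15)))
    print(approved_ids(BASELINE, PATCHES, date(2024, 1, 20)))
```

The ApproveAfterDays delay is the knob that trades exposure time against the risk of installing a patch before it has been observed in the wild; the rejected list is the emergency brake for a known-bad update, and the approved list is the override for something the filters would otherwise not pick up.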

Network Hardening

Process of securing a network by implementing various measures to protect against unauthorized access, attacks, and vulnerabilities

Common Network Hardening Techniques

Firewall Configuration
Network Segmentation
Access Control
Intrusion Detection and Prevention Systems (IDPS)
Regular Patch Management
Secure Remote Access
Disabled Unused Services and Ports
Encryption
Logging and Monitoring
Wireless Network Security

Network hardening reduces the attack surface, improves threat detection, and strengthens overall network security, making it harder for attackers to exploit weaknesses.


Amazon Inspector

▪ Amazon Inspector: Automated service for assessing AWS app security and compliance.
▪ Function: Scans for exposure, vulnerabilities, and best practice deviations.
▪ Results: Provides prioritized security findings by severity.
▪ EC2 Focus: Checks network accessibility and security state of EC2 instances.
▪ Purpose: Identifies unintended network access and vulnerabilities on EC2.
▪ Review: Findings are viewable directly or via reports on the console/API.
▪ Automation: Enables automated vulnerability checks in development and deployment.
▪ Benefit: Integrates security testing into regular development and operations.

Benefits

▪ Configuration scanning and activity monitoring engine: Amazon Inspector provides an agent that analyzes system and resource configuration.
▪ Built-in content library: Amazon Inspector includes a built-in library of rules and reports.
▪ Automation through an API: Amazon Inspector can be fully automated through an API.

Amazon Inspector Agent

▪ Amazon Inspector also offers predefined software called an agent that you can optionally install in the operating system of the EC2 instances that you want to assess.
▪ The agent monitors the behaviour of the EC2 instances, including network, file system, and process activity. It also collects a wide set of behaviour and configuration data (telemetry).

Rules and Packages

▪ You can use Amazon Inspector to assess your assessment targets (collections of AWS resources) for potential security issues and vulnerabilities.
▪ Amazon Inspector compares the behaviour and the security configuration of the assessment targets to selected security rules packages.
▪ In the context of Amazon Inspector, a rule is a security check that Amazon Inspector performs during the assessment run.
▪ Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions.
▪ Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed.
▪ These rules are regularly updated by AWS security researchers.
▪ An Amazon Inspector assessment can use any combination of the following rules packages: Network Reachability, Common Vulnerabilities and Exposures (CVEs), Center for Internet Security (CIS) Benchmarks, and Security Best Practices for Amazon Inspector.

AWS Network Firewall

AWS Network Firewall is a managed service that provides a way to filter and monitor network traffic at scale. It helps secure your Virtual Private Clouds (VPCs) by enabling you to set up customizable firewall rules for traffic going to and from your workloads.

Managed Service
Fully managed, so no need for infrastructure management; AWS handles updates, scaling, and high availability.

Traffic Control
Allows control over both inbound and outbound traffic at the VPC level. You can set policies to allow, deny, or log specific types of traffic.

Flexible Rules
Supports custom firewall rules including stateless rules (simple allow/deny based on IP, port, or protocol) and stateful rules (more complex inspection and tracking of connection states).

Integration with AWS Services
Easily integrates with AWS CloudWatch, AWS VPC Traffic Mirroring, AWS Transit Gateway, and other networking and monitoring tools for detailed visibility and centralized management.

Threat Intelligence Feeds
AWS Network Firewall can use threat intelligence feeds to block known malicious IP addresses and domains.

Logging and Monitoring
Logs all network traffic and sends logs to Amazon CloudWatch, S3, or Amazon Kinesis for real-time monitoring and analytics.

Scalability
Scales automatically to handle fluctuating traffic loads, making it suitable for high-demand environments.

This service is especially useful in regulated industries or high-security environments, where fine-grained control and visibility over network traffic are critical.


Stateful Rules

▪ Connection Tracking: Stateful rules keep track of the connection's state, allowing the firewall to make decisions based on the context of the connection (e.g., if it's part of an established session).
▪ Granular Control: Can inspect both the initial request and any related responses, providing more detailed control over multi-packet flows.
▪ Advanced Filtering: Supports deeper inspection capabilities, such as matching based on patterns or protocol-specific criteria.
▪ Bidirectional: Automatically manages both directions of a connection. For example, if an outbound request is allowed, the return traffic is also allowed without needing separate rules.
▪ Common Use Cases: Ideal for situations that require complex rule sets or tracking ongoing sessions, like web applications, database connections, and other interactive services.


Stateless Rules

▪ No Connection Tracking: Stateless rules apply only to individual packets, without tracking the session or connection state.
▪ Simple Filtering: Based on simple criteria such as IP address, port, and protocol; does not support advanced inspection or context awareness.
▪ Unidirectional: Rules are applied independently for each direction. If you want to allow a response for an allowed request, you must create a separate rule for the response direction.
▪ High Throughput and Low Latency: Stateless filtering is generally faster and more efficient, making it suitable for high-throughput scenarios.
▪ Common Use Cases: Best for basic traffic control, such as blocking known bad IP addresses or allowing specific ports. Often used as the first line of defence for simple filtering.

Summary

▪ Stateful rules are more resource-intensive but provide detailed, context-aware filtering suitable for complex traffic flows.
▪ Stateless rules are simpler, faster, and are typically used for straightforward allow/deny actions without tracking connection states.

Together, stateful and stateless rules allow AWS Network Firewall to support both high-performance packet filtering and fine-grained security control.

Combining Stateless and Stateful

In AWS Network Firewall, configuring stateless default actions and forwarding packets to stateful rule groups serves to efficiently manage and secure network traffic with a layered approach.

Stateless Rules for Basic Filtering

▪ Stateless rules are faster and less resource-intensive, as they inspect each packet individually without tracking connection state.
▪ This makes them ideal for handling straightforward allow/deny actions on common traffic patterns (e.g., blocking known bad IPs).

Default Actions for Initial Filtering

▪ Stateless default actions apply first, providing a baseline filter that can quickly drop or allow packets.
▪ This helps to eliminate unwanted traffic early, reducing the workload on more complex, resource-intensive stateful rule groups.

Selective Packet Forwarding

▪ By forwarding selected packets from stateless rules to stateful rule groups, only traffic needing deeper inspection is handled by stateful rules.
▪ This optimizes firewall performance by reducing the load on stateful processing.

Multi-Layer Defense

▪ Combining stateless and stateful filtering allows you to set up a layered security approach.
▪ The stateless layer provides a quick filter for common, easily identifiable traffic, while the stateful layer handles traffic that requires a more detailed inspection.

Summary

▪ Stateless default actions: Act as the first filter, quickly allowing or blocking basic traffic.
▪ Forwarding to stateful rule groups: Allows deeper inspection only for specific traffic, balancing security and performance.

This setup maximizes efficiency while still providing robust security through detailed, context-aware filtering on the stateful layer.
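The stateful, stateless and combining sections above describe one evaluation pipeline; the following added simulation (written for this page, not the slides' or AWS's code) runs constructed packets through it so the differences become visible: stateless rules are checked first in priority order and return pass, drop or forward, unmatched packets get the stateless default action, only forwarded packets reach the stateful engine, and the stateful engine keeps a connection table so that the return traffic of an allowed flow passes without a second rule. The rule dicts, packet format, addresses and ports are all constructed; in the service the corresponding stateless actions are named aws:pass, aws:drop and aws:forward_to_sfe, and the stateful engine is Suricata-based rather than the small table-driven model shown here.

```python
"""Added example (not from the slides or AWS): a model of AWS Network
Firewall's layered evaluation. Stateless layer first (priority order, then a
default action); only 'forward' hands the packet to the stateful layer, which
tracks flows so return traffic of an allowed connection is accepted."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# Constructed stateless rules: lowest priority number is evaluated first.
STATELESS_RULES = [
    {"priority": 1, "src": "198.51.100.0/24", "action": "drop"},      # constructed "known bad" range
    {"priority": 5, "proto": "tcp", "dport": 443, "action": "pass"},  # trusted: skip deep inspection
    {"priority": 10, "proto": "tcp", "action": "forward"},            # all other TCP goes to stateful
]
STATELESS_DEFAULT = "drop"  # restrictive default: anything unmatched (e.g. UDP) is dropped

# Constructed stateful rules, evaluated in order for the first packet of a flow.
STATEFUL_RULES = [
    {"proto": "tcp", "src": "10.0.0.0/16", "dport": 5432, "action": "pass"},  # DB only from inside the VPC
    {"proto": "tcp", "dport": 5432, "action": "drop"},                        # DB from anywhere else: drop
]
STATEFUL_DEFAULT = "drop"


def _match(rule, pkt):
    """Every field present in the rule must match the packet (absent = wildcard)."""
    if "src" in rule and ip_address(pkt.src) not in ip_network(rule["src"]):
        return False
    if "dst" in rule and ip_address(pkt.dst) not in ip_network(rule["dst"]):
        return False
    return all(rule[k] == getattr(pkt, k) for k in ("proto", "sport", "dport") if k in rule)


def stateless_decision(pkt):
    """First matching stateless rule wins; otherwise the stateless default action."""
    for rule in sorted(STATELESS_RULES, key=lambda r: r["priority"]):
        if _match(rule, pkt):
            return rule["action"]
    return STATELESS_DEFAULT


class StatefulEngine:
    def __init__(self):
        self.flows = set()  # connection table of allowed flows

    @staticmethod
    def _key(pkt):
        """Normalize the 5-tuple so both directions map to the same flow entry."""
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def decide(self, pkt):
        if self._key(pkt) in self.flows:
            return "pass"  # continuation or return traffic of an allowed flow
        for rule in STATEFUL_RULES:
            if _match(rule, pkt):
                if rule["action"] == "pass":
                    self.flows.add(self._key(pkt))  # remember the flow, both directions
                return rule["action"]
        return STATEFUL_DEFAULT


class Firewall:
    def __init__(self):
        self.stateful = StatefulEngine()

    def process(self, pkt):
        """Return (action, layer_that_decided) for one packet."""
        action = stateless_decision(pkt)
        if action != "forward":
            return action, "stateless"
        return self.stateful.decide(pkt), "stateful"


if __name__ == "__main__":
    fw = Firewall()
    request = Packet("10.0.2.9", "10.0.1.5", "tcp", 40000, 5432)
    reply = Packet("10.0.1.5", "10.0.2.9", "tcp", 5432, 40000)
    print(fw.process(request))  # ('pass', 'stateful'): first packet matched a rule
    print(fw.process(reply))    # ('pass', 'stateful'): return traffic, no extra rule
```

Two things the run makes visible that the bullet points only state: the reply packet matches no stateful rule on its own (its destination port is the client's ephemeral port), so with a fresh engine it would be dropped, and it is the flow table populated by the request that lets it through; and the HTTPS and known-bad packets never cost the stateful engine any work at all, which is the performance argument for putting the cheap layer first.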
