How Deloitte is helping to protect the State of Indiana’s ecosystem using AWS Network Firewall

This blog describes how the State of Indiana’s Family and Social Service Administration embarked on a successful, transformative modernization journey, powered by the implementation of the AWS Network Firewall service.

Hemant Ahire
Amazon Employee
Published Jul 25, 2024
The State of Indiana’s Family and Social Service Administration (FSSA) is on a transformative initiative to modernize its applications and expand its digital footprint. As FSSA ventured into this ambitious digital transformation, it recognized the importance of trusted partners who could navigate the complexities of modernization and harness cloud technology and innovation to drive progress. The State of Indiana's FSSA forged a strategic partnership with Deloitte and AWS to pave the way for innovation and transformation.
Deloitte is an AWS Premier Tier Services Partner and Managed Service Provider (MSP) with more than 20 competencies. As an AWS Partner Network (APN) Premier Consulting Partner, Deloitte provides specialization in a host of AWS-enabled business solutions, each of which can be efficiently integrated to meet clients’ needs when and where they need it most.
As FSSA charts its course towards modernization, Deloitte and AWS are at the helm, steering the ship with innovative strategies, cloud-native technologies, and a deep commitment to FSSA's mission. Together, their contributions go beyond technology implementation; they encompass the creation of a comprehensive digital ecosystem that embraces change, enhances services, and optimizes operations.
Central to FSSA's mission was the desire to design a security capability that was not only robust and effective but also modern and easy to use and operate. AWS Network Firewall not only provided advanced threat detection and prevention capabilities but also offered a cloud-native architecture that aligned with FSSA's vision of modernization. Choosing AWS Network Firewall allowed FSSA to fortify its security posture with a solution that was powerful as well as intuitive and operationally efficient.
Benefits of AWS Network Firewall
  • Customized Threat Detection: Flexible custom Suricata rules allow the team to fine-tune threat detection to match FSSA's unique network traffic patterns.
  • Managed Service: AWS handles the deployment, scaling, and ongoing management of the firewall infrastructure, which removes the need for product-specific engineers, reduces costs, and lets the security team focus on broader security strategies and concerns.
  • Availability and Scalability: The service offers built-in redundancy and scales with traffic, so all traffic is consistently inspected and monitored.
  • Stateful Inspection: AWS Network Firewall supports thousands of stateful rules based on source and destination parameters such as IP address, port, and protocol, alongside Suricata-compatible rules for finer-grained matching.
  • Alert and flow logs: The firewall's alert and flow logs give quick insight into key information such as session state, traffic flow, and direction. The logs can be stored natively in Amazon S3 and Amazon CloudWatch Logs.
Solution Overview:
Custom Suricata rules played a pivotal role in improving FSSA's cybersecurity posture. By tailoring custom rules, Deloitte was able to align with the State of Indiana's specific traffic patterns: egress filtering, a strict allow list, East-West (VPC-to-VPC) filtering, and North-South VPC-to-on-premises traffic. The architecture diagram below depicts the centralized traffic filtering capability that was deployed using AWS Firewall Manager.
[Architecture diagram: AWS Network Firewall overview]
Key best practices considered as part of the architecture:
  • Centralized traffic filtering: Use of AWS Transit Gateway and its associated route tables to reduce the number of AWS Network Firewall endpoints needed, and thereby the cost of operations.
  • Stateful rule deployment: Enabling deep packet inspection along with standard firewall logging.
  • Strict rule order with an allow list: Configuring the Suricata rules engine to evaluate rules in the defined priority order and to deny all traffic by default.
  • Routes to the local AZ Network Firewall endpoint: Each subnet's route table points at the firewall endpoint in its own Availability Zone, so cross-AZ data transfer charges are not incurred.
Operational Highlights
The solution ensured that all requests entering and leaving the VPCs were routed through the Transit Gateway to the AWS Network Firewall endpoints for inspection. In the default (action order) mode, the stateful rules engine evaluates rules by action in a fixed sequence regardless of where they are written: pass rules take precedence, followed by drop, then reject, and finally alert rules, and evaluation of a packet halts as soon as a pass, drop, or reject rule matches. In strict order mode the firewall instead evaluates rules in the order they appear within the rule group and, across rule groups, by the priority assigned in the firewall policy, with the policy's stateful default action applied to anything that matches no rule. AWS CloudFormation templates were used to provision the firewall resources and policies, so the assets are easily reusable and configurable across the organization.
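To make the egress allow list from the Solution Overview and the evaluation order described above concrete, here is an added example. It is not code from the original post, nor Deloitte's or AWS's own; it models a handful of simplified Suricata rules and evaluates constructed flows under both rule-order modes. The rule set, sids, addresses and domain names are assumptions made for illustration; the ordering semantics follow the AWS Network Firewall documentation (pass, drop, reject, alert grouping in action order; as-written order plus a stateful default action in strict order).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Precedence the stateful engine applies in the default "action order" mode.
ACTION_ORDER = ("pass", "drop", "reject", "alert")


@dataclass(frozen=True)
class Flow:
    """One TCP session as seen by the stateful engine (constructed test input)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    app_proto: str              # "tls", "http", or "tcp" when no app layer was detected
    sni: Optional[str] = None   # TLS ClientHello server name, if any
    host: Optional[str] = None  # HTTP Host header, if any


@dataclass(frozen=True)
class Rule:
    """A deliberately small subset of a Suricata rule: action, protocol, exact SNI/Host."""
    action: str                 # "pass", "drop" or "reject"; alert rules only log and are omitted
    proto: str                  # "ip", "tcp", "tls" or "http"
    sid: int
    msg: str
    sni: Optional[str] = None
    host: Optional[str] = None

    def suricata(self) -> str:
        """Render the rule as it would be written in a Network Firewall rule group."""
        opts = [f'msg:"{self.msg}"']
        if self.sni:
            opts.append(f'tls.sni; content:"{self.sni}"; startswith; endswith')
        if self.host:
            opts.append(f'http.host; content:"{self.host}"; startswith; endswith')
        opts.append(f"sid:{self.sid}; rev:1")
        return (f"{self.action} {self.proto} $HOME_NET any -> $EXTERNAL_NET any "
                f"({'; '.join(opts)};)")

    def matches(self, flow: Flow) -> bool:
        # "ip" and "tcp" match every flow here because all constructed flows are TCP.
        if self.proto not in ("ip", "tcp", flow.app_proto):
            return False
        if self.sni is not None and flow.sni != self.sni:
            return False
        if self.host is not None and flow.host != self.host:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow, rule_order: str,
             strict_default: str = "drop") -> Tuple[str, Optional[int]]:
    """Return (action, sid) of the first matching rule, or the policy default.

    rule_order="action": default action order. Rules are grouped pass, drop,
        reject, alert before evaluation, whatever order they were written in,
        and traffic that matches nothing is allowed.
    rule_order="strict": rules are evaluated exactly as written, and traffic
        that matches nothing gets the policy's stateful default action
        (modelled by strict_default, standing in for aws:drop_strict).
    """
    if rule_order == "action":
        ordered = sorted(rules, key=lambda r: ACTION_ORDER.index(r.action))  # stable sort
        default = ("pass", None)
    elif rule_order == "strict":
        ordered = list(rules)
        default = (strict_default, None)
    else:
        raise ValueError(f"unknown rule order: {rule_order}")
    for rule in ordered:
        if rule.matches(flow):
            return rule.action, rule.sid  # evaluation halts on the first match
    return default


# Egress allow list written in a careless order: the catch-all drop comes first.
EGRESS_RULES = [
    Rule("drop", "ip", 1000, "Egress not on allow list"),
    Rule("pass", "tls", 1001, "Allow API egress", sni="api.example.gov"),
    Rule("pass", "http", 1002, "Allow package mirror", host="repo.example.org"),
]

# Constructed sessions (RFC 5737 addresses, reserved example domains), not captured traffic.
API_FLOW = Flow("10.0.1.15", "198.51.100.10", 443, "tls", sni="api.example.gov")
MIRROR_FLOW = Flow("10.0.2.30", "198.51.100.20", 80, "http", host="repo.example.org")
UNKNOWN_FLOW = Flow("10.0.1.15", "203.0.113.7", 443, "tls", sni="cdn.example.net")

if __name__ == "__main__":
    for rule in EGRESS_RULES:
        print(rule.suricata())
    for name, flow in [("api", API_FLOW), ("mirror", MIRROR_FLOW), ("unknown", UNKNOWN_FLOW)]:
        print(f"{name:8} action order -> {evaluate(EGRESS_RULES, flow, 'action')}"
              f"   strict order -> {evaluate(EGRESS_RULES, flow, 'strict')}")
```

Run as written, the api and mirror flows pass in action order but are dropped in strict order, because the catch-all drop was written before the pass rules. Moving the pass rules ahead of the catch-all fixes strict order; and if the catch-all is omitted altogether, strict order still denies unmatched traffic through the policy's default action, whereas action order lets it through. That is the reason the "deny all traffic by default" best practice above pairs strict rule order with an explicit allow list.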
The alert and flow logs provided by AWS Network Firewall gave invaluable insight when inspecting traffic and designing and implementing custom rules. The team was able to quickly find blocked requests, dropped packets, rejected connections, TLS errors, and so on. Along with the native Amazon S3 and Amazon CloudWatch integrations, such as CloudWatch Contributor Insights to monitor which rules fire most often, Deloitte also configured Splunk to ingest the firewall logs to identify top contributors and drive SIEM alerts.
Since the AWS Network Firewall rules engine is managed by AWS, AWS handles resource deployment, patching, and scaling, reducing the operational load on the State of Indiana’s security team.
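As an added example of the kind of log triage described above (not code from the original post, nor from Deloitte or AWS), the following script summarises constructed Network Firewall alert and flow records: blocked alerts per signature, top blocked sources, blocked TLS server names, Suricata TLS decoder errors, and bytes per destination. The record shape follows the documented JSON log format (an envelope with firewall_name, availability_zone, event_timestamp and an event object whose event_type is alert or netflow); the firewall name, addresses, server names, signatures and byte counts are made up for illustration.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

FIREWALL = "fssa-egress-fw"  # assumed firewall name, used only in the constructed records


def _record(event: dict) -> str:
    """Wrap a Suricata-style event in the Network Firewall log envelope."""
    return json.dumps({"firewall_name": FIREWALL, "availability_zone": "us-east-2a",
                       "event_timestamp": "1721900000", "event": event})


def _alert(src: str, dst: str, port: int, action: str, sid: int, signature: str,
           sni: Optional[str] = None) -> str:
    ev = {"timestamp": "2024-07-25T10:00:00.000000+0000", "flow_id": sid * 7,
          "event_type": "alert", "src_ip": src, "src_port": 50000, "dest_ip": dst,
          "dest_port": port, "proto": "TCP",
          "alert": {"action": action, "signature_id": sid, "rev": 1,
                    "signature": signature, "category": "", "severity": 2}}
    if sni:
        ev["app_proto"], ev["tls"] = "tls", {"sni": sni}
    return _record(ev)


def _netflow(src: str, dst: str, port: int, pkts: int, nbytes: int) -> str:
    return _record({"timestamp": "2024-07-25T10:00:05.000000+0000", "flow_id": nbytes,
                    "event_type": "netflow", "src_ip": src, "src_port": 50000,
                    "dest_ip": dst, "dest_port": port, "proto": "TCP",
                    "netflow": {"pkts": pkts, "bytes": nbytes, "age": 5}})


# Constructed log lines (one JSON object per line) plus one malformed line.
SAMPLE_LOG_LINES = [
    _alert("10.0.1.15", "203.0.113.7", 443, "blocked", 1000, "Egress not on allow list", "cdn.example.net"),
    _alert("10.0.1.15", "203.0.113.9", 443, "blocked", 1000, "Egress not on allow list", "telemetry.example.net"),
    _alert("10.0.2.30", "203.0.113.7", 443, "blocked", 1000, "Egress not on allow list", "cdn.example.net"),
    _alert("10.0.1.15", "198.51.100.10", 443, "allowed", 1001, "Allow API egress", "api.example.gov"),
    # Suricata's built-in TLS decoder events surface as alerts; this sid is illustrative.
    _alert("10.0.3.8", "203.0.113.50", 443, "allowed", 2230003, "SURICATA TLS invalid handshake message"),
    _netflow("10.0.1.15", "198.51.100.10", 443, 40, 52000),
    _netflow("10.0.2.30", "203.0.113.7", 443, 3, 180),
    "2024-07-25 10:00:09 delivery marker, not JSON",
]


def parse_events(lines: Iterable[str]) -> List[dict]:
    """Decode log lines into their inner event objects, skipping anything that is not a record."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or non-JSON line: skip it rather than abort the whole batch
        ev = rec.get("event") if isinstance(rec, dict) else None
        if isinstance(ev, dict) and "event_type" in ev:
            events.append(ev)
    return events


def _blocked(events: Iterable[dict]) -> Iterable[dict]:
    """Alerts whose rule action was drop or reject (logged with action "blocked")."""
    return (ev for ev in events
            if ev["event_type"] == "alert" and ev["alert"]["action"] == "blocked")


def blocked_by_signature(events: Iterable[dict]) -> Dict[str, int]:
    """Blocked alerts per signature: which drop rules are actually firing."""
    return dict(Counter(ev["alert"]["signature"] for ev in _blocked(events)))


def top_blocked_sources(events: Iterable[dict], n: int = 5) -> List[Tuple[str, int]]:
    """Source IPs with the most blocked alerts (the Contributor Insights style top-N view)."""
    return Counter(ev["src_ip"] for ev in _blocked(events)).most_common(n)


def blocked_sni(events: Iterable[dict]) -> Dict[str, int]:
    """TLS server names that were blocked: candidates to review against the allow list."""
    return dict(Counter(ev["tls"]["sni"] for ev in _blocked(events) if ev.get("tls", {}).get("sni")))


def tls_protocol_errors(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Suricata TLS decoder-event alerts, whose messages start with 'SURICATA TLS'."""
    return [(ev["src_ip"], ev["dest_ip"], ev["alert"]["signature"]) for ev in events
            if ev["event_type"] == "alert" and ev["alert"]["signature"].startswith("SURICATA TLS")]


def bytes_per_destination(events: Iterable[dict]) -> Dict[str, int]:
    """Flow-log bytes per destination ip:port, taken from the netflow records."""
    totals: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev["event_type"] == "netflow":
            totals[f'{ev["dest_ip"]}:{ev["dest_port"]}'] += ev["netflow"]["bytes"]
    return dict(totals)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG_LINES)
    print("blocked by signature: ", blocked_by_signature(evs))
    print("top blocked sources:  ", top_blocked_sources(evs, 3))
    print("blocked SNI:          ", blocked_sni(evs))
    print("TLS protocol errors:  ", tls_protocol_errors(evs))
    print("bytes per destination:", bytes_per_destination(evs))
```

The same functions can be pointed at real records by replacing SAMPLE_LOG_LINES with the lines read from the S3 objects or CloudWatch Logs stream the firewall writes to; the malformed line is included to show that a bad record is skipped rather than aborting the batch.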
Summary
In partnership with Deloitte, and leveraging the cloud-native tools and services offered by AWS, the State of Indiana’s Family and Social Service Administration embarked on a transformative modernization journey. Key to this endeavor was the implementation of AWS Network Firewall, a solution that not only provides advanced threat detection but also integrates into FSSA’s evolving cloud ecosystem.
AWS and Deloitte empower customers to transform their business, innovate faster, and grow ahead of the curve by combining AWS’s industry-leading cloud technologies with Deloitte’s deep industry experience, established customer relationships, and position as advisor to the C-suite.
Deloitte is a strategic global systems integrator with thousands of certified AWS practitioners across the globe. It continues to raise the bar through participation in the AWS Competency Program with 25 designations. Learn more by visiting the AWS and Deloitte page.
Contributors:
Ajith Joseph, Manager, Deloitte Consulting
Jayasankar Chakravarthy, Specialist Leader, Deloitte Consulting
Hemant Ahire, WW Principal Solutions Architect, AWS
 

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
