Is it considered best practice to disable the Windows Firewall on an Amazon EC2 instance, and control traffic only via EC2 Security Groups?

If I open a port on the server firewall, and then open the same port on the security group, it requires double maintenance.

EDIT:

I found an advantage of doing both. Actually, when you filter by IP and port at the AWS level, you get more performance, as the AWS server will do the deny job and the requests do not even reach your server, and that saves you RAM, CPU and bandwidth.

EDIT2:

Actually, when you configure the Windows Firewall by mistake to disable the 3389 RDP port, your machine is gone.

What do you think?


Solution 1:

I always do both. It's a matter of who you trust more, Amazon, or yourself.

Perhaps one day the AWS security groups may be broken, disabled, circumvented. In that (unlikely) case, I have a second barrier I can rely on.

And if I accidentally leave something open on one, the other one will still block it. It's a bit like double opt-in, or two-factor authentication.

As far as administering a double set of firewall rules goes, for me it's worth it. It's not that many rules. If you have lots, then you should ask yourself whether that one instance is doing too much anyway, which adds a variety of possible points of failure and complexity.

If you do choose to only set up one, I would do the one you have full control of, the one on your instance.

Solution 2:

Disabling one or the other is not best practice for long-term network security. Best security practice is to always maintain both a host-resident firewall and an AWS security group on your instance. This practice is based on the security concept called Defense in Depth. It is a very sound way to build security redundancy in your network.

If you are using a VPC, there is another security layer to consider: Network Access Control List (ACL). A network ACL acts as a firewall for controlling traffic in and out of a subnet.

A useful technique when implementing your initial security architecture on AWS is to rely only on security groups and/or a host-resident firewall during the design and test phase, to simplify management. As the implementation matures you can add ACL rules as another layer to further protect your network.
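Both answers recommend keeping the host firewall alongside the Security Group, and the question's EDIT2 names the practical risk of doing so: a Windows Firewall change that cuts off RDP on a remote instance. The following PowerShell is an added example (not from the question or either answer) of applying the host layer in a lockout-safe order on an EC2 Windows instance: it verifies an explicit TCP/3389 allow rule scoped to an assumed management range before turning on the default-deny profiles, then lists the enabled inbound allows so they can be reconciled against the instance's Security Group. `$MgmtCidr` and `$RuleName` are placeholder assumptions; run it in an elevated session.

```powershell
# Added example: enable the Windows Firewall on an EC2 instance without
# losing RDP. ASSUMPTION: $MgmtCidr is your admin/bastion range (TEST-NET-3
# placeholder here); the rule name is arbitrary.
$MgmtCidr = '203.0.113.0/24'
$RuleName = 'Allow RDP from management range'

# 1. Ensure an explicit inbound allow for TCP/3389 from the management range
#    exists and is enabled. Do this BEFORE touching the profiles.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $MgmtCidr -Action Allow -Profile Any | Out-Null
}
elseif ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Allow') {
    Set-NetFirewallRule -DisplayName $RuleName -Enabled True -Action Allow
}

# 2. Verify the rule really covers TCP/3389; a rule that exists but matches
#    the wrong port is exactly the mistake that locks you out.
$port = Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
if ($port.Protocol -ne 'TCP' -or ('3389' -notin @($port.LocalPort))) {
    throw "Rule '$RuleName' does not allow TCP/3389; aborting before enabling the firewall."
}

# 3. Only now enable every profile with default-deny inbound.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 4. List the enabled inbound allows with their ports, so the host layer can be
#    compared against the Security Group (the "double maintenance" the question mentions).
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Name = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
    } |
    Where-Object { $_.LocalPort -ne 'Any' } |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize
```

Give the Security Group's 3389 rule the same source range so the two layers agree, and keep the step 4 listing as the checklist for the next Security Group review.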