
Unlock Faster, Smarter AWS Security: A Guide to TLS Inspection with SNI Session Holding
In today’s digital landscape, inspecting encrypted traffic is no longer a luxury—it’s a security necessity. With the vast majority of web traffic now encrypted using TLS, bad actors increasingly hide malware, ransomware, and data exfiltration attempts within these secure channels. However, decrypting and inspecting every single packet can create significant performance bottlenecks, increase operational costs, and even break critical applications.
Fortunately, there’s a more intelligent way to manage this challenge. AWS Network Firewall has introduced a powerful capability known as SNI session holding for TLS inspection, transforming how organizations can secure their cloud environments without compromising on speed or compatibility. This feature allows for a more granular, efficient, and robust security posture.
The Traditional Challenge of TLS Inspection
Historically, network firewalls have relied on a brute-force approach to TLS inspection. To see inside encrypted traffic, the firewall must perform a “man-in-the-middle” (MITM) action, where it decrypts the traffic, inspects it for threats, and then re-encrypts it before sending it to its destination.
While effective for security, this process has several major drawbacks:
- Performance Degradation: The computational overhead of decrypting and re-encrypting every packet introduces latency, slowing down applications and impacting the end-user experience.
- Increased Costs: The intensive processing required drives up the cost of firewall infrastructure and operations.
- Compatibility Issues: Many modern applications use certificate pinning, a security measure where an application is hard-coded to only trust a specific server certificate. When a firewall presents its own certificate during a MITM inspection, it breaks the trust chain, causing the application to fail. This is common with services like Windows Updates, Dropbox, and other sensitive software.
A Smarter Approach: How SNI Session Holding Works
SNI Session Holding provides an elegant solution to these problems by making inspection decisions before the costly decryption process even begins.
The magic lies in the Server Name Indication (SNI), an extension of the TLS protocol. During the initial connection handshake, the client sends the hostname (e.g., www.example.com) it wants to connect to in plaintext. AWS Network Firewall can intercept this initial request and read the SNI value.
Here’s the step-by-step process:
- Intercept: The firewall intercepts the initial `ClientHello` packet from the client.
- Hold and Inspect SNI: It temporarily holds the TCP session and extracts the SNI hostname from the packet.
- Apply Policy: The firewall checks the SNI against its configured stateful rule set to make an intelligent decision.
- Execute Action: Based on the rule match, the firewall takes one of three actions:
  - PASS: If the SNI matches a trusted domain (e.g., `*.microsoft.com`), the firewall releases the session and allows the client and server to establish a direct, encrypted connection. No decryption occurs, eliminating performance overhead and preserving certificate pinning.
  - DROP: If the SNI matches a known malicious or prohibited domain, the firewall drops the connection entirely, preventing any communication.
  - INSPECT (Forward to decrypt): If the rule dictates that the traffic should be inspected, the firewall proceeds with the full TLS decryption and inspection process.
This selective approach ensures that resources are only used to inspect traffic that is unknown, untrusted, or explicitly marked for deep-packet analysis.
Key Benefits of Adopting SNI Session Holding
Implementing this feature offers immediate and significant advantages for your cloud security architecture.
- Drastically Improved Performance: By bypassing decryption for trusted traffic, you can significantly reduce latency and improve the performance of your applications. Traffic to well-known, safe destinations flows unimpeded.
- Significant Cost Savings: Less processing directly translates to lower costs. By reducing the computational load on your Network Firewall, you can optimize your AWS spending without sacrificing security coverage.
- Enhanced Security and Application Compatibility: This is a game-changer for solving the certificate pinning problem. You can now create explicit `pass` rules for applications that rely on pinned certificates, ensuring they function correctly while still inspecting all other traffic.
- Granular and Simplified Policy Management: You can now write highly specific, domain-based rules. This allows for creating clear and effective policies, such as allowing traffic to all your corporate subdomains while inspecting traffic to new or uncategorized websites.
Actionable Tips for Implementation
Getting started with SNI-based policies in AWS Network Firewall is straightforward. The key is to build a well-structured stateful rule group that prioritizes your rules correctly.
Consider this best-practice approach to rule ordering:
- Create PASS Rules for Trusted Domains: Start by defining rules that explicitly pass traffic to known-good destinations that don’t require inspection. This is critical for services that use certificate pinning.
  - Example: `pass tls *.your-trusted-partner.com`
  - Example: `pass tls updates.microsoft.com`
- Create DROP Rules for Malicious Domains: Next, add rules to block connections to domains on your deny list or threat intelligence feeds.
  - Example: `drop tls *.known-malicious-domain.net`
- Create INSPECT Rules for General Traffic: Finally, create a broader rule that sends all other traffic for full TLS inspection. This acts as a catch-all to ensure that any traffic not explicitly passed or dropped is thoroughly analyzed for threats.
  - Example: `tls_inspection tls .` (this inspects traffic to any domain)
By structuring your rules in this order, you create an efficient logic flow: first allow what’s known-good, then block what’s known-bad, and finally, inspect everything else.
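The ordering above is a first-match policy, and it only works if the catch-all inspect rule is last. The code below is an added example that models that decision logic in Python; it is not AWS Network Firewall's rule syntax or its implementation. Rule patterns use the page's shorthand (`*.domain` for subdomains, an exact host, or `.` for any domain), the rule set is constructed from the three examples above, and `shadowed_rules` is a lint step added here to catch a catch-all placed too early.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example: first-match model of the pass / drop / inspect ordering.
# Illustration only; not AWS Network Firewall rule syntax or code.

CATCH_ALL = "."   # the page's "." pattern: matches any domain


@dataclass(frozen=True)
class Rule:
    action: str    # "pass", "drop" or "inspect"
    pattern: str   # "*.example.com", "host.example.com" or "."


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of an SNI hostname against one rule pattern.

    A "*." wildcard covers subdomains only: "*.partner.com" matches
    "api.partner.com" but neither "partner.com" itself nor "evilpartner.com".
    List the apex host explicitly if it should get the same treatment.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern == CATCH_ALL:
        return True
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])   # keeps the leading dot
    return hostname == pattern


def evaluate(rules: List[Rule], sni: Optional[str]) -> str:
    """Return the action of the first rule the SNI matches.

    A ClientHello without SNI (sni=None) cannot be passed or dropped by name,
    so it falls through to full inspection, the same outcome an unmatched
    hostname gets when the rule set ends with the "." catch-all.
    """
    if sni is not None:
        for rule in rules:
            if hostname_matches(rule.pattern, sni):
                return rule.action
    return "inspect"


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Rules that can never fire because a "." catch-all precedes them."""
    for i, rule in enumerate(rules):
        if rule.pattern == CATCH_ALL:
            return list(rules[i + 1:])
    return []


# Constructed rule set mirroring the three-step ordering on the page.
RULES = [
    Rule("pass", "*.your-trusted-partner.com"),
    Rule("pass", "updates.microsoft.com"),
    Rule("drop", "*.known-malicious-domain.net"),
    Rule("inspect", CATCH_ALL),
]

if __name__ == "__main__":
    for host in ["api.your-trusted-partner.com", "updates.microsoft.com",
                 "cdn.known-malicious-domain.net", "www.example.com", None]:
        print(f"{host!s:32} -> {evaluate(RULES, host)}")
    print("shadowed:", shadowed_rules(RULES))   # [] when the catch-all is last
```

Two behaviours are worth checking in your own rule group: the apex domain is not covered by a `*.` wildcard, so `your-trusted-partner.com` itself goes to inspection unless listed, and a ClientHello with no SNI lands in the catch-all rather than in a pass rule.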
A Proactive Security Strategy for the Modern Cloud
Inspecting encrypted traffic is non-negotiable for a strong security posture. SNI session holding in AWS Network Firewall moves security from a resource-intensive, “decrypt everything” model to an intelligent, efficient, and policy-driven framework.
By leveraging this feature, organizations can build a more robust, cost-effective, and high-performance security architecture that protects against modern threats without disrupting business-critical applications. It’s a vital tool for any team looking to secure their AWS environment effectively.
Source: https://aws.amazon.com/blogs/security/enhance-tls-inspection-with-sni-session-holding-in-aws-network-firewall/


