Real-time Cloud-Native Network Protection Against Unknown Cloud Threats

Upgrade Your AWS Firewall with Blue Hexagon Agentless AI Security Cloud-Native Integration

By Arun Raman and Song Wrensch, Blue Hexagon

The modern threat landscape consists of threat actors using automation [AV-TEST  Jan-Feb 2021] to create evasive threat variants at scale and to unleash targeted threats and campaigns using custom ephemeral infrastructure (IPs/domains/URLs) that they control. Such threats are incredibly hard to detect in a timely fashion using legacy signature-based network controls such as IDPS or sandbox. AWS customers use AWS Network Firewall to deploy essential network protections for their Amazon Virtual Private Clouds (VPCs). While AWS Network Firewall provides good protection against known vulnerability exploits using signature matching and web filtering for known bad IPs/domains/URLs, protection against variants of known threats and unknown threats is limited.

To defend against the modern threat landscape, we recently released the cloud-native integration of Blue Hexagon’s industry-leading real-time deep learning-based threat detection with AWS Network Firewall for real-time protection against known threats, variants of known threats, as well as unknown 0-day threats for which no signatures exist (read the full Miercom report here). Blue Hexagon Agentless AI Security provides the most accurate threat detection from the network vantage point and supersedes legacy signature-based network controls and sandbox technologies. Blue Hexagon dynamically detects novel threats that may be trying to infiltrate and spread in your cloud environment and creates and updates IP/domain block-rules within AWS Network Firewall in real-time in order to drop connections and stop threats in their tracks. In conjunction with AWS Firewall Manager, you can apply these policies with block-rules uniformly across VPCs and accounts. 

In this blog, we describe the integration in detail and explain how you can set it up in your AWS environment. But first, let’s understand the benefits and use cases of such an integration.

Use Cases

A variety of threats including ransomware, cryptojacking, supply chain backdoors, etc. manifest behaviors observable in the network at different stages in their attack kill chains. Blue Hexagon Agentless AI Security detects such threats in real-time using Deep Learning AI, and in conjunction with AWS Network Firewall enables the following use cases:

  • Stop known and unknown malware/ransomware downloads
  • Terminate Command-and-Control (C&C or C2) connections over multiple protocols such as HTTP, HTTPS, DNS
    • Terminate data exfiltration via hard-to-detect TTPs such as DNS exfil
  • Terminate Cryptomining detected via network behaviors
  • Terminate unauthorized activity such as port scans, lateral movement, E-W discovery and attacks over SMB and other protocols
  • Stop malicious Cloud Activity (asset discovery, enumeration, privilege escalation) from malicious IPs


The benefits of adding Blue Hexagon Agentless AI Security to the AWS Network Firewall are as follows:

  • Based on pre-trained Deep Learning models, the Blue Hexagon platform is able to identify both known and unknown threats, and therefore it goes beyond what’s possible with approaches based purely on signatures, sandboxes, or known threat intelligence.
  • The Deep Learning models give verdicts in real-time and at scale – this is what fundamentally makes the integration with AWS Network Firewall valuable as it enables you to stop threats before they can detonate within your cloud environment.
  • Any new, previously unknown threats detected by Blue Hexagon are analyzed while the adversarial threat infrastructure is still up and active, in order to generate highly relevant and timely threat IOCs (IPs, domains, URLs, etc.) that are fed back into the Blue Hexagon platform. The Blue Hexagon platform manages the block/deny rulesets for your AWS Network Firewall policies, lifting the burden off your Ops teams and helping automate faster incident response, in real time.

Solution Architecture

There are multiple excellent blogs on the various architectures for deploying AWS Network Firewall in your cloud network. For the purposes of this integration blog, we assume a representative architecture shown in Figure 1, with all traffic ingressing/egressing the Customer Subnet routed via the Firewall endpoint in the Firewall Subnet. The network security module of Blue Hexagon Agentless AI Security is deployed in your environment in a security VPC / subnet. Through VPC Traffic Mirroring, Blue Hexagon gets a copy in real-time of all network traffic hitting EC2 VMs and containers. Blue Hexagon inspects the traffic – packet headers, metadata, and payloads – using Deep Learning AI and detects threats in real-time. On detecting a threat, Blue Hexagon automatically adds the malicious IP / domain to a block/drop/deny rule group in AWS Network Firewall. The rule group updates are propagated automatically to all firewalls within the policy domain, and the impacted connections are terminated.

Figure 1 – Blue Hexagon integrates natively with AWS Network Firewall in your cloud network – Deploy in minutes and manage the solution via a CloudFormation stack

Solution Deployment


  • VPC with AWS Network Firewall and associated Firewall Policy
  • To get started with Blue Hexagon Agentless AI Security, you can sign up for a free trial and get a license key to deploy Blue Hexagon in your environment. Once you have your license key, deploy Blue Hexagon in standalone mode by launching the CloudFormation stack below. To deploy Blue Hexagon in high-availability mode, contact a Blue Hexagon representative to get the template.


Step 1: Identify AWS Network Firewall to integrate with.

Figure 2 – Identify AWS Network Firewall to integrate with

Step 2: Get AWS Network Firewall Policy associated with the firewall to integrate with.

Figure 3 – Get AWS Network Firewall Policy associated with the firewall to integrate with

Step 3: Specify the CloudFormation stack details to deploy Blue Hexagon Agentless AI Security for AWS. Provide Firewall Policy name.

Figure 4 – Provide CloudFormation stack details, including AWS Network Firewall Policy name

Step 4: Once created, the Blue Hexagon stack automatically connects with AWS Network Firewall and performs rule group updates in the firewall policy as necessary; this is described in the following section.

Block Threats at Runtime

Upon detecting a threat, Blue Hexagon immediately publishes a finding to an SNS topic created by the CloudFormation stack. An AWS Lambda function subscribed to the topic is triggered and performs the response action within the AWS Network Firewall Policy. Optionally, as an AWS Security Hub partner, the Blue Hexagon Lambda function also sends the finding to AWS Security Hub. The following two actions are currently taken within the AWS Network Firewall Policy:

  • Malicious IPs are added to block/deny rule group.

Figure 5 – Malicious IPs are added to block/deny rule group.

  • Malicious domains are added to block/deny rule group.

Figure 6 – Malicious domains are added to block/deny rule group.
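The following is an added, simplified sketch of the SNS-to-rule-group path just described; it is not Blue Hexagon's own Lambda code. It assumes a flat {"type", "value"} finding layout (the real finding schema is not given in this post), two pre-existing rule groups (a domain DENYLIST group and a stateful group whose rule references a $BLOCKED_IPS IPSet variable), placeholder ARNs, and the real boto3 describe_rule_group / update_rule_group calls.

```python
import copy
import ipaddress
import json
import re

# Placeholders: the stack would set these to the ARNs of your two rule groups.
RULE_GROUP_ARNS = {"ip": "arn:PLACEHOLDER:ip-denylist", "domain": "arn:PLACEHOLDER:domain-denylist"}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

def make_sns_event(kind, value):
    """Constructed SNS envelope; the flat {type, value} finding layout is an assumption."""
    return {"Records": [{"Sns": {"Message": json.dumps({"type": kind, "value": value})}}]}

def parse_finding(event):
    """Return (kind, indicator), rejecting anything that is not a clean IP or hostname
    so a malformed or garbled message can never be written into a firewall rule."""
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    kind, value = msg["type"], str(msg["value"]).strip().lower()
    if kind == "ip":  # normalise to CIDR, which IPSet definitions require
        return "ip", str(ipaddress.ip_network(value, strict=False))
    if kind == "domain" and _DOMAIN_RE.match(value):
        return "domain", value
    raise ValueError(f"unsupported or malformed indicator: {kind}={value!r}")

def add_to_denylist(rule_group, kind, indicator):
    """Return a copy of a described RuleGroup with the indicator merged in: domains into the
    RulesSourceList DENYLIST (HTTP Host / TLS SNI), IPs into the $BLOCKED_IPS IPSet."""
    rg = copy.deepcopy(rule_group)  # never mutate the object we were handed
    if kind == "domain":
        targets = rg["RulesSource"]["RulesSourceList"]["Targets"]
    else:
        targets = rg["RuleVariables"]["IPSets"]["BLOCKED_IPS"]["Definition"]
    if indicator not in targets:  # idempotent: a re-reported IOC is not duplicated
        targets.append(indicator)
    return rg

def handler(event, context=None, client=None):
    """Lambda entry point. DescribeRuleGroup yields an UpdateToken that UpdateRuleGroup must
    echo back, so a concurrent edit makes AWS reject the stale write rather than clobber it."""
    if client is None:
        import boto3  # imported lazily so the pure helpers above can run offline
        client = boto3.client("network-firewall")
    kind, indicator = parse_finding(event)
    arn = RULE_GROUP_ARNS[kind]
    current = client.describe_rule_group(RuleGroupArn=arn)
    updated = add_to_denylist(current["RuleGroup"], kind, indicator)
    client.update_rule_group(RuleGroupArn=arn, UpdateToken=current["UpdateToken"], RuleGroup=updated)
    return {"kind": kind, "blocked": indicator}
```

Because rule group changes propagate to every firewall using the policy, the validation in parse_finding is the one place a bad indicator can be stopped before it affects all VPCs.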

Figure 7 – Blue Hexagon portal showing access to malicious IP used for malware Command-and-Control (C&C, C2)


Use Blue Hexagon Agentless Cloud-Native AI Security with AWS Network Firewall to effectively discover and block network-based cloud threats in your environment at scale. With the solution integration described in this blog, you can apply network-based protection across all configured AWS Network Firewalls within your accounts. Powered by its proprietary HexNet™ deep learning engine, Blue Hexagon provides actionable visibility, real-time threat defense, and continuous compliance for your cloud workloads and S3 storage in AWS. It is platform-agnostic, works in real-time, and can be quickly configured for an autonomous response. You can try/buy Blue Hexagon Cloud Security in the AWS Marketplace, or sign up for a limited-time free trial.