Lab 3: Defend
In this lab, you will create a policy to:
- prevent Social Security information from being exported from one of the spoke instances.
- allow connections to approved GitHub accounts only.
Procedure
- Go to the AWS console and add tags to the spoke EC2 instances:
- Add a tag to the EC2 instance spoke-z1-app with key "Category" and value "prod"
- Add a tag to the EC2 instance spoke-z2-app with key "Category" and value "dev"
- Navigate back to the Valtix Dashboard and go to Manage -> Security Policies -> Addresses:
- Click Create Address.
- Select Src/Dest.
- Provide a name (e.g. vm-tag-dev)
- Select the object type as User Defined Tag
- Under the Instances Tag table, select the key Category and value prod
- Click Save to save the address object
- Go to Manage -> Profiles -> Network Threats:
- Click Create Intrusion Profile
- Select Data Loss Prevention
- Provide a name (e.g. block_social_security)
- In the DLP Filter List table, type US Social Security Number in the Patterns column
- Set Count to 2 (sending more than 2 SSNs in the traffic triggers the action)
- Select Deny Log as the Action
- Save the profile
- Navigate to Manage -> Profiles -> URL Filtering:
- Click the Create button.
- Provide a name for the URL profile (e.g. allow-valtix-security-github)
- Fill in the following information:

| Parameter | Value |
|---|---|
| URLs/Categories | http.*github.com/valtix-security.* |
| Methods | ALL |
| Policy | Allow Log |
- Click Manage -> Security Policies -> Rule Sets
- Click the "valtix-sample-egress-policy-ruleset" ruleset.
- Click Add Rule to create a new rule. A new rule editor opens in the slide-over panel on the right.
- Fill in the following information:

| Parameter | Value |
|---|---|
| Name | block_credit_card |
| Type | Forward Proxy |
| Service | valtix-sample-egress-forward-proxy |
| Source | any |
| Action | Deny Log |
| Network Intrusion | valtix-sample-ips-balanced-alert |
| Data Loss Prevention | block_social_security |
| URL Filtering | allow-valtix-security-github |

- Click Save.
- Move the newly created rule above the valtix-sample-egress-forwarding-allow-snat rule by dragging it to the top.
- Click Save Changes.
Verification
- SSH to the EC2 instance spoke-z2-app, created in the spoke1-vpc
- Execute:

```bash
curl https://www.example.com -kv -d "613-63-6333 613-63-6333 613-63-6333" -o /dev/null
```

- Check that you get a 502 Bad Gateway error
- Go to Investigate -> Flow Analytics -> Network Threats
- You will see logs for the DLP-dropped requests with the message: Sensitive Data was Transmitted Across the Network
- Download a file from the valtix-security repository on spoke1-vpc. This connection should be allowed:

```bash
wget https://github.com/valtix-security/tutorials/raw/main/test.zip
```

- Download a file from a different GitHub account. This connection should be denied:

```bash
wget https://github.com/michaelvaltix/tutorials/blob/main/test_file.txt
```

- Navigate to Investigate -> Flow Analytics -> URL Filtering.
- You should see both the allowed session and the denied session for the two wget requests to GitHub.
- Notice that we did not specify any IP address in the policy, yet the VM instance still matches it. This is because of the tag-based address object used in the policy: the rule applies to any instance carrying the tag value prod, which makes the policy dynamic. Any future instance considered part of the prod environment will have this rule applied simply by adding the tag {Category: prod}.
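To make the rule logic concrete, here is an added Python model of how the three pieces of this lab combine on one forward-proxy request: the tag-based address object as the source match, the DLP profile's Count threshold, and the URL filtering allow pattern. This is example code written for this page, not Valtix code and not part of the lab. It assumes the rule's Source is the tag-based address object that the closing note describes, that the URL pattern is evaluated as an unanchored regular expression, that the US Social Security Number pattern is the regex `\b\d{3}-\d{2}-\d{4}\b`, and that DLP is evaluated before URL filtering; the Valtix engine's actual evaluation order and pattern definitions are not stated on this page.

```python
import re
from dataclasses import dataclass

# Tag-based address object from the lab: key "Category", value "prod".
ADDRESS_TAG = ("Category", "prod")

# URL filtering profile pattern from the lab. Assumption: evaluated as an
# unanchored regex, so "http.*" also covers https:// URLs.
URL_ALLOW_PATTERNS = [r"http.*github.com/valtix-security.*"]

# DLP profile: Count = 2 means MORE than 2 matches in one request triggers
# the action. The SSN regex is an assumption; the lab only names the pattern.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DLP_COUNT = 2


@dataclass
class Request:
    """A constructed forward-proxy request: who sent it, where to, with what."""
    instance_tags: dict
    url: str
    body: str = ""


def matches_address(tags):
    """Source match: does the sending instance carry the address object's tag?"""
    key, value = ADDRESS_TAG
    return tags.get(key) == value


def url_allowed(url):
    """URL filtering: any allow pattern found anywhere in the URL."""
    return any(re.search(p, url) for p in URL_ALLOW_PATTERNS)


def ssn_count(body):
    """DLP: number of SSN-shaped tokens in the request body."""
    return len(SSN_RE.findall(body))


def evaluate(req):
    """Return (action, reason) the way the lab's rule would log the request.

    Assumed order: source match, then DLP, then URL filtering.
    """
    if not matches_address(req.instance_tags):
        return ("no-match", "source does not carry the tag-based address object")
    n = ssn_count(req.body)
    if n > DLP_COUNT:
        return ("Deny Log", f"DLP: {n} US SSNs exceed count {DLP_COUNT}")
    if not url_allowed(req.url):
        return ("Deny Log", "URL filtering: URL not in the allow list")
    return ("Allow Log", "URL filtering: matched allow pattern")


if __name__ == "__main__":
    # Constructed requests mirroring the Verification section.
    prod = {"Category": "prod"}
    checks = [
        Request(prod, "https://www.example.com",
                "613-63-6333 613-63-6333 613-63-6333"),
        Request(prod, "https://github.com/valtix-security/tutorials/raw/main/test.zip"),
        Request(prod, "https://github.com/michaelvaltix/tutorials/blob/main/test_file.txt"),
        # An instance without the prod tag is simply not matched by the rule.
        Request({"Category": "dev"}, "https://github.com/valtix-security/tutorials/raw/main/test.zip"),
    ]
    for r in checks:
        print(r.url, "->", evaluate(r))
```

The `Count` semantics are the detail most worth checking: a body with exactly two SSNs passes the DLP profile, a third one trips it. Likewise, the unanchored pattern means `http://` and `https://` both match, and a URL on another GitHub account is denied because the `valtix-security` path segment is absent, not because of anything in the host name.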