
Lab 3: Defend

In this lab, you will create a policy to:

  • Prevent US Social Security numbers from being exported from one of the spoke instances
  • Allow connections to approved GitHub accounts only

Procedure

  1. Go to the AWS console and add the tags to the spoke EC2 instances

    • Add a tag to the EC2 instance spoke-z1-app with key "Category" and value "prod"
    • Add a tag to the EC2 instance spoke-z2-app with key "Category" and value "dev"
  2. Navigate back to Valtix Dashboard and go to Manage -> Security Policies -> Addresses

  3. Click Create Address, then select Src/Dest
  4. Provide a name (e.g. vm-tag-prod; the object will match the instance tagged Category=prod)
  5. Select the object type as User Defined Tag
  6. Under the Instances Tag table, select the key Category and value prod
  7. Click Save to save the address object
  8. Go to Manage -> Profiles -> Network Threats
  9. Click Create Intrusion Profile and select Data Loss Prevention
  10. Provide a name (e.g. block_social_security)
  11. In the DLP Filter List table, type US Social Security Number in the Patterns text column/field
  12. Set the Count to 2 (more than 2 SSNs in a single request triggers the action)
  13. Select Deny Log as the Action, and save the profile
  14. Navigate to Manage -> Profiles -> URL Filtering and click Create.
  15. Provide a name for the URL profile (e.g. allow-valtix-security-github)
  16. Fill in the following information:

    Parameter Value
    URLs/Categories http.*github.com/valtix-security.*
    Methods ALL
    Policy Allow Log
  17. Click Manage -> Security Policies -> Rule Sets

  18. Select the "valtix-sample-egress-policy-ruleset" ruleset
  19. Click Add Rule to create a new rule. A new rule editor opens in the slide over panel on the right
  20. Fill in the following information:

    Parameter Value
    Name block_social_security
    Type Forward Proxy
    Service valtix-sample-egress-forward-proxy
    Source vm-tag-prod (the tag-based address object created in steps 3-7)
    Action Allow Log (profiles only inspect traffic the rule allows; a Deny rule would drop everything before DLP or URL filtering run)
    Network Intrusion valtix-sample-ips-balanced-alert
    Data Loss Prevention block_social_security
    URL Filtering allow-valtix-security-github
  21. Click Save

  22. Move the newly created rule above the valtix-sample-egress-forwarding-allow-snat rule by dragging it to the top, so that it is evaluated before the catch-all allow rule
  23. Click Save Changes


Verification

  1. SSH to spoke-z1-app, the EC2 instance in spoke1-vpc that you tagged Category=prod in step 1
  2. Execute curl https://www.example.com -kv -d "613-63-6333 613-63-6333 613-63-6333" -o /dev/null (three SSNs in the body, one more than the Count of 2)
  3. Check that the response is 502 Bad Gateway (the forward proxy dropped the request instead of forwarding it)
  4. Go to Investigate -> Flow Analytics -> Network Threats
  5. You will see log entries for the DLP-dropped request with the message: Sensitive Data was Transmitted Across the Network
  6. From the same instance, download a file from the valtix-security repository: wget https://github.com/valtix-security/tutorials/raw/main/test.zip. This connection should be allowed.
  7. Download a file from a different GitHub account, e.g. wget https://github.com/michaelvaltix/tutorials/blob/main/test_file.txt. This connection should be denied.
  8. Navigate to Investigate -> Flow Analytics -> URL Filtering.
  9. You should see both the allow session and the deny session for the two wget requests to github.com.
  10. Notice that the rule did not specify any IP address, yet the instance still matched it. That is because the Source is the tag-based address object vm-tag-prod: the rule applies to every instance carrying the tag Category=prod, so additional prod instances are protected by Valtix simply by adding the tag value {Category: prod}, with no change to the rule set. As a check, repeat the curl from spoke-z2-app (tagged Category=dev): it does not match the tag-based object, so its traffic falls through to the valtix-sample-egress-forwarding-allow-snat rule and is not inspected by the DLP or URL filtering profiles.
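The following Python model ties the procedure (steps 8-23) to the verification requests above. It is an added example, not Valtix code: it re-implements the evaluation logic that the lab configures in the dashboard so that the expected outcomes can be checked offline. Assumptions made here: the rule's Source is the prod tag object (called vm-tag-prod), the SSN regex plus SSA validity rules only approximate the built-in "US Social Security Number" pattern, the URL profile denies anything not in its allow list, and, since the page does not state whether the engine runs URL filtering before DLP, the model reports every profile that would deny a request rather than picking an order. The instance inventory and request bodies are constructed for the example.

```python
"""Model of the lab's egress policy: tag-scoped rule, DLP count threshold, URL allow list.

Added example, not Valtix code. Instance tags, the address-object name and the
SSN regex are assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory mirroring step 1 (tags added in the AWS console).
INSTANCE_TAGS = {
    "spoke-z1-app": {"Category": "prod"},
    "spoke-z2-app": {"Category": "dev"},
}

# Assumed approximation of the built-in pattern: AAA-GG-SSSS as a standalone token.
SSN_RE = re.compile(r"(?<![\w-])(\d{3})-(\d{2})-(\d{4})(?![\w-])")


def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs: area not 000/666/9xx, group not 00, serial not 0000."""
    found = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if area in ("000", "666") or area.startswith("9"):
            continue
        if group == "00" or serial == "0000":
            continue
        found.append(m.group(0))
    return found


@dataclass
class DlpProfile:
    name: str
    count: int            # step 12: more than `count` matches in one request triggers the action
    action: str = "Deny Log"

    def violated(self, body: str) -> bool:
        return len(find_ssns(body)) > self.count


@dataclass
class UrlProfile:
    name: str
    allow_patterns: list[str]           # regexes from the URLs/Categories column (Allow Log)
    default_action: str = "Deny Log"    # assumed: URLs not in the list are denied

    def allows(self, url: str) -> bool:
        return any(re.match(p, url) for p in self.allow_patterns)


@dataclass
class Rule:
    name: str
    action: str                                    # "Allow Log" or "Deny Log"
    source_tags: Optional[dict[str, str]] = None   # None means Source "any"
    dlp: Optional[DlpProfile] = None
    url_filter: Optional[UrlProfile] = None

    def matches_source(self, instance: str) -> bool:
        if self.source_tags is None:
            return True
        tags = INSTANCE_TAGS.get(instance, {})
        return all(tags.get(k) == v for k, v in self.source_tags.items())


def evaluate(ruleset: list[Rule], instance: str, url: str, body: str = ""):
    """First rule whose source matches decides; profiles only run on allowed traffic.

    Returns (rule_name, decision, reasons); `reasons` lists every profile that denied.
    """
    for rule in ruleset:
        if not rule.matches_source(instance):
            continue
        if rule.action.startswith("Deny"):
            return rule.name, "deny", ["rule"]
        reasons = []
        if rule.url_filter and not rule.url_filter.allows(url):
            reasons.append("url_filter")
        if rule.dlp and rule.dlp.violated(body):
            reasons.append("dlp")
        return rule.name, ("deny" if reasons else "allow"), reasons
    return None, "deny", ["no-rule"]


# Rule set as ordered in steps 17-23: the new rule sits above the sample allow-snat rule.
RULESET = [
    Rule(
        name="block_social_security",
        action="Allow Log",                        # an allow rule is needed for profiles to inspect
        source_tags={"Category": "prod"},          # address object vm-tag-prod (assumed name)
        dlp=DlpProfile("block_social_security", count=2),
        url_filter=UrlProfile("allow-valtix-security-github",
                              [r"http.*github.com/valtix-security.*"]),
    ),
    Rule(name="valtix-sample-egress-forwarding-allow-snat", action="Allow Log"),
]

if __name__ == "__main__":
    three_ssns = "613-63-6333 613-63-6333 613-63-6333"   # body used in verification step 2
    for inst, url, body in [
        ("spoke-z1-app", "https://www.example.com", three_ssns),
        ("spoke-z1-app", "https://github.com/valtix-security/tutorials/raw/main/test.zip", ""),
        ("spoke-z1-app", "https://github.com/michaelvaltix/tutorials/blob/main/test_file.txt", ""),
        ("spoke-z2-app", "https://www.example.com", three_ssns),
    ]:
        print(inst, url, evaluate(RULESET, inst, url, body))
```

Running the block replays the four cases: the SSN post from the prod instance is denied (DLP, and also the URL allow list, since example.com is not listed), the valtix-security download is allowed, the other GitHub account is denied by URL filtering only, and the same SSN post from the dev instance falls through to the allow-snat rule uninspected, which is the tag-scoping point of verification step 10. Two SSNs in a body do not trip the profile, because the Count of 2 is a strict threshold as the lab describes it.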