
Lab 3: Defend

In this lab, you will create a policy to:

  • prevent social security information from being exported from one of the spoke instances.
  • allow connections to approved github accounts only.

Procedure

  1. On your Terraform execution server, navigate to GCP-workshop/valtix-tutorial folder.
  2. Enable the Terraform files objects.tf, security_profiles.tf, and policy.tf by renaming them:

    mv objects.tf.disabled objects.tf
    mv security_profiles.tf.disabled security_profiles.tf
    mv policy.tf.disabled policy.tf
    
    • The following Terraform files should be enabled:

      File                  State    Description
      provider.tf           enabled  Defines the Terraform provider package
      discover.tf           enabled  Onboards the GCP account onto Valtix
      service_vpc.tf        enabled  Creates the Service VPC and the Valtix Gateway
      protect_vpc.tf        enabled  VPC peering between the Valtix Service VPC and the spoke/application VPC
      objects.tf            enabled  Address object and service object needed for the policy
      security_profiles.tf  enabled  Security profiles used in this tutorial (IPS, DLP, URL Filtering)
      policy.tf             enabled  Policy rule definition

    • All Terraform files in the folder should now be enabled.
  3. Here is the content of the files being enabled.


    objects.tf - all the objects resource blocks
    
    #### Internet Address Objects ####
    data "valtix_address_object" "internet_ag" {
      name = "internet"
    }
    
    #### User Define Tag Address Objects ####
    resource "valtix_address_object" "production_ag" {
      name        = "production"
      description = "Dynamic User Defined Tag"
      type        = "DYNAMIC_USER_DEFINED_TAG"
      tag_list {
          tag_key       = "environment"
          tag_value     = "production"
          resource_type = "RESOURCE_INSTANCE"
      }
    }
    
    #### HTTPS Service Object ####
    resource "valtix_service_object" "https_service" {
      name           = "https-service"
      description    = "HTTPS forward proxy."
      service_type   = "ForwardProxy"
      protocol       = "TCP"
      source_nat     = false
      tls_profile    = 2
      transport_mode = "HTTPS"
      port {
        destination_ports = "443"
      }
    }
    

    security_profiles.tf - security profiles resource blocks
    
    #### IPS/IDS Security Profile ####
    resource "valtix_profile_network_intrusion" "balanced_alert" {
      name = "gcp-workshop-balanced-alert"
      action = "Allow Log"
      policy = "BALANCED"
      policy_action = "NONE"
      auto_update = true
      delay_by_days = 0
    }
    
    #### DLP Security Profile ####
    resource "valtix_profile_dlp" "block_SSN" {
      name = "block-SSN"
      description = ""
      dlp_filter_list {
        count = 2
        action = "Deny Log"
        static_patterns = ["US Social Security Number"]
      }
    }
    
    #### URL Filtering Security Profile ####
    resource "valtix_profile_urlfilter" "allow_valtix_github" {
      name = "allow-valtix-security-github"
      description = "allow only valtix-security github"
      url_filter_list {
        url_list = ["http.*github.com/valtix-security.*"]
        policy = "Allow Log"
      }
      url_filter_list {
        url_list = ["http.*github.com/.*"]
        policy = "Deny Log"
        return_status = 502
      }
      uncategorized_url_filter {
        policy = "Deny Log"
        return_status = 503
      }
      default_url_filter {
        policy = "Deny No Log"
        return_status = 503
      }
    }
    

    policy.tf - policy resource block
    
    ###################################
    # 3a. Policy
    ###################################
    resource "valtix_policy_rules" "egress_policy_rules" {
      rule_set_id = valtix_policy_rule_set.egress_rule_set.rule_set_id
      rule {
        name        = "allow_only_production"
        action      = "ALLOW_LOG"
        state       = "ENABLED"
        service     = valtix_service_object.https_service.service_id
        source      = valtix_address_object.production_ag.address_id
        destination = data.valtix_address_object.internet_ag.address_id
        type        = "ForwardProxy"
        network_intrusion_profile = valtix_profile_network_intrusion.balanced_alert.profile_id
        url_filter  = valtix_profile_urlfilter.allow_valtix_github.profile_id
        dlp_profile = valtix_profile_dlp.block_SSN.profile_id
      }
    }
    

  4. Perform a terraform init.

  5. Perform a terraform apply --auto-approve.
    • This will create the Service VPC and deploy Valtix Gateway inside the Service VPC. After gateway deployment completes, VPC peering is created between spoke VPC and Service VPC. Routing table orchestration is also performed to route traffic through the Valtix Gateway for protection.

Verification

  1. SSH to the compute instance created in the sample_app.
  2. Execute curl https://www.example.com -kv -d "613-63-6333 613-63-6333 613-63-6333" -o /dev/null
  3. Check that you get a 502 Bad Gateway error
  4. Go to Investigate -> Flow Analytics -> Network Threats
  5. You will note logs for the DLP dropped requests with a message: Sensitive Data was Transmitted Across the Network
  6. Download a file from the valtix-security repository on spoke1-vpc: wget https://github.com/valtix-security/tutorials/raw/main/test.zip This connection should be allowed.
  7. Download a file from a different GitHub account, e.g. wget https://github.com/michaelvaltix/tutorials/blob/main/test_file.txt; this connection should be denied.
  8. Navigate to Investigate -> Flow Analytics -> URL Filtering.
  9. You should see both the allowed session and the denied session for the two wget requests to GitHub.
  10. Try the following commands from the sample_app. These FQDNs match a malicious category and will be blocked by Valtix.

    wget -O /dev/null -o /dev/null http://mspy.com
    wget -O /dev/null -o /dev/null http://17ebook.com
    wget -O /dev/null -o /dev/null http://purplehoodie.com
    
  11. Now generate some traffic to google.com with curl www.google.com. This traffic will go through.

  12. Navigate to Investigate -> Flow Analytics -> Traffic Summary and look for the FQDNs mspy.com, 17ebook.com and purplehoodie.com. They should all show as deny.
  13. Look for the FQDN google.com. Since this is a search engine and not a malicious category, this is allowed.
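To make the profile semantics concrete, here is an added Python model (not Valtix or workshop code) of the two profiles in security_profiles.tf, run against the inputs from the Verification steps. It assumes url_filter_list entries are evaluated in order with the first match winning, that the DLP count is the number of pattern hits a single request needs before the action applies, and it substitutes a simple regex for the built-in "US Social Security Number" pattern, whose real definition is not on this page.

```python
import re

# Added model of the lab's two profiles; not Valtix code. Assumed semantics:
# url_filter_list entries are checked in order and the first match wins,
# and the DLP "count" is the number of pattern hits a request needs
# before the action applies.

# Ordered entries, mirroring allow_valtix_github in security_profiles.tf
URL_FILTER_LIST = [
    (r"http.*github.com/valtix-security.*", "Allow Log", None),
    (r"http.*github.com/.*", "Deny Log", 502),
]

# Stand-in for the built-in "US Social Security Number" static pattern
# (assumption: the real pattern is not published on the page)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DLP_COUNT = 2           # count = 2 in block_SSN
DLP_ACTION = "Deny Log"


def url_decision(url, filters=URL_FILTER_LIST):
    """Return (policy, return_status) of the first matching entry, or None
    if no list entry matches (category/default handling is not modelled)."""
    for pattern, policy, status in filters:
        if re.match(pattern, url):
            return policy, status
    return None


def dlp_decision(body):
    """Count SSN hits in the request body and apply the count threshold."""
    hits = len(SSN_RE.findall(body))
    if hits >= DLP_COUNT:
        return DLP_ACTION, hits
    return "Allow", hits


if __name__ == "__main__":
    # Constructed inputs taken from the Verification steps
    allowed = "https://github.com/valtix-security/tutorials/raw/main/test.zip"
    denied = "https://github.com/michaelvaltix/tutorials/blob/main/test_file.txt"
    print(url_decision(allowed))   # ('Allow Log', None)
    print(url_decision(denied))    # ('Deny Log', 502)
    # Swapping the two entries would deny the valtix-security URL as well,
    # which is why the specific allow entry must come before the broad deny
    print(url_decision(allowed, list(reversed(URL_FILTER_LIST))))  # ('Deny Log', 502)
    print(dlp_decision("613-63-6333 613-63-6333 613-63-6333"))  # ('Deny Log', 3)
    print(dlp_decision("613-63-6333"))  # ('Allow', 1): below count = 2
```

The last two calls show why the verification curl sends the SSN three times: a single occurrence stays under the count threshold of 2 and would not trigger the DLP deny.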