Discover Your AWS Applications and Enable Advanced Network Security in a Few Clicks with Valtix Network Security-as-a-Service
Valtix is driven to solve customer problems in securing their public cloud applications. Our goal is to simplify the operational burden of enabling consistent network security across all your cloud deployments. Valtix provides advanced network security as-a-service with leading edge IPS and WAF engines, with built-in TLS support, as the distributed dataplane managed from a SaaS cloud controller. The dataplane is a cluster of auto scaling Valtix Cloud Firewalls (VCF), called Valtix gateway, that run in the customer’s AWS account beside the applications in the same VPC or connected via AWS Transit Gateway.
Based on customer feedback we’ve made several improvements in our upcoming release to include:
- Visualization of their Valtix deployments across their cloud infrastructure
- User experience to discover applications quickly and then secure them with a few clicks
- Protecting multiple Internet-facing web sites behind a single public IP
- API rate limiting for mitigating Layer 7 DoS attacks
- PagerDuty integration for sending alerts
These features are part of the version 2.0 update releasing in March 2020. Let’s dive into the details.
Improved Visualization of Your Cloud Deployments
A new user experience lays out all the controls in the following way: top-level controls (Dashboard, Investigate, Manage, Settings) are available as tabs at top, and tab-specific controls are shown on the left-pane. A left-pane item may have context-specific collapsible panels that are available when needed. A key improvement is to show all your AWS resources in the dashboard, including regions, availability zones along with the busiest applications and threats. From the dashboard customers can directly take specific actions to add more AWS accounts, deploy Valtix Cloud Firewall (VCF) clusters aka gateway or investigate threats.
Discover, Deploy and Defend in a Few Clicks
As applications teams develop and deploy applications Valtix administrators can discover them, deploy network security and configure security policies in a single flow. Below are the steps for securing an Internet-facing web application. Future posts will elaborate security for egress traffic to prevent exfiltration, and east-west scenarios between VPC’s using AWS Transit Gateway.
- From the Dashboard of your Valtix Cloud Controller (SaaS portal) click on ‘View All Applications’ to see discovered applications
- Review the list of applications that are secured by Valtix and those that are not secured, and select the one to secure based on the AWS load balancer name or the tag value assigned to it and click ‘Create Rules’.
- Deploy the network security by selecting the Valtix gateway and adding details on the frontend and backend ports, TLS profile and the firewall cluster to use. The selected gateway will include existing customer defined security policies for the web application firewall (WAF). Note: This step assumes that you’ve previously deployed a Valtix gateway in the same region and enables you to select it for protecting the newly discovered application. If this is a new region, you can deploy a new Gateway from the Manage tab > Gateways > Manage Gateways (left panel).
- (optional) Customize the security policy details from the Manage tab > Profiles > Web Protection profile.
- (optional) Publish this application directly from Valtix. Click on Manage > DNS to create/update an AWS Route53 DNS record so that the Valtix gateway becomes the frontend to your application (myapp.com in the example above) and inspects all traffic going to the web site. This step can also be performed directly from the Route 53 settings in AWS EC2 Management console.
Protect Multiple Web Sites based on SNI
It is a common design pattern to host multiple web sites from a single public IP based on the server name indication (SNI) extension of the TLS certificate for each site. This is usually done by SaaS vendors, service providers, hosting companies and large enterprises. Valtix now supports this by allowing you to configure site-specific security policies. A single Valtix gateway deployment can be protecting multiple sites with site-specific security policies.
Layer 7 DoS for API Rate Limiting
Layer 7, i.e. application layer, attacks are asymmetric in terms of their impact on the application provider relative to the resources used by an attacker. The ability of attackers to create botnets has made this a popular form of disruption. Valtix now enables customers to define API rate limits on a per-application basis for Internet-facing web applications.
PagerDuty integration allows customers to receive alerts on customer-defined events generated by the Valtix controller and gateways. Customers can configure their PagerDuty credentials in the Valtix Controller and set specific filtering rules on the logs (system events, traffic logs or threat events) that trigger the alert to be sent to PagerDuty for notification.
These features are driven by customer feedback to make advanced network security in public clouds dead simple. You can sign up for a free trial at valtix.com/trial/ to protect your applications. A sandbox environment in AWS Marketplace is also available to test Valtix in our AWS account with sample applications without any access to your environment. For more information on the sandbox or suggestions on how we can improve, contact us at firstname.lastname@example.org.