
Valtix for Egress Filtering

SECURE THE BACKDOOR OF APP TO SERVICE COMMUNICATION.

Valtix enables egress filtering for AWS, Azure, GCP, and OCI through advanced domain (FQDN) and URL filtering combined with data loss prevention (DLP) to block unauthorized external connectivity and data exfiltration. Through a comprehensive platform that centralizes multi-cloud policy, Valtix FQDN/URL filtering eliminates the need for egress security point solutions.

5 Minutes To Deploy

Quickly connect to each cloud account, discover workloads, and enable security

100% Cloud Coverage

Connects discovery to defense so that every account, app & API is secured

Zero Ops Overhead

Eliminate constant upkeep, challenging upgrades, and the management of appliances

A NEW APPROACH TO APPS REQUIRES ADVANCED EGRESS FILTERING

A tectonic shift has taken place in app architecture. More and more, apps are built with a services-based approach in mind, with microservices communicating over well-defined APIs. Often, these APIs are remote or external. The need to reach GitHub and other code repositories adds another layer of backdoor communication to the mix. Unfortunately, security teams historically didn’t need to cope with these challenges, so they are often now scrambling to avoid leaving egress open, unsecured, and unmonitored. Until they get egress filtering and security solutions in place, they contend with unacceptable risks in the form of:

  • Allowing command-and-control (C2) for malware distribution, cryptocurrency mining, disrupting operations, DDoS attacks, etc.
  • Losing visibility to the exfiltration of data out of the virtual private cloud (VPC)

In order to regain the egress control they’ve lost and meet compliance requirements (PCI, HIPAA, SOX, etc.), many organizations try to employ Squid Proxy or other point solutions to implement egress filtering. They might even go to the extreme of deploying a hard-to-scale virtual appliance. What they realize is that the cloud is different: gaining complete visibility and control over egress at scale requires cloud-scale solutions, and getting in the path of traffic is not always possible or practical.

A cloud-native and multi-cloud solution for Egress Filtering didn’t exist.

Until now.

Here are the egress security challenges we hear from customers.
Sound familiar? Valtix can help with cloud egress filtering.

1. The Cloud Service Providers (CSPs) don’t provide egress filtering in a scalable way across tens to hundreds of VPCs and accounts belonging to a variety of teams (dev, test, prod/compliance).

2. Virtual appliance NGFWs are very difficult to manage and create a chokepoint that doesn’t scale and adds risk.

3. Squid Proxy and other egress point solutions are difficult to implement, fragment security, lack critical features, and introduce blind spots.

EGRESS FILTERING BUILT FOR A MULTICLOUD WORLD

Valtix gives you a visibility and control plane built for the security of cloud workloads, including comprehensive egress filtering and security. Fully Qualified Domain Name (FQDN) or URL-based policy can be defined against category-level threat intelligence for malicious or unauthorized domains. Exfiltration of sensitive information can be blocked or alerted on using network-based data loss prevention (DLP).

Valtix provides comprehensive cloud egress filtering and the ability to block both attacks originating from the internet and data exfiltration attempts.

Gain Outbound Visibility

Understand outgoing traffic patterns to identify anomalous activity or known malicious connectivity that could indicate compromise

Stop Malicious Connections

Apply proactive policies to prevent unauthorized external connectivity or to filter outgoing traffic by domain or IP reputation

Accelerate Incident Response

Quickly pivot to block known command-and-control (C2) threats such as crypto mining, ransomware, or botnets through egress policy

Egress Filtering on URL and Domain (FQDN)

Controlling the outbound destinations of your cloud workloads is a fundamental best practice, but too few organizations actually implement it. Those that do usually leave so many holes and make so many compromises that the control is almost completely ineffective.

Valtix provides egress filtering on both FQDN and URL. These capabilities work in tandem to provide a comprehensive approach to egress security. FQDN filtering alone is inadequate: allowing github.com by domain allows access to every public GitHub repository, some of which are known to contain malware and data loss mechanisms. URL filtering combined with tags, attribute-based access control, and custom lists for domain categories (80+) makes this highly manageable at scale.

Category-level Domain Intelligence (Powered by BrightCloud)

Valtix egress filtering uses threat intelligence from Webroot™ BrightCloud to categorize web sites based on their risk score. This covers both fully qualified domain names (FQDNs), sometimes referred to simply as domain names, and URLs. Sites are classified across 84 categories, and the classification is applied when traffic from your public cloud environment makes outbound (egress) connections to these sites:

  • FQDN / Domains – 842+ million domains
  • URL – 37+ billion URLs
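The two points above (an FQDN allow for github.com admits every public repository, while a URL rule can narrow egress to one organization's repositories, and a category feed supplies the deny decisions) can be made concrete with a small policy evaluator. The code below is an added illustration and is not Valtix code; the category map is a constructed stand-in for a reputation feed, and every domain, category, environment tag and rule in it is hypothetical. It also shows the environment-tag scoping (dev vs prod) mentioned under contextual policy further down.

```python
"""Toy egress policy evaluator (added illustration, not Valtix code).

Shows why an FQDN-level allow for github.com is too coarse, how a URL-level
rule narrows it, and how rules are scoped by workload tag. The category map
is a constructed stand-in for a domain-reputation feed; all names are hypothetical.
"""
import posixpath
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed category map standing in for a threat-intelligence feed.
DOMAIN_CATEGORIES = {
    "github.com": "code-repositories",
    "pypi.org": "software-updates",
    "files.pythonhosted.org": "software-updates",
    "paste.example-malicious.test": "malware",
    "dyn-c2.example.test": "command-and-control",
}


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    env: Optional[str] = None         # workload tag such as "prod"; None matches any
    fqdn: Optional[str] = None        # exact host, or "*.suffix" for subdomains only
    url_prefix: Optional[str] = None  # canonical "scheme://host/path" prefix
    category: Optional[str] = None    # category from DOMAIN_CATEGORIES


def category_of(host: str) -> str:
    """Look up the host, then each parent domain, in the category map."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        cat = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def fqdn_matches(pattern: str, host: str) -> bool:
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # api.github.com yes, github.com itself no
    return host == pattern


def normalise(url: str) -> Tuple[str, str]:
    """Return (host, canonical url) with '.' and '..' path segments resolved,
    so a prefix rule cannot be bypassed with /acme-corp/../other-org/."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = posixpath.normpath(parts.path or "/")
    return host, f"{parts.scheme.lower()}://{host}{path}"


def rule_matches(rule: Rule, env: str, host: str, url: str) -> bool:
    if rule.env is not None and rule.env != env:
        return False
    if rule.fqdn is not None and not fqdn_matches(rule.fqdn, host):
        return False
    if rule.url_prefix is not None and not url.startswith(rule.url_prefix):
        return False
    if rule.category is not None and category_of(host) != rule.category:
        return False
    return True


def evaluate(policy: List[Rule], env: str, url: str) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; anything unmatched is denied."""
    host, canonical = normalise(url)
    for rule in policy:
        if rule_matches(rule, env, host, canonical):
            return rule.action, rule
    return "deny", None


# Policy A: FQDN-only. The github.com allow admits every public repository.
FQDN_ONLY_POLICY = [
    Rule("deny", category="malware"),
    Rule("deny", category="command-and-control"),
    Rule("allow", fqdn="github.com"),
    Rule("allow", category="software-updates"),
]

# Policy B: URL-aware. prod reaches only the organisation's own repositories
# (the trailing slash keeps acme-corp-other/ out); dev keeps broader GitHub access.
URL_AWARE_POLICY = [
    Rule("deny", category="malware"),
    Rule("deny", category="command-and-control"),
    Rule("allow", env="prod", fqdn="github.com", url_prefix="https://github.com/acme-corp/"),
    Rule("allow", env="dev", fqdn="github.com"),
    Rule("allow", category="software-updates"),
]

if __name__ == "__main__":
    for env, url in [("prod", "https://github.com/random-user/stealer"),
                     ("prod", "https://github.com/acme-corp/tooling"),
                     ("prod", "https://github.com/acme-corp/../random-user/stealer"),
                     ("dev", "https://github.com/random-user/stealer"),
                     ("prod", "https://dyn-c2.example.test/beacon")]:
        a, _ = evaluate(FQDN_ONLY_POLICY, env, url)
        b, _ = evaluate(URL_AWARE_POLICY, env, url)
        print(f"{env:4} {url:55} fqdn-only={a:5} url-aware={b}")
```

Two design choices matter in practice: the evaluator denies by default, so a new destination has to be added deliberately rather than slipping through, and the URL is canonicalised before the prefix comparison, because a path-prefix rule on an un-normalised URL is trivially dodged with dot segments. URL-level rules of course require the proxy to see the decrypted request, which is why the comparison table below lists forward/reverse proxy alongside URL filtering.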

Network-based Data Loss Prevention (DLP)

As companies make the move to the cloud, they are bringing more and more critical applications that include sensitive data. Given one degree of separation from the public internet, it’s essential that these applications are monitored to ensure that sensitive data doesn’t travel to unauthorized destinations.

Valtix egress filtering provides the ability to specify policy rules to detect and take action upon finding exfiltration patterns based on common signals or custom indicators.
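The rule shape described here, a common signal plus operator-defined custom indicators with an action per match, can be sketched as a small payload inspector. The code below is an added illustration and is not Valtix code; the card-number check is a generic Luhn test, while the codename, API-key format, hosts and payloads are all constructed for the example.

```python
"""Toy network-DLP check over outbound request bodies (added illustration,
not Valtix code).

Scans a payload for a common signal (Luhn-valid card numbers) and for
operator-supplied custom indicators, exempts destinations where the data is
expected, and returns the action a policy would take. All indicators, hosts
and payloads are constructed.
"""
import re
from typing import Dict, List

# Common signal: 13 to 19 digits, optionally separated by single spaces/dashes.
CARD_CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Custom indicators (constructed): an internal codename and an internal
# API-key format that should never leave the environment.
CUSTOM_INDICATORS = {
    "internal-codename": re.compile(r"\bPROJECT[- ]BLUEFIN\b", re.IGNORECASE),
    "internal-api-key": re.compile(r"\bACME_KEY_[A-Za-z0-9]{16}\b"),
}

# Destinations where a signal is expected and therefore not a finding.
EXPECTED_AT = {"card-number": {"payments.example.test"}}

# Action per finding type; the most severe action across findings wins.
ACTIONS = {"card-number": "block", "internal-api-key": "block", "internal-codename": "alert"}
SEVERITY = {"allow": 0, "alert": 1, "block": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; weeds out most random digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def inspect_payload(body: str, dest_host: str) -> Dict:
    """Return the findings in an outbound body and the resulting action."""
    findings = []
    for digits in find_card_numbers(body):
        # Evidence is masked so the alert log cannot become a second leak.
        findings.append({"type": "card-number", "evidence": "*" * (len(digits) - 4) + digits[-4:]})
    for name, rx in CUSTOM_INDICATORS.items():
        for m in rx.finditer(body):
            findings.append({"type": name, "evidence": m.group(0)[:6] + "..."})

    action = "allow"
    for f in findings:
        f["exempt"] = dest_host.lower() in EXPECTED_AT.get(f["type"], set())
        if f["exempt"]:
            continue
        if SEVERITY[ACTIONS[f["type"]]] > SEVERITY[action]:
            action = ACTIONS[f["type"]]
    return {"destination": dest_host, "action": action, "findings": findings}


# Constructed sample payloads.
SAMPLE_EXFIL = '{"note": "PROJECT-BLUEFIN export", "card": "4111 1111 1111 1111"}'
SAMPLE_BENIGN = '{"order_id": "1234567890123456", "status": "shipped"}'

if __name__ == "__main__":
    for body, host in [(SAMPLE_EXFIL, "paste.example.test"),
                       (SAMPLE_EXFIL, "payments.example.test"),
                       (SAMPLE_BENIGN, "erp.example.test")]:
        print(inspect_payload(body, host))
```

The destination exemption is the part most often forgotten when such rules are written: a card number headed for the payment processor is normal traffic, the same number headed for a paste site is not, so the rule has to combine the content signal with the egress destination rather than fire on content alone.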

Unified Contextual, Dynamic Policy

Over 60% of organizations are multi-cloud today, and the vast majority of those who are not expect to become multi-cloud within 2 years. Security is a top issue when making the move to multi-cloud. For those who are single-cloud, multi-account security can be just as challenging.

With Valtix, teams gain a single policy framework for security, including egress filtering, that works across multiple clouds and multiple accounts. Build contextual security policies tailored by deployment type (dev, test, prod/compliance) and application type.

Egress Filtering – Critical Capabilities to Consider:

Functions compared across NAT Gateway, Squid Proxy (1), Aviatrix FQDN, and Valtix Egress:

Security
  • URL Filtering*
  • FQDN Filtering**
  • Forward/Reverse Proxy (as needed)
  • Custom Lists for Domain Category
  • Auto-Scaling
  • Auto Discovery (App-Tag-based)
  • Auto Malware Detection
  • Data Loss Prevention (DLP)
  • Application Tagging
  • Flow Log Visibility
  • Multi AZ High Availability
  • Allowed/Denied Session Logs

Automation and Management
  • Terraform Support
  • API Support
  • Managed Service (SaaS)
  • Enterprise Support

Solution Brief

Egress Security for Public Cloud

Egress security in public cloud comprises a significant portion of the total security posture for protecting public cloud workloads that handle or use sensitive data. It also governs access to public internet resources for software updates, patches, public repositories, API calls, 3rd-party interconnects, and logging of sensitive data to external sources.

eBook

The Cloud Architect’s Guide to Network Security

Cloud architects already understand the benefits of public cloud (AWS, Azure, GCP, OCI) and are trying to help their organizations reap the benefits. But most network security solutions cannot provide enterprise-grade threat prevention or adequately defend highly dynamic public cloud environments from advanced threat vectors. This eBook is designed to help cloud architects, cloud security architects, and others responsible for the security of cloud infrastructure with some of the more important factors to consider.