Valtix brings Advanced Network Security into Cloud Era with AWS Gateway Load Balancer
Valtix Cloud Security Service
Valtix offers a cloud-native advanced network security service that can be deployed to add additional protection for your cloud workloads. This prevents lateral movement of threats between VPCs and stops exfiltration on outbound flows. Valtix is a security-as-a-service (SaaS) that can be deployed from the SaaS portal or using Terraform. Valtix is available with usage-based metering and billing through AWS Marketplace and AWS private offers. This avoids complex licensing activation/deactivation of traditional virtual appliances. Valtix offers a simple discover, deploy and defend approach to protect cloud-native and lift-n-shift applications. This provides a consistent and comprehensive network security approach that complements the baseline protections of security groups and replaces multiple legacy vendor appliances like virtual next-generation firewalls (NGFW) and web application firewalls (WAF).
Valtix Integration with AWS Gateway Load Balancer
AWS Gateway Load Balancer (GWLB) brings a cloud-native approach for inspecting network traffic with advanced network security services. Customers can simply select the VPCs that need to be protected, and enable AWS Gateway Load Balancer. That is all the customer needs to enable, Valtix does the rest behind the scenes: receives the traffic from the spoke/application VPC connected to an AWS Transit Gateway, inspects the traffic based on customer-configured policies, and then permits or drops the traffic. This provides a network security capability similar to how AWS provides load balancing as a service with the Application Load Balancing (ALB). Gateway Load Balancer simplifies network security architecture by providing a single entry point for all deep packet inspection requirements, and together with Valtix it enables a service-oriented approach for security.
Valtix is participating in the launch of AWS Gateway Load Balancer, a new service from AWS that makes it easy to deploy and scale network security services in the cloud - including systems for deep packet inspection for ingress, egress and east-west traffic flows. With this integration, Valtix provides a simple way for customers to quickly enable advanced network security as-a-service to protect their workloads without requiring complex templates, lots of Lambda functions and Python scripts to deploy, license and manage virtual firewall appliances.
Valtix Deployment for Securing Egress and East-West Traffic Using Gateway Load Balancer and Transit Gateway
Valtix provides AWS Gateway Load Balancer integration into both the Valtix Controller (management) and Valtix Gateway instances (dataplane). Valtix Controller provides a SaaS portal to discover customer’s AWS environments, deploy Valtix Gateways, and defend customer applications with dynamic security policies based on workload attributes, i.e. tags.
Valtix Gateways are deployed into a customer’s cloud account to provide a single-pass, high throughput, auto scaling architecture with deep packet inspection:
- TLS decryption - followed by a layered set of inspection policies listed below, and then re-encryption
- IDS/IPS - Intrusion detection and prevention system
- URL filtering and FQDN filtering - based on 82 web classification categories from BrightCloud or customer created lists to only allow outbound traffic to approved destinations, instead of malware or command-and-control (C2) sites
- TLS decryption exceptions - to disable TLS decryption for privacy or regulatory compliance sensitive FQDN and URL categories or custom lists
- Data loss prevention (DLP) - for protecting data-in-motion using 30+ predefined patterns and regular expressions
- Web application firewall (WAF) - with OWASP Top 10, core rule set (CRS), advanced rule set to protect web applications
- Application ID using client or server identifiers and packet payload
- Malicious sources block list - using customer provided lists or third-parties
- Attribute-based access control (ABAC) - create policies using tags of discovered cloud assets. This enables globally consistent security policies across all your VPC’s and AWS accounts.
Customer Workflow with Valtix using AWS Gateway Load Balancer
- Customers on-board their AWS accounts into Valtix with an IAM role.
- Valtix continuously discovers, in near real-time, all applications and assets (load balancers, VPC, subnets, instances etc) running in all the customer VPCs. This includes default cloud asset attributes and user-defined tags (“prod”, “dev”, “pci”) associated with the workloads.
- Customers select which VPCs and traffic flows (ingress, egress, east-west) need to be inspected. Valtix deploys and manages the Security VPC that contains all the needed components: AWS Transit Gateway, AWS Gateway Load Balancer, and an auto scaling fleet of Valtix Gateways that perform the single-pass deep packet inspection (DPI) based on configured security policies.
- Customers define security policies based on workload attributes, and/or IP addresses. These policies are designed to be consistent across all workloads in any VPC or account.
Enabling AWS Gateway Load Balancer for Valtix Gateways with One-Click to Inspect Egress & East-West Traffic from tens of Spoke VPCs
For example, attribute-based access control policies can be layered with deep inspection policies such as:
- Egress: All instances tagged “prod” and “pci” can only connect to a specific safe list of destinations such as github.com/orgRepo and payment gateway sites. This uses TLS decryption with URL filtering to inspect the traffic. FQDN filtering alone is not sufficient as “dev” systems maybe allowed to access all of GitHub, but “prod” should be limited to a few repository URLs. Customers can enable IDS/IPS inspection to ensure that no malware is spread out. And, customers can apply data loss prevention (DLP) to ensure credit card numbers and social security numbers are not passed on outbound traffic to the Internet.
- East-West: “dev” instances or VPCs connecting to “shared” services must be inspected with IDS/IPS to prevent lateral movement of attacks.
- Ingress: Traffic from the Internet to “prod” “web-frontend” is inspected with a web application firewall (WAF) that includes OWASP Top 10, core rule set (CRS) and advanced ruleset.
The integration of Valtix with AWS Gateway Load Balancer is supported with AWS Transit Gateway (TGW) to provide a centralized hub-n-spoke architecture whereby the Security VPC can be used to secure multiple spoke VPC’s running applications. All outbound and east-west traffic is inspected in the Valtix security VPC by the Valtix Gateways, running in the customer’s AWS account. Customers use the Valtix Controller to deploy the Security VPC, the Transit Gateway, and GWLB with a few clicks or using Terraform.
Other Deployment Models
Over the coming weeks, Valtix will support additional deployment architectures using AWS Gateway Load Balancer. This will enable additional use cases that don’t use Transit Gateway.
- One-click enablement of AWS Gateway Load Balancer with all relevant orchestration and management handled by the Valtix Controller.
- Protect a large number of spoke VPCs attached to the Transit Gateway with no change to their application/spoke VPCs.
- A single fleet of auto scaling Valtix Gateway instances provide inspection for both east-west (between VPCs) and egress to the Internet.
AWS spoke about these solutions saying:
“The integration between AWS Gateway Load Balancer and Valtix cloud security service builds on an existing relationship,” said Dave Ward, General Manager of Elastic Load Balancing, Amazon Web Services, Inc. “The integration between these services helps customers bring additional protection to their workloads without the need for complex management scripts to deploy, scale, and manage virtual firewall appliances.”
Valtix Cloud Security Service simplifies network security for applications deployed in public clouds, empowering security teams to deliver on your digital transformation goals. Valtix uses cloud-style automation that replaces multiple legacy vendor appliances like virtual next-generation firewalls (NGFW) and web application firewalls (WAF). Valtix is used by customers across a wide range of verticals, including financial services, healthcare, SaaS and technology companies to protect their public cloud workloads. Valtix is an Advanced Technology Partner of AWS. To request a free 30-day trial visit AWS Marketplace. For more information about the latest Valtix updates visit: https://www.valtix.com/blog