Cloud Adoption for the Canadian Public Sector: Accelerate cloud migration and apply advanced network security

Valtix FAQ

1. What is Edge, Hub, Ingress, Egress?

Ingress:​ You have an application running in the VPC. The traffic enters the VPC from outside (Internet) into the VPC. You will deploy an ​Ingress ​gateway to protect the application from external users.

Egress:​ There are clients/ec2-instances/apps that need to communicate with the external world (Internet). You want to protect/control these clients from sending traffic to the internet. You may want to restrict these to communicate only with certain websites like payment gateways, or only to a few source code repositories. You will deploy an Egress​ gateway to control the outgoing traffic.

Edge: ​The gateways (egress and ingress) can be deployed in edge or hub mode. In the edge mode, the gateway is deployed in the same VPC as the application runs. If you have 5 VPCs running applications, then you would deploy 5 gateways. This is best suited if you have a small number of VPCs.

Hub: ​Valtix creates a new VPC (called service VPC) and deploys the gateways inside this Service VPC. All the VPCs that are running the applications and the service VPC that runs the gateways are connected via AWS Transit Gateway. Valtix takes care of the orchestration of the Transit Gateway, VPC attachments and manages the routing automatically. The customer has to edit the VPC route tables to make the default gateway point to the Transit Gateway.

Valtix requires that you deploy different gateways for Ingress and Egress use cases. A single gateway ​cannot​ be used to protect ingress and egress traffic.

2. What is Forward Proxy and Reverse Proxy?

Forward Proxy rules and services are used by Egress gateways. The gateways act as proxy servers in both ingress and egress modes. In the Ingress case users access the proxy endpoint provided by the Valtix Gateway. In the egress scenario, the proxy is transparent. The clients inside the VPC access external sites (internet) and with the magic of routing by Valtix, the traffic is routed through the gateways. Gateways respond to the clients. You will be asked to provide a root certificate that the gateway uses to sign the external sites’ certificates. The clients need to have this root certificate installed as a trusted source.

Reverse Proxy rules and services are used by Ingress Gateways. The service definition defines the port number the proxy listens on and the target application/host to forward the traffic.

3. What is URL filtering?

URL filtering is used in Egress gateways only. A URL profile is a list of URLs and an action for each of the URLs. You create a URL profile and associate that with a policy rule. When the traffic matches a rule that has a URL profile, URL filtering processing starts. The list is traversed in order and the action of the first item in the list that matches the traffic’s URL is performed. The default policy if none of the URLs match is to allow the URL. There is an implicit (Default ALLOW) in the profile. The URLs can be provided as a string or a regular expression. You would not normally need an ALLOW rule, unless there is a regex match for a DENY in the list. For e.g if you want to allow https://website.com/news and DENY everything else from the same website, you can can define 2 items in the profile:

  1. https://www.website.com/news ALLOW
  2. https://www.website.com/.* DENY

When the URL is dropped, an event is logged in the URL Filtering events in the Investigate page of the Valtix Dashboard.

4. Can I use regular expressions in URL filtering?

Yes

5. If the default action in URL filtering is to allow, why do we need ALLOW action?

The default action in URL filtering if there is no match is to ALLOW. Specific action to ALLOW is useful if there is a very generic DENY further down in the list. To make a default action is DENY you can add a rule.

.* DENY 502

This causes all the URLs to be dropped. Now to open a specific URL to be allowed you can add a rule above this to have an allow. For example, if you want all the traffic to google.com to be allowed and rest all denied:

https://www.google.com ALLOW .* DENY 500

This can also be used to restrict the broader pages on a website but to allow a specific page to be ALLOWED.

https://www.website.com/news ALLOW https://www.website.com/.* DENY

6. What should a URL look like in the URL profile?

The URL in the URL list should be a complete string including http or https. You can use regular expressions like .* (dot star) to define a generic scheme, like .google.com.. This matches http or https and any prefix before google.com and any suffix after google.com.

7. What is L7 DOS?

L7 DOS is used in Ingress gateways only. When the gateway acts as an ingress proxy targeting a backend application, you can enforce rate limits for the URLs. The limits can be set at a URL level for each of the HTTP actions (GET, POST etc). The rate limit is at a firewall instance level and not at the whole gateway cluster level. So if the rate limit is set 1000 reqs/sec and the gateway has 3 firewall instances, your application would receive 3000 reqs/sec.

8. How do I create a HUB mode Gateway and protect my VPCs?

HUB mode gateway helps in a centralized security management of your cloud environment. If you have multiple VPCs (lets call them spoke VPCs) running the applications, HUB mode is the preferred method of protecting all the VPCs. The security management is in a single place. The services VPC that hosts the gateways is managed by the Valtix controller. But all the VPCs must have non-overlapping CIDRs so that they can be attached to the Transit Gateway. During the Gateway creation choose either Ingress or Egress (the process is same) and select the Hub mode option. Select if you want to use a Transit Gateway that you already have or choose to create a new Transit Gateway. Select a service vpc if you have already created one or choose to create a new one. While creating a new service vpc, provide a CIDR that does not overlap with any of the spoke VPCs that you plan to protect. Continue the gateway creation process. You don’t have to provide any other subnet, security groups etc. Those are all managed by Valtix. Provide the key pair and the firewall role that was created as part of onboarding.

Once the gateway is created, edit the gateway to add the spoke vpcs that you want to protect. In the Edit gateway option, scroll down to the ‘Protect VPCs’ and select all the VPCs that you want to protect. Valtix creates Transit Gateway attachments to all the selected VPCs. It randomly picks a subnet from the VPCs to do the attachment. Once the VPCs are attached, change the route table that’s attached to the app subnets and add/set the default route to the transit gateway. For Ingress Hub mode gateway, you can be specific and set the route to the service vpc CIDR instead of the default route. For Egress gateway default route is the preferred option, but for SSH/management tasks you can set specific routes for those to go via Internet Gateway and everything else via the transit gateway.

9. How do I add my AWS account to the Valtix Controller?

Valtix Controller needs access to your AWS account in order to create gateway, access to the inventory and other tasks on the account. One way to do this is to give the controller your access key and secret. But this is not recommended. So the option is to create a cross account IAM role with the Valtix account getting access to your account. A CF Template (Cloud Formation) is provided by Valtix that creates the role. You will be provided with the Valtix account number as part of the onboarding process. The IAM role gives permissions to this account. Look at the documentation for the permissions assigned to this role.

10. What is a gateway and firewall?

The terms gateway and firewall are used interchangeably throughout the product and the documentation. A Gateway is a cluster of firewall instances that are managed as a single entity. A Network Load Balancer (NLB) is created as part of the gateway deployment that has all the firewall VM instances as the targets of this load balancer. A user never manages instances and gateway independently. It’s all managed by the controller. The NLB makes sure that the session traffic reaches the same firewall instance. Firewall instance is the security enforcer.

11. Does Valtix Firewall support HA, scaling?

Valtix Security platform is born in the cloud. So HA and scaling is built into the system right from day 1. This is not an afterthought idea. During the gateway creation you are given the option to create firewall instances in multiple zones. Just like you run your applications in multiple zones (AZs), you run the firewall instances in multiple zones. It’s recommended by Valtix to run firewall instances in at least 2 zones. You also get to choose how many instances of firewall you would like to run. You can choose minimum and maximum instances. Look at the next question for more details in auto-scaling.

12. What is auto-scaling or how does Valtix scale with traffic?

During the gateway creation you are given an option to choose the number of firewall instances to run. The minimum number is always 1. The maximum number can be upto 10. This is per zone. So if you start with a minimum of 2 and you have 2 zones, then 4 instances in total would be running in your account. Controller keeps track of the usage of the firewall instances and once the firewall gets busier, it automatically creates new instances until it reaches the maximum number. Once the traffic slows down, the instances are automatically deleted. So you are creating resources on demand and pay only when they are used/required. If there is no usage for the instances, they are deleted and you are not charged.

13. How do I prepare my AWS environment to get started with Valtix?

Valtix security service works in Hub mode or Edge mode. Hub mode is used when you have multiple VPCs that you want to protect. AWS Transit Gateway is used to attach all the VPCs. For this mode, you need to provide a non-overlapping CIDR so Valtix can create a new services-VPC and deploy all the firewalls here. The Service-VPC is completely managed by the Valtix controller.

In Edge mode deployment, the gateway is installed in the same VPC as your app. For this deployment, Valtix needs 2 public subnets (management and datapath) and 2 security-groups (management and datapath). Both the security groups need rules to allow outbound traffic. datapath security-group can allow all the traffic or you can enable specific ports that you configure in services on Valtix Controller.

For both the modes of deployment, Valtix needs a few IAM roles: cross account IAM role for controller to access your AWS account, IAM role assigned to gateway instances to access KMS, secrets manager and S3 to write pcap files.

Valtix provides a cloud formation template that helps in creating the IAM roles and has details about the permissions. You can also look at the documentation for this info.

14. How do I prepare my Azure environment to get started with Valtix?

Valtix security service works in Hub mode or Edge mode. Hub mode is used when you have multiple VNets that you want to protect. Azure UDRs are used for this purpose.

In Edge mode deployment, the gateway is installed in the same VNet as your app. For this deployment, Valtix needs 2 public subnets (management and datapath) and 2 network security-groups (management and datapath). Both the security groups need rules to allow outbound traffic. datapath security-group can allow all the traffic or you can enable specific ports that you configure in services on Valtix Controller.

For both the modes of deployment, Valtix needs an Azure Active Directory Id (tenant id), subscription id, an application in AD with a client key and secret, a custom role assigned to the application that has permissions to create resources, access vault etc.

Please look at the documentation for more info.

15. What is Sessionid in flow logs?

Valtix firewalls act as a proxy for both ingress and egress. In the ingress scenario, an external user from the internet accesses the gateway endpoint and the gateway initiates a new session to the backend (target). These are 2 different traffic flows. Sessionid correlates these 2 flows and ties them together for display in the flow logs.

16. How do I provide the certificate for my proxied applications?

A TLS Decryption Profile needs to defined where there is an option to generate a self-signed certificate or import contents of an already generated certificate.

TLS Decryption Profile can be tied up as listener decryption profile for reverse proxy for applications proxied for in the backend.

TLS Decryption Profile can be tied up as rootCA decryption profile for forward proxy where the rootCA certificate and private key have been installed on the client which is going out to the internet via the forward proxy.

17. How do I protect my private keys not giving to Valtix Controller?

In the definition of the TLS decryption profile there are multiple ways to import the private key.

(a) Import the contents in clear

(b) AWS KMS encrypted private key

(c) AWS Secrets Manager secret name

(d) Credstash key name from the given credential store

(e) Azure key name from the given key vault

(b), (c), (d), (e) are the recommended choices if the customer doesn’t want to leave private keys with Valtix Controller.

18. What are all the different protocol options I see in the Reverse Proxy Service?

Proxy Type Decryption Profile Frontend Protocol Backend Protocol
TCP-TCP No TCP TCP
TLS-TLS Yes TCP TCP
HTTP-HTTP No TCP HTTP
HTTPS-HTTPS Yes TCP HTTPS
HTTPS-HTTP Yes TCP HTTP

19. How should I configure Reverse proxy for an SSH application?

Use proxy type TCP-TCP in #18.

20. What’s the difference between HTTPS and TLS in the Reverse Proxy Target?

In the TLS proxy, the TCP payload received from the client or server is preserved byte for byte during decryption followed by re-encryption. There are applications like RDP which depend on NTLM where this preservation of TCP payload bytes is mandatory.

In the HTTPS proxy, proxy terminates the HTTP connection and moves the HTTP payload from one leg of the proxy to the other leg with additional proxy headers attached to the HTTP PDU. HTTPS proxy lets you send responses at HTTP level for deep packet security related actions. It also lets specification of rate limiters at URL level.

21. How do I apply the same policy rules to multiple gateways?

Policy Rules are always defined in the context of a Policy Rule Set. A Policy Rule Set defines a set of rules. This Policy Rule Set can be associated with multiple gateways. A gateway can only have one Policy Rule Set.

22. My target application IPs are different in each region/can change, how can I configure my backend target in the service?

Define a user-defined-tag which is associated with the instances where the application is running. Use this tag to define a backend address object. Associate this backend address object as the target of a service. Controller automatically maintains the membership of the set of IPs of the instances with that tag. Membership changes are also automatically handled by the controller when the instances with that user-defined-tag come up and go down or the IP address on the instance with that user-defined-tag changes.

23. What is SNI in the service object?

SNI stands for Server Name Indication. There is a TLS client hello extension called server_name​ ​which contains the FQDN of the server. This can be then be used in the definition of the service object to route the traffic to the appropriate backend using this. The set of SNIs defined in the service object can also be used to allow access from the clients to only those services.

Examples of SNIs in the definition of service object : service1.enterprise.com

This makes sense only for reverse proxy where the backend services and the associated FQDNs are well-defined.

24 My backend/target hosts multiple websites. I want them proxied on the same port by the Valtix Gateway. How can I achieve this?

Define a service object per website with the same listener port and SNI = website FQDN.

25. I have multiple web backends/targets that need to be proxied by the Gateway. How do I configure this?

Define a service object per web backend with the same listener port and
  SNI = web backend FQDN and
  target = backend FDQNs or ALB FQDN frontending the web backends

26. What’s the relation between decryption profile and certificate?

Decryption profile is one-one with a certificate. This decryption profile can be associated with service objects which in turn are used as part of the Policy Rules. This level of indirection helps in easier certificate management to renew expired certificates or to rotate certificates on a periodic basis , where in you update the decryption profile without having to update all the Policy Rules/Services dependent on this certificate.

27. I need different IPS protection rules for each of my backends. How do I do this?

Every gateway can have only 1 IPS profile. Even though this is configured at the rule level, it is per gateway. So it is not possible to have multiple IPS profiles using the same gateway. You need to create multiple gateways

28. Where are the IPS rules and how often do you update? Are the updates automatically pushed to the gateway?

Cisco Talos Rules are periodically polled at bi-weekly intervals and even shorter time periods based on critical rule update notifications. These updates are automatically made available in the controller to customers who then have the option of picking and choosing the right ruleset version to push.

29. IPS Profile has many configuration options. Can you elaborate?

IPS Profile lets the user choose the set of rules from the ruleset based on the snort policy, category or class-type.

In addition there is a knob to enable threat based PCAP.

You can enable rule suppression for false positives based on trusted source CIDRs.

There is also the ability to enable rule level event filters for chatty rules or a global profile level event filter across all rules.

30. I want to get PCAP (packet captures) files of every attack, is it possible?

Yes. Enable threat based PCAP checkbox in the Network Intrusion Profile or Web Protection Profile.

31. I have my own log analysis infra. Can I forward the logs to it?

Yes you can.

Today you send the firewall events via controller to Splunk or directly from the firewall to syslog server.

32. I configured a reverse proxy to a backend application. Now what else do I need to do?

(a) Change DNS record to point to the Valtix gateway’s FDQN

(b) Change existing application load balancer to private to avoid direct public access

33. What’s the DNS profile and records and why would I use it?

Web based applications in AWS are typically referred to by an internal FQDN dynamically generated when creating a load balancer. In order for Valtix to be in the ingress path of that application for inspection, we would advise customers to update the DNS record of that application to refer to the Valtix gateway.

For example, a DNS record for app.xyz.com points to the CNAME of the internal application load balancer. With Valtix gateway to be in the ingress path of this application, we would update the DNS record to point to a CNAME of the Valtix gateway endpoint. Valtix DNS profile allows one to specify the route53 domain name associated with the application where you can configure this application’s record and select the appropriate ingress Valtix gateway from the list of gateways.