Network Transformation with AWS and Valtix for Workload Segmentation and Compliance
By Shiva Vaidyanathan, Sr. Cloud Infrastructure Architect – AWS
By Vaishali Ghiya, Head of Sales and Business Development – AWS Marketplace
By Jigar Shah, VP Products – Valtix
As you look to manage network security on Amazon Web Services (AWS), there are multiple tools you can use to protect your resources and keep data safe.
For example, Amazon Virtual Private Cloud (VPC), security groups, network access control lists (NACLs), AWS WAF, and the AWS Network Firewall all offer layered security of protection for your AWS workloads.
Conventional security products such as next-generation firewall (NGFW) and web application firewall (WAF) appliances provide a lot of data about attacks and vulnerabilities, but they lack workload context such as application tier, application type, and deployment status (dev, test, production, compliance).
Lacking this context increases challenges in incorporating network security at scale in the cloud. Valtix addresses this by providing granular visibility of existing traffic flows and security controls based on the workload context.
As a multi-cloud network security platform, Valtix is an AWS Partner whose service enables teams to meet the most stringent security requirements in a cloud-first and simple way.
Valtix is designed to deliver on four key objectives:
- Comprehensive advanced network security that includes deep packet inspection on encrypted payloads for WAF; intrusion detection and prevention system (IDS/IPS); antivirus and antimalware; FQDN and URL filtering; and data loss prevention (DLP).
- Enabling security teams to operate with speed and agility.
- Continuously adapting security to workload context.
- Operational efficiency of deploying and operating network security at scale without requiring multiple resources with deep expertise across multiple clouds, networking, security, and automation.
In this post, we’ll walk through the transformation of the network security use case leveraging Valtix for segmentation of workloads and to help meet compliance requirements.
We’ll also walk through an example of how to enforce consistent security across tens and hundreds of VPCs spanning multiple regions and AWS accounts.
This enables customers to adhere to compliance and regulatory measures with continuous visibility. It also helps achieve workload segmentation and block attacks from the internet, which prevents data exfiltration and stops lateral movement inside the environment.
Current State and Challenges
From the early days of cloud adoption to now, many AWS customers have scaled their presence using VPCs with a variety of teams involved for deployment. In the majority of cases, they have anywhere from tens to hundreds of VPCs across multiple accounts deployed in multiple AWS regions.
There are overlapping spheres of management, governance, and compliance, and some of the challenges tend to slow down the network and security transformation:
- Bringing an on-premises security mindset to public clouds. This results in designs that have a single point of failure (active-passive deployments in a single AWS Availability Zone, for example) and static network security policies based on IP addresses.
- Building a consistent network security architecture across a large number of VPCs, regions, and accounts.
- Setting up segmentation across application types, tiers, deployment stages, and trust levels.
- Fulfilling compliance requirements in securing a dynamic cloud environment while enabling application teams to meet business objectives.
- It’s an industry best practice to implement a layered defense approach to mitigate against known vulnerabilities and zero-day attacks. The challenge comes from enabling defense at scale and in a dynamic cloud environment.
- Finding skilled resources who have expertise in cloud networking and security is difficult. Organizations often adapt existing tools and practices from on-premises networks and data centers.
In this section, we map the above-mentioned challenges to two use cases: workload segmentation at scale, and compliance.
Workload Segmentation at Scale
This use case covers the need to apply granular segmentation controls, both for access control and for inspection of traffic. These include:
- Policy-based access control: Allow or deny access across the different application tiers or subnets inside a VPC, between VPCs, connections to on-premises networks, and cloud services accessed via AWS PrivateLink.
- Advanced network security: Inline inspection of encrypted and unencrypted traffic for intrusion prevention and anti-malware, to stop advanced threats from exploiting public-facing applications and to stop lateral movement of attacks inside your application environment; that is, protecting both north-south and east-west flows.
- Context-aware policies: Traffic inspection policies that are based on workload context can automatically adapt to a continuously changing environment, rather than requiring constant policy changes. Segmentation should be based on the workload context and not static, pre-defined IP addresses.
- Operate at scale: Access controls, advanced network security inspection, and context-aware policies must operate across a large scale of VPCs, regions, and AWS accounts.
Compliance
The goal of compliance is that each compliant system meets minimum levels of security to protect sensitive applications and data.
Compliance standards and regulations require implementation of a set of policies and prescriptive controls. Meeting compliance requirements brings additional challenges, such as resources dedicated to compliance projects, expertise to adapt compliance requirements for public clouds, and collection of documentary evidence.
Commonly required compliance standards include PCI-DSS for applications that involve credit card payments, HIPAA and HITRUST for healthcare, security control requirements of SOX for publicly traded companies, SOC2 for service providers, and ISO 27001 for an organization’s internal controls.
How Does Valtix Operate?
Valtix Controller is a Valtix-operated service running on AWS that provides a centralized management interface for network security across your AWS accounts. It manages account onboarding, cloud asset discovery, network orchestration, deployment and management of Valtix Gateways, policy management, alerting, and logging.
A Valtix Gateway is an auto scaling cluster of Amazon Elastic Compute Cloud (Amazon EC2) instances that provide advanced network security for encrypted and unencrypted traffic flows. A Valtix Gateway consists of two or more instances deployed across two or more Availability Zones (AZs) for scalability and high availability.
Figure 1 – Valtix deployment on AWS.
A Valtix Gateway instance uses a single-pass pipeline to provide higher performance inspection. The pipeline consists of multiple stages (decryption, WAF, IDS/IPS, antivirus, DLP) that perform inspection based on customer-specified policies.
There’s no need to manage individual firewall instances with custom scripts and templates, as customers can use the Valtix Controller to deploy and manage a Valtix Gateway as a service.
Target State of Transformed Network with Valtix on AWS
The transformed state shows the network security architecture once Valtix is deployed in your AWS environment. Many target architectures are possible depending on your requirements.
The diagram below shows two different AWS regions serving as regional network hubs for their respective geographical area connected via AWS Transit Gateway. This architecture allows you to minimize latency to applications hosted on AWS, and improve user experience.
Figure 2 – Security use case of Network Transformation with Valtix.
This figure shows a subset of traffic flows to give you an overview of how this target state interconnects various networks with Valtix:
- Access to a workload from the internet through the Ingress Valtix Gateway.
- Access from a workload to the internet through the Egress and East-West Valtix Gateway.
- Access between workloads through the Egress and East-West Valtix Gateway.
Note that the Egress and East-West Valtix Gateway is a single gateway that can inspect traffic going outbound to the internet and east-west traffic inside the cloud environment.
Consistent and Scalable Network Security Architecture
There are two primary architecture options: distributed, or hub-and-spoke. In the distributed architecture, each VPC is secured by Valtix Gateways deployed by the Valtix Controller to protect all traffic going in and out of the VPC, and between subnets. This model is preferred in a high security environment.
In the hub-and-spoke architecture, Valtix Controller will deploy a security VPC and AWS Transit Gateway to connect multiple spoke VPCs. All traffic going in and out of the VPCs from the internet and between VPCs is inspected by the security VPC serving as the hub. This model is preferred for protecting multiple application VPCs and can be replicated on a per-region basis.
Layered Security Approach (Defense in Depth)
Defense in depth allows attacks to be detected or prevented by enabling controls at different layers: security profiles that detect threats at the web application, domain, and IP layers.
This comprehensive approach disrupts the cyber kill chain even when a single security control fails or is inadequate. Valtix supports a layered set of granular profiles for inspection of encrypted and unencrypted traffic: WAF, IDS/IPS, antivirus and anti-malware, geographic and malicious IP lists, FQDN and URL filtering, and DLP.
Valtix combines east-west segmentation controls with appropriate perimeter inspection for ingress and egress (north-south) traffic flows. For example, when a zero-day vulnerability is disclosed or attackers deploy a new ransomware toolkit, it may take days or weeks before a patch is available and can be deployed.
During that window, an allow list of permitted domains and URLs is a practical and scalable way to prevent exfiltration and stop command-and-control (C2) connections.
Meeting compliance requirements is often tedious due to the comprehensive scope of their coverage and need to provide documented evidence for implementation. Third-party services used must also meet specific compliance criteria.
As a service, Valtix is SOC2 Type2 compliant and has been validated for PCI Data Security Standard DSS version 3.2.1.
PCI-DSS compliance requirement 1.2.1 states: “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.” To meet this requirement, enterprises traditionally used allow/deny lists of IP addresses, which were difficult to manage. Valtix lets customers create specific policies to restrict outbound destinations using FQDN and URL filtering.
For compliance and production environments, it’s recommended to use URL filtering which uses deep packet inspection on encrypted payloads to limit the destination to the exact URL paths.
Workload Segmentation Using Tag-Based Dynamic Security Policies
The data center concept of a few security zones does not match the cloud requirements of connecting to a variety of cloud services and multiple cross-account VPCs at scale.
Segmentation and inspection in traditional firewalls have been done with static policies, based on IP addresses or security zones such as trust, untrust, and demilitarized zone (DMZ). This approach also doesn’t scale in public clouds, as IP addresses are ephemeral and change as new workloads are created and destroyed dynamically.
Valtix improves on this by using the workload context (that is, the tags associated with your AWS environment). Using Valtix’s continuous cloud asset discovery, customers can create policies based on user-defined tags on their instances and VPCs, such as dev, test, prod, compliance, pci-app1, hr, erp, and crm.
As instances, load balancers, or VPCs are created, the policies apply automatically. As soon as a new workload is created or its tag is updated, Valtix detects this in near real-time and applies the appropriate security policy. This capability also aligns with AWS customers already using tags for proper cost allocation of their cloud resources.
The table below provides a few examples of policies for workload segmentation and compliance use cases where the workload tags are shown in quotes. Traffic from any workload that’s not in the policies gets blocked.
The policies can be global, across all of your VPCs and AWS accounts or can be specific to individual VPCs and accounts.
|Valtix policy|Source|Destination|Rule|Inspection rules|
|---|---|---|---|---|
| | | |Allow + Log|Forward proxy with TLS decryption, URL filtering, DLP (no credit cards)|
|East-West Segmentation for Prod|“prod”| |Allow + Log|Forward proxy with TLS decryption, IDS/IPS, antivirus, DLP (max 1 SSN per session)|
|East-West Segmentation for Dev|“dev”|“shared services VPC” (AD servers, fileshare), common-s3-buckets|Allow + Log|Forward proxy with TLS decryption, IDS/IPS, antivirus, DLP|
|East-West ERP-App1|“ERP-App1”|“CRM-system”|Allow + Log|Forward proxy with TLS decryption, IDS/IPS, antivirus, DLP|
|Block Malware Bots and C2|Any|Malicious FQDN categories, malicious IP list|Deny + Log|Forwarding, FQDN filtering|
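To make the tag-based model concrete for both the PCI-DSS 1.2.1 egress requirement discussed earlier and the segmentation table above, here is an added illustration that is not Valtix code and does not use Valtix’s policy format: a minimal evaluator that resolves a flow by workload tags (east-west) or destination FQDN (egress), blocks anything no rule covers, and re-resolves after a tag change. The inventory, tag names, rule names other than those in the table, and FQDNs are all constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
# Constructed inventory: workload name -> user-defined tags, as asset discovery would return it.
WORKLOADS = {
    "web-1":    {"env": "prod", "app": "pci-app1"},
    "db-1":     {"env": "prod", "app": "pci-app1"},
    "erp-app1": {"env": "prod", "app": "ERP-App1"},
    "crm-1":    {"env": "prod", "app": "CRM-system"},
    "dev-box":  {"env": "dev"},
    "ad-1":     {"env": "shared", "vpc": "shared-services"},
}

@dataclass
class Rule:
    name: str
    src: dict      # tags the source must carry ({} = any source)
    dst: object    # tag dict for east-west flows, or list of FQDN globs for egress
    action: str    # "allow" or "deny"

# Constructed policy set modelled on the table above. First match wins, so the deny
# rule is listed first; a flow that matches no rule is blocked (default deny).
RULES = [
    Rule("Block Malware Bots and C2", {}, ["*.bad-example.test"], "deny"),
    Rule("PCI egress allow list", {"app": "pci-app1"},
         ["api.payments.example", "*.amazonaws.com"], "allow"),
    Rule("East-West ERP-App1", {"app": "ERP-App1"}, {"app": "CRM-system"}, "allow"),
    Rule("East-West Segmentation for Prod", {"env": "prod"}, {"env": "prod"}, "allow"),
    Rule("East-West Segmentation for Dev", {"env": "dev"}, {"vpc": "shared-services"}, "allow"),
]

def tags_match(required, tags):
    return all(tags.get(k) == v for k, v in required.items())

def decide(src_name, dst, inventory=WORKLOADS, rules=RULES):
    """Resolve one flow; dst is a workload name (east-west) or an FQDN (egress).
    Returns (action, rule name). No IP address is consulted anywhere."""
    src_tags = inventory[src_name]
    dst_tags = inventory.get(dst)            # None means dst is an FQDN
    for r in rules:
        if not tags_match(r.src, src_tags):
            continue
        if isinstance(r.dst, dict):          # east-west: match destination tags
            hit = dst_tags is not None and tags_match(r.dst, dst_tags)
        else:                                # egress: match the FQDN allow/deny globs
            hit = dst_tags is None and any(fnmatchcase(dst.lower(), g) for g in r.dst)
        if hit:
            return r.action, r.name
    return "deny", "default deny"

def retag(inventory, name, **tags):
    """Copy the inventory with one workload's tags changed; policies re-resolve with no rule edits."""
    new = {n: dict(t) for n, t in inventory.items()}
    new[name].update(tags)
    return new
```

Retagging dev-box from dev to prod changes what it may reach without touching a single rule, which is the property that makes tag-based policies survive instance churn.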
Network Security as Code – Automation Workflow
Application and DevOps teams now provision their AWS deployments with infrastructure as code (IaC). Using Valtix, customers can automate network security as part of this workflow.
First, tag-based security policies can be created for dev, test, prod, or compliance workloads, and for specific applications such as HR, CRM, or ERP. These can be done from the Valtix Controller portal or the Terraform provider for Valtix. The hub-and-spoke architecture with a security hub VPC containing auto scaling Valtix Gateways can also be created using the Terraform provider.
As workloads are created through IaC or auto scaling with the correct tags, context-aware security policies are enforced automatically by Valtix. This enables teams to meet operational efficiency and compliance requirements with advanced network security.
Valtix for Workload Segmentation and Compliance
Valtix is implemented in three steps:
- Discover: Onboard your cloud accounts to enable continuous cloud asset discovery and get visibility into existing flows from Route 53 DNS queries and VPC flow logs. A cross-account AWS Identity and Access Management (IAM) role is required to enable this step. Valtix correlates cloud asset information, VPC flow logs, and threat intelligence to help you identify which instances and VPCs show indicators of compromise (IoCs).
- Deploy: Using a cross-account IAM role, Valtix Controller allows customers to deploy a security VPC with Valtix Gateways that serves as a hub protecting spoke VPCs containing applications. As new VPCs are created, you can select unprotected spoke VPCs with a couple of clicks to attach them to an existing security hub.
- Defend: Define security policies based on context-specific inspection requirements, including reverse proxy with TLS decryption for internet-facing web applications, forward proxy with TLS decryption for egress and east-west (inter-VPC or inter-subnet using more specific routing) traffic, or forwarding for unencrypted traffic. The policies are dynamic policies using the context-specific tags of your cloud assets across all of your AWS accounts. These are updated based on the continuous cloud asset discovery process.
A detailed implementation guide is available in the Valtix documentation.
Voice of the Customer
PayByPhone is one of the fastest-growing mobile payment companies in the world, processing more than 135 million transactions totaling more than $550 million USD in payments annually.
Through the company’s mobile web, smartphone, and smartwatch applications, PayByPhone, owned by Volkswagen Financial Services AG, helps millions of consumers easily and securely pay for parking without the hassles of waiting in line, having to carry change, or risking costly fines.
“Immediately, we saw the promise of a cloud-first approach to network security, but what impressed us above all else was Valtix’s ability to provide customer support as well as their attention to working with us to fully satisfy our PCI requirements,” says Kevin Neufield, Sr. Cloud Developer at PayByPhone.
We have seen an increase in customers adopting Valtix and network transformation on AWS to implement network security use cases.
In this post, we showed how to transform your network by leveraging Valtix, and outlined the benefits Valtix brings to your business for network security use cases for workload segmentation and compliance.
To get started with your network security use case, AWS and Valtix will jointly support the architecture and design, total cost of ownership (TCO) calculation, integration with your existing network, and Valtix deployment. Network transformation on AWS is included in the AWS Migration Acceleration Program (MAP).
If you need any further assistance, you can work with AWS ProServe or Valtix Professional Services.