In a previous article, I introduced Zenarmor SWG as part of a Secure Access Service Edge (SASE) architecture and we briefly discussed how Zenarmor SWG can be used to filter and control the traffic originating from cloud assets destined for the internet. In this article, we are going to drill down into this topic, and explore why Zenarmor SWG should be the first product to come to mind, when looking for a rapid-to-deploy, low-cost, cloud egress traffic filtering and control solution, with the ability to control all Zenarmor SWG deployments from a centralized control panel.
Why do we need egress traffic filtering and control for cloud-based assets?
Simply put, cloud assets with unrestricted internet access can potentially put your environment at risk of being attacked by opening the environment to:
- Easily enabling threat actors, that potentially gain a foothold on one of your cloud assets, to establish reverse shells or to call home to their remote command-and-control infrastructure.
- Potentially enabling the exfiltration of precious and confidential company data.
- Not being able to satisfy organizational and regulatory compliance requirements such as PCI-DSS, HIPAA, and SOC2.
- Potentially allowing unknown or unapproved cloud applications running on the cloud assets to reach the internet; this is known as shadow IT and is undesirable in most cases.
- Not having proper visibility of egress network connections or the ability to easily monitor and log cloud egress traffic.
To add further complications to this scenario, most cloud service providers, out of the box, don’t offer a comprehensive or granular means to manage and control traffic leaving the VPC or VNET via their internet gateways. Usually, these gateways filter on an IP address basis only and are not aware of FQDNs. If you have multiple VPCs or VNETs across your environment, or even a multi-cloud deployment, these filter policies will need to be replicated across all of these environments. This could open security gaps in your infrastructure through human error or negligence and, in general, could become a management nightmare for security and operations teams.
How can Zenarmor SWG combined with the Zenconsole dashboard secure your cloud environment by filtering and controlling cloud egress traffic?
The Zenarmor Secure Web Gateway (SWG) was specifically designed to provide an almost instant means to deploy and provide security against zero-day web-based threats, filter web content, and block ransomware, social engineering threats, and malware, wherever you may need it.
Through Sunny Valley Networks’ agile software-driven approach to cybersecurity, Zenarmor can easily be installed on most of the popular Unix-based operating systems, including Amazon Linux, with a simple curl command. All Zenarmor SWG instances are managed through Zenconsole, a single-pane-of-glass dashboard, allowing for easy centralized policy management and synchronization between all your deployments. Reporting and seamless integration with SIEMs and Active Directory come standard with the business plan. Speaking of subscription plans, there is one for everyone, ranging from Free to Business, and there are no complex licenses or activations.
Let’s consider the below multi-cloud network architecture, and see how Zenarmor SWG can be used to secure this environment:
The architecture consists of three different cloud service providers, Azure, AWS, and DigitalOcean. Each VPC/VNET has Zenarmor SWG at the edge filtering cloud egress traffic originating from each respective network. Because Zenarmor has zero dependencies on vendor-specific hardware and is totally software-based, I have decided to show its versatility by installing an instance on Ubuntu Server, Amazon Linux, and lastly on FreeBSD.
All the Zenarmor SWG instances are managed through the Zenconsole dashboard which is free to use regardless of which subscription plan you are on. Zenconsole makes policy management across all Zenarmor instances easy.
Figure 1: Zenconsole dashboard – Home default view
You have the choice of creating unique policies on an instance-by-instance basis or you can deploy centralized policies that synchronize to all Zenarmor SWG instances in your network, a blanket type policy essentially. Zenconsole also gives you the ability to clone policies and export/import them for reuse with other secure web gateways in your network. Another great feature is the ability to create restore points for your policies, allowing you to easily revert to a previous version of the policy if you run into any issues. All policies are synchronized in real-time.
Figure 2: Policy configuration view
In this multi-cloud architecture, I have chosen to assign a unique egress policy to each Zenarmor SWG instance, because each network has its own filtering requirements based on the APIs and update servers that require access. Everything that is not explicitly allowed is blocked by Zenarmor.
Now that you have a better understanding of the above network architecture, let’s readdress the security issues I described at the beginning of the article, and how we can mitigate these issues by deploying Zenarmor SWG into our network.
- By making use of the security and app controls built into Zenarmor, we can disable the threat actors’ ability to communicate with their command-and-control infrastructure by denying remote access like secure shell or telnet.
Figure 3: Egress Policy view – App Controls – blocking remote access services
- The threat of data exfiltration can be minimized by denying access to popular file transfer applications and services using similar app controls targeting those categories.
- Organizational and regulatory compliance can now be satisfied by safeguarding your cloud assets using Zenarmor SWG.
- We now have ultimate control over shadow IT: by once again using the built-in app controls in Zenarmor, we can block any unauthorized application traffic from leaving our network, rendering those applications useless.
Figure 4: Egress Policy view – App Controls – Categories View
- While Zenarmor has a very comprehensive list of built-in app and web control categories, there may come a time when you need to create your own exclusions or inclusions in your policy. For this, Zenarmor allows you to create black and white lists, where you can filter by an FQDN or IP address.
Figure 5: Egress Policy view – Exclusions – White/Black List
- Finally, not having proper visibility of your network traffic is now a thing of the past. With Zenarmor, you have the ability to view all live network sessions traversing the network. There are also comprehensive reporting features included, giving you app breakdowns, threat detections, and top blocked connections, to name a few.
Figure 6: Live sessions view – active traffic traversing the network
Figure 7: Reporting view – Blocked Traffic over time
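To make the egress policy model described above concrete (default deny, an explicit allow list of update servers and APIs, app-category blocks for remote access and file transfer, and a black list that wins over everything), here is an added illustrative evaluator. It is not Zenarmor's own configuration format or code; the category-to-port mapping, policy names, FQDNs and IP addresses are all constructed placeholders.

```python
"""Illustrative default-deny egress policy evaluator (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field
import ipaddress

# Constructed app-control categories, matched on destination port for illustration.
CATEGORY_PORTS = {
    "remote-access": {22: "ssh", 23: "telnet", 3389: "rdp"},
    "file-transfer": {21: "ftp", 69: "tftp", 873: "rsync"},
}

@dataclass
class EgressPolicy:
    name: str
    allow: set[str] = field(default_factory=set)      # FQDNs or IP/CIDR explicitly allowed out
    block_categories: set[str] = field(default_factory=set)
    blacklist: set[str] = field(default_factory=set)  # FQDNs or IP/CIDR always denied

def matches(entry: str, fqdn: str | None, ip: str) -> bool:
    """True if the entry names this destination: exact or parent FQDN, or IP/CIDR membership."""
    if fqdn and (fqdn == entry or fqdn.endswith("." + entry)):
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:  # entry is an FQDN, not an address, so no IP match
        return False

def evaluate(policy: EgressPolicy, fqdn: str | None, ip: str, port: int) -> tuple[str, str]:
    """Return (verdict, reason) for one egress connection; anything not allowed is denied."""
    if any(matches(e, fqdn, ip) for e in policy.blacklist):
        return "deny", "blacklisted"
    for cat in policy.block_categories:
        if port in CATEGORY_PORTS.get(cat, {}):
            return "deny", f"app-control:{cat}:{CATEGORY_PORTS[cat][port]}"
    if any(matches(e, fqdn, ip) for e in policy.allow):
        return "allow", "explicitly allowed"
    return "deny", "default deny"

# Constructed per-instance policy for the AWS VPC in the article (placeholder names/addresses).
AWS_POLICY = EgressPolicy(
    name="aws-vpc",
    allow={"updates.example.com", "api.example.net"},
    block_categories={"remote-access", "file-transfer"},
    blacklist={"198.51.100.7"},
)

if __name__ == "__main__":
    for dst in [("updates.example.com", "203.0.113.5", 443), ("updates.example.com", "203.0.113.5", 22),
                ("unknown.example.org", "203.0.113.5", 443), (None, "198.51.100.7", 443)]:
        print(dst, evaluate(AWS_POLICY, *dst))
```

Note that an unknown FQDN resolving to the same address as an allowed one is still denied, which is the FQDN-awareness an IP-only gateway cannot express.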
With many enterprises relying on the cloud to remain competitive, threat actors are increasingly ready to take advantage of security gaps in this modern business landscape. Sunny Valley Networks offers a zero CAPEX subscription model, with no upfront capital expenses or exorbitant hardware or annual maintenance contracts. Simply get up and running in minutes by deploying Zenarmor on the UNIX platform of your choice, and benefit immediately from the cybersecurity on offer.
Can you really afford to not secure your cloud workloads using Zenarmor SWG? Try Zenarmor SWG for free for 15 days, with full access to the business plan, sign up today!