Valtix for Egress Filtering
SECURE THE BACKDOOR OF APP-TO-SERVICE COMMUNICATION.
Valtix enables egress filtering for AWS, Azure, GCP, and OCI through advanced domain (FQDN) and URL filtering combined with data loss prevention (DLP) to block unauthorized external connectivity and data exfiltration. Through a comprehensive platform that centralizes multi-cloud policy, Valtix FQDN/URL filtering eliminates the need for egress security point solutions.
5 Minutes To Deploy
Quickly connect to each cloud account, discover workloads, and enable security
100% Cloud Coverage
Connects discovery to defense so that every account, app & API is secured
Zero Ops Overhead
Eliminate constant upkeep, challenging upgrades, and the management of appliances
A NEW APPROACH TO APPS REQUIRES ADVANCED EGRESS FILTERING
A tectonic shift has taken place in app architecture. More and more, apps are built with a services-based approach in mind, with microservices communicating over well-defined APIs. Often, these APIs are remote or external. The requirement to reach GitHub and other code repositories adds another layer of backdoor communication to the mix. Historically, security teams didn’t need to cope with these challenges, so they are now often scrambling not to leave egress open, unsecured, and unmonitored. Until they get egress filtering and security solutions in place, they contend with unacceptable risks in the form of:
- Allowing command-and-control (C2) traffic used for malware distribution, cryptocurrency mining, disrupting operations, DDoS attacks, etc.
- Losing visibility into the exfiltration of data out of the virtual private cloud (VPC)
In order to regain the egress control they’d lost and meet compliance requirements (PCI, HIPAA, SOX, etc.), many organizations try to employ Squid Proxy or other point solutions to implement egress filtering. They might even go to the extreme of deploying a hard-to-scale virtual appliance. What they realize is that the cloud is different, and gaining complete visibility and control over egress at scale requires cloud-scale solutions. And getting in the path of traffic is not always possible or practical.
A cloud-native and multi-cloud solution for Egress Filtering didn’t exist.
Here are the egress security challenges we hear from customers.
Sound familiar? Valtix can help with cloud egress filtering.
- The Cloud Service Providers (CSPs) don’t provide egress filtering in a scalable way across 10s-100s of VPCs and accounts belonging to a variety of teams (dev, test, prod/compliance).
- Virtual-appliance NGFWs are very difficult to manage and create a chokepoint that doesn’t scale and adds risk.
- Squid Proxy and other egress point solutions are difficult to implement, fragment security, lack critical features, and introduce blind spots.
EGRESS FILTERING BUILT FOR A MULTICLOUD WORLD
Valtix gives you a visibility and control plane built for the security of cloud workloads, including comprehensive egress filtering and security. Fully Qualified Domain Name (FQDN) or URL-based policy can be easily defined against category-level threat intelligence for malicious or unauthorized domains. Exfiltration of sensitive information can be blocked, or alerted on, based on network-based data loss prevention (DLP).
Valtix provides comprehensive cloud egress filtering and the ability to block attacks that come from the internet, as well as data exfiltration attempts.
Gain Outbound Visibility
Understand outgoing traffic patterns to identify anomalous activity or known malicious connectivity that could indicate compromise
Stop Malicious Connections
Apply proactive policies to prevent unauthorized external connectivity or to filter outgoing traffic by domain or IP reputation
Accelerate Incident Response
Quickly pivot to block known command-and-control (C2) threats such as crypto mining, ransomware, or botnets through egress policy
Egress Filtering on URL and Domain (FQDN)
Having control over outbound destinations from your cloud workloads is a fundamental best practice, but too few organizations actually implement it. When they do, it is usually with so many holes and compromises that it is almost completely ineffective.
Valtix provides egress filtering on both FQDN and URL. These capabilities work in tandem to provide a comprehensive approach to egress security. FQDN filtering alone is inadequate: allowing github.com by domain permits access to every public GitHub repository, some of which are known to contain malware and data loss mechanisms. URL filtering, combined with tags, attribute-based access control, and custom lists for domain categories (80+), makes this highly manageable at scale.
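To make the FQDN-versus-URL point concrete, here is an added Python example (not Valtix code or any vendor's policy engine) that evaluates the same two constructed outbound requests against an FQDN-only allowlist and against a URL-scoped policy; the rule format, the `acme-corp` organization and the sample URLs are assumptions.

```python
# Added example (not Valtix code): FQDN-only vs URL-scoped egress policy.
# Rule format, the "acme-corp" org and the sample URLs are constructed.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    fqdn: str                          # exact host or "*.example.com" wildcard
    path_prefix: Optional[str] = None  # None means an FQDN-only rule

def host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or a wildcard covering the apex and all subdomains."""
    if pattern.startswith("*."):
        apex = pattern[2:]
        return host == apex or host.endswith("." + apex)
    return host == pattern

def evaluate(rules: List[Rule], url: str, default: str = "deny") -> str:
    """First matching rule wins; unmatched destinations get the default action."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for rule in rules:
        if not host_matches(rule.fqdn, host):
            continue
        if rule.path_prefix is not None and not parsed.path.startswith(rule.path_prefix):
            continue
        return rule.action
    return default

# FQDN-only policy: all of github.com is reachable once the domain is allowed.
FQDN_ONLY = [Rule("allow", "github.com")]

# URL-scoped policy: only the organisation's own repositories are allowed; the
# trailing FQDN-only deny catches every other path on the host.
URL_SCOPED = [
    Rule("allow", "github.com", "/acme-corp/"),
    Rule("deny", "github.com"),
]

# Constructed sample egress destinations: the org's repo and an arbitrary public one.
SAMPLES = [
    "https://github.com/acme-corp/app.git",
    "https://github.com/some-other-user/some-repo/archive/main.zip",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "fqdn-only:", evaluate(FQDN_ONLY, url), "url-scoped:", evaluate(URL_SCOPED, url))
```

Under the FQDN-only policy both requests are allowed; under the URL-scoped policy only the organization's own repository passes.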
Category-level Domain Intelligence (Powered by BrightCloud)
Valtix egress filtering uses threat intelligence from Webroot BrightCloud to categorize web sites based on their risk score. This covers fully qualified domain names (FQDNs), sometimes referred to simply as domain names, and URLs. Sites are classified across 84 categories, and the classification is applied when traffic from your public cloud environment makes outbound (egress) connections to them:
- FQDN / Domains – 842+ Million domains
- URL – 37+ Billion URLs
Network-based Data Loss Prevention (DLP)
As companies make the move to the cloud, they are bringing more and more critical applications that include sensitive data. Given one degree of separation from the public internet, it’s essential that these applications are monitored to ensure that sensitive data doesn’t travel to unauthorized destinations.
Valtix egress filtering lets you specify policy rules that detect exfiltration patterns based on common signals or custom indicators and take action when they are found.
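As an added illustration of the two rule types just described (a common signal and a custom indicator), the following Python is example code, not Valtix's DLP engine: it inspects constructed outbound request bodies for Luhn-valid card numbers and for an assumed internal-document marker, and returns a verdict per body.

```python
# Added example (not Valtix code): network DLP checks over outbound request bodies.
# The sample bodies and the custom indicator string are constructed.
import re
from typing import List, Tuple

# A "common signal": card-number-like digit runs, confirmed with the Luhn check so
# that build numbers and other digit strings do not trigger false positives.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# A "custom indicator": a marker the organisation stamps on internal documents.
CUSTOM_INDICATORS = ["ACME-INTERNAL-ONLY"]

def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Digit runs of 13-16 digits (spaces/dashes allowed) that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits

def dlp_verdict(body: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ("block" | "allow", findings) for one outbound body."""
    findings = [("pan", p) for p in find_pans(body)]
    findings += [("custom", ind) for ind in CUSTOM_INDICATORS if ind in body]
    return ("block" if findings else "allow", findings)

# Constructed outbound HTTP bodies as seen on the egress path.
SAMPLE_BODIES = {
    "telemetry": "status=healthy&build=2024050112345",
    "card": "name=test&card=4111 1111 1111 1111",
    "not_a_card": "id=4111111111111112",
    "internal_doc": "note=ACME-INTERNAL-ONLY roadmap attached",
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, dlp_verdict(body))
```
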
Unified Contextual, Dynamic Policy
Over 60% of organizations are multi-cloud today, and the vast majority of those who are not will become multi-cloud within 2 years. Security is a top issue when making the move to multi-cloud. For those who are single cloud, multi-account security can be just as challenging.
With Valtix, teams gain a single policy framework for security, including egress filtering, that works across multiple clouds and multiple accounts. Build contextual security policies tailored by deployment type (dev, test, prod/compliance) and application type.
Egress Filtering – Critical Capabilities to Consider:
| Functions | NAT Gateway | Squid Proxy¹ | Aviatrix FQDN | Valtix Egress |
|---|---|---|---|---|
| Forward/Reverse Proxy (as needed) | | | | |
| Custom Lists for Domain Category | | | | |
| Auto Discovery (App-Tag-based) | | | | |
| Auto Malware Detection | | | | |
| Data Loss Prevention (DLP) | | | | |
| Flow Log Visibility | | | | |
| Multi AZ High Availability | | | | |
| Allowed/Denied Session Logs | | | | |
| Automation and Management | | | | |
| Managed Service (SaaS) | | | | |