Identity-Based Microsegmentation Guide
LAST UPDATED: October 8, 2021

Securing host communications

About securing host traffic

When you deploy the enforcer as a Linux or Windows service, Microsegmentation creates a processing unit that represents the host, allowing you to control and monitor all host communications.

We deploy enforcers in discovery mode, a very permissive initial configuration. This allows the host to function as it was before you deployed the enforcer, with no impact to its accustomed communications or applications.

We recommend allowing your host to run in discovery mode for some time, perhaps a week. During this interval, Microsegmentation collects the URLs, IP addresses, protocols, and ports it communicates with. A comprehensive list of its communications ensures that you don’t miss anything when you allow the connections, ensuring a seamless experience when you disable discovery mode. After disabling discovery mode, your host rejects any traffic not explicitly allowed.

IMPORTANT

Do not disable discovery mode before allowing the desired traffic. Doing so could cause you to lose access to the host.

We provide guidance for the most common and critical traffic. You should gain enough familiarity with the process to be able to allow additional traffic on your own, according to the specificities of your circumstances.

TIP

While the port numbers used in the following procedures should match up with yours, there is a small chance that they will not. You may need to modify the port numbers if the host deviates from well-known defaults.

Before you begin

We recommend reviewing basic network ruleset concepts.

In the Microsegmentation Console web interface, select Enforcers under Manage, and navigate to the namespace of the enforcer. Expand the details of your target enforcer. Review the Microsegmentation tags of the enforcer and determine which one you want to use to identify it. In our examples, we use the enforcer’s ID, which is the 5f1f2ad0f0fe17061e24ed7d value in the following tag: $id=5f1f2ad0f0fe17061e24ed7d

Review the flows

Take a few moments to review your host’s communication patterns.

  1. In the Microsegmentation Console web interface, select Platform.

  2. Click the dashed green flows from the host to Somewhere.

  3. Select the Access tab.

  4. Scroll through the list of connections, paying particular attention to the ports.

Allow SSH connections

IMPORTANT

For Linux hosts, SSH often represents the primary means of access. Neglecting to allow inbound SSH connections to Linux hosts may lock you and others out of the host when you disable discovery mode.

  1. In the Microsegmentation Console web interface, expand Defend, select Network, select External networks, and click the Create Create button.

  2. Type ssh in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field, press ENTER, and click Next.

  4. Click Create.

  5. Select Rulesets and click the Create Create button.

  6. Type a descriptive name like Allow incoming SSH connections in the Name field and click Next.

  7. Type the tag you wish to use to identify the enforcer in the Applies to field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  8. Under Incoming, click Add Ingress Rule.

  9. Click the From field, click in the empty box, type externalnetwork:name=ssh, and click outside of the dialog to close it.

  10. Click the Protocols/Ports field, delete Any, type tcp/22, and click outside of the dialog to close it.

  11. Click Create.

  12. SSH into the host.

  13. Select Platform.

  14. You should see a new external network named ssh with a solid green flow to your host, as shown below.

SSH traffic allowed

Allow network time protocol communications

IMPORTANT

Microsegmentation requires accurate time-keeping. If you have not already configured the host to synchronize times with authoritative sources, take a few moments to do so now.

Complete the following steps to allow network time protocol (NTP) traffic from the host to UDP port 123.

  1. In the Microsegmentation Console web interface, expand Defend, select Network, select External networks, and click the Create Create button.

  2. Type ntp in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field, press ENTER, and click Next

  4. Click Create.

  5. Select Rulesets and click the Create Create button.

  6. Type a descriptive name such as Allow outgoing NTP traffic in the Name field and click Next.

  7. Type the tag you wish to use to identify the enforcer in the Applies to field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  8. Under Outgoing, click Add Egress Rule.

  9. Click the To field, click in the empty box, type externalnetwork:name=ntp, and click outside of the dialog to close it.

  10. Click the Protocols/Ports field, delete Any, type udp/123, and click outside of the dialog to close it.

  11. Click Create.

  12. Select Platform.

  13. After some time, you should see a new external network named ntp with a solid green flow from your host, as shown below.

    TIP

    To see the results immediately, you can restart the NTP service.

    NTP traffic allowed

You should observe UDP port 123 flows from the host to the Somewhere external network, as well as to the the ntp external network. Compare the time stamps. The flows to the ntp external network are newer. The ntp external network contains all of the UDP port 123 flows from now on.

Allow domain name system communications

IMPORTANT

Microsegmentation requires domain name system (DNS) resolution. If you do not allow DNS, the enforcers won’t be able to connect to the Microsegmentation Console.

Complete the following steps to allow DNS connections.

  1. In the Microsegmentation Console web interface, expand Defend, select Network, select External networks, and click the Create Create button.

  2. Type dns in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field, press ENTER, and click Next.

  4. Click Create.

  5. Select Rulesets and click the Create Create button.

  6. Type a descriptive name such as Allow outgoing DNS queries in the Name field and click Next.

  7. Type the tag you wish to use to identify the enforcer in the Applies to field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  8. Under Outgoing, click Add Egress Rule.

  9. Click the To field, click in the empty box, type externalnetwork:name=dns, and click outside of the dialog to close it.

  10. Click the Protocols/Ports field, delete Any, type udp/53, and click outside of the dialog to close it.

  11. Click Create.

  12. Select Platform.

  13. After some time, you should see a new external network named dns with a solid green flow from your host, as shown below.

    TIP

    To see the results immediately, you can flush the DNS cache and run ping google.com.

    DNStraffic allowed

You should observe UDP port 53 flows from the host to the Somewhere external network, as well as to the the dns external network. Compare the time stamps. The flows to the dns external network are newer. The dns external network contains all of the UDP port 53 flows from now on.

Allow dynamic host configuration protocol communications

If your host uses dynamic host configuration protocol (DHCP), you must enable it by creating an external network to represent UDP ports 67-68. Then create two bidirectional network policies with source and target inverted.

IMPORTANT

Failure to allow communications between the host and the DHCP server can result in a total lack of access to the host. If the host is using DHCP, ensure that you allow this traffic to prevent yourself from getting locked out. If you’re not sure, after allowing the host to run in discovery mode for some time, click the Somewhere flow, select the Access tab, click the search icon, select Port, press ENTER twice, type "67" and "68" as filters.

  1. In the Microsegmentation Console web interface, expand Defend, select Network, select External networks, and click the Create Create button.

  2. Type dhcp in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field, press ENTER, and click Next.

  4. Click Create.

  5. Select Rulesets and click the Create Create button.

  6. Type a descriptive name such as Allow bidirectional DHCP traffic in the Name field and click Next.

  7. Type the tag you wish to use to identify the enforcer in the Applies to field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  8. Under Incoming, click Add Ingress Rule.

  9. Click the From field, click in the empty box, type externalnetwork:name=dhcp, and click outside of the dialog to close it.

  10. Click the Protocols/Ports field, delete Any, type udp/67, press ENTER, then type udp/68, and click outside of the dialog to close it.

  11. Under Outgoing, click Add Egress Rule.

  12. Click the To field, click in the empty box, type externalnetwork:name=dhcp, and click outside of the dialog to close it.

  13. Click the Protocols/Ports field, delete Any, type udp/67, press ENTER, then type udp/68, and click outside of the dialog to close it.

  14. Click Create.

  15. Select Platform.

  16. After some time, you should see a new external network named dhcp with a solid green flow from your host, as shown below. This could take up to a half hour.

    TIP

    To see the results immediately, you can install and run sudo dhcping against the IP address of your DHCP server.

    DHCP traffic allowed

Allow lightweight directory access protocol communications

If the host needs to connect to an lightweight directory access protocol (LDAP) server, you must enable TCP communications, typically over port 389. We assume in this procedure that your LDAP servers use IPv4 addresses.

NOTE

If you are using LDAPS, open ports 636, 3268, and 3269 instead of port 389.

  1. In the Microsegmentation Console web interface, expand Defend, select Network, select External networks, and click the Create Create button.

  2. Type ldap in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field, press ENTER, and click Next.

  4. Click Create.

  5. Select Rulesets and click the Create Create button.

  6. Type a descriptive name such as Allow outgoing LDAP queries in the Name field and click Next.

  7. Type the tag you wish to use to identify the enforcer in the Applies to field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  8. Under Outgoing, click Add Egress Rule.

  9. Click the To field, click in the empty box, type externalnetwork:name=ldap, and click outside of the dialog to close it.

  10. Click the Protocols/Ports field, delete Any, type tcp/389, and click outside of the dialog to close it.

  11. Click Create.

  12. Select Platform.

  13. After some time, you should see a new external network named ldap with a solid green flow from your host, as shown below.

LDAP traffic allowed

You should observe TCP port 389 flows from the host to the Somewhere external network, as well as to the the ldap external network. Compare the time stamps. The flows to the ldap external network are newer. The ldap external network contains all of the TCP port 389 flows from now on.

Allow internet control message protocol

To prevent denial of service and other attacks, we recommend allowing just the internet control message protocol (ICMP) types and codes used for troubleshooting, as described below.

  1. If you do not already see ICMP connections, SSH into the enforcer host and issue a ping request.

  2. In the Microsegmentation Console web interface, expand Defend, select Network, select External networks, and click the Create Create button.

  3. Type icmp in the Name field and click Next.

  4. Type 0.0.0.0/0 in the Networks field, press ENTER, and click Next.

  5. Type externalnetwork:name=icmp, press ENTER, and click Create.

  6. Select Rulesets and click the Create Create button.

  7. Type a descriptive name such as Allow bidirectional ICMP traffic in the Name field and click Next.

  8. Type the tag you wish to use to identify the enforcer in the Applies to field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  9. Under Incoming, click Add Ingress Rule.

  10. Click the From field, click in the empty box, type externalnetwork:name=icmp, and click outside of the dialog to close it.

  11. Click the Protocols/Ports field, delete Any, type icmp/8/0, press ENTER, type icmp/0/0, press ENTER, type icmp/11/0, press ENTER, type icmp/3/4, and click outside of the dialog to close it.

  12. Under Outgoing, click Add Egress Rule.

  13. Click the To field, click in the empty box, type externalnetwork:name=icmp, and click outside of the dialog to close it.

  14. Click the Protocols/Ports field, delete Any, type icmp/8/0, press ENTER, type icmp/0/0, press ENTER, type icmp/11/0, press ENTER, type icmp/3/4, and click outside of the dialog to close it.

  15. Click Create.

  16. Access the enforcer host and issue a ping request.

  17. Return to the Microsegmentation Console web interface and select Platform. .

  18. You should see a new external network named icmp with a solid green flow from your host, as shown below.

ICMP traffic allowed

You should observe ICMP flows from the host to the Somewhere external network, as well as to the the icmp external network. Compare the time stamps. The flows to the icmp external network are newer. The icmp external network contains all of the ICMP flows from now on.

Allow cloud instance metadata queries

Instances hosted in public clouds like AWS, GCP, and Azure make periodic requests to a link-local address at 169.254.169.254 over port 80. This is the cloud instance metadata endpoint. Complete the following steps to allow these connections.

  1. In the Microsegmentation Console web interface, expand Defend, select Network, select External networks, and click the Create Create button.

  2. Type metadata in the Name field and click Next.

  3. Type 169.254.169.254 in the Networks field, press ENTER, and click Next.

  4. Click Create.

  5. Select Rulesets and click the Create Create button.

  6. Type a descriptive name such as Allow outgoing metadata requests in the Name field and click Next.

  7. Type the tag you wish to use to identify the enforcer in the Applies to field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  8. Under Outgoing, click Add Egress Rule.

  9. Click the To field, click in the empty box, type externalnetwork:name=meta, and click outside of the dialog to close it.

  10. Click the Protocols/Ports field, delete Any, type tcp/80, and click outside of the dialog to close it.

  11. Click Create.

  12. Select Platform.

  13. After some time, you should see a new external network named metadata with a solid green flow from your host, as shown below. These connections may occur infrequently, such as once an hour. You can trigger one immediately with the following command curl http://169.254.169.254

Metadata traffic allowed

You should observe TCP port 80 flows from the host to the Somewhere external network, as well as to the the metadata external network. Compare the time stamps. The flows to the metadata external network are newer. The metadata external network contains all of the cloud metadata flows from now on.

Allow additional communications

After completing the procedures above, you should observe a much shorter list of flows from your host to the Somewhere external network. Next, you must decide which of the remaining flows you want to allow and which you want to deny. Create external networks and policies for the protocol and port(s) you want to allow, as in the previous procedures.

If you see connections to Somewhere on port 443, expand Monitor, select Logs, and click DNS Lookup Logs. If you see domain names listed which seem legitimate, create external networks and network policies to allow the traffic, using the domain name. For example, Ubuntu instances may make periodic requests to api.snapcraft.io to check for snap package updates.

To assist you, a list of common additional traffic follows, along with hyperlinks to their common ports.

The Internet Assigned Numbers Authority (IANA) provides a searchable Service Name and Transport Protocol Port Number Registry that may be useful as you complete your list of allowed traffic.

Harden further

You may also wish to further harden your security by modifying the external networks from 0.0.0.0/0 to a specific IP or CIDR. We recommend this when you have static IPs or at least a known range.

Disable discovery mode

Prerequisites: to disable discovery mode, you must have namespace administrator privileges in the namespace above the VM namespace and apoctl installed.

  1. Set a VM_NS to the namespace of your host. This should be a grandchild-level namespace. An example follows.

    export VM_NS=/acme/aws-dev/vm
    
  2. Set a CLOUD_NS to the namespace above the host’s namespace. This should be a child-level namespace. An example follows.

    export CLOUD_NS=/acme/aws-dev
    
  3. Issue the following command to disable discovery mode.

    cat <<EOF | apoctl api update namespace $VM_NS -n $CLOUD_NS -f -
    name: $VM_NS
    namespace: $CLOUD_NS
    defaultPUIncomingTrafficAction: Reject
    defaultPUOutgoingTrafficAction: Reject
    EOF
    
  4. You may see a new external network named Somewhere with red flows or red flows between pods. If you click on the red lines you can see that the connections were denied due to Microsegmentation’s default Reject all ruleset.

Congratulations! You have secured your host. Microsegmentation denies any traffic not explicitly allowed by a network ruleset.