Enabling host protection in a permissive mode
Create a host service for the host
Create a host service to represent the entire host.
Expand Nodes, select Host Services, and click the Create button.
Enter host in the Name field and click Next.
Select Protect the entire host and click Next.
Enter hs:name=host in the Tags field and click Create.
Edit the host service mapping policy
Modify the host service mapping policy you created earlier to include the new host service that you just defined.
Under Nodes, select Host Service Policies, locate the Enable host protection policy, and click the Edit button.
Click Next and then click Next again.
In the Host Services page, click the plus sign on the right to add a new line.
Enter hs:name=host in the new line.
Confirm that the two tag lines are joined by an or, not an and, so the policy applies to either host service.
Verify SSH access and host mode protection
Access the host via SSH.
In the App page of the Aporeto web interface, select Platform. You should see a green line showing the successful SSH connection you just made from TCP all ports to the SSH host service.
Returning to the terminal of your host, issue the following command.
ping google.com
It should return:
PING google.com (184.108.40.206) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
Return to the Aporeto web interface. You should see something like the following.
The ping request fails because the policy you created allows only TCP and UDP; it does not allow the ICMP protocol.
Congratulations! You've enabled host mode in a very permissive initial configuration. The host should continue to function as it was before, with no impact to its accustomed communications or applications.
We recommend allowing your protected host to run in this initial, permissive configuration for some time, perhaps a week. During this interval, the IP addresses, protocols, and ports of the allowed communications collect in Aporeto. You can use this information to compose a comprehensive whitelist of the minimum necessary communications, ensuring a seamless experience when you disable the Allow all incoming and outgoing TCP/UDP traffic policy. Review the collected flows before whitelisting them: anything the host was already doing during the interval, wanted or not, appears in that data, so an unexpected peer or port is a reason to investigate rather than an entry to copy.
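The following is an added example of turning flows collected during the permissive interval into a candidate whitelist. It is not Aporeto's code and does not use any Aporeto export format: the CSV columns (timestamp, direction, protocol, remote_ip, port, action) and the sample rows are constructed for illustration, and the TRUSTED networks are an assumed list you would replace with your own. It keeps only flows that the permissive policy actually allowed, counts each distinct (direction, protocol, peer, port) tuple, and separates inbound connections from untrusted address space into a review list instead of whitelisting them blindly.

```python
"""Build a candidate host whitelist from flows observed in permissive mode.

Added example; the export format below is hypothetical, not Aporeto's.
"""
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample export (hypothetical column layout, made-up rows).
# The rejected ICMP row mirrors the failed ping in the text above.
SAMPLE_EXPORT = """\
timestamp,direction,protocol,remote_ip,port,action
2020-05-01T10:00:01Z,in,tcp,10.0.1.25,22,allow
2020-05-01T10:00:02Z,in,tcp,10.0.1.25,22,allow
2020-05-01T10:05:00Z,out,udp,10.0.0.2,53,allow
2020-05-01T10:05:01Z,out,tcp,93.184.216.34,443,allow
2020-05-01T10:05:02Z,out,tcp,93.184.216.34,443,allow
2020-05-01T10:06:00Z,out,icmp,8.8.8.8,0,reject
2020-05-01T10:07:00Z,in,tcp,203.0.113.77,22,allow
2020-05-01T10:07:30Z,in,tcp,203.0.113.77,3389,allow
"""

# Assumed trusted address space; inbound flows from elsewhere go to review.
TRUSTED = [ip_network("10.0.0.0/8")]


def parse_flows(text):
    """Parse the hypothetical CSV export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_allowlist(flows, trusted=TRUSTED):
    """Return (allowlist, review): distinct allowed tuples with hit counts.

    Rejected flows never enter either list, so a protocol the permissive
    policy did not allow (ICMP here) cannot sneak into the whitelist.
    """
    counts = Counter()
    for f in flows:
        if f["action"] != "allow":
            continue
        key = (f["direction"], f["protocol"], f["remote_ip"], int(f["port"]))
        counts[key] += 1

    allowlist, review = [], []
    for (direction, proto, ip, port), hits in sorted(counts.items()):
        entry = {
            "direction": direction,
            "protocol": proto,
            "remote_ip": ip,
            "port": port,
            "hits": hits,
        }
        addr = ip_address(ip)
        # Inbound connections from outside the trusted ranges are exactly the
        # kind of "already happening" traffic that should be questioned, not
        # copied into the whitelist.
        if direction == "in" and not any(addr in net for net in trusted):
            review.append(entry)
        else:
            allowlist.append(entry)
    return allowlist, review


def render(entries):
    """Human-readable one-line summaries for the whitelist review."""
    return [
        f'{e["direction"]} {e["protocol"]}/{e["port"]} {e["remote_ip"]} ({e["hits"]} flows)'
        for e in entries
    ]


if __name__ == "__main__":
    allow, review = build_allowlist(parse_flows(SAMPLE_EXPORT))
    print("candidate whitelist:")
    print("\n".join(render(allow)))
    print("needs review:")
    print("\n".join(render(review)))
```

Run it against a real export only after adapting parse_flows to the columns your export actually has; the separation logic is the part worth keeping.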
When you're ready to set more restrictive policies, refer to the next section: Hardening host protection.