IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Securing host communications

About securing host traffic

When you deploy the enforcer as a Linux or Windows service, Microsegmentation creates a processing unit that represents the host, allowing you to control and monitor all host communications.

We deploy enforcers in discovery mode, a very permissive initial configuration. This allows the host to function as it did before you deployed the enforcer, with no impact on its accustomed communications or applications.

We recommend allowing your host to run in discovery mode for some time, perhaps a week. During this interval, Microsegmentation collects the URLs, IP addresses, protocols, and ports the host communicates with. A comprehensive list of its communications ensures that you don’t miss anything when you allow the connections, so that disabling discovery mode is seamless. After you disable discovery mode, the host rejects any traffic not explicitly allowed.

IMPORTANT

Do not disable discovery mode before allowing the desired traffic. Doing so could cause you to lose access to the host.

We provide guidance for the most common and critical traffic. You should gain enough familiarity with the process to allow additional traffic on your own, according to your circumstances.

TIP

While the port numbers used in the following procedures should match up with yours, there is a small chance that they will not. You may need to modify the port numbers if the host deviates from well-known defaults.

Before you begin

We recommend reviewing basic network policy concepts.

In the Microsegmentation section of the Prisma Cloud web interface, navigate to the namespace of the enforcer, expand Manage, select Enforcers, and expand the details of your target enforcer. Review the Microsegmentation tags of the enforcer and determine which one you want to use to identify it. In our examples, we use the enforcer’s ID, which is the 5f1f2ad0f0fe17061e24ed7d value in the following tag: $id=5f1f2ad0f0fe17061e24ed7d

Review the flows

Take a few moments to review your host’s communication patterns.

  1. In the Microsegmentation section of the Prisma Cloud web interface, select Platform.

  2. Click the dashed green flows from the host to any-tcp and any-udp. You may also see an any-icmp external network.

  3. Select the Access tab.

  4. Scroll through the list of connections, paying particular attention to the ports.

Allow SSH connections

IMPORTANT

For Linux hosts, SSH often represents the primary means of access. Neglecting to allow inbound SSH connections to Linux hosts may lock you and others out of the host when you disable discovery mode.

  1. In the Microsegmentation section of the Prisma Cloud web interface, under Defend, select Network, select External networks, and click the Create button.

  2. Type ssh in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field and press ENTER.

  4. Type tcp/22 in the Protocols/Ports field, press ENTER, click Next, then click Create.

  5. Switch to the Network policies tab and click the Create button.

  6. Type a descriptive name like Allow incoming SSH traffic in the Name field.

  7. Select Incoming traffic from the Network Policy Mode list box and click Next.

  8. Type externalnetwork:name=ssh in the Source field and click Next.

  9. Type the tag you wish to use to identify the enforcer in the Target field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  10. Click Next, then click Create.

  11. SSH into the host.

  12. You should see a new external network named SSH with a solid green flow to your host, as shown below.

SSH traffic allowed

Allow network time protocol communications

IMPORTANT

Microsegmentation requires accurate time-keeping. If you have not already configured the host to synchronize times with authoritative sources, take a few moments to do so now.

Complete the following steps to allow network time protocol (NTP) traffic from the host to UDP port 123.

  1. Expand Defend, select Network, select External networks, and click the Create button.

  2. Type ntp in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field and press ENTER.

  4. Type udp/123 in the Protocols/Ports field, press ENTER, click Next, then click Create.

  5. Switch to the Network policies tab and click the Create button.

  6. Type a descriptive name such as Allow outgoing NTP traffic in the Name field.

  7. Select Outgoing traffic from the Network Policy Mode list box and click Next.

  8. Type externalnetwork:name=ntp in the Source field and click Next.

  9. Type the tag you wish to use to identify the enforcer in the Target field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  10. Click Next, then click Create.

  11. After some time, you should see a new external network named NTP with a solid green flow from your host, as shown below.

    TIP

    To see the results immediately, you can restart the NTP service.

    NTP traffic allowed

You should observe UDP port 123 flows from the host to the any-udp external network, as well as to the NTP external network. Compare the time stamps. The flows to the NTP external network are newer. The NTP external network contains all of the UDP port 123 flows from now on.

Allow domain name system communications

IMPORTANT

Microsegmentation requires domain name system (DNS) resolution. If you do not allow DNS, the enforcers won’t be able to connect to the Microsegmentation Console.

Complete the following steps to allow DNS connections.

  1. Expand Defend, select Network, select External networks, and click the Create button.

  2. Type DNS in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field and press ENTER.

  4. Type udp/53 in the Protocols/Ports field, press ENTER, click Next, then click Create.

  5. Remaining under Network, select Network policies, and click the Create button.

  6. Type a descriptive name such as Allow outgoing DNS traffic in the Name field.

  7. Select Outgoing traffic from the PolicyMode list box and click Next.

  8. Type externalnetwork:name=dns in the Source field and click Next.

  9. Type the tag you wish to use to identify the enforcer in the Target field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  10. Click Next, then click Create.

  11. After some time, you should see a new external network named DNS with a solid green flow from your host, as shown below.

DNS traffic allowed

You should observe UDP port 53 flows from the host to the any-udp external network, as well as to the DNS external network. Compare the time stamps. The flows to the DNS external network are newer. The DNS external network contains all of the UDP port 53 flows from now on.

Allow dynamic host configuration protocol communications

If your host uses dynamic host configuration protocol (DHCP), you must enable it by creating an external network to represent UDP ports 67-68. Then create two network policies, one outgoing and one incoming, with source and target inverted.

IMPORTANT

Failure to allow communications between the host and the DHCP server can result in a total lack of access to the host. If the host is using DHCP, ensure that you allow this traffic to prevent yourself from getting locked out. If you’re not sure, after allowing the host to run in discovery mode for some time, click the any-udp flow, select the Access tab, click the search icon, select Port, press ENTER twice, type "67" and "68" as filters.

  1. Expand Defend, select Network, select External networks, and click the Create button.

  2. Type dhcp in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field and press ENTER.

  4. Type udp/67 in the Protocols/Ports field, press ENTER, then type udp/68 and press ENTER.

  5. Click Next, then click Create.

  6. Remaining under Network, select Network policies, and click the Create button.

  7. Type a descriptive name such as Allow outgoing DHCP traffic in the Name field.

  8. Select Outgoing traffic in the PolicyMode list box and click Next.

  9. Type externalnetwork:name=dhcp in the Source field and click Next.

  10. Type the tag you wish to use to identify the enforcer in the Target field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  11. Click Next, then click Create.

  12. Remaining under Network, select Network policies, and click the Create button.

  13. Type a descriptive name such as Allow incoming DHCP traffic in the Name field.

  14. Leave Incoming traffic selected in the PolicyMode list box and click Next.

  15. Type the tag you wish to use to identify the enforcer in the Source field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  16. Type externalnetwork:name=dhcp in the Target field and click Next.

  17. Click Next, then click Create.

  18. After some time, you should see a new external network named DHCP with a solid green flow from your host, as shown below. This could take up to a half hour.

    TIP

    To see the results immediately, you can install and run dhcping against the IP address of your DHCP server.

    DHCP traffic allowed

Allow lightweight directory access protocol communications

If the host needs to connect to a lightweight directory access protocol (LDAP) server, you must enable TCP communications, typically over port 389. We assume in this procedure that your LDAP servers use IPv4 addresses.

NOTE

If you are using LDAPS, open ports 636, 3268, and 3269 instead of port 389.

  1. Expand Defend, select Network, select External networks, and click the Create button.

  2. Type LDAP in the Name field and click Next.

  3. Type 0.0.0.0/0 in the Networks field and press ENTER.

  4. Type tcp/389 in the Protocols/Ports field, press ENTER, click Next, then click Create.

  5. Remaining under Network, select Network policies, and click the Create button.

  6. Type a descriptive name such as Allow outgoing LDAP traffic in the Name field.

  7. Select Outgoing traffic from the PolicyMode list box and click Next.

  8. Type externalnetwork:name=LDAP in the Source field and click Next.

  9. Type the tag you wish to use to identify the enforcer in the Target field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  10. Click Next, then click Create.

  11. After some time, you should see a new external network named LDAP with a solid green flow from your host, as shown below.

LDAP traffic allowed

You should observe TCP port 389 flows from the host to the any-tcp external network, as well as to the LDAP external network. Compare the time stamps. The flows to the LDAP external network are newer. The LDAP external network contains all of the TCP port 389 flows from now on.

Allow internet control message protocol

To prevent denial of service and other attacks, we recommend allowing just the internet control message protocol (ICMP) types and codes used for troubleshooting, as described below.

  1. If you do not already see an any-icmp external network, SSH into the enforcer host and issue a ping request.

  2. Open the Microsegmentation section of the Prisma Cloud web interface, expand Defend, select Network, select External networks, and click the Create button.

  3. Type icmp in the Name field and click Next.

  4. Type 0.0.0.0/0 in the Networks field and press ENTER.

  5. In the Protocols/Ports field, type icmp/8/0, press ENTER, type icmp/0/0, press ENTER, type icmp/11/0, press ENTER, type icmp/3/4, and press ENTER.

  6. Click Next, then click Create.

  7. Remaining under Network, select Network policies, and click the Create button.

  8. Type a descriptive name such as Allow outgoing ICMP traffic in the Name field.

  9. Select Outgoing traffic from the PolicyMode list box and click Next.

  10. Type the tag you wish to use to identify the enforcer in the Source field, then click Next. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  11. Type externalnetwork:name=icmp in the Target field and click Next.

  12. Click Next, then click Create.

  13. Click the Create button again to create another network policy.

  14. Type a descriptive name such as Allow incoming ICMP traffic in the Name field.

  15. Select Incoming traffic from the PolicyMode list box and click Next.

  16. Type externalnetwork:name=icmp in the Source field and click Next.

  17. Type the tag you wish to use to identify the enforcer in the Target field. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  18. Click Next, then click Create.

  19. Access the enforcer host and issue a ping request.

  20. Return to the Microsegmentation section of the Prisma Cloud web interface and select Platform. You should see a new external network named ICMP with a solid green flow from your host, as shown below.

ICMP traffic allowed

You should observe ICMP flows from the host to the any-icmp external network, as well as to the ICMP external network. Compare the time stamps. The flows to the ICMP external network are newer. The ICMP external network contains all of the ICMP flows from now on.

Allow cloud instance metadata queries

Instances hosted in public clouds like AWS, GCP, and Azure make periodic requests to a link-local address at 169.254.169.254 over port 80. This is the cloud instance metadata endpoint. Complete the following steps to allow these connections.

  1. Expand Defend, select Network, select External networks, and click the Create button.

  2. Type metadata in the Name field and click Next.

  3. Type the IP address of the metadata endpoint in the Networks field and press ENTER. Typically, this is 169.254.169.254.

  4. Type tcp/80 in the Protocols/Ports field, press ENTER, click Next, then click Create.

  5. Remaining under Network, select Network policies, and click the Create button.

  6. Type a descriptive name such as Allow outgoing cloud metadata traffic in the Name field.

  7. Select Outgoing traffic from the PolicyMode list box and click Next.

  8. Type the tag you wish to use to identify the enforcer in the Source field and click Next. If we were using the enforcer’s ID, we would type $enforcerid=5f1f2ad0f0fe17061e24ed7d

  9. Type externalnetwork:name=metadata in the Target field and click Next.

  10. Click Next, then click Create.

  11. After some time, you should see a new external network named metadata with a solid green flow from your host, as shown below. These connections may occur infrequently, such as once an hour. You can trigger one immediately with the following command: curl http://169.254.169.254

Metadata traffic allowed

You should observe TCP port 80 flows from the host to the metadata external network, as well as to the any-tcp external network. Compare the time stamps. The flows to the metadata external network are newer. The metadata external network contains all of the cloud metadata flows from now on.

Allow additional communications

After completing the procedures above, you should observe a much shorter list of flows from your host to both the any-tcp external network and the any-udp external network. Next, you must decide which of the remaining flows you want to allow and which you want to deny. Create external networks and policies for the protocol and port(s) you want to allow, as in the previous procedures.

If you see connections to any-tcp on port 443, expand Monitor, select Logs, and click DNS Lookup Logs. If you see domain names listed which seem legitimate, create external networks and network policies to allow the traffic, using the domain name. For example, Ubuntu instances may make periodic requests to api.snapcraft.io to check for snap package updates.

To assist you, a list of common additional traffic follows, along with hyperlinks to their common ports.

The Internet Assigned Numbers Authority (IANA) provides a searchable Service Name and Transport Protocol Port Number Registry that may be useful as you complete your list of allowed traffic.

Harden further

You may also wish to further harden your security by modifying the external networks from 0.0.0.0/0 to a specific IP or CIDR. We recommend this when you have static IPs or at least a known range.
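The following Python script is an added example and is not part of the Prisma Cloud documentation or product code. It models the allowlist built in the procedures above (external networks with Networks and Protocols/Ports entries, plus network policies pairing them with the enforcer tag) as a small evaluator, so you can check which host flows would survive disabling discovery mode and what narrowing an external network from 0.0.0.0/0 to a CIDR changes. The classes, the matching rules and the treatment of the default Reject all policy are assumptions about the model, not the enforcer's implementation; the evaluator matches on policy direction and on which external network is paired with the enforcer tag, not on which side is labelled Source.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Enforcer identity tag from the page; the evaluator itself is hypothetical.
HOST = "$enforcerid=5f1f2ad0f0fe17061e24ed7d"

NetworkPolicy = namedtuple("NetworkPolicy", "name mode source target")


@dataclass(frozen=True)
class ExternalNetwork:
    name: str
    networks: tuple   # entries typed into the Networks field (CIDRs or single IPs)
    ports: tuple      # Protocols/Ports entries, e.g. "tcp/22", "udp/123", "icmp/8/0"

    def matches(self, remote_ip, spec):
        addr = ipaddress.ip_address(remote_ip)
        in_range = any(addr in ipaddress.ip_network(c) for c in self.networks)
        return in_range and spec.lower() in {p.lower() for p in self.ports}


def flow_allowed(direction, remote_ip, spec, networks, policies, discovery=False):
    """direction is "Incoming traffic" or "Outgoing traffic"; spec uses the same
    "proto/port" or "icmp/type/code" form as the Protocols/Ports field."""
    if discovery:                       # discovery mode: nothing is rejected
        return True
    for pol in policies:
        if pol.mode != direction or HOST not in (pol.source, pol.target):
            continue
        peer = pol.target if pol.source == HOST else pol.source
        if not peer.lower().startswith("externalnetwork:name="):
            continue
        net = networks.get(peer.split("=", 1)[1].lower())
        if net is not None and net.matches(remote_ip, spec):
            return True
    return False                        # default Reject all once discovery is off


def build_example(ssh_cidr="0.0.0.0/0"):
    """Constructed allowlist mirroring the SSH, NTP, ICMP and metadata procedures;
    pass a narrower ssh_cidr to see the effect of the Harden further step."""
    nets = [
        ExternalNetwork("ssh", (ssh_cidr,), ("tcp/22",)),
        ExternalNetwork("ntp", ("0.0.0.0/0",), ("udp/123",)),
        ExternalNetwork("icmp", ("0.0.0.0/0",),
                        ("icmp/8/0", "icmp/0/0", "icmp/11/0", "icmp/3/4")),
        ExternalNetwork("metadata", ("169.254.169.254",), ("tcp/80",)),
    ]
    policies = [
        NetworkPolicy("Allow incoming SSH traffic", "Incoming traffic", "externalnetwork:name=ssh", HOST),
        NetworkPolicy("Allow outgoing NTP traffic", "Outgoing traffic", "externalnetwork:name=ntp", HOST),
        NetworkPolicy("Allow outgoing ICMP traffic", "Outgoing traffic", HOST, "externalnetwork:name=icmp"),
        NetworkPolicy("Allow incoming ICMP traffic", "Incoming traffic", "externalnetwork:name=icmp", HOST),
        NetworkPolicy("Allow outgoing cloud metadata traffic", "Outgoing traffic", HOST, "externalnetwork:name=metadata"),
    ]
    return {n.name: n for n in nets}, policies
```

Run flow_allowed over the ports you saw under the Access tab during discovery: anything that returns False is a flow the default Reject all policy will drop once discovery mode is off.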

Disable discovery mode

  1. Open the Microsegmentation section of the Prisma Cloud web interface, navigate to the namespace of your enforcer, and select Platform.

  2. Click the green flows from the host to any-tcp and any-udp.

  3. Select the Access tab.

  4. Scroll through the list of connections, paying particular attention to the ports. Make sure that you do not want to allow the connections listed. As soon as you disable discovery mode, they will be rejected. You may wish to take a few moments to allow further traffic before continuing.

  5. When you’re ready, toggle discovery mode off, using the button in the top right corner.

    Discovery off

  6. Soon, you may see a new external network named Somewhere with red flows. If you click on the red line you can see that the connections were denied due to Microsegmentation’s default Reject all policy.

    Discovery disabled

Congratulations! You have secured your host. Microsegmentation denies any traffic not explicitly allowed by policy.