Validate Appliance Inspection

Let us enable inspection on the appliance.

1. Distributing the security policy.

  • In the Network Security Console select Network > Appliances.
  • Click on the Group/Appliance Name.

ns_policy1 ns_policy1

2. On the Appliance page, click in Distribute Policy and wait until it distribution has finished.

ns_policy1

2.1 Once it finish it will look like the image below.

ns_policy1

3. Navigate to the AWS Console

  • Navigate to EC2
  • Select the EC2 instance named: DVWA
  • Copy the Public IPv4 Address/DNS

ns_policy1

4. Access the web application using the Public IP/DNS.

  • In a new browser tab, navigate to the DVWA application. Remember that it will be over HTTP.
  • User: admin
  • Password: password
  • Login

ns_policy1

5. DVWA SQL Injection

  • Select: SQL Injection

  • User ID:

      admin ' OR 1=1--'

ns_policy1 ns_policy1

5.1 Remember we configured the SQL Injection filters to Permit, if you want to you can change it to Block. Let’s check our CloudWatch dashboard for the SQL event.

If you decide to change this intrusion prevention filter from permit to BLOCK you will need to redistribute the policy before it will take effect.

  • In AWS Console navigate to CloudWatch
  • From the left-hand menu select Dashboards
  • Select: Cloud_One_Network_Security_Panel
  • Check under Cloud One Network Security - PERMIT Action

ns_policy1

6. DVWA Command Injection

  • Select: Command Injection
  • User ID: 127.0.0.1; cat /etc/passwd

ns_policy1

6.1 Remember we configured the Command Injection filter to Block, so instead of the attack being permitted a timeout will occur.

ns_policy1

6.2 Let’s check our CloudWatch dashboard for the RCE event.

  • In AWS Console navigate to CloudWatch
  • From the left-hand menu select Dashboards
  • Select: Cloud_One_Network_Security_Panel
  • Check under Cloud One Network Security - BLOCK Action

ns_policy1

7. SSH to bastion machine

  • In the AWS Console navigate to EC2
  • Select EC2 instance: BastionLinux
  • Click Connect
  • Select tab: SSH client
  • Use the SSH Client to connect to the BastionLinux machine.

ns_policy1 ns_policy1 ns_policy1

7.1 Wget Retrieval Attempt - Download Files

7.2 Remember we configured the intrusion prevention filter to Block, so instead of the file being permitted the Network Security Appliance drops the file attempt and another timeout will occur.

ns_policy1

7.3 Let’s check our CloudWatch dashboard for Wget Retrieval Attempt - Download File

  • In AWS Console navigate to CloudWatch
  • From the left-hand menu select Dashboards
  • Select: Cloud_One_Network_Security_Panel
  • Check under Cloud One Network Security - BLOCK Action

ns_policy1