This feature enables detection, analysis, and alert generation for external (North-South) traffic, which can significantly improve your overall security posture. Faddom can give you a view of all servers with external connectivity (whether incoming or outgoing), along with the ability to set up allowed traffic policies and blacklisted countries, for both of which you will get Notifications and Alerts.
For this feature to work, you need to first enable external traffic for the relevant subnet(s) by following our guide How to Amend Subnets Discovery.
Traffic Policies for External Servers
You can define and manage policies for your detected external traffic to tell Faddom what is allowed, giving you more control over your attack surface. In conjunction with the blacklist, this provides a granular way to set up rules on your network to understand the external traffic.
You can set an allowed policy based on detected connections, or from scratch. By setting a policy, you can be notified of any abnormal or potentially harmful activity.
Policies can be set separately for either incoming or outgoing traffic.
To set this up, do the following:
Go to Settings > External Traffic Policy
Click on Apply Current As Policy to automatically set the current detected traffic as allowed. You will then be notified only of Inbound or Outbound traffic that does not match this rule.
Click on Add New Rule to manually add an allowed connection
If you want to remove or edit an existing policy, click on the Edit icon, and you will see the policy settings. Here you can amend the rule to match your requirements.
Setting Up Blacklisted Countries
To set up the blacklist of countries you wish to see, go to Settings > External Traffic.
You can select the countries by searching or scrolling and selecting the tick box. You can also collapse the continent grouping. As you select countries, they appear at the top, and you can remove a country by clicking the X.
Click Save
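The logic described in the two sections above, as an added example (not Faddom's code or rule format): current connections become an allow policy, rules are matched per direction, and a country blacklist is checked independently of the policy. The field names, server names and the "ZZ" country code are assumptions, and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    server: str      # internal server (hypothetical name)
    direction: str   # "inbound" or "outbound"
    remote_ip: str   # public IP of the external peer
    port: int
    country: str     # country code from an IP-to-country lookup

@dataclass(frozen=True)
class Rule:
    server: str
    direction: str
    network: str     # single IP or CIDR of allowed external peers
    port: int

    def matches(self, f: Flow) -> bool:
        return (self.server == f.server and self.direction == f.direction
                and self.port == f.port
                and ipaddress.ip_address(f.remote_ip) in ipaddress.ip_network(self.network))

def apply_current_as_policy(flows):
    """Baseline: every currently observed connection becomes an allowed rule."""
    return {Rule(f.server, f.direction, f.remote_ip, f.port) for f in flows}

def evaluate(flow, rules, blacklist):
    """Return the alert reasons for one flow (an empty list means no alert)."""
    reasons = []
    if not any(r.matches(flow) for r in rules):
        reasons.append("policy-violation")
    if flow.country in blacklist:  # assumption: checked even when a rule allows the flow
        reasons.append("blacklisted-country")
    return reasons

# Constructed sample data: documentation IP ranges, made-up servers and country codes.
BASELINE = [Flow("web01", "inbound", "198.51.100.7", 443, "AA"),
            Flow("app02", "outbound", "203.0.113.20", 443, "BB")]
RULES = apply_current_as_policy(BASELINE)
RULES.add(Rule("web01", "inbound", "198.51.100.0/24", 443))  # manually added rule
BLACKLIST = {"ZZ"}

NEW_FLOWS = [Flow("web01", "inbound", "198.51.100.99", 443, "AA"),  # inside the manual rule
             Flow("web01", "outbound", "198.51.100.7", 443, "AA"),  # known peer, other direction
             Flow("app02", "outbound", "192.0.2.50", 22, "ZZ")]     # new peer, blacklisted country

def report(flows=NEW_FLOWS):
    return {(f.server, f.direction, f.remote_ip): evaluate(f, RULES, BLACKLIST) for f in flows}

if __name__ == "__main__":
    for key, reasons in report().items():
        print(key, reasons or "allowed")
```

The second flow shows why separate inbound and outbound policies matter: a peer that is allowed to connect in is still flagged when the server connects out to it.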
Updating the Public IPs
Faddom maintains a database to map public IP addresses to their respective countries. You can update this database under Settings > External Traffic. There are options to update this database online or offline depending on whether you have internet access.
External Traffic Dashboard
The main dashboard of Faddom shows how many servers you are receiving external traffic for. The number is clickable and will take you to the External Traffic dashboard. You can also access it by selecting Secure > External Traffic. On this screen, you will see the servers listed along with the ports and countries of each connection.
You will see an alert for traffic that violates the Traffic Policies, and by clicking on the
If the blacklist has been set up, any countries that have been added to the blacklist will appear at the top with a pink background.
You can also see the results of what Faddom has found by navigating to the Security tab from the Server Properties:
Click on a server from a map, search, or click on the properties icon - from any list view
In the properties panel, click Security in the bottom right
This will take you to the Server Security Dashboard where you can see all the security information on a server including any external traffic.