
Managing Edge Access Lists and Policies

This guide shows you how to create and manage Edge Access lists and policies through the Peakhour dashboard to implement comprehensive zero trust access control for your applications.

Before you begin: Understand Zero Trust Architecture and have admin access to your Peakhour dashboard.

Understanding Access Lists and Policies

Edge Access uses a combination of lists and policies to implement zero trust security:

  • Access Lists: Define collections of IP addresses, strings, or other identifiers
  • Policies: Define rules that determine access based on conditions and actions
  • Rules: Wirefilter expressions that reference lists and trigger policy actions

Core Components

Access Lists:

  • IP Lists: Collections of IP addresses and CIDR blocks
  • String Lists: Collections of text values (domains, user agents, etc.)
  • Integer Lists: Collections of numeric values (ports, user IDs, etc.)

Policy Actions:

  • Allow: Grant access without additional verification
  • Block: Deny access completely
  • Bypass: Skip certain security checks
  • Service Auth: Require service token authentication
  • Login Gate: Require interactive user authentication

Create and Manage Access Lists

  1. Log into Peakhour Dashboard
  2. Select Your Domain from the domain list
  3. Go to Security > Edge Access
  4. Click Access Lists Tab in the interface

Create IP Access Lists

Scenario: Create a trusted partner IP list

  1. Click "Create Access List"
  2. Configure List Details:
     • Name: Trusted Partners
     • Type: IP Addresses
     • Description: IP addresses of trusted business partners
  3. Add IP Addresses:

    203.0.113.0/24     # Partner A office network
    198.51.100.50      # Partner B specific server
    192.0.2.0/25       # Partner C VPN range

  4. Configure Options:
     • Enable List: ✓ Active immediately
     • Auto-Update: Configure if using dynamic IP feeds
     • Expiration: Set if list has time limits

Keep entries as narrow as the relationship requires: a /24 trusts every host on that network, not just the partner's servers, and any Allow policy that references the list extends to all of them.

Create String Access Lists

Scenario: Create a blocked user agent list

  1. Create String List:
     • Name: Blocked User Agents
     • Type: String Values
     • Description: User agents to block or restrict
  2. Add String Values:

    sqlmap*              # SQL injection tool
    nikto*               # Web scanner
    *bot*scanner*        # Generic scanning bots
    curl/*               # Command line tool (if restricting); the header is "curl/<version>", so a bare "curl" only matches an exact "curl"

  3. Configure Matching:
     • Case Sensitive: Usually disabled for user agents
     • Wildcard Support: Enable for pattern matching (the entries above depend on it)
     • Regular Expression: Advanced pattern matching

Treat a user-agent list as a cheap filter for careless tooling, not as a security boundary: the header is set by the client, and anyone who wants past the list changes it.
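The IP list and string list scenarios above both come down to one question: which request values will an entry actually match? The following is an added example, not Peakhour code, that models those semantics offline so entries can be checked before they are pasted into the dashboard. It assumes CIDR membership for IP lists and glob-style wildcards with optional case folding for string lists; the list contents are the page's own examples, plus a constructed `curl/*` entry to contrast with a bare `curl`.

```python
"""Offline check of how Edge Access list entries match request values.
Added illustration, not Peakhour code; matching semantics are assumptions."""
import fnmatch
import ipaddress

# Sample lists, copied from the page's scenarios (constructed input).
TRUSTED_PARTNERS = [
    "203.0.113.0/24     # Partner A office network",
    "198.51.100.50      # Partner B specific server",
    "192.0.2.0/25       # Partner C VPN range",
]
BLOCKED_USER_AGENTS = ["sqlmap*", "nikto*", "*bot*scanner*", "curl/*"]


def parse_ip_list(entries):
    """Parse IPs and CIDRs into network objects, failing loudly on a
    malformed entry: a typo in a CIDR should abort the import, not
    silently shrink (or widen) the trusted set."""
    nets = []
    for raw in entries:
        entry = raw.split("#", 1)[0].strip()   # tolerate trailing comments
        if not entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def ip_in_list(ip, nets):
    """Equivalent of the Wirefilter check `ip.src in $list` for an IP list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def string_matches(value, patterns, case_sensitive=False, wildcards=True):
    """Return the first list entry that matches `value`, or None.
    With wildcards disabled an entry must equal the value exactly, which
    is why a bare `curl` never matches the real header `curl/8.4.0`."""
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    for pattern in patterns:
        if wildcards:
            if fnmatch.fnmatchcase(value, pattern):
                return pattern
        elif value == pattern:
            return pattern
    return None
```

Run `ip_in_list("192.0.2.200", parse_ip_list(TRUSTED_PARTNERS))` and it returns False, because the /25 entry only covers 192.0.2.0 to 192.0.2.127; `string_matches("curl/8.4.0", ["curl"])` returns None while `["curl/*"]` matches.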

Manage List Entries

Adding Bulk Entries:

  1. Click "Bulk Import" in the list interface
  2. Choose Import Method:
     • File Upload: CSV or text file
     • Copy/Paste: Direct text input
     • API Import: Programmatic list updates

Entry Management:

  • Add Individual Entries: Single IP or string addition
  • Edit Entries: Modify existing values
  • Disable Entries: Temporarily remove from matching
  • Delete Entries: Permanently remove values

Create Edge Access Policies

  1. Go to Security > Edge Access
  2. Click Policies Tab in the interface
  3. Review existing policies and their effectiveness

Create Basic Allow Policy

Scenario: Allow trusted partners unrestricted access

  1. Click "Create Policy"
  2. Configure Policy Details:
     • Name: Partner Access Allow
     • Description: Allow full access for trusted business partners
     • Action: Allow
     • Priority: High (evaluated first)
  3. Set Rule Conditions:

    Rule Expression: ip.src in $trusted_partners

  4. Configure Advanced Options:
     • Skip Additional Checks: Enable to bypass other security rules. Leave this off unless the list is tightly scoped; with it on, every request from those IPs also skips the remaining checks, so a compromised partner host inherits the exemption.
     • Logging Level: INFO to track partner access
     • Session Duration: Not applicable for allow actions

Because this policy is evaluated first, it also decides requests from partner IPs to paths that lower-priority policies protect, such as /admin/. Either exclude those paths in the rule expression or give the gating policies the higher priority.

Create Service Authentication Policy

Scenario: Require service token for API access

  1. Create Service Auth Policy:
     • Name: API Service Authentication
     • Description: Require service tokens for API endpoints
     • Action: Service Auth
     • Priority: Medium
  2. Configure Conditions:

    Rule Expression: starts_with(http.request.uri.path, "/api/") and
                    not (ip.src in $trusted_partners)

  3. Service Token Settings:
     • Token Lifetime: 24 hours (or as required)
     • Token Scope: Restrict to specific API endpoints
     • Renewal Policy: Automatic or manual renewal

Create Login Gate Policy

Scenario: Require user authentication for admin areas

  1. Configure Login Gate:
     • Name: Admin Area Access
     • Description: Require user login for administrative functions
     • Action: Login Gate
     • Priority: High
  2. Set Access Conditions:

    Rule Expression: (starts_with(http.request.uri.path, "/admin/") or
                     starts_with(http.request.uri.path, "/dashboard/")) and
                    not (ip.src in $admin_bypass_ips)

  3. Authentication Settings:
     • Session Duration: 8 hours for admin sessions
     • Two-Factor Required: Enable for enhanced security
     • Allowed Email Domains: Restrict to company domains
     • Password Policy: Configure complexity requirements
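The three policies above interact through their priority, and the interaction is easy to get wrong. The following is an added example, not Peakhour's evaluation engine: it translates the three rule expressions into Python, assumes that policies are evaluated in priority order with the first matching rule deciding the action, and uses constructed addresses for `$trusted_partners` and `$admin_bypass_ips`. It shows that with the partner Allow at the top, a partner IP reaches /admin/ without ever hitting the login gate, and that putting the gate first changes the decision.

```python
"""Ordered evaluation of the Allow, Service Auth and Login Gate policies.
Added example, not Peakhour code; first-match-wins is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed list contents (documentation ranges).
TRUSTED_PARTNERS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.50/32")]
ADMIN_BYPASS_IPS = [ipaddress.ip_network("192.0.2.8/32")]


def in_list(ip: str, nets) -> bool:
    """Wirefilter `ip.src in $list` for an IP list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


@dataclass(frozen=True)
class Request:
    src: str    # ip.src
    path: str   # http.request.uri.path


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                        # allow | block | service_auth | login_gate
    rule: Callable[[Request], bool]    # the policy's rule expression


# The three rule expressions from this section, translated to Python.
def partner_allow(r: Request) -> bool:
    return in_list(r.src, TRUSTED_PARTNERS)


def api_service_auth(r: Request) -> bool:
    return r.path.startswith("/api/") and not in_list(r.src, TRUSTED_PARTNERS)


def admin_login_gate(r: Request) -> bool:
    on_admin_path = r.path.startswith("/admin/") or r.path.startswith("/dashboard/")
    return on_admin_path and not in_list(r.src, ADMIN_BYPASS_IPS)


PARTNER = Policy("Partner Access Allow", "allow", partner_allow)
ADMIN = Policy("Admin Area Access", "login_gate", admin_login_gate)
API = Policy("API Service Authentication", "service_auth", api_service_auth)

# Priority order as written above: the broad Allow is evaluated first.
AS_DOCUMENTED = [PARTNER, ADMIN, API]
# Gates on sensitive paths ahead of the broad Allow.
GATES_FIRST = [ADMIN, PARTNER, API]


def evaluate(policies, req: Request):
    """First matching policy wins. With no match the request falls through
    to the default, assumed here to be plain allow (no Edge Access action)."""
    for policy in policies:
        if policy.rule(req):
            return policy.name, policy.action
    return "default", "allow"


def decisions(policies, requests):
    """Dry-run a policy set over many requests, the way a test-mode review
    would, returning {(src, path): (policy name, action)}."""
    return {(r.src, r.path): evaluate(policies, r) for r in requests}
```

`evaluate(AS_DOCUMENTED, Request("203.0.113.10", "/admin/users"))` returns the partner Allow, so the admin login gate never runs for that request; `evaluate(GATES_FIRST, ...)` on the same request returns the login gate. Partner traffic to /api/ is likewise allowed without a service token in both orders, which is what the `not (ip.src in $trusted_partners)` clause intends; make sure that is the intent before relying on it.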

Conditional Access Policies

Location-Based Access

Scenario: Restrict access based on geographic location

  1. Create Geo-Restriction Policy:
     • Name: Geographic Access Control
     • Description: Block access from restricted countries
     • Action: Block
  2. Configure Geographic Conditions:

    Rule Expression: ip.geoip.country in {"CN", "RU", "KP"} and
                    not (ip.src in $trusted_global_partners)

  3. Set Exception Handling:
     • VPN Detection: Block known VPN exit points
     • Proxy Detection: Handle proxy and tunnel traffic
     • Business Exceptions: Allow for legitimate business needs

Time-Based Access

Scenario: Restrict access to business hours

  1. Configure Time-Based Policy:
     • Name: Business Hours Access
     • Description: Allow admin access only during business hours
     • Action: Login Gate (require authentication outside hours)
  2. Set Time Conditions:

    Rule Expression: starts_with(http.request.uri.path, "/admin/") and
                    (hour(now()) < 8 or hour(now()) > 18)

  3. Time Zone Configuration:
     • Primary Time Zone: Company headquarters timezone
     • Multiple Zones: Support for global operations
     • Holiday Calendar: Integration with business calendar

Device-Based Access

Scenario: Control access based on device characteristics

  1. Create Device Policy:
     • Name: Mobile Device Restrictions
     • Description: Enhanced verification for mobile devices
     • Action: Service Auth or Login Gate
  2. Configure Device Detection:

    Rule Expression: http.user_agent matches ".*(Mobile|Android|iPhone|iPad).*" and
                    starts_with(http.request.uri.path, "/sensitive/")

  3. Device Management:
     • Device Fingerprinting: Track device characteristics
     • Certificate Requirements: Require device certificates
     • Mobile Device Management: Integration with MDM systems

The user agent is supplied by the client, so use it only to step verification up, as this policy does, never to relax it; a device certificate or MDM check is what actually establishes which device is connecting.

Policy Testing and Validation

Test Mode Configuration

Before deploying policies:

  1. Enable Test Mode:
     • Select "Test Mode" when creating policies
     • Monitor behavior for 24-48 hours
     • Review access logs for policy effectiveness
  2. Test Scenarios:
     • Valid Access: Confirm legitimate users can access
     • Blocked Access: Verify threats are properly blocked
     • Edge Cases: Test boundary conditions and exceptions

Access Validation

Validate policy effectiveness:

  1. Access Pattern Analysis:
     • Successful Authentications: Track login success rates
     • Failed Access Attempts: Monitor blocked requests
     • False Positives: Identify legitimate users blocked
  2. Performance Impact:
     • Authentication Latency: Time added by access checks
     • Cache Hit Rates: Efficiency of policy caching
     • Resource Usage: System resources consumed

User Experience Testing

Ensure smooth user experience:

  1. Authentication Flow:
     • Login Process: Test email OTP delivery and verification
     • Session Management: Verify session persistence and renewal
     • Error Handling: Ensure clear error messages
  2. Mobile Experience:
     • Mobile Authentication: Test OTP on mobile devices
     • Responsive Design: Verify login pages work on mobile
     • App Integration: Test with mobile applications

Advanced Policy Configuration

Multi-Factor Authentication

Scenario: Require additional verification for sensitive areas

  1. Configure Enhanced Authentication:
     • Primary Factor: Email OTP (standard)
     • Secondary Factor: SMS or authenticator app
     • Fallback Method: Security questions or admin override. A fallback is only as strong as its weakest option; prefer a logged admin override over security questions, which are often guessable.
  2. Risk-Based Authentication:

    Rule Expression: (starts_with(http.request.uri.path, "/financial/") or
                     starts_with(http.request.uri.path, "/hr/")) and
                    (ip.geoip.country != "US" or
                     not (ip.src in $known_user_ips))
    

Dynamic Policy Updates

Scenario: Automatically update policies based on threat intelligence

  1. Threat Feed Integration:
     • IP Reputation Lists: Automatically block known bad IPs
     • Malware Signatures: Block requests with malware indicators
     • Bot Detection: Dynamically identify and block automated traffic
  2. Automated List Updates:

    # Example: daily update of a threat IP list
    import ipaddress
    import requests

    def update_threat_list():
        # A timeout and status check keep a hung or failing feed from
        # silently leaving the list stale.
        threat_feed = requests.get('https://threat-intel.example.com/ips', timeout=10)
        threat_feed.raise_for_status()
        # Parse every entry as an IP or CIDR so a malformed feed aborts the
        # update instead of pushing junk into the list.
        malicious_ips = [
            str(ipaddress.ip_network(entry, strict=False))
            for entry in threat_feed.json()['ips']
        ]

        # Update the Peakhour access list via the API. update_access_list stands
        # in for that API call; it is not defined on this page.
        update_access_list('malicious_ips', malicious_ips)
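An automatically updated block list is only as trustworthy as its feed. The following is an added example, not Peakhour code, of the sanitisation step that belongs between fetching a feed and calling the list-update API: it rejects malformed entries, prefixes broad enough to take down large parts of the Internet, non-routable space, and anything overlapping a range you must never block (your own partner list, for instance), then collapses overlapping entries to keep the list small. The feed payload is constructed; the protected ranges, the non-routable set and the prefix-length floor are assumptions to tune per deployment.

```python
"""Sanitise a threat-intelligence IP feed before pushing it to a block list.
Added example, not Peakhour code; thresholds and protected ranges are assumptions."""
import ipaddress

# Constructed feed payload in the {"ips": [...]} shape the update script expects.
SAMPLE_FEED = {"ips": [
    "198.51.100.23", "198.51.100.24", "198.51.100.0/24",  # overlapping entries
    "203.0.113.0/24",   # a trusted partner range that must never be blocked
    "10.0.0.0/8",       # private space, and far too broad
    "192.168.1.5",      # private space
    "0.0.0.0/0",        # would block everyone
    "not-an-ip",        # malformed
    "2001:db8::1",      # IPv6 host
]}

NEVER_BLOCK = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. the $trusted_partners ranges
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
MIN_PREFIX = {4: 16, 6: 48}  # refuse anything broader than a /16 (v4) or /48 (v6)


def overlaps_any(net, ranges):
    return any(net.version == r.version and net.overlaps(r) for r in ranges)


def sanitize_feed(entries, never_block=NEVER_BLOCK, min_prefix=MIN_PREFIX):
    """Return (accepted networks, [(entry, reason), ...] for rejections).
    Accepted networks are collapsed, so 198.51.100.23 and 198.51.100.0/24
    become a single entry."""
    accepted, rejected = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "malformed"))
            continue
        if net.prefixlen < min_prefix[net.version]:
            rejected.append((raw, "too broad"))
        elif overlaps_any(net, NON_ROUTABLE):
            rejected.append((raw, "non-routable"))
        elif overlaps_any(net, never_block):
            rejected.append((raw, "overlaps protected range"))
        else:
            accepted.append(net)
    collapsed = []
    for version in (4, 6):
        collapsed.extend(ipaddress.collapse_addresses(
            n for n in accepted if n.version == version))
    return collapsed, rejected


def prepare_block_list(feed):
    """Feed payload -> (list entries to push, rejections to log and alert on)."""
    nets, rejected = sanitize_feed(feed["ips"])
    return [n.with_prefixlen for n in nets], rejected
```

On the sample feed, `prepare_block_list` keeps only `198.51.100.0/24` and `2001:db8::1/128` and reports five rejections. Alert on the rejections rather than dropping them silently: a feed that suddenly starts emitting `0.0.0.0/0` or your own ranges is itself a security event.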
    

Integration Policies

Scenario: Integrate with existing identity systems

  1. LDAP/Active Directory Integration:
     • User Verification: Check against corporate directory
     • Group Membership: Apply policies based on AD groups
     • Attribute Mapping: Use AD attributes in policy decisions
  2. Single Sign-On (SSO) Integration:
     • SAML Integration: Accept SAML assertions for authentication
     • OAuth2 Support: Integrate with OAuth2 providers
     • JWT Token Validation: Verify and trust JWT tokens

Monitoring and Management

Access Analytics

Monitor access patterns through the dashboard:

Usage Metrics:

  • Authentication Success Rate: Percentage of successful logins
  • Policy Effectiveness: Which policies are most triggered
  • Geographic Access Patterns: Where users are accessing from
  • Time-Based Patterns: When access attempts occur

Security Metrics:

  • Blocked Attempts: Number of access denials
  • Suspicious Patterns: Unusual access attempts
  • Threat Detection: Malicious activity identified
  • False Positive Rate: Legitimate users incorrectly blocked

Alert Configuration

Set up proactive monitoring:

  1. Security Alerts:
     • Multiple Failed Logins: Potential brute force attacks
     • Geographic Anomalies: Unusual location-based access
     • High-Volume Requests: Potential DDoS or automated attacks
  2. Operational Alerts:
     • Policy Failures: When policies can't be enforced
     • Authentication Service Issues: OTP delivery problems
     • Performance Degradation: Slow authentication responses

Compliance Reporting

Generate compliance reports:

Access Reports:

  • User Access Logs: Who accessed what and when
  • Geographic Access Patterns: Compliance with data residency
  • Authentication Audit Trail: Complete login/logout history

Policy Reports:

  • Policy Effectiveness: Success/failure rates by policy
  • Coverage Analysis: Which resources are protected
  • Exception Tracking: When and why policies were bypassed

Best Practices

List Management

  • Regular Updates: Keep IP and string lists current
  • Automation: Use APIs for dynamic list updates
  • Documentation: Clearly document list purposes and sources
  • Version Control: Track changes to critical lists

Policy Design

  • Principle of Least Privilege: Grant minimal necessary access
  • Defense in Depth: Layer multiple policies for comprehensive protection
  • User Experience: Balance security with usability
  • Testing: Thoroughly test policies before production deployment

Performance Optimization

  • Policy Ordering: Place most frequently matched policies first
  • Caching: Enable caching for frequently accessed resources
  • List Size: Keep lists reasonably sized for performance
  • Regular Cleanup: Remove unused policies and list entries

This comprehensive approach to Edge Access lists and policies provides robust zero trust security while maintaining flexibility and user experience for your applications.