NeilDavey
Collaborator

Blocking Potential Malicious IP's

Hello

I was wondering if someone could advise on the best way to block unwanted IPs from trying to access external systems (FWs, RDP servers, websites, Citrix ADCs, etc.)?

Option 1 would be to create a host object with the IP and put this at the top of the rule base. Could put this in source and destination to drop any traffic for this particular IP.

Option 2 would be to use External Network Feeds. This would do the same as option 1 in theory.

The issue with both of these (I believe), is that implied rules would still allow this traffic that we want to drop as both of these options are after the implied rules.

What is the best method to block traffic before the rule base and before implied rules?

Thanks

5 Replies
Tal_Paz-Fridman
Employee

There are also IoC Feeds: https://support.checkpoint.com/results/sk/sk132193


As for Implied Rules, they are designed to allow traffic from known objects (Management Servers, Log Servers, etc.). If an IP is not allowed - using a Network Feed / IoC Feed / specific Network Object - and that IP is not mapped to a known object, it will be dropped.

In the case where Any is allowed, it is typically for a specific protocol. In that case you can perhaps:

1) Change Implied Rule from Global Properties and use an Explicit Rule instead:

https://support.checkpoint.com/results/sk/sk179346

2) Control access to the Security Gateway's portals by setting them to be accessible only through internal interfaces or according to the firewall policy.


the_rock
Legend

See if the post below, which I made earlier this year, makes sense (about network feeds).

I find it's better than IoCs, since you don't need to enable the AB or AV blade to use them and they work right away. I spoke with a client back then (hospital) and the guy told me they keep adding all bad IPs manually and had maybe 50k hits in 6 months. I gave him the link and he calls me 2 days later: "Holy smokes Andy, we got 60 million hits already in 2 days."

I think that's good enough proof it works lol

Andy

https://community.checkpoint.com/t5/Security-Gateways/Network-feed/m-p/212407#M40317

Lesley
Mentor

Agree, don't do it by ''hand''; waste of time.

Only do it if there is, for example, a new CVE with some new ''known'' IPs that you should block.

Sometimes IoC is then a bit behind.

-------
If you like this post please give a thumbs up (kudo)! 🙂
the_rock
Legend

Yea, thing is lots of people don't know a better way :-(

@NeilDavey

I would also check out the links below.

Andy

https://support.checkpoint.com/results/sk/sk132193


https://community.checkpoint.com/t5/Security-Gateways/IOC-feeds/m-p/211186#M40007

Tomer_Noy
Employee

As some people mentioned, both IOC Feeds and Network Feeds are great options for blocking large lists of potentially malicious IPs. They are definitely better than creating many unnecessary host objects and managing them in large groups for your policy.

Regarding implied rules accepting the traffic before the feed blocking, I'd definitely look into https://support.checkpoint.com/results/sk/sk105740. From experience with a few customers, it's a common reason for seeing "Accepts" of traffic heading towards your gateways, and there are explanations in the SK for mitigating it.

If you are going to use IOC feeds, one option is to host them on some web/file server of your own, but you need to maintain, secure and keep it backed up. Another option is to leverage the IOC hosting capabilities of the Infinity Portal. This can be accessed via the Infinity XDR app, but doesn't require an XDR license. You can add your IPs there, or point it to multiple external feeds.

A third option (which I think is very cool) is to leverage Infinity Playblocks. Once you activate "Quantum Enforcement", your policies will have an ordered layer for blocking malicious sources or quarantining compromised machines. This works in parallel to your existing layers / policies, and similar to Network Feeds, it's an "Access Policy" feature that doesn't require any of the Threat Prevention blades.

The list of malicious sources can be populated automatically by Playblocks as it monitors your IPS activity (which does require the IPS blade) and will flag any IP that is performing high confidence IPS attacks on your gateways. An attack on a single gateway will cause that IP to be blocked across all your gateways.

Another way to populate the list (which not many are familiar with) is via Playblocks APIs. You can either manually script something that will add IPs to the list, or you can attach it to your SIEM / SOAR to do it automatically in real time. You can also add IPs via the Playblocks UI in the Infinity Portal application.

Using Playblocks relieves you of the burden of hosting the Network Feed, but it also brings useful features like expiration (TTL) for the added IPs, audit logs and more.

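As an added example (not from this thread, and not Check Point's own tooling), a small Python script that builds the self-hosted flat-list Network Feed file the_rock and Tomer describe: it validates and deduplicates raw indicators, expands ranges, collapses overlapping blocks, and refuses any entry that overlaps networks the gateway must always reach (management and log servers), which is the same self-lockout the implied rules exist to prevent. The flat-list layout (one IP or CIDR per line) and the NEVER_BLOCK ranges are assumptions.

```python
import ipaddress

# Constructed sample: raw indicators as they might arrive from several sources
# (an abuse report, a SIEM export). Mixed formats, duplicates, junk, and one
# entry that overlaps our own management network.
RAW_INDICATORS = """
# abuse report (constructed sample)
203.0.113.45
203.0.113.45
198.51.100.0/24
198.51.100.17        ; already covered by the /24 above
192.0.2.10-192.0.2.12
10.1.1.5             ; our own management server, must never be blocked
not-an-ip
2001:db8::/32
"""

# Assumed: networks the gateway must always be able to reach (management,
# log servers, internal ranges). Anything overlapping these is rejected.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_indicator(token: str) -> list:
    """Turn one indicator (IP, CIDR, or a-b range) into a list of ip_network objects."""
    if "-" in token:  # a-b range: expand to the minimal set of CIDR blocks
        first, last = (t.strip() for t in token.split("-", 1))
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return [ipaddress.ip_network(token, strict=False)]


def build_feed(raw: str, never_block=NEVER_BLOCK):
    """Return (feed_lines, rejected): validated, deduplicated, collapsed entries."""
    nets, rejected = [], []
    for line in raw.splitlines():
        token = line.split("#")[0].split(";")[0].strip()  # strip comments
        if not token:
            continue
        try:
            candidates = parse_indicator(token)
        except ValueError:  # unparseable indicator: never silently guess
            rejected.append(token)
            continue
        for n in candidates:
            if any(n.version == p.version and n.overlaps(p) for p in never_block):
                rejected.append(token)  # would block our own infrastructure
            else:
                nets.append(n)
    # collapse_addresses dedupes and merges overlapping blocks; v4/v6 separately
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    lines = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
             for n in list(v4) + list(v6)]
    return lines, rejected
```

Writing `"\n".join(lines)` to the file served by the web server gives the flat list; the rejected list is what you review by hand (or alert on) before publishing.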
