Blocking all Possible bad IPs
Hi all,
Our security architect would like to block any IP that is listed as bad or possibly bad by our SIEM or virustotal.
This ends up involving a lot of manual IP blocking.
I think the better approach would be to ensure our public sites are hardened, and client devices secured, but they would first like to take an IP block list approach, regardless of possible impact.
We're using a slightly modified Optimized IPS profile, and import a couple of indicator IP lists.
I'm wondering what others have done in this type of situation to help reduce the number of alerts seen and automatically block as much as possible.
Thank you
From an automation perspective you can do a couple of things:
R81+ (needed on both mgmt and GW) - Generic data centers:
From R81.20 (needed on both mgmt and GW) we have added External Network Feeds:
These options could allow you to have your SIEM automatically (or manually after review) update files on a server that the GW will ingest on a regular basis, much like the public updatable objects, saving you from having to do a policy install on each update.
Hi Joseph,
Thanks for the quick reply.
I'm on R81.10 so I can take advantage of the data center object. I'll review and schedule an upgrade to R81.20 soon. I'll be working on getting an exported list from our SIEM.
For the Generic Data center object I'm having some difficulty identifying a good set of vendors who offer a good json list for us to review. Is there a set of recommended feeds, or examples that others are using?
Also, does this support STIX 2.0 (uses JSON)?
The generic datacenter object is a custom JSON format you have to follow when you create your own file.
The network feeds are one of two types:
- Flat List: You create a file and populate it; you can select which lines to ignore and what to use as the delimiter
- JSON: You have to build a JQ query to parse the file output, which means STIX2 shouldn't be an issue as long as the output stays standardized to match your query (http://stedolan.github.io/jq/ )
I do not have specific recommendations for external IOC / block list feeds. All of the intelligence Check Point has available is already at your disposal if you are using the various threat engines and have them configured to prevent mode.
Hey @NorthernNetGuy ,
Have a look at the post below and see if it helps you. Not sure if the response I gave there makes sense to you, but that's what I found to be a decent approach.
Andy
