NorthernNetGuy
Advisor

Blocking all Possible bad IPs

Hi all,

Our security architect would like to block any IP that is listed as bad or possibly bad by our SIEM or virustotal.

This ends up involving a lot of manual IP blocking. 

I think the better approach would be to ensure our public sites are hardened, and client devices secured, but they would first like to take an IP block list approach, regardless of possible impact.

We're using a slightly modified Optimized IPS profile, and import a couple of indicator IP lists.

I'm wondering what others have done in this type of situation to help reduce the amount of alerts seen, and automatically block as much as possible.

Thank you

0 Kudos
4 Replies
Joseph_Audet
Ambassador

From an automation perspective you can do a couple of things:

R81+ (needed on both mgmt and GW) - Generic data centers:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

From R81.20 (needed on both mgmt and GW) we have added External Network Feeds:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuid...

These options could allow you to have your SIEM automatically (or manually after review) update files on a server that the GW will ingest on a regular basis, much like the public updatable objects, saving you from having to do a policy install on each update.

0 Kudos
NorthernNetGuy
Advisor

Hi Joseph,

Thanks for the quick reply

I'm on R81.10, so I can take advantage of the Data Center object. I'll review and schedule an upgrade to R81.20 soon. I'll be working on getting an exported list from our SIEM.

For the Generic Data Center object I'm having some difficulty identifying a good set of vendors who offer a good JSON list for us to review. Is there a set of recommended feeds, or examples that others are using?

Also, does this support STIX 2.0 (uses JSON)? 

0 Kudos
Joseph_Audet
Ambassador

The Generic Data Center object is a custom JSON format you have to follow when you create your own file.

The network feeds are one of two types:

  • Flat List: You create a file and populate it; you can select which lines to ignore and what to use as the delimiter.
  • JSON: You have to build a JQ query to parse the file output, which means STIX2 shouldn't be an issue as long as the output stays standardized to match your query (http://stedolan.github.io/jq/).

I do not have specific recommendations for external IOC / block list feeds. All of the intelligence Check Point has available is already at your disposal if you are using the various threat engines and have them configured to prevent mode.

0 Kudos
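As an added example (my own code, not Check Point's and not anything posted in this thread), here is the pipeline the two replies above describe, end to end: a STIX 2 bundle exported from a SIEM is parsed for ipv4-addr/ipv6-addr indicators, the result is sanitized (unparsable entries, private/loopback/link-local/CGNAT/multicast ranges and the organisation's own public ranges are dropped, overlapping entries are merged), and the surviving ranges are written out in the two shapes the gateway can ingest: a flat one-entry-per-line list for the Flat List feed type, and a JSON document for the JSON feed / Generic Data Center object. The sample bundle, `OWN_RANGES` and the object `id` are constructed; the Generic Data Center key layout (`version`, `description`, `objects[]` with `name`, `id`, `description`, `ranges`) is an assumption taken from memory of the SK article linked above and should be checked against the documentation for your release before you rely on it.

```python
"""Build gateway feed files from a SIEM's STIX 2 export.

Added example; not Check Point code. Assumed: the Generic Data Center JSON
layout and the constructed sample bundle / OWN_RANGES below.
"""
import ipaddress
import json
import re
from typing import Iterable, List

# Ranges that must never be published to a block list, whatever a feed claims:
# "this" network, RFC 1918, CGNAT, loopback, link-local, multicast, IPv6 ULA/link-local.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]

# One STIX comparison expression for an address observable, e.g. [ipv4-addr:value = '203.0.113.9']
ADDR_RE = re.compile(r"(ipv4-addr|ipv6-addr):value\s*=\s*'([^']+)'")

# Constructed sample of what a SIEM / TIP might hand over. Documentation ranges are used
# as the "bad" addresses; 10.0.0.5 and 192.0.2.77 are planted to show entries that must be dropped.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000002", "name": "siem"},
        {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.0/24']"},
        {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.9']"},    # inside the /24 above
        {"type": "indicator", "pattern": "[ipv4-addr:value = '10.0.0.5']"},       # RFC 1918: never block
        {"type": "indicator", "pattern": "[ipv4-addr:value = '192.0.2.77']"},     # our own NAT pool (OWN_RANGES)
        {"type": "indicator", "pattern": "[ipv6-addr:value = '2001:db8::1' OR ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'example.invalid']"},  # not an address
        {"type": "indicator", "pattern": "[ipv4-addr:value = '999.1.1.1']"},      # malformed, skipped
    ],
})
OWN_RANGES = ["192.0.2.64/27"]  # constructed: the organisation's own public addresses


def extract_address_indicators(bundle_text: str) -> List[str]:
    """Return every ipv4/ipv6 value found in the patterns of indicator objects, in bundle order."""
    bundle = json.loads(bundle_text)
    values = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        values.extend(value for _, value in ADDR_RE.findall(obj.get("pattern", "")))
    return values


def sanitize_ranges(raw_ranges: Iterable[str], own_ranges: Iterable[str] = ()) -> List[str]:
    """Parse entries, drop unparsable ones and anything overlapping a never-block or own range,
    then merge overlaps (203.0.113.9 disappears into 203.0.113.0/24) and de-duplicate."""
    excluded = NEVER_BLOCK + [ipaddress.ip_network(r) for r in own_ranges]
    parsed = []
    for raw in raw_ranges:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole feed
        if any(net.version == ex.version and net.overlaps(ex) for ex in excluded):
            continue
        parsed.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses refuses mixed versions, so group first
        merged.extend(ipaddress.collapse_addresses(n for n in parsed if n.version == version))
    return [str(n) for n in merged]


def build_flat_list(ranges: List[str]) -> str:
    """One entry per line with a '#' comment header: the Flat List feed type."""
    return "# generated from SIEM export\n" + "\n".join(ranges) + "\n"


def build_generic_datacenter_json(ranges: List[str], name: str = "siem-blocklist") -> str:
    """Wrap the ranges in the assumed Generic Data Center layout; verify keys against your release's docs."""
    doc = {
        "version": "1.0",
        "description": "Indicators exported from the SIEM, sanitized before publishing",
        "objects": [{
            "name": name,
            "id": "siem-blocklist-0001",  # placeholder; keep it stable across updates
            "description": "Hostile addresses from SIEM / VirusTotal review",
            "ranges": ranges,
        }],
    }
    return json.dumps(doc, indent=2)


def feed_files_from_stix(bundle_text: str, own_ranges: Iterable[str] = ()) -> dict:
    """End to end: STIX bundle text -> sanitized ranges plus both feed formats."""
    ranges = sanitize_ranges(extract_address_indicators(bundle_text), own_ranges)
    return {"ranges": ranges,
            "flat": build_flat_list(ranges),
            "generic_dc": build_generic_datacenter_json(ranges)}


if __name__ == "__main__":
    result = feed_files_from_stix(SAMPLE_BUNDLE, OWN_RANGES)
    print(result["flat"])
    print(result["generic_dc"])
```

For the JSON feed type, a jq query of `.objects[].ranges[]` pulls the ranges back out of the file this produces. The never-block list and the own-ranges check are the part worth keeping even if you change everything else: a SIEM or VirusTotal hit on your own NAT address, a scanner, or an internal host will otherwise end up in the block list and cause an outage rather than stop an attacker.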
the_rock
Legend

Hey @NorthernNetGuy,

Have a look at the post below and see if it helps you. Not sure if the response I gave there makes sense to you, but that's what I found to be a decent approach.

Andy

https://community.checkpoint.com/t5/Security-Gateways/BLOCK-BAD-REPUTATION-IPS-IN-A-DYNAMIC-WAY/m-p/...

0 Kudos