Requirement:
The IP Reputation service augments the security posture by adding a dynamic IP reputation feed to existing defenses. The service provides a real-time feed of known malicious IP addresses, broken down into 10 categories so that IT security administrators can identify threats by type. These categories are: Windows Exploits, Web Attacks, Phishing, Botnets, Denial of Service, Scanners, Proxies, Reputation, Spam Sources, and Mobile Threats.
Security is increased with this service as the time required to identify new and existing IP threats is drastically reduced. Not only does the service decrease the time it takes to research IP addresses, it also provides visibility into the types of threats, as well as historical and geolocation data to help security admins make better threat decisions.
Solution:
The IP classification service identifies malicious IP addresses and their origin. With the reputation database, any inbound attack from these malicious endpoints can be stopped at the controller itself, protecting the client devices behind the controller.
The geolocation database locates an IP address down to country and city level. It enables visualizations such as the top countries originating malware/spyware traffic or the top countries from which the most DDoS attacks are received. Customers can use this information to formulate geolocation firewall policies that protect internal network resources and keep the network healthy.
The current firewall policy enforcement in AOS relies on L3/L4-L7 information with DPI/WebCC support. This feature extends that model by allowing customers to define firewall policies based on IP classification.
The benefits of this feature include:
- Identify and prevent attacks from malicious hosts.
- Identify the geolocation of the source and destination of traffic.
- Identify the locations from which most spyware/malware/DDoS attacks originate.
- Geolocation visibility into traffic flows.
- Ability to formulate firewall policies that permit or deny traffic based on the geolocation of an IP address.
Without this feature, the only way to prevent traffic coming from rogue nations is to know all the IP address ranges of each rogue nation and add an ACL rule for each range that needs to be blocked.
Configuration:
Once enabled, this feature causes all L3 traffic to be classified. Every session is classified with reputation (malicious or clean) and geolocation (originating from a specific location, either a country or a more specific city) information. The classification is done in the datapath by SP during session creation, before user-role policy enforcement. The datapath maintains an IP classification table holding the reputation/geolocation information for IP addresses. This table is fetched from the Webroot server and downloaded from the control plane once the feature is enabled.
When a new session is received, the source and destination IP addresses are extracted and a table lookup is done for both to obtain their reputation/location information. If the lookup succeeds, the session is marked as classified and is subjected to the IP classification based firewall policies. If the lookup fails, an IP classification query message is sent to the control plane web_cc daemon for a cloud lookup; once the cloud lookup is resolved, the entry is added to the datapath table.
Once a session is IP classified, the datapath evaluates it against the IP classification based firewall policies. If a rule matches, its action determines whether the session is permitted or denied. Otherwise the session is subjected to the default role-based firewall policies.
(Aruba7210) (config) #firewall ?
ip-classification Enable IP (reputation/geolocation) classification
Policy Configuration:
A new access-list type is defined for configuring IP geolocation based firewall policies.
(Aruba7210) (config) #ip access-list ?
eth Ethertype access list
extended Extended Access List
mac MAC access list
session Session Access List
standard Standard Access List
ip-geolocation IP geolocation access list
(Aruba7210) (config) #ip access-list ip-geolocation
The syntax for location based firewall policies is as follows:
(config-ip-geo-policy) #[permit | deny] [to | from] location
location can be any of the following:
any - Match any location
country - Match a single country
region - Match a group of countries
anonymous-proxy - Match anonymous proxy
The reputation rules can be configured as:
(Aruba7210) (config) #ip-reputation deny ?
inbound connections originated from outside
outbound connections originated by the controller
Customers can exempt traffic from IP classification based firewall policies using whitelist rules which can be configured as follows:
(Aruba7220) (config) #ip-classification whitelist-db add 1.0.171.35
(Aruba7220) (config) #ip-classification whitelist-db add 1.0.171.36
(Aruba7220) (config) #ip-classification whitelist-db del 1.0.171.36
(Aruba7220) (config) #ip-classification whitelist-db purge
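The session flow described under Configuration (table lookup, cloud-lookup fallback, whitelist exemption, reputation rules, then geolocation rules with fall-through to role-based policies), modelled as an added example; this is not Aruba code, and the table entries, region definitions, country codes, the `country:`/`region:` location encoding and the session addresses are all constructed.

```python
"""Model of the IP-classification datapath flow (added example, not Aruba code).
Table entries, regions, whitelist, rules and session values are constructed."""
import ipaddress

# Constructed classification table: network -> (reputation, country, is_anonymous_proxy)
TABLE = {
    "198.51.100.0/24": ("malicious", "AA", False),
    "203.0.113.0/24": ("clean", "BB", True),
    "192.0.2.0/24": ("clean", "CC", False),
}
REGIONS = {"region-x": {"AA", "BB"}}   # constructed region -> member countries
WHITELIST = {"198.51.100.7"}           # ip-classification whitelist-db entries
REPUTATION_DENY = {"inbound"}          # ip-reputation deny inbound
GEO_RULES = [("deny", "from", "anonymous-proxy"),   # ip access-list ip-geolocation rules,
             ("deny", "to", "country:AA"),          # evaluated in order, first match wins
             ("permit", "from", "region:region-x")]
pending_cloud_lookups = []             # queries that would go to web_cc on a table miss

def lookup(ip):
    """Datapath table lookup; a miss queues a cloud lookup and leaves the IP unclassified."""
    addr = ipaddress.ip_address(ip)
    for net, entry in TABLE.items():
        if addr in ipaddress.ip_network(net):
            return entry
    pending_cloud_lookups.append(ip)
    return None

def location_matches(entry, location):
    """Match one classified endpoint against a location keyword from the policy syntax."""
    _rep, country, proxy = entry
    kind, _, value = location.partition(":")
    return {"any": True, "anonymous-proxy": proxy, "country": country == value,
            "region": country in REGIONS.get(value, set())}.get(kind, False)

def evaluate(src, dst, inbound):
    """Return (verdict, reason); 'role-policy' means fall through to role-based policies."""
    if src in WHITELIST or dst in WHITELIST:
        return ("role-policy", "whitelisted: exempt from IP classification policies")
    src_e, dst_e = lookup(src), lookup(dst)
    if src_e is None or dst_e is None:
        return ("role-policy", "unclassified: cloud lookup pending")
    # Reputation rules: inbound = originated from outside, outbound = originated by controller
    if inbound and "inbound" in REPUTATION_DENY and src_e[0] == "malicious":
        return ("deny", "ip-reputation deny inbound")
    if not inbound and "outbound" in REPUTATION_DENY and dst_e[0] == "malicious":
        return ("deny", "ip-reputation deny outbound")
    for action, direction, location in GEO_RULES:
        if location_matches(src_e if direction == "from" else dst_e, location):
            return (action, f"{action} {direction} {location}")
    return ("role-policy", "no IP classification rule matched")
```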
Verification:
Show commands:
show ip-geolocation - displays the geolocation configuration
show ip-geolocation countries - lists the countries
show ip-reputation - displays the reputation configuration
show ip-classification whitelist-db - lists the whitelisted IPs
show firewall - displays the ip-classification configuration
Datapath commands:
show datapath ip-geolocation - displays the geolocation DB
show datapath ip-geolocation counters - displays the session counters
show datapath ip-reputation - displays the reputation DB
show datapath ip-reputation counters - displays the session counters
show datapath ip-reputation rtc - displays the real-time cache
show datapath dns-cache - displays the DNS cache
show datapath session ip-classification
show datapath ip-reputation table

Datapath IP Reputation Table Entries
-------------------------------------------------
ThreatMask: S - spam source, E - windows exploits, W - web attacks
            B - botnet, C - scanners, D - denial of service
            M - malware-infected, P - phishing, A - anonymous proxy
            O - cloud provider, I - malicious mobile apps
Idx      IP                       ThreatMask       Rep
-------- ------------------------ ---------------- -----
0        1.0.129.174/32           A                100
1        1.0.194.139/32           C                100
2        1.0.211.15/32            S                100
3        1.0.226.239/32           C                100
4        1.0.231.46/32            A                100
5        1.0.248.84/32            A                100
6        1.0.252.152/32           A                100
7        1.1.143.140/32           C                100
8        1.1.149.145/32           C                100
9        1.1.179.70/32            S                100
a        1.1.206.31/32            A                100
b        1.2.181.76/32            S                100
c        1.2.212.170/32           A                100
d        1.2.216.250/32           A                100
e        1.2.221.165/32           A                100
f        1.2.231.170/32           A                100
10       1.2.237.190/32           A                100
11       1.2.238.100/32           A                100
12       1.2.239.53/32            S                100
13       1.4.0.0/30               SI               100
14       1.4.0.4/31               SI               100
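Decoding the ThreatMask column of the table output above into the category names from its legend, as an added example (not Aruba code); the sample rows embedded below are constructed in the same layout, with documentation prefixes in place of the real entries, and the hexadecimal Idx column is parsed as such.

```python
"""Parse 'show datapath ip-reputation table' output and expand ThreatMask letters
(added example, not Aruba code). SAMPLE is constructed in the command's layout."""
import re
from collections import Counter

THREAT_MASK = {  # legend printed by the command
    "S": "spam source", "E": "windows exploits", "W": "web attacks",
    "B": "botnet", "C": "scanners", "D": "denial of service",
    "M": "malware-infected", "P": "phishing", "A": "anonymous proxy",
    "O": "cloud provider", "I": "malicious mobile apps",
}
# Idx is hexadecimal (0..9, a, b, ..., 10, 11); only data rows carry a prefix length
ROW = re.compile(r"^\s*([0-9a-f]+)\s+(\S+/\d+)\s+([A-Z]+)\s+(\d+)\s*$")

SAMPLE = """\
Idx      IP                       ThreatMask       Rep
-------- ------------------------ ---------------- -----
0        198.51.100.174/32        A                100
1        198.51.100.139/32        C                100
13       203.0.113.0/30           SI               100
"""

def parse_table(text):
    """Return (idx, prefix, [threat names], rep) per data row; legend/header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        idx, prefix, mask, rep = m.groups()
        names = [THREAT_MASK.get(ch, f"unknown({ch})") for ch in mask]
        entries.append((int(idx, 16), prefix, names, int(rep)))
    return entries

def category_counts(entries):
    """Count table entries per threat category; an entry with several letters counts in each."""
    counts = Counter()
    for _idx, _prefix, names, _rep in entries:
        counts.update(names)
    return dict(counts)
```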