• No results found

Blacklist Example Configuration for StoneGate


Academic year: 2021

Share "Blacklist Example Configuration for StoneGate"


Loading.... (view fulltext now)

Full text


Stonesoft Corp. Itälahdenkatu 22 A, FIN-00210 Helsinki, Finland

Tel. +358 ( 9 ) 4767 11 Fax. +358 ( 9 ) 4767 1234 E-mail. info@stonesoft.com Business ID: 0837548-0, VAT number: FI08375480

w w w . s t o n e s o f t . c o m

Blacklist Example Configuration for



1.1 Introduction ... 3

1.1.1 Why blacklisting is needed... 3

1.1.2 Blacklisting risks ... 3

1.2 Example Task ... 5

1.3 IPS Configuration ... 5

1.3.1 Analyzer Element Configuration... 5

1.3.2 Sensor Policy ... 5

1.3.3 Rule Options/ Blacklisting... 6

1.4 Firewall Configuration ... 7


Stonesoft Corp. Itälahdenkatu 22 A, FIN-00210 Helsinki, Finland

Tel. +358 ( 9 ) 4767 11 Fax. +358 ( 9 ) 4767 1234 E-mail. info@stonesoft.com Business ID: 0837548-0, VAT number: FI08375480

w w w . s t o n e s o f t . c o m

1.1 Introduction

A good security consists of prevention, detection and reaction layers. The preventive layer means threat identification and blocking before they can cause any damage. The detection monitors for any anomalies that may signify of a breach through the passive prevention layer. The reaction consists of a set of actions that are carried out when such anomalies are detected.

The reactive security's goal is to minimize the harm and to restore the systems back to the normal status quickly and cost-effectively. The procedures to do that should be pre-planned and documented. Many times, however, the exact reactions are hard to define before the incident happens and therefore the reactive actions usually require human analysis and adaption. For some cases, it may be possible to define active responses, i.e. actions that a security device can automatically launch when it detects an incident. Even then, the active responses are used only to save time and to limit the damage - the human intervention is usually required as well.

Blacklist is an active response. It is a command chain from the intrusion detection system (IDS) to a device, which is able to control the traffic stream through it. The purpose of the blacklist is to instruct the access control device to block harmful connections as determined by the IDS. In StoneGate architecture the IPS Sensor is able to send a blacklist request through the IPS Analyzer to a StoneGate firewall engine. Blacklist requests can also be sent manually to firewalls through the Management Client.

1.1.1 Why blacklisting is needed

Blacklisting is a reactive response that combines the IDS's ability to detect attacks and the firewall's ability to block traffic. Blacklisting is needed whenever the firewall is unable to determine if the traffic is good or bad, but needs separate IDS to tell the difference. An inline-IPS combines these functions and in many cases is able to block the attack attempts alone without a need to send blacklist responses to anyone. However, the blacklisting is useful in the following cases:

i) The traffic latency requirements are too strict for an inline-IPS. The IDS analyses the traffic off-line and therefore does not cause any delays to the good traffic.

ii) The risk of the inline-IPS failures (software or hardware) or the needs for inline-IPS maintenance does not meet the network availability requirements. If an IDS breaks, the attacks are not detected, but the good traffic is not interrupted. iii) Sometimes the offending connection is not the (only) one that is desired to block. If the IDS detects that a business-critical application server has been compromised, the desired reaction may be to shut down the whole network until the intruder has been cleaned out. This may require blacklist requests to several firewalls.

iv) Firewall may be already in a proper place and therefore adding the IDS is a lot easier step than implementing the real inline-IPS.

1.1.2 Blacklisting risks

All active responses always decrease the availability. Termination of a single connection breaks that connection only, whereas the blacklist request can block all future connections also between the defined hosts for a defined set of time. If the blocked host belongs to a malicious attacker, the response serves its purpose very well. However, there is always a risk that the blocking itself causes denial or service (DoS) damage to the innocent ones.


The following two categories represent the risks associated with the blacklisting: a) Blacklisting innocent connections

If the detection heuristic to detect the malicious activities out from the network traffic is not fully accurate, the good traffic may sometimes be blacklisted. This causes service downtime for the anomalous-looking hosts. The accuracy imperfection may be caused by bad quality with the fingerprints or by administrator errors in the configuration.

b) Acting as a denial of service (DoS) automation

A blacklist configuration essentially means an automation that responds to a defined set of attacks with denial of service. Sometimes this may lead to a response that causes more damage than the attack would have caused. The attackers may also deliberately trigger the IDS to blacklist business-critical communications, by spoofing the attack's source IP addresses. The attackers motivation in these cases is not to succeed with the original attacks, but to use them to tear down valid connections.

The risks can be tackled with good planning. The threats should be listed and evaluated carefully and the active responses should be defined only with good reasons.

Whitelisting is a technique that protects the business critical connections against blacklisting. By carefully planning the administrator can categorize the connections to three different groups:

1) Connections that are allowed and that cannot be blacklisted (i.e. they are whitelisted) 2) Connections that are allowed normally but are subject to blacklisting

3) Connections that are discarded

In StoneGate firewall the whitelisting is a part of the normal firewall policy and there is not a need to maintain a separate whitelist rulebase.

For more information about the Blacklisting configuration in StoneGate, please read Administrator’s Guide available at: (http://www.stonesoft.com/en/support/technical_support_and_documents/manuals/index.html).


Stonesoft Corp. Itälahdenkatu 22 A, FIN-00210 Helsinki, Finland

Tel. +358 ( 9 ) 4767 11 Fax. +358 ( 9 ) 4767 1234 E-mail. info@stonesoft.com Business ID: 0837548-0, VAT number: FI08375480

w w w . s t o n e s o f t . c o m

1.2 Example Task

The following example describes the configuration steps needed for StoneGate IPS and FW to respond for detected anomalies using blacklisting.


• IPS engine “SGIPSCombo1” blacklists all client-server pairs that have been matched for “Attacks” category situations for 3 minutes. In addition, IPS should raise an Alert every time new blacklist request is done.

• Blacklist requests are sent to both StoneGate Firewall engine “SGFWengine1” and the “SGIPSCombo1”

Whitelist SSH service in “SGFWengine1” from source: Control-NET to destination: WWW-NET-1

Blacklist is allowed in “SGFWengine1” for SSH, FTP, HTTP and HTTPS services when the destination is WWW-NET-1.

• Blacklist is allowed for ANY service in “SGIPSCombo1”

1.3 IPS Configuration

1.3.1 Analyzer Element Configuration

• Analyzer and combined Sensor-Analyzer element/ blacklisting: Define to which firewall(s)/ inline IPS(s) interface the IPS Analyzer sends the Blacklist requests.

1.3.2 Sensor Policy

• Open the Sensor’s system policy for editing and add a new rule in Inspection Rules/ Insert Point.

Drag-and-drop “Attacks” situation category to the Situation column (Situations/By Tag/By Situation


1.3.3 Rule Options/ Blacklisting

• Double-click rule options in the defined rule and select Blacklist Scope view.

• Configure the Blacklist Scope according to the screenshot bellow.

o “Terminate the single connection”

IPS Terminates the matching connection and blacklists the endpoints in the future accordingly.

o “Block traffic between endpoints”

IPS selects the Client_IP_address, Server_IP_address and Destination_Port_number from the matching connection and uses it in blacklist request for Firewall and IPS engine(s).

o “Blacklist Executors”

IPS analyzer sends the blacklist request to the selected blacklist executors.

o “Include the original observer into the list of executors”

If checked, the analyzer automatically sends the blacklist request for the engine that detected the anomaly or violation. In this example, the blacklist request is send for “SGIPSCombo1” engine too.

• Save the IPS policy with different name and install IPS sensor. Analyzer policy will be generated and installed automatically during sensor policy installation.


Stonesoft Corp. Itälahdenkatu 22 A, FIN-00210 Helsinki, Finland

Tel. +358 ( 9 ) 4767 11 Fax. +358 ( 9 ) 4767 1234 E-mail. info@stonesoft.com Business ID: 0837548-0, VAT number: FI08375480

w w w . s t o n e s o f t . c o m

1.4 Firewall Configuration 1.4.1 Firewall Policy

• Whitelisted access rules are located before the blacklist rules in firewall policy. In this example, rule 14.1 whitelists SSH service when the source is Control-NET and destination is WWW-NET-1.

The rule 14.2 defines which services are allowed to blacklist in firewall engine. SSH, FTP, HTTP and

HTTPS services can be blacklisted when the traffic destination is WWW-NET-1.

The following access rules 14.3 and 14.4 define how the WWW-NET-1 can be accessed from other networks.

• To allow blacklist requests from the IPS Analyzer engine (SGIPSCombo1) you need to add the Analyzer to the list of granted blacklisters in the rule Options (see rule 14.2/ Options)


• The Firewall policy is now ready for installation.

• To summarize:

o Access rules located before the blacklist rules are automatically considered as whitelisted traffic/ services.

o Blacklist rule defines the services that can be blacklisted if requested.


Related documents

Modules across their own purpose sales is to make educated forecasts and utility of sale of an invoice number that in sale of payment for leaving the template?. Little reason to

between rainfall patterns and the spatial distribution of mangrove forests at study sites in 16.. Moreton Bay, southeast Queensland, Australia, over a 32-year period from 1972

Fundraising plans (if any) as well as a listing of individual, corporate or foundation gifts and amounts received and anticipated for this specific project/program where the amounts

It is recommended to prepare local maintenance tasks using remote diagnostics procedures, as described in the "ServerView Suite Local Service Concept (LSC)" manual

Indira Nooyi, CEO PepsiCo Madras Christian College The non‐IIT Faces Satya Nadela, CEO Microsoft Manipal Institute of Technology Rakesh Kapoor, CEO Reckitt Benckiser BITS

Quality: We measure quality (Q in our formal model) by observing the average number of citations received by a scientist for all the papers he or she published in a given

* This paper is presented to the 2nd KRIS-Brookings Joint Conference on "Security and Diplomatic Cooperation between ROK and US for the Unification of the

Indian geothermal provinces have the capacity to produce 10,600 MW of power- a figure which is five time greater than the combined power being produced from non-conventional