- IP Reputation
IP reputation is an extremely effective tool in identifying the IP address that is sending unwanted requests. You can use the IP reputation list to preemptively reject requests that are coming from the IP with the bad reputation. For example, you can use this feature to optimize application firewall performance by filtering out the requests that you do not want to process. You can reset or drop the connection, or you can configure a responder policy to take a specific responder action.
Following are some examples of attacks that you can prevent by using IP Reputation:
A NetScaler appliance uses Webroot as the service provider for the dynamically generated malicious IP database and the metadata for those IP addresses. Metadata might include geolocation details, threat category, threat count, and so on. The Webroot threat Intelligence engine receives real-time data from millions of sensors. It automatically and continuously captures, scans, analyses and scores the data, using advanced machine learning and behavioral analysis. Intelligence about a threat is continually updated.
As soon as a threat is detected anywhere in the network, the IP address is flagged as malicious and all appliances connected to the network are immediately protected. The dynamic changes in the IP addresses are processed with high speed and accuracy by leveraging advanced machine learning.
As stated in the datasheet from Webroot, the Webroot’s sensor network identifies many key IP threat types, including spam sources, Windows exploits, botnets, scanners, and others. (See the flow diagram on the datasheet)
The NetScaler appliance uses an iprep client process to get the database from Webroot. The iprep client uses the HTTP GET method to get the absolute IP list from Webroot for the first time. Subsequently, it checks delta changes once every 5 minutes.
Make sure the NetScaler appliance (NSIP) has Internet access and DNS is configured before you use the IP Reputation feature.
To access the webroot database, the NetScaler appliance should be able to connect to api.bcti.brightcloud.com on port 443. Each node in the High Availability (HA) or Cluster deployment gets the database directly from the webroot and should be able to access this FQDN (Fully Qualified Domain Name).
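To verify the two prerequisites above (DNS resolution and a TCP path to api.bcti.brightcloud.com on port 443) before enabling the feature, here is an added operator-side check. It is not NetScaler or Webroot code: it runs from a management host with Python, not on the appliance, and only the host name and port come from this page. It reports whether the name resolves and whether a plain TCP connection succeeds; it does not perform the TLS handshake or any API call.

```python
"""Added pre-flight check (example code, not part of NetScaler): can this host
resolve and reach the Webroot reputation endpoint named on the page?"""
import socket
from dataclasses import dataclass, field
from typing import List

WEBROOT_HOST = "api.bcti.brightcloud.com"   # FQDN from the page
WEBROOT_PORT = 443                          # port from the page


@dataclass
class CheckResult:
    host: str
    port: int
    resolved: List[str] = field(default_factory=list)  # addresses DNS returned
    reachable: bool = False                            # TCP connect succeeded
    detail: str = ""                                   # human-readable reason


def check_reputation_endpoint(host: str = WEBROOT_HOST,
                              port: int = WEBROOT_PORT,
                              timeout: float = 5.0) -> CheckResult:
    """Resolve `host` and try a TCP connect to `host:port` on each returned
    address. Returns a CheckResult instead of raising so it can be logged or
    asserted on by an automation job."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # DNS is the first prerequisite on the page; report it separately.
        return CheckResult(host, port, [], False, f"DNS resolution failed: {exc}")

    addrs = sorted({info[4][0] for info in infos})
    last_err = "no addresses returned"
    for family, socktype, proto, _canon, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return CheckResult(host, port, addrs, True,
                               f"TCP connect to {sockaddr[0]}:{port} succeeded")
        except OSError as exc:
            # Try the next address (e.g. IPv6 first, then IPv4) before giving up.
            last_err = f"{sockaddr[0]}:{port}: {exc}"
    return CheckResult(host, port, addrs, False,
                       f"resolved but not reachable ({last_err})")


if __name__ == "__main__":
    result = check_reputation_endpoint()
    status = "OK" if result.reachable else "FAIL"
    print(f"[{status}] {result.host}:{result.port} -> {result.resolved} : {result.detail}")
```

A success here only proves the path from the host you run it on, so run it from a host on the same egress path as the NSIP; the appliance's own /var/log/iprep.log remains the authoritative record of whether the iprep client actually reached Webroot.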
PI expressions: The IP Reputation feature can be configured by using PI expressions (NetScaler default syntax expressions) in the policies bound to supported modules such as application firewall and responder. Following are two examples showing expressions that can be used to detect whether the client IP address is malicious.
Following are the possible values for the threat category.
SPAM_SOURCES: includes tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
WINDOWS_EXPLOITS: includes active IP addresses offering or distributing malware, shell code, rootkits, or viruses.
WEB_ATTACKS: includes cross-site scripting, iFrame injection, SQL injection, cross-domain injection, and domain password brute-force attacks.
BOTNETS: includes botnet C&C channels and infected machines controlled by a bot master.
SCANNERS: includes all reconnaissance, such as probes, host scans, domain scans, and password brute-force attacks.
DOS: Denial of Service; includes DoS, DDoS, anomalous SYN flood, and anomalous traffic detection.
REPUTATION: denies access from IP addresses currently known to be infected with malware. This category also includes IPs with a low average Webroot Reputation Index score. Enabling this category prevents access from sources identified as contacting malware distribution points.
PHISHING: includes IP addresses hosting phishing sites and other kinds of fraud activities, such as ad click fraud or gaming fraud.
PROXY: includes IP addresses providing proxy services.
NETWORK: includes theft of data, such as credit card data or passwords; use of the computer as part of a botnet for spamming or denial-of-service attacks; uploading or downloading of files; installation of software, such as additional malware; and keystroke logging.
CLOUD_PROVIDERS: includes data breaches; weak identity, credential, and access management; insecure interfaces and APIs; and system and application vulnerabilities.
MOBILE_THREATS: includes application-based threats, web-based threats, network-based threats, and physical threats.
The IP reputation feature can check both source and destination IP addresses. It can also detect malicious IPs in the header. If the PI Expression in a policy can identify the IP address, the IP reputation check can determine whether it is malicious.
IPRep log message. The /var/log/iprep.log file contains useful messages that capture information about communication with the Webroot database. The information can be about the credentials used during Webroot communication, failure to connect with Webroot, what is included in an update (such as number of IP addresses in the database), and so on.
Creating a blacklist or whitelist of IPs using policy data set. You can maintain a whitelist to allow access to specific IP addresses that are blacklisted in the Webroot database. You can also create a customized blacklist of IP addresses to supplement the Webroot reputation check. These lists can be created by using policy data set. A data set is a specialized form of pattern set that is ideally suited for IPv4 address matching. To use data sets, first create the data set and bind IPv4 addresses to it. Then, when you configure a policy for comparing a string in a packet, use an appropriate operator and pass the name of the pattern set or data set as an argument.
To use the dataset to create a customized whitelist of addresses to treat as exceptions during IP reputation evaluation, configure the policy so that the PI expression evaluates to False even if an address in the whitelist is listed as malicious by Webroot (or any service provider).
Enabling or disabling IP reputation. IP reputation is a part of the general reputation feature, which is license based. When you enable or disable the reputation feature, it enables or disables IP Reputation.
General procedure. Deploying IP reputation involves the following tasks:
To enable IP reputation using CLI, you can use the following commands:
> enable feature [rep | reputation]
> disable feature [rep | reputation]
The following examples show how you can add an application firewall policy that uses a PI expression to identify malicious addresses. You can use the built-in profiles, add a new profile, or configure an existing profile to invoke the desired action when a request matches a policy.
Examples 3 and 4 show how to create a policy dataset to generate a blacklist (addresses to be blocked) or a whitelist (addresses to be allowed).
The following command creates a policy that identifies malicious IP addresses and blocks the request if a match is triggered:
> add appfw policy pol1 CLIENT.IP.SRC.IPREP_IS_MALICIOUS APPFW_BLOCK
The following command creates a policy that uses the reputation service to check the client IP address in a specific header (X-Forwarded-For) and resets the connection if a match is triggered:
> add appfw policy pol1 "HTTP.REQ.HEADER(\"X-Forwarded-For\").TYPECAST_IP_ADDRESS_AT.IPREP_IS_MALICIOUS" APPFW_RESET
The following example shows how to add a list to add exceptions that allow specified IP addresses:
> add policy dataset Allow_List ipv4
> bind policy dataset Allow_List 10.217.25.17 -index 1
> bind policy dataset Allow_List 10.217.25.18 -index 2
The following example shows how to add the customized list to flag specified IP addresses as malicious:
> add policy dataset Block_List ipv4
> bind policy dataset Block_List 10.217.31.48 -index 1
> bind policy dataset Block_List 10.217.25.19 -index 2
The following example shows a policy expression that blocks the client IP if it matches an IP address configured in the customized Block_List (example 4), or if it matches an IP address listed in the Webroot database, unless the address is relaxed by inclusion in the Allow_List (example 3).
> add appfw policy "Ip_Rep_Policy" "((CLIENT.IP.SRC.IPREP_IS_MALICIOUS || CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Block_List\")) && ! (CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Allow_List\")))" APPFW_BLOCK
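As an added illustration, not NetScaler code, the following Python models how the expressions above combine: the Webroot verdict (IPREP_IS_MALICIOUS), the custom Block_List and Allow_List datasets, and the X-Forwarded-For variant with TYPECAST_IP_ADDRESS_AT. The reputation database contents, the helper names, and the handling of a multi-address X-Forwarded-For header (first token taken) are assumptions of the example rather than documented NetScaler behaviour; the dataset members are the ones from the CLI examples.

```python
"""Added model of the page's IP reputation policy logic (example code, not
NetScaler's implementation)."""
import ipaddress
from typing import Dict, Optional, Set

# Constructed stand-in for the Webroot database: IP -> threat category taken
# from the page's category list. Entries are invented for this example; on the
# appliance the iprep client fetches the real database.
REPUTATION_DB: Dict[str, str] = {
    "198.51.100.7": "BOTNETS",
    "203.0.113.9": "SCANNERS",
    "10.217.25.17": "SPAM_SOURCES",   # also in Allow_List: the policy must not block it
}

# Datasets with the same members as the page's CLI examples.
ALLOW_LIST: Set[str] = {"10.217.25.17", "10.217.25.18"}
BLOCK_LIST: Set[str] = {"10.217.31.48", "10.217.25.19"}


def iprep_is_malicious(ip: str) -> bool:
    """Model of <ip>.IPREP_IS_MALICIOUS: true if the address is in the reputation DB."""
    return ip in REPUTATION_DB


def typecast_ip_address_at(header_value: Optional[str]) -> Optional[str]:
    """Model of HTTP.REQ.HEADER("X-Forwarded-For").TYPECAST_IP_ADDRESS_AT.
    Assumption for this example: the first comma-separated token is the address
    checked; a missing header or a token that is not an IPv4 address yields None,
    and the policy then does not match. Because clients and upstream proxies can
    write this header, evaluate it only when a proxy you control sets it."""
    if not header_value:
        return None
    token = header_value.split(",")[0].strip()
    try:
        return str(ipaddress.IPv4Address(token))
    except ipaddress.AddressValueError:
        return None


def header_policy(x_forwarded_for: Optional[str]) -> bool:
    """Model of the page's header-based pol1 (APPFW_RESET): match when the
    address carried in X-Forwarded-For is malicious."""
    ip = typecast_ip_address_at(x_forwarded_for)
    return ip is not None and iprep_is_malicious(ip)


def ip_rep_policy(client_ip: str) -> bool:
    """Model of Ip_Rep_Policy:
    (CLIENT.IP.SRC.IPREP_IS_MALICIOUS || in Block_List) && !(in Allow_List)
    The Allow_List term always wins, which is what makes it usable as an
    exception list on top of the Webroot verdict."""
    return ((iprep_is_malicious(client_ip) or client_ip in BLOCK_LIST)
            and client_ip not in ALLOW_LIST)


def decide(client_ip: str) -> str:
    """Action the policy would take, with the reason, for a quick audit table."""
    if client_ip in ALLOW_LIST:
        return "ALLOW (Allow_List exception)"
    if ip_rep_policy(client_ip):
        reason = REPUTATION_DB.get(client_ip, "Block_List")
        return f"APPFW_BLOCK ({reason})"
    return "ALLOW (no match)"


if __name__ == "__main__":
    for ip in ["198.51.100.7", "10.217.25.17", "10.217.31.48", "192.0.2.55"]:
        print(f"{ip:16} {decide(ip)}")
    print("XFF malicious first hop:", header_policy("203.0.113.9, 10.0.0.1"))
```

The audit table is the useful part when you review such a policy: every address in Allow_List is reported as allowed even when it appears in the reputation data, so the list should be short and reviewed, since each entry silently overrides the feed.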
Using Proxy server
If the NetScaler appliance does not have direct access to the Internet and is connected to proxy, use the following command to configure the iprep client to send requests to the proxy.
> set reputation settings -proxyServer <proxy server ip> -proxyPort <proxy server port>
> set reputation settings -proxyServer 10.102.30.112 -proxyPort 3128
> set reputation settings -proxyServer testproxy.citrite.net -proxyPort 3128
> unset reputation settings -proxyServer -proxyPort
> sh reputation settings
The Proxy Server IP can be an IP address or a fully qualified domain name (FQDN).
To enable the reputation feature (which enables IP reputation) in the GUI
Navigate to System > Settings. In the Modes and Features section, click the link to open the Configure Advanced Features pane, select the Reputation check box, and click OK.
To configure a proxy server by using the configuration utility
1. On the Configuration tab, navigate to Security > Reputation. Under Settings, click Change Reputation Settings to configure a proxy server. You can also enable or disable the reputation feature here. The proxy server can be an IP address or a fully qualified domain name (FQDN). The proxy port accepts values from 1 to 65535.
To use a dataset to create a whitelist (list of safe IPs) and a blacklist (list of unsafe IPs) of client IP addresses
Similarly, you can create a Block_list and add the IP addresses that are to be considered malicious.
See also http://docs.citrix.com/en-us/netscaler/11/appexpert/pattern-sets-data-seta.html for additional details on using data sets and configuring default syntax policy expressions.
To configure an application firewall policy by using the configuration utility
1. On the Configuration tab, navigate to Security > Application Firewall > Policies > Firewall. Click Add to add a new policy that uses PI expressions for IP reputation.
You can also use the Expression editor to build your own policy expression. The drop-down menu shows preconfigured options that are quite useful for configuring an expression using the threat categories.