Blocking malicious IPs

About blocking connections with malicious IPs

We leverage IPsum for this procedure, a threat intelligence feed based on more than 30 publicly available lists of suspicious and/or malicious IP addresses. The list is updated once daily.
This page guides you through creating:
  • An automation
    that creates and updates an external network with the latest malicious IP addresses from IPsum
  • A network ruleset
    that blocks processing units from initiating or accepting connections with the malicious IP addresses
Because network rulesets that reject traffic take precedence over those that accept it, the one we create in this procedure won’t conflict with any other network rulesets you may have in place. You can safely propagate it to children namespaces and apply it to all processing units.
Before you begin, you may wish to review basic network ruleset concepts.

Prerequisites

  • Authenticated to apoctl with the
    Namespace Administrator
    role in the target namespace

Creating the automation

  1. Set a MICROSEG_NS environment variable containing the target namespace.
    export MICROSEG_NS=/acme
    We recommend creating the external network and network ruleset at your top-level namespace.
  2. Use the following command to add an automation that creates a new external network called malicious-ips and keeps it synchronized with IPsum.
    cat <<EOF | apoctl api create automation -n $MICROSEG_NS -f - name: create-and-update-malicious-ip-list trigger: Time schedule: "@every 12h" immediateExecution: true disabled: false parameters: serviceName: "malicious-ips" entitlements: externalnetwork: - retrieve-many - create - delete condition: | function when(api, params) { return {continue: true, payload: null}; } actions: - | function then(api, params, payload) { serviceName = params.serviceName obj = aporeto.http('GET', 'https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt'); lines = obj.body.split('\n'); var maliciousIPs = []; for (i=0; i < lines.length; i++) { if (lines[i].slice(0,1) != "#") { var parts = lines[i].split(/\s+/); if ( parseInt(parts[1]) > 7 ) { maliciousIPs.push(parts[0]+"/32") } else { break; } } } if (maliciousIPs.length > 0 ) { var definedServices = api.RetrieveMany('externalnetwork', null, 'name == '+serviceName); if (definedServices.length > 0) { api.Delete('externalnetwork', definedServices[0].ID) } api.Create('externalnetwork', { name: serviceName, description: "Automatically updated malicious IP list" entries: maliciousIPs, propagate: true, associatedTags : [ "externalnetwork:name=malicious-ips", ] }) } } EOF
  3. Copy the alphanumeric string returned by the Microsegmentation Console to your clipboard. This is the ID of the automation.
  4. Use the following command to retrieve the automation, replacing <automation-id> with the value you copied in the previous step.
    apoctl api get automations <automation-id> -o yaml -n $MICROSEG_NS
  5. It should return a YAML object representing the automation. Check the errors key. It should not contain any value.
  6. In the
    Network Security
    section of the Prisma Cloud web interface, select
    Network Lists
    , then select
    External networks
    . You should see an external network named malicious-ips. Expand to review the details. You should see a number of malicious IPs listed.

Blocking connections with a network ruleset

  1. Set an environment variable named PUSELECTOR containing the tag or tag expression defining the processing units that should be blocked from connecting to the malicious IPs.
    The following example sets the value to $identity=processingunit, which will select all processing units in your current namespace as well as any children. Feel free to modify this value as desired.
    export PUSELECTOR="\$identity=processingunit"
  2. Use the following command to create the network ruleset.
    cat <<EOF | apoctl api create networkrulesetpolicy -n $MICROSEG_NS -f - name: block-malicious-ips description: Block connections with malicious IPs propagate: true subject: - - \$identity=processingunit outgoingRules: - action: Reject object: - - externalnetwork:name=malicious-ips protocolPorts: - any incomingRules: - action: Reject object: - - externalnetwork:name=malicious-ips protocolPorts: - any EOF
  3. Copy the alphanumeric string returned by the Microsegmentation Console to your clipboard. This is the ID of the network ruleset.
  4. Use the following command to retrieve the network ruleset, replacing <ruleset-id> with the value you copied in the previous step.
    apoctl api get networkrulesetpolicy <ruleset-id> -o yaml -n $MICROSEG_NS
  5. It should return a YAML object representing the network ruleset.

Verifying the network ruleset

The easiest way to verify the network ruleset is from a Linux host. If you’ve created the network ruleset and external network at the top namespace, as we recommended, you can verify it from any Microsegmentation namespace.
  1. Obtain your public IP address, such as by visiting whatsmyip.org in your browser.
  2. In the
    Network Security
    section of the Prisma Cloud web interface, select
    Network Lists
    , then select
    External networks
    . Click the
    Edit
    button to open the malicious-ips external network for editing.
    If it is grayed out, navigate higher in the namespace hierarchy, to the namespace it was created in. If you followed our recommendation, you created it in the top-level namespace.
  3. Click
    Next
    .
  4. Paste your public IP address into the
    Networks
    field, click
    Next
    , and then click
    Update
    .
  5. Navigate to the namespace of your enforcer, and select
    App Dependency Map
    . You should see your host as a processing unit.
  6. From your local host, attempt to gain access to the enforcer host, such as via SSH.
  7. You should see the malicious-ips external network with a red flow to your host.
  8. Click the red flow and select
    Policies
    . Your block-malicous-ips ruleset should be listed as having blocked the traffic. Because it is a
    reject
    ruleset, it takes precedence over any
    allow
    policies in place.
  9. Navigate to the namespace of the malicious-ips external network, select
    Network Lists
    , then select
    External networks
    . Click the
    Edit
    button to open the malicious-ips external network for editing.
  10. Click
    Next
    , remove your IP address from the
    Networks
    field, click
    Next
    , then click
    Update
    .
  11. From your local host, confirm that you can once again access the remote host via SSH.
    Congratulations! You have successfully blocked your processing units from communicating with IP addresses known to be malicious or suspicious.

Recommended For You