IP-RBLs for firewalls

L3 Networker

Riddle me this…

We have issues with malicious traffic coming from Open Proxies, Known Bad Hosts, etc.

Is there such a thing as an all-IP, real-time blacklist for firewalls? There are certain external servers I don't want to be accessible by known bad networks.

I’d love to write a rule like this:

Source = RBL-or-Block-of-BAD-IPs-maintained-by-someone-else    Destination = Important Server    Action = Drop

And no, I don't want to buy a million-dollar IPS. Isn't there something in the Linux world called iptables?

Justin

L4 Transporter

I'll try to find a firewall-specific real-time blacklist, but funny you should mention this: in PAN-OS 5.0 Palo Alto added something called "Dynamic Block Lists" that does exactly what you describe.

[Screenshot: Dynamic Block Lists.jpg]

That is cool. I would assume this works with the Spamhaus "DROP" (Don't Route Or Peer) list. For sure an idea whose time has come. I'd also like to put in all Tor endpoints.

Here's an example of a block list: SANS' DShield has a Recommended Block List. I figured the list would be a bit bigger and more comprehensive, though, honestly:

http://feeds.dshield.org/block.txt

# This list summarized the top 20 attacking class C (/24) subnets
# over the last three days. The number of 'attacks' indicates the
# number of targets reporting scans from this subnet.
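For the iptables side of the question, here is an added example that is not code from this thread, from Palo Alto Networks or from DShield: it turns a DShield-style block list into an ipset that a single iptables rule can match as the source, which is the Linux-world equivalent of the "Source = list maintained by someone else, Destination = Important Server, Action = Drop" rule asked for above. It assumes (not stated on the page) that block.txt is whitespace-separated with the start address, end address and prefix length as the first three columns and '#' comment lines, and it validates each entry rather than trusting the feed. The function names `blocklist_to_cidrs` and `emit_ipset_rules`, the set name `dshield_block`, the destination address 203.0.113.10 and the sample list are placeholders constructed for the example. Commands are printed rather than executed so the result can be reviewed before it is piped to a root shell.

```shell
#!/bin/sh
# Added example (not from the thread): DShield-style block list -> ipset + iptables DROP rule.
# Assumption: the list is whitespace-separated, columns = start, end, prefix length, ...;
# lines starting with '#' are comments. Nothing here needs root; the output is applied separately.

# Constructed sample in the assumed layout (not real DShield data). It includes a blank
# line, a junk line and an invalid address to show that the parser rejects them.
SAMPLE_BLOCKLIST='# constructed sample: top attacking subnets
# Start End Netmask Attacks Name Country email
192.0.2.0 192.0.2.255 24 1500 TEST-NET-1 ZZ abuse@example.invalid
198.51.100.0 198.51.100.255 24 900 TEST-NET-2 ZZ abuse@example.invalid
100.64.8.0 100.64.11.255 22 450 CGNAT-DEMO ZZ abuse@example.invalid

bogus line that should be ignored
256.1.1.0 256.1.1.255 24 1 BAD ZZ abuse@example.invalid'

# blocklist_to_cidrs FILE: print one validated "start/prefix" per usable line.
# Only dotted quads with octets 0-255 and a prefix length 0-32 are accepted;
# comments, blank lines and anything else are dropped, so a corrupted feed
# cannot inject garbage into the set (ipset would reject it loudly anyway).
blocklist_to_cidrs() {
    awk '
    function valid_ip(ip,   o, n, i) {
        n = split(ip, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    /^[[:space:]]*#/ || NF < 3 { next }
    valid_ip($1) && $3 ~ /^[0-9]+$/ && $3 + 0 <= 32 { print $1 "/" $3 }
    ' "$1"
}

# emit_ipset_rules SETNAME FILE DEST_IP: print the ipset/iptables commands that
# (1) build the new list in a scratch set, (2) atomically swap it into place so the
# rule never sees an empty set during a refresh, and (3) add the DROP rule once.
emit_ipset_rules() {
    set_name=$1
    list_file=$2
    dest=$3
    scratch="${set_name}_new"
    printf 'ipset create %s hash:net -exist\n' "$scratch"
    printf 'ipset flush %s\n' "$scratch"
    blocklist_to_cidrs "$list_file" | while read -r cidr; do
        printf 'ipset add %s %s -exist\n' "$scratch" "$cidr"
    done
    printf 'ipset create %s hash:net -exist\n' "$set_name"
    printf 'ipset swap %s %s\n' "$scratch" "$set_name"
    printf 'ipset destroy %s\n' "$scratch"
    # -C checks whether the rule already exists; insert it only if not.
    printf 'iptables -C INPUT -d %s -m set --match-set %s src -j DROP 2>/dev/null || ' "$dest" "$set_name"
    printf 'iptables -I INPUT -d %s -m set --match-set %s src -j DROP\n' "$dest" "$set_name"
}

# Stand-alone demo on the constructed sample: prints the commands, applies nothing.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_BLOCKLIST" > "$demo_file"
emit_ipset_rules dshield_block "$demo_file" 203.0.113.10
rm -f "$demo_file"

# Real use (as root, online), refreshed from cron as often as the feed publisher allows:
#   curl -fsSL http://feeds.dshield.org/block.txt -o /var/tmp/block.txt
#   emit_ipset_rules dshield_block /var/tmp/block.txt 203.0.113.10 | sh
```

The scratch-set-and-swap pattern matters more than it looks: flushing the live set and re-adding entries leaves a window in which the DROP rule matches nothing, and a feed that fails to download would otherwise empty the set entirely. Keep the previous block.txt around and skip the swap when the download or the parse yields zero entries.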