09-07-2021 05:44 AM
Hi Team,
I have a query where I need to block some unknown attacker or someone malicious from external trying to access my internal network or DMZ.
I need ways to block or deny that specific traffic. We have enabled country-based block, we have IP-based block, yet is there any other way to block or deny malicious domains except using EDL, which is already configured?
Let us know the ways to block or deny unknown or malicious sources from accessing the internal or DMZ network.
09-07-2021 07:48 AM
Hi @Vijaygvasan ,
First of all you need to understand that there is a significant difference between "unknown bad" and "known bad". It is very similar to how you treat people - how do you know if a person means you harm or not? You either rely on someone else to tell you that this person is bad and you need to avoid him, or you let him approach you, but proceed with caution and monitor that he isn't doing anything bad.
- In one case you know that a given indicator (IP address, URL, FQDN, file hash etc.) is associated with bad reputation and suspicious/malicious actions. All types of protections that rely on some kind of reputation, categorization or signature can help you block such an attack. The key point here is that the world already knows that the given IP address (or domain or URL etc.) is bad and should not be trusted. So you can use:
  - EDL: for blocking known bad IP addresses or URLs
  - URL filtering: for blocking URLs that are known to serve malicious content, or have been used in phishing attempts
  - Static Address group: for manually blocking IP addresses that you believe are bad
  - Anti-Virus profiles: for blocking known malware that the vendor has developed a signature for
  - Vulnerability profile: for blocking known attempts to exploit a certain vulnerability
  - Anti-Spyware: for blocking known bad DNS requests.
- "Unknown bad" is the tricky part. You can block such traffic only if you allow the initial communication, but block it if you notice anything suspicious is going on.
  - Anti-Virus profiles: Address/URL could be benign, but it could try to send you a malicious file
  - Vulnerability profile: Again, the address you communicate with has a good reputation, but could try to do something bad
  - WildFire: Running the file in a sandbox to see if the unknown (never seen before) file is doing something strange
  - Anti-Spyware: for blocking suspicious-looking DNS traffic.
I probably haven't covered everything with the above, but your question is a bit general and each point could be a separate discussion on its own.
09-07-2021 10:30 AM
Just to add to what @aleksandar.astardzhiev has already mentioned, and I agree that this is a very broad topic, but there are also even more advanced things you could set up. For example, if this is inbound traffic, do you have SSL Inbound Inspection configured for exposed resources? When threats are identified, are you actually processing those alerts and dynamically adding them to your EDLs so they can't sit and hammer away at what you have exposed?
You're never going to prevent a malicious actor from being able to probe exposed resources, unless you go so far as to not expose anything. So you have to do the next best thing and work on ensuring that you can properly identify malicious traffic and take action on those identifications and block those indicators from continually accessing your network resources.
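The alert-to-EDL loop mentioned in the reply above, sketched as an added example that is not part of the original thread or any vendor tooling: it turns threat events into a one-address-per-line block list. The CSV column names, the sample events and the partner range are constructed assumptions, not the firewall's real log schema.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample events; the column names are assumptions for this
# example, not the firewall's real threat-log schema.
SAMPLE_LOG = """\
time,src,severity,threat
2021-09-07T05:01:10Z,203.0.113.45,high,constructed-sig-a
2021-09-07T05:01:12Z,203.0.113.45,critical,constructed-sig-b
2021-09-07T05:02:00Z,198.51.100.23,high,constructed-sig-a
2021-09-07T05:02:30Z,198.51.100.23,low,constructed-sig-c
2021-09-07T05:03:00Z,192.0.2.10,critical,constructed-sig-b
2021-09-07T05:03:05Z,192.0.2.10,critical,constructed-sig-b
2021-09-07T05:04:00Z,10.1.1.5,high,constructed-sig-a
2021-09-07T05:05:00Z,not-an-ip,high,constructed-sig-a
2021-09-07T05:05:30Z,203.0.113.99,medium,constructed-sig-c
"""

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Networks that must never be auto-blocked: internal ranges plus a
# hypothetical partner range (192.0.2.0/24).
NEVER_BLOCK = tuple(ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24"))


def build_edl(log_text, min_severity="high", min_hits=2, never_block=NEVER_BLOCK):
    """Return source IPs seen min_hits+ times at or above min_severity."""
    floor = SEVERITY_RANK[min_severity]
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if SEVERITY_RANK.get(row["severity"].strip().lower(), -1) < floor:
            continue
        try:
            src = ipaddress.ip_address(row["src"].strip())
        except ValueError:
            continue  # malformed source: never write it into the list
        if any(src in net for net in never_block):
            continue  # protect own and partner addresses from self-inflicted blocks
        hits[src] += 1
    keep = [ip for ip, count in hits.items() if count >= min_hits]
    return [str(ip) for ip in sorted(keep, key=lambda ip: (ip.version, int(ip)))]


if __name__ == "__main__":
    # One address per line, the plain-text form an IP-type EDL is served in.
    print("\n".join(build_edl(SAMPLE_LOG)))
```

The never-block list and the hit threshold are the parts worth tuning first: without them, a spoofed or misattributed source can turn the automation into a way to block your own users or partners.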