Additional security protections can be enabled to prevent communication from and to known Malicious IPs. These Malicious IPs are defined by Trustwave and integrated into Valtix as a Security Profile Ruleset. The Ruleset is updated frequently as updates are made available by Trustwave. The updates can be dynamically applied to a Policy Ruleset using the Automatic Update configuration of the Malicious IP Profile.
Malicious IP are identified by Trustwave based on various learned behavior:
- Malicious attackers identified from Web honeypots
- Botnet C&C hosts
- TOR Exit nodes
- Other learned behavior
Create a Malicious IP Profile¶
- Navigate to Manage -> Profiles -> Malicious IP
- Click Create
- Provide a name and description
- Check the box to enable IP Reputation
- Click Manual or Automatic mode for Trustwave Ruleset Version selection
- In Manual mode, select the Trustwave Ruleset Version from dropdown. The selected Ruleset version is used by the Valtix datapath engine on all Gateways which use this Profile. The Profile will not be automatically updated to newer Ruleset versions.
- In Automatic mode, select how many days to delay the update by, after the Ruleset version is published by Valtix. New Rulesets are published frequently by Valtix and the Gateways using this profile are automatically updated to the latest ruleset version which is N days or older, where N is the "delay by days" argument selected from the dropdown. For example, if you select to delay the deployment by 5 days on Jan 10, 2021, the Valtix controller will select a ruleset version which was published on Jan 5th or before. Note that Valtix may not publish on some days if our internal testing with that ruleset version fails for some reason.
Associating a Malicious IP Profile with a Policy Ruleset Rule¶
Check this document to create/edit rules
Trustwave IP Reputation Service Tool¶
Trustwave offers an online IP Reputation Service that can be used to check whether an IP address is listed as a Malicious IP.