Additional security protections can be enabled to prevent communication from and to known Malicious IPs. These Malicious IPs are defined by Trustwave and integrated into Valtix as a Security Profile Ruleset. The Ruleset is updated frequently as updates are made available by Trustwave. The updates can be dynamically applied to a Policy Ruleset using the Automatic Update configuration of the Malicious IP Profile.
Malicious IP are identified by Trustwave based on various learned behavior:
- Malicious attackers identified from Web honeypots
- Botnet C&C hosts
- TOR Exit nodes
- Other learned behavior
Create the Profile¶
- Navigate to Manage -> Profiles -> Malicious IP
- Click Create
- Provide a name and description
- Check the box to enable IP Reputation
- Click Manual or Automatic mode for Trustwave Ruleset Version selection
- In Manual mode, select the Trustwave Ruleset Version from dropdown. The selected Ruleset version is used by the Valtix datapath engine on all Gateways which use this Profile. The Profile will not be automatically updated to newer Ruleset versions.
- In Automatic mode, select how many days to delay the update by, after the Ruleset version is published by Valtix. New Rulesets are published frequently by Valtix and the Gateways using this profile are automatically updated to the latest ruleset version which is N days or older, where N is the "delay by days" argument selected from the dropdown. For example, if you select to delay the deployment by 5 days on Jan 10, 2021, the Valtix controller will select a ruleset version which was published on Jan 5th or before. Note that Valtix may not publish on some days if our internal testing with that ruleset version fails for some reason.
The IP Reputation checkbox is used as a means to enable or disable the Profile. When checked and the Profile is attached to a Policy Ruleset Rule, Malicious IP protection will be enforced. When unchecked and the Profile is attached to a Policy Ruleset Rule, Malicious IP protection will not be enforced. Our recommendation is to always check the IP Reputation checkbox for the Profile such that the Profile is enabled. If you want to disable the Malicious IP Profile, then remove its association from the Policy Ruleset Rule(s) rather than uncheck the checkbox.
Associate the Profile¶
Check this document to create/edit rules
Malicious IP Checker¶
Trustwave offers an online IP Reputation Service that can be used to check whether an IP address is listed as a Malicious IP.