FQDN / URL Filtering Categories¶
Valtix uses threat intelligence from WebRootTM BrightCloud to categorize web sites based on their risk score. This includes fully qualified domain names (FQDNs), sometimes referred to as domain names, and URLs. This provides sites across 84 categories when traffic from your public cloud environment makes outbound connections (egress) to these sites:
- FQDNs (domains) - 1+ billion categorized FQDNs (domains)
- URLs - 45+ billion categorized URLs
To improve efficiency in recognizing and processing traffic, The Gateway will pre-load a cache of the top 1 million FQDNs/URLs and their Categories. The Gateway will also utilize a runtime cache of 10k FQDNs/URLs and their Categories that are not part of the top 1 million. If traffic contains any of the cached FQDNs/URLs, then the Categories will be known immediately. If the FQDN/URL is not found in the cache, the Gateway will query the Controller to resolve the Category via BrightCloud. This operation is expected to complete in no more than 200ms. If it completes within the expected time, then the traffic will be processed based on the learned Category and the Profile will operate on the traffic based on the policy defined for the Category. If the operation does not complete within the expected time, then the traffic will be processed as Uncategorized and the Profile will operate on the traffic based on the policy defined for Uncategorized. Once the resolution returns, the learned Category will be added to the cache for subsequent resolutions, even if the resolution occurs available the expected time and the traffic has already been processed. If the run-time cache is exhausted, the Gateway will purge the oldest accessed FQDNs/URLs and their Categories in batches of 10 entries to ensure space is available for more recently accessed FQDNs/URLs and their Categories.
Tech Notes
FQDN Filtering with Categories happens for: 1) SNI in TLS Client Hello 2) DNS queries for FQDN lookups 3) HTTP hostname header (for cleartext HTTP traffic)
Malicious Categories¶
Valtix considers the following categories to be particularly malicious:
| Category Name | Category Description |
|---|---|
| Malware Sites | Sites hosting malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, and code. |
| Phishing and Other Frauds | Phishing, pharming, and other sites that pose as a reputable site, usually to harvest personal information from a user. These sites are typically quite short-lived, so they don’t last long in terms of uptime. |
| Proxy Avoidance and Anonymizers | Proxy servers and other methods to gain access to URLs in any way that bypasses URL filtering or monitoring. Web-based translation sites that circumvent filtering. |
| Keyloggers and Monitoring | Software agents that track a user's keystrokes or monitor their web surfing habits. Often used for collecting sensitive data such as usernames and passwords. |
| SPAM URLs | Sites known to distribute unsolicited email (spam) messages. |
| Spyware and Adware | Spyware or Adware sites that provide or promote information gathering or tracking that is unknown to, or without the explicit consent of, the end user or the organization, also unsolicited advertising popups and programs that may be installed on a user's computer. |
| Bot Nets | These are URLs, often IP addresses, which are determined to be part of a Bot network, from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts. |
Valtix offers traffic analysis when viewing traffic via Discover -> Traffic -> DNS and Investigate -> Flow Analytics -> Traffic Summary, where a pre-defined Malicious Categories filter can be selected to show instances and VPCs communicating with these Malicious Category FQDNs and URLs.
The full list of categories is shown below.
Full List of Categories¶
| Category Name | Category Name | Category Name | Category Name |
|---|---|---|---|
| Abortion | Games | Motor Vehicles | Sex Education |
| Abused Drugs | Government | Music | Shareware and Freeware |
| Adult and Pornography | Gross | News and Media | Shopping |
| Alcohol and Tobacco | Hacking | Nudity | Social Networking |
| Auctions | Hate and Racism | Online Greeting Cards | Society |
| Bot Nets | Health and Medicine | Open HTTP Proxies | SPAM URLs |
| Business and Economy | Home and Garden | Parked Domains | Sports |
| Cheating | Hunting and Fishing | Pay to Surf | Spyware and Adware |
| Computer and Internet Info | Illegal | Peer to Peer | Streaming Media |
| Computer and Internet Security | Image and Video Search | Personal sites and Blogs | Swimsuits and Intimate Apparel |
| Confirmed SPAM Sources | Individual Stock Advice and Tools | Personal Storage | Training and Tools |
| Content Delivery Networks | Internet Communications | Philosophy and Political Advocacy | Translation |
| Cult and Occult | Internet Portals | Phishing and Other Frauds | Travel |
| Dating | Job Search | Private IP Addresses | Uncategorized |
| Dead Sites | Keyloggers and Monitoring | Proxy Avoidance and Anonymizers | Unconfirmed SPAM Sources |
| Dynamically Generated Content | Kids | Questionable | Violence |
| Educational Institutions | Legal | Real Estate | Weapons |
| Entertainment and Arts | Local Information | Recreation and Hobbies | Web Advertisements |
| Fashion and Beauty | Malware Sites | Reference and Research | Web Hosting |
| Financial Services | Marijuana | Religion | Web-based Email |
| Gambling | Military Search Engines | Services |
Associating a Filtering Profile with a Policy Ruleset Rule¶
- Refer to FQDN Filtering to create/edit FQDN Filtering Profiles
- Refer to URL Filtering to create/edit URL Filtering Profiles
BrightCloud URL / IP Lookup Tool¶
BrightCloud offers an online URL / IP Lookup Tool that can be used to understand what category a particular FQDN / URL is classified as along with its Web Reputation.