In my previous post I introduced several methods to create an automated IP blacklist in Check Point Firewalls. At that time I was using Check Point v80.20, so, for obvious reasons, the best choice was Dynamic Objects.
However, if you read again that post, you can see as I was already talking about SecureXL Blacklist (solution n. 5). Well, I upgraded my Firewall infrastructure to v80.40, and here I am… I want to share my updated version of the automated IP blacklist script.
I totally changed the previous logic. I’m not using dynamic objects anymore since they can cause performance issue to your firewall when loading thousands and thousands of ranges. Instead, fwaccel dos blacklist -L <blacklist_file> is preferred in Check Point v80.40 since it performs very well. It can load thousands of IPs in 1-2 seconds.
See sk112454 for more information. Below some useful commands:
Attacks, cyber threats and social engineering techniques are evolving rapidly. We live in an age where criminal organizations speculate on stolen data, spy citizens and companies. Therefore, cyber security techniques must progress to allow companies to better protect their systems. In doing so, they can be compliant with recent regulations on the protection of personal data.
Every day we test innovative and advanced techniques to protect Sapienza’s IT systems. We try to anticipate and prevent latest generation attacks. Firewall and Intrusion Prevention System are essential for rejecting known attacks. However, they are no longer sufficient to completely defend systems from massive and advanced attacks.
For that reason, we created some blacklists made up of thousands of malicious IPs. They are automatically updated thanks to our continuous analysis of “anomalies” from the Internet. Our blacklists contain mostly IPs not detected by other organizations. So, Sapienza’s blacklists are a valid addition to the lists published in TLP: WHITE, such as FireHOL or Talos.
Please contact me if you’d like to use them. You can also integrate our blacklists with Check Point technologies freely available scripts published in other two posts: script_v1 and script_v2.
Check Point Firewalls do not have an easy and ready-to-use “automated IP blacklist” mechanism. Indeed, SmartConsole lacks of this kind of feature.
For that reason, you need to write some code using Check Point tools and API so that you are able to populate a blacklist (or blocklist) with IPs collected by external feeds. In doing so, your firewall can easily drop incoming traffic from malicious sources.
What are the solutions?
Following the solutions I tested to implement an automated mechanism.
1. Network Objects
Add new host and network objects into an existing network group object.
Pros: easy to implement by using mgmt_cli (e.g., an example of implementation is provided here).
Cons: process of addition and deletion very heavy since it acts as a sequence of several manual changes. Furthermore, you need to publish and install all changes. A well-known issue is the expiration of Apache session (see my post on CheckMates).
Pros: ready-to-use script. Maybe, you need to apply some changes to better suit your environment.
Cons: not supported in VSX configuration. Someone in CheckMates says samp rules could be heavy in terms of performance.
3. Custom Intelligence Feeds
Use Intelligence Feeds, as documented in sk132193.
Pros: new approach enriching cyber intelligence funciontalities with IOC feeds.
Cons: traffic is blocked by Anti-Virus and Anti-Bot blades, not by Access Control. This approach is not optimal for blocking incoming traffic from thousands of IPs. Better to only use with Anti-Virus feeds (e.g., URL, md5, and so on) for outgoing traffic.
Pros: dynamic approach able to provide a very fast process of change. Dynamic objects don’t require “publish and install”.
Cons: OpenDBL script does not support VSX configuration. In addition, it lacks of “covering” between the deletion process of the old blacklist and the creation process of the updated blacklist. This lack can last seconds in case of thousands of IPs or minutes in case of ten of thounsands of IPs.
5. SecureXL Blacklist
Use fwaccel dos blacklist to drop packets in SecureXL (see sk112454).
[UPDATE] Please also read this other post if you’re running v80.40.
Pros: For R80.40 and newer, it can scale to millions of IP addresses. A scalability hotfix is available for R80.20/R80.30.
Cons: networks in CIDR notation are not supported; you need to use rate limiting policy rules instead.
The defenitive solution
After several experiments, I eventually chose the Dynamic Objects approach (4). However, since the script provided by OpenDBL was not suitable to my configuration (i.e., a cluster of 3 x 23900 appliances in VSX configuration), I decided to rewrite the code.
Processing of multiple URL feeds in one script-file.
Support of network strings in CIDR format as well as IP.
Inputs verified by robust regular expressions.
“Diff” mechanism to add new IPs and remove obsolete sources (no more lack of covering).
Caching mechanism to preserve feed if its online resource is not available.
Create the directory path /scripts/blacklist/ on your Gateway.
Copy the bash script into the /scripts/blacklist/ directory.
Change the VSID variable with the correct Virtual System ID.
Change the CONTEXT variable with the name of your blacklist. IMPORTANT: the name must be the same of the Dynamic Object BLDO_ContextName you will create on SmartConsole (see below).
Copy your feeds in URL array elements (e.g. URL="...").
Give execution permissions to the bash script: chmod +x blacklist.sh.
Manually run the script in VS0 to test if everything is properly working: ./blacklist.sh.
Check logs within /scripts/blacklist/logs/.
Add a cron job in VS0 to automatically run the bash script (crontab -e command). For instance:
# Blacklist running every hour at :15 min 15 * * * * /scripts/blacklist/blacklist.sh
Create a Dynamic Object on your Smart Console named BLDO_ContextName and add it to a drop rule. For instance:
Feeds to subscribe
FireHOL is a very good resource containing several feeds.
In Sapienza Università di Roma we manage a very excellent feed containing thousands of IPs that are not discovered by any other feed. This list is updated every 5 minutes thanks to the correlation of our Cyber Threat Intelligence technology. Every IP within the list lives for 48 hours.