Network Protection: Create firewall rules to automatically "blacklist" an "attacker."
I'd like to turn on 'reactive rules' to start dropping all traffic from source IPs that trip a threshold of IPS or PF rules.
Say someone is scanning your website for IIS vulnerabilities and trips 20 IPS rules in 1 minute (administrator-defined parameters); then the UTM would create a rule at the top to block all traffic to and from the attacking source IP.
Bonus points for letting the rule dissolve after N hours, as well as being able to turn this rule on for specific interfaces or subnets. You could link it to the geo-location system so that this adaptive/reactive defense can be turned on for Chinese source IPs only, for example.
Vadim Korschok commented
We also miss a function like fail2ban in the Linux world. When a port scan is applied, the UTM reduces the speed of the attacker, but some hours later the same attacker tries it again. So why should we / the UTM lose costs / performance instead of directly dropping the connection? It would be nice to have a menu where you see all automatically blacklisted IPs permanently. If there is a false positive, the administrator should be able to remove it.
Thank you in advance.
Yes, the idea looks similar.
The "self defending" terminology was not intended to be compared to Cisco. I know they have used this SDN terminology for years, but the affinity is by accident. It sounds better than "log-based firewall actions" or something like that ;o)
However, the idea is still a good thing - it would allow creating further automatic actions for events which are NOT automatically mitigated by the ASG, such as IPS alerts (as opposed to drops), or login attempts on systems with limited blocking features such as RDP sessions.
Bob Alfson commented
See also "Reactive Firewall Rules" - http://feature.astaro.com/forums/17359-astaro-security-gateway-feature-requests/suggestions/2479822-reactive-firewall-rules
Bob Alfson commented
This should trigger an email so that the admins are aware when any private IP is blocked. Then again, with IPv6 coming, maybe it should be for all configurations made by the UTM itself.
While Cisco is surely catchy with their terms, I see perhaps a need to "do something" in response to clear, repeated threats from an attacker, despite the fact that your firewall is already defending you anyway.
This feature builds on this feature here:
Clayton Dillard commented
Oh, and the ASG should notify the FW admin via email as well as sending an SNMP trap, and log to the PF or other log when a new reactive rule is deployed automatically.
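To make the mechanism discussed in this thread concrete (threshold of IPS hits per source within a time window, automatic block, expiry after N hours, a listing of automatically blocked IPs, manual removal for false positives, and a notification on every automatic action), here is an added illustrative implementation. It is not Astaro/Sophos UTM code and not fail2ban; the log line format, the hypothetical source IPs and the `notify` callback are constructed for the example, and the `iptables` commands are only generated as strings for inspection, never executed.

```python
"""Reactive blocklist: count IPS alerts per source IP in a sliding window,
block the source for a fixed time, expire the block automatically, allow
manual removal, and notify on every automatic action.  Added example, not
part of any UTM product; log format and addresses are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed log format: "<unix_ts> IPS ALERT src=<ip> sid=<rule id>"
ALERT_RE = re.compile(r"^(?P<ts>\d+) IPS ALERT src=(?P<src>[0-9.]+) sid=(?P<sid>\d+)")


@dataclass
class BlockEntry:
    src: str
    added: int      # timestamp the block was created
    expires: int    # timestamp after which the block is removed
    reason: str     # why it was created (shown in the listing / notification)


class ReactiveBlocklist:
    def __init__(self, threshold=20, window=60, block_seconds=4 * 3600, notify=None):
        self.threshold = threshold          # alerts needed inside the window
        self.window = window                # sliding window length in seconds
        self.block_seconds = block_seconds  # "dissolve after N hours"
        self.notify = notify or (lambda msg: None)  # e-mail / SNMP hook stand-in
        self.hits = defaultdict(deque)      # src -> timestamps of recent alerts
        self.blocked = {}                   # src -> BlockEntry
        self.rules = []                     # firewall commands generated (dry run)

    def process_line(self, line):
        """Feed one log line; returns a BlockEntry if this line triggered a block."""
        m = ALERT_RE.match(line)
        if not m:
            return None
        ts, src = int(m["ts"]), m["src"]
        self.expire(ts)                     # housekeeping on every event
        if src in self.blocked:
            return None                     # already blocked, nothing to do
        q = self.hits[src]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return self.block(src, ts, f"{len(q)} IPS alerts in {self.window}s")
        return None

    def block(self, src, now, reason):
        entry = BlockEntry(src, now, now + self.block_seconds, reason)
        self.blocked[src] = entry
        self.hits.pop(src, None)
        # In a real deployment this would go to the firewall; here it is recorded.
        self.rules.append(f"iptables -I INPUT -s {src} -j DROP")
        self.notify(f"BLOCK {src}: {reason}, expires at {entry.expires}")
        return entry

    def unblock(self, src, why):
        """Manual (false positive) or automatic (expiry) removal."""
        entry = self.blocked.pop(src, None)
        if entry is None:
            return False
        self.rules.append(f"iptables -D INPUT -s {src} -j DROP")
        self.notify(f"UNBLOCK {src}: {why}")
        return True

    def expire(self, now):
        for src in [s for s, e in self.blocked.items() if e.expires <= now]:
            self.unblock(src, "block expired")

    def listing(self):
        """The 'menu of all automatically blacklisted IPs' asked for above."""
        return sorted(self.blocked)


def process_log(bl, text):
    """Run every line of a log through the blocklist; return blocks created."""
    return [e for e in (bl.process_line(ln) for ln in text.splitlines()) if e]


# Constructed sample log: 203.0.113.10 trips 5 rules in 45 s, 198.51.100.7 is
# slow and never reaches the threshold, then 203.0.113.10 returns after expiry.
SAMPLE_LOG = """\
1000 IPS ALERT src=203.0.113.10 sid=2001
1005 IPS ALERT src=198.51.100.7 sid=2001
1010 IPS ALERT src=203.0.113.10 sid=2002
1020 IPS ALERT src=203.0.113.10 sid=2003
1030 IPS ALERT src=203.0.113.10 sid=2004
1040 IPS ALERT src=203.0.113.10 sid=2005
1045 IPS ALERT src=203.0.113.10 sid=2006
1300 IPS ALERT src=198.51.100.7 sid=2007
1600 IPS ALERT src=198.51.100.7 sid=2008
15450 IPS ALERT src=203.0.113.10 sid=2009
"""

if __name__ == "__main__":
    bl = ReactiveBlocklist(threshold=5, window=60, notify=print)
    for entry in process_log(bl, SAMPLE_LOG):
        print("created:", entry)
    print("currently blocked:", bl.listing())
    print("rules generated:", bl.rules)
```

The per-source deque keeps only timestamps inside the window, so a slow scanner that stays under the threshold is never blocked, while a burst that crosses it is blocked on the triggering line and every later hit from that source is ignored until the block expires. The `notify` callback is where an e-mail or SNMP trap would be sent, and `unblock` is the administrator's false-positive escape hatch.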