7.10. Blacklisting/Whitelisting IP Addresses

Overview

cOS Core implements a blacklist of host and network IPv4 addresses which can be utilized to protect against traffic coming from specific Internet sources. If cOS Core receives an attempt to open a connection from a blacklisted IPv4 address then the connection is dropped with the option to generate a log event message. In addition, cOS Core has a whitelist which can contain IPv4 addresses that will never be blacklisted.

Note that for automatically added blacklist entries (for example, from IDP) cOS Core only checks the source IP of incoming connections against the blacklist. However, it is possible to manually add an entry with the blacklist CLI command which checks the destination IP address instead.

[Note] Note: Restarting should not greatly affect the lists

Most of the contents of the blacklist and whitelist should not be lost if the firewall restarts. cOS Core makes a copy of both lists in non-volatile memory every 2 hours in order not to put unnecessary load on the firewall's CPU. Therefore, at most, the last two hours of changes might be lost.

Synchronization in a High Availability (HA) Cluster

There is no synchronization of the cOS Core blacklist between the peers in an HA cluster. This means that after an HA failover the previous contents of the blacklist are no longer available. The expectation is that the external IP addresses that had caused the old blacklist entries to be added will do so again if they are still triggering the relevant features such as IDP and threshold rules.

However, the same is not true of the whitelist. The whitelist is a static list that is synchronized between the devices in an HA cluster. Its contents are preserved after a failover.

Methods of Blacklist Addition

Certain cOS Core subsystems have the ability to optionally blacklist a host or network when certain conditions are encountered. Blacklist entries can also be added (and deleted) manually. These subsystems and methods for adding to the blacklist are the following:

Blacklist Entry Data Fields

The following are the important data fields stored with each blacklist entry:

There are other pieces of data stored in the blacklist but the above lists the fields that are most relevant to understanding how the feature works.

Entries Have Unique IP Address and Service Combinations

Each blacklist entry has a Service object reference associated with it and each entry has a unique combination of IPv4 address and Service. The service is determined by the Service property of the triggering rule that created the entry.

For example, the blacklist entry for the IPv4 address 203.0.113.1 and service http-all is distinct from the entry with the IPv4 address 203.0.113.10 and service ftp-inbound. They can be created separately and they can be deleted separately. If the service for an entry is all_services then any connection originating from the IP address is dropped, regardless of the service.

Note that when adding a blacklist entry manually, a specific port number can be specified with the IP address instead of a service.

Blacklisting Options for IDP Rules and Threshold Rules

The automatic blacklisting of a host or network can be enabled in an IDP rule or a threshold rule by specifying the Protect action. The following blacklist options can then be set with this action:

For further details on usage see Section 7.8.5, Setting Up IDP and Section 7.9, Threshold Rules.

The CLI blacklist Command

The blacklist command can be used to look at as well as manipulate the current contents of the blacklist. For the whitelist, it can only be used to display the current contents.

The entire current blacklist can be viewed with the command:

Device:/> blacklist -show -black

Similarly the entire contents of the white list can be shown:

Device:/> blacklist -show -white

This blacklist command can be used to remove a host from the blacklist using the -unblock option. The -block option is used to add a host to the blacklist:

Device:/> blacklist -block 203.0.113.1

The -unblock option removes it:

Device:/> blacklist -unblock 203.0.113.1

All blacklist command options are described in the separate CLI Reference Guide.

Example 7.10. Blacklisting an IP Network

In this example, the IPv4 network 203.0.113.0/24 will be added to the blacklist so that any HTTP or HTTPS connections (matching the service http-all) from this network will be dropped. The blacklist entry will remain in the blacklist for a period of 86,400 seconds (1 day).

Command-Line Interface

Device:/> blacklist -block 203.0.113.0/24 -serv=http-all -time=86400

The Blacklist and the Web Interface

The Web Interface does not allow blacklist entries to be added or deleted. However, the Web Interface can be used to monitor blacklist contents by going to Status > Blacklist.

Whitelisting

To ensure that Internet traffic coming from trusted sources, such as the management computer, is not blacklisted under any circumstances, a Whitelist is also maintained by cOS Core. Any IPv4 address object can be added to this whitelist, which means that new connections coming from this address are automatically trusted.

It is also important to understand that although whitelisting prevents a particular source from being blacklisted, it still does not prevent cOS Core mechanisms such as threshold rules from dropping or denying connections from that source. What whitelisting does is prevent a source from being added to the blacklist if that is the action a rule has specified.

Adding to the Whitelist

Whitelisting is not done through the blacklist command. Instead, a special Whitelist host (called BlacklistWhiteHost in the CLI) is added to the configuration.

[Tip] Tip: Important IP addresses should be whitelisted

It is recommended to add the Clavister firewall itself to the whitelist as well as the IP address or network of the management computer since blacklisting of either could have serious consequences for network operations.

One issue that often comes up with whitelisting is how to deal with threshold rules that continue to drop traffic from IP addresses that are whitelisted. This topic is discussed in an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/354847558

See also Section 7.9, Threshold Rules.

Example 7.11. Adding a Host to the Whitelist

In this example we will add an IP address object called white_ip to the whitelist. This will mean this IP address can never be blacklisted.

Command-Line Interface

Device:/> add BlacklistWhiteHost Addresses=white_ip Service=all_tcp

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

  1. Go to: Threat Prevention > General > Whitelist > Add > Whitelist Host
  2. Now select the IP address object white_ip so it is added to the whitelist
  3. Select the service all_tcp so it is associated with this whitelist entry
  4. Click OK