IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Blocking malicious IPs

About blocking connections with malicious IPs

We leverage IPsum for this procedure, a threat intelligence feed based on more than 30 publicly available lists of suspicious and/or malicious IP addresses. The list is updated once daily.

This page guides you through creating:

  • An automation that creates and updates an external network with the latest malicious IP addresses from IPsum
  • A network policy that blocks processing units from initiating or accepting connections with the malicious IP addresses

Because network policies that reject traffic take precedence over those that accept it, the one we create in this procedure won’t conflict with any other network policies you may have in place. You can safely propagate it to children namespaces and apply it to all processing units.

Before you begin, you may wish to review basic network policy concepts.

Prerequisites

  • apoctl installed
  • Authenticated to apoctl with the Namespace Administrator role in the target namespace

Creating the automation

  1. Set a MICROSEG_NS environment variable containing the target namespace.

    export MICROSEG_NS=/acme
    

    TIP

    We recommend creating the external network and network policy at your top-level namespace.

  2. Use the following command to add an automation that creates a new external network called malicious-ips and keeps it synchronized with IPsum.

    cat <<EOF | apoctl api create automation -n $MICROSEG_NS -f -
    name: create-and-update-malicious-ip-list
    trigger: Time
    schedule: "@every 12h"
    immediateExecution: true
    disabled: false
    
    parameters:
     serviceName: "malicious-ips"
     servicePorts: ["tcp/1:65535"]
    
    entitlements:
     externalnetwork:
       - retrieve-many
       - create
       - delete
    
    condition: |
     function when(api, params) {
       return {continue: true, payload: null};
     }
    
    actions:
     - |
       function then(api, params, payload) {
         serviceName = params.serviceName
         obj = aporeto.http('GET', 'https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt');
    
         lines = obj.body.split('\n');
    
         var maliciousIPs = [];
         for (i=0; i < lines.length; i++) {
           if (lines[i].slice(0,1) != "#")  {
             var parts = lines[i].split(/\s+/);
             if ( parseInt(parts[1]) > 7 ) {
               maliciousIPs.push(parts[0]+"/32")
             } else {
               break;
             }
           }
         }
    
         if (maliciousIPs.length > 0 ) {
           var definedServices = api.RetrieveMany('externalnetwork', null, 'name == '+serviceName);
           if (definedServices.length > 0) {
             api.Delete('externalnetwork', definedServices[0].ID)
           }
           api.Create('externalnetwork', {
             name: serviceName,
             description: "Automatically updated malicious IP list"
             entries: maliciousIPs,
             servicePorts: ["tcp/1:65535"],
             propagate: true,
             associatedTags : [
               "ext:name=malicious-ips",
             ]
           })
         }
       }
    EOF
    
  3. Copy the alphanumeric string returned by the Microsegmentation Console to your clipboard. This is the ID of the automation.

  4. Use the following command to retrieve the automation, replacing <automation-id> with the value you copied in the previous step.

    apoctl api get automations <automation-id> -o yaml -n $MICROSEG_NS
    
  5. It should return a YAML object representing the automation. Check the errors key. It should not contain any value.

  6. In the Microsegmentation section of the Prisma Cloud web interface, expand Defend, select Network, then select External networks. You should see an external network named malicious-ips. Expand to review the details. You should see a number of malicious IPs listed.

Blocking connections with network policy

  1. Set an environment variable named PUSELECTOR containing the tag or tag expression defining the processing units that should be blocked from connecting to the malicious IPs. The following example sets the value to $identity=processingunit, which will select all processing units in the namespace. Feel free to modify this value as desired.

    export PUSELECTOR="\$identity=processingunit"
    
  2. Use the following command to create the network policy.

    cat <<EOF | apoctl api create networkaccesspolicy -n $MICROSEG_NS -f -
    name: block-malicious-ips
    description: Block connections with malicious IPs
    action: Reject
    propagate: true
    subject:
      - - ext:name=malicious-ips
    object:
      - - "$PUSELECTOR"
    EOF
    
  3. In the Microsegmentation section of the Prisma Cloud web interface, expand Defend, select Network, then select Network Policies. You should see a network policy named block-malicious-ips.

Verifying the policy

The easiest way to verify the policy is from a Linux host. If you’ve created the network policy and external network at the top namespace, as we recommended, you can verify the policy from any Microsegmentation namespace.

  1. Obtain your public IP address, such as by visiting whatsmyip.org in your browser.

  2. In the Microsegmentation section of the Prisma Cloud web interface, expand Defend, select Network, then select External networks. Click the Edit button to open the malicious-ips external network for editing.

    TIP

    If it is grayed out, navigate to the namespace it was created in. If you followed our recommendation, you created it in the top-level namespace.

  3. Click Next.

  4. Paste your public IP address into the Networks field, click Next, and then click Update.

  5. Navigate to the namespace of your enforcer, and select Platform. You should see your host as a processing unit.

  6. From your local host, attempt to gain access to the enforcer host, such as via SSH.

  7. You should see the malicious-ips external network with a red flow to your host.

    Malicious-IPs

  8. Click the red flow and select Policies. Your block-malicous-ips policy should be listed as having blocked the traffic. Because it is a reject policy, it takes precedence over any allow policies in place.

  9. Navigate to the namespace of the malicious-ips external network, expand Defend, select Network, then select External networks. Click the Edit button to open the malicious-ips external network for editing.

  10. Click Next, remove your IP address from the Networks field, click Next, then click Update.

  11. From your local host, confirm that you can once again access the remote host via SSH.

    Congratulations! You have successfully blocked your processing units from communicating with IP addresses known to be malicious or suspicious.