The overwhelming majority of Spam, Malware, and DDoS attacks come from different countries and from infected machines in global Botnets. Enterprises are working to reduce the attack space by blocking traffic from countries that offer no business value, and by using IP reputation lists to block connections from IP addresses that are tied to malicious activity.
The PoliWall in-line appliance works with existing routers and firewalls to stop threats at the perimeter. With a click on a map, it blocks inbound and outbound TCP traffic by country and by managed IP blocklists at line speed. By cutting the noise at the perimeter, the workload on systems deeper inside the network is reduced, making routers, firewalls, and IPS/IDS systems more effective at stopping attacks.
HIPPIE : Block IP Ranges by Country
The HIPPIE (High Speed IP Packet Inspection Engine) will block IP ranges by country at line speeds of up to 20 gigabits per second, while giving the global enterprise hyper-granular control over setting allow/deny country blocking policies.
For example, set a blanket policy to allow traffic to/from the US only, but still give sales staff VPN access while traveling in a blocked country such as China, Russia, or India.
Testing with BreakingPoint, we created a blanket policy to allow US traffic only, and the PoliWall achieved a mere 40 microseconds of latency. The same policy created in a router or firewall would take 12,000 rules.
HIPPIE Technology Story
HIPPIE is the filtering algorithm, short for High-speed Internet Protocol Packet Inspection Engine. The HIPPIE country blocking engine was born in 2005 as TechGuard engineers were trying to find the best way to process large groups of IP ranges, which might take millions of rules to block in a firewall, without slowing down network performance. TechGuard worked with artificial intelligence applications and neural-net technology, and went down that path to meet the filtering challenge.
TechGuard quickly optimized HIPPIE to line-speed processing, so that it would not measurably slow down the operation of the network or reduce the amount of available bandwidth. Replacing existing firewalls or routers to get the HIPPIE filtering capability might have been a barrier for customers, so the HIPPIE capability was put into its own interoperable appliance — the PoliWall. This way the appliance could plug and play with existing network firewalls and routers, invisible on the network and with no network configuration necessary.
PoliWall and HIPPIE were tested at the Coalition Warrior Interoperability Demonstrations in 2008 and 2009 and in the Joint Forces Expeditionary Exercise in 2010. The technology was deemed a “most promising technology” while in its infancy in 2008. It passed red team testing in 2009.
This was followed by two years of vetting and code testing to prepare for evaluation under a program established by the National Institute of Standards and Technology and the National Security Agency to evaluate conformance to international security standards, called Common Criteria.
In 2011 PoliWall earned the elite “Evaluation Assurance Level 4+” certification under the program, called the National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme. The PoliWall has been operating effectively in networks for more than four years.
DCEL : Block IPs by Reputation Feeds
In addition to blocking IP addresses originating from countries that offer no business value, you must contend with malicious actors operating in countries allowed by your policy. Many of these offending IPs are monitored by IP threat intelligence providers, who deliver near real-time feeds of detected malicious IP addresses directly to the PoliWall.
Using PoliWall's Dynamically-Compiled Exception Lists (DCEL) engine, you can subscribe to commercial or open-source threat intelligence feeds and block all traffic both to and from listed IPs. The PoliWall allows you to configure an acceptable risk level for each of 32 threat categories, tailoring the DCEL engine to your environment and reducing the occurrence of false positives. The PoliWall can check each packet against millions of known malicious IP addresses with virtually no impact on network performance.
Testing with BreakingPoint, using an allow US traffic only ingress policy (equivalent to loading 12,000 IP ranges in a firewall or router), while blocking a pre-compiled list of 30M IP addresses tied to malicious traffic, the PoliWall operated at a mere 140 microseconds of latency.
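The two decisions described above (country allow/deny with a VPN exception for travelling users, then a per-category reputation threshold) can be modelled as one interval lookup plus a score check. This is an added illustration, not PoliWall or HIPPIE code; the geolocation table, the reputation feed, the category names and the scores are constructed, and the table is assumed to hold non-overlapping prefixes.

```python
import bisect
import ipaddress

# Constructed sample geolocation table (network, country code). A real table
# holds hundreds of thousands of prefixes; assumes prefixes do not overlap.
GEO_TABLE = [
    ("10.0.0.0/8", "US"),
    ("192.0.2.0/24", "RU"),
    ("198.51.100.0/24", "CN"),
    ("203.0.113.0/24", "US"),
]

# Constructed reputation feed: ip -> {threat category: risk score 0-100}
REPUTATION = {
    "203.0.113.9": {"botnet": 90, "scanner": 40},
    "10.1.2.3": {"scanner": 30},
}

class PerimeterPolicy:
    def __init__(self, allowed_countries, risk_tolerance, exceptions=()):
        self.allowed = set(allowed_countries)
        self.tolerance = risk_tolerance      # category -> max acceptable score
        self.exceptions = {ipaddress.ip_address(ip) for ip in exceptions}
        # One sorted interval table replaces one firewall rule per prefix
        nets = [(ipaddress.ip_network(c), cc) for c, cc in GEO_TABLE]
        self.ranges = sorted((int(n[0]), int(n[-1]), cc) for n, cc in nets)
        self.starts = [r[0] for r in self.ranges]

    def country_of(self, ip):
        """Binary-search the interval table: O(log n) per packet."""
        n = int(ipaddress.ip_address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2]
        return None

    def decide(self, ip):
        """Exceptions first (e.g. a travelling user's VPN address), then the
        country allow list, then per-category reputation thresholds."""
        if ipaddress.ip_address(ip) in self.exceptions:
            return ("allow", "exception")
        cc = self.country_of(ip)
        if cc not in self.allowed:
            return ("deny", f"country:{cc}")
        for cat, score in REPUTATION.get(ip, {}).items():
            if score > self.tolerance.get(cat, 100):
                return ("deny", f"reputation:{cat}")
        return ("allow", "policy")
```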
IP Threat Intelligence Feeds Turn PoliWall Into a Hammer!
PoliWall takes action on all that IP threat intelligence data you have been collecting and analyzing—saving up to 60% of firewall and router management time according to some PoliWall users.
The PoliWall takes IP threat intelligence and automatically blocks malicious IPs based on a risk-tolerance level that YOU determine, using an intuitive interface with easy-to-use sliders per threat category. The PoliWall's vendor-agnostic platform can consume up to 32 unique IP threat intelligence feeds, derived from our premier IP reputation list providers, from the PoliWall users' own providers, from open-source lists, and through the PoliWall's REACT threat feed.
Bandura works with the most comprehensive and advanced IP threat intelligence providers on the market to identify high-risk connections associated with known malicious IP addresses. The PoliWall receives near real-time IP threat updates and dynamically adjusts the filtering policies to block high-risk inbound and outbound connections. User-adjustable risk tolerance for protected network resources helps prevent false positives. The PoliWall's high-speed Dynamically Compiled Exception Lists (DCEL) engine can recognize and block over 50 million unique malicious IP addresses in 32 threat categories with virtually no additional network latency. Below is specific information about our IP threat reputation providers.
Webroot is the market leader in cloud-based, real-time Internet threat detection for consumers, businesses and enterprises. Webroot delivers real-time advanced Internet threat protection to market-leading security companies through its BrightCloud® security intelligence platform, to provide advanced Internet threat protection for their products and services. This includes Bandura, which leverages Webroot BrightCloud IP Reputation to help power the PoliWall IP Threat Blocker with the most advanced, dynamic IP threat intelligence available today. Founded in 1997 and headquartered in Colorado, Webroot is the largest privately held Internet security company in the United States, operating globally across North America, Europe and the Asia Pacific region.
Emerging Threats, the leading independent threat intelligence provider, helps organizations to anticipate, detect, and mitigate even the most advanced and sophisticated threats. Emerging Threats' IQRisk Suite of products is derived from over 10 years' experience with an extensive worldwide data collection, threat research, and analysis infrastructure delivering the latest intelligence updates. IQRisk Suite, Emerging Threats' flagship offering, combines the ETPro™ Ruleset, IQRisk Rep List and IQRisk Query into a single threat intelligence solution. IQRisk Suite provides users with a global perspective of current threat conditions, and delivers the actionable intelligence required for a dynamic network defense that is both accurate and timely.
Using an automated continuous monitoring architecture, ZeroFOX Cyber Cloud provides real-time social-based threat intelligence. It is accessible through the PoliWall as a subscription IP threat intelligence feed, updated in near real time, allowing the creation of automated security workflows that increase protection while decreasing overhead costs.
REACT : Block Malicious Traffic
REACT provides a private IP threat intelligence feed for each user's network. Any IA device in the network that detects a potential threat can submit the threat data to the REACT server, where it is then distributed automatically to every PoliWall in the network. The REACT service can run either on-premises or on a pre-configured cloud-based server. With either option, network data is always protected and private.
An example of how REACT can be used: if your IDS raises an alert that somebody is trying to compromise a server, the alert information is sent to the REACT server over a REST interface. REACT then tells every PoliWall to block that IP address for a certain period of time. The block can be permanent or for a short interval.
Another example is a port scan, where there is a high probability of a false positive. In this case, you might want to have REACT block that IP for a shorter period of time. The amount of time is cumulative, so repeat offenders can still be blacklisted, or earn back their network privileges.
If you detect malware signatures, you can tell REACT to block that IP address indefinitely for all network traffic. This means if an attacker tries one particular vector in your network and fails, they can’t use another vector your IDS hasn’t picked up yet, like a zero-day attack.
If you have a network of PoliWalls, the REACT engine can send an alert to every PoliWall to block that IP from every node in the network. This drastically reduces the number of alerts you must manually review from your IDS. If you block lists of known malicious actors like botnets and malware, you again reduce the volume of alerts system admins must manually collect and analyze.
For example, imagine the scenario where you've got somebody with an IP address in the US. They are not yet on any threat list because they are a new zero-day threat, and they are not in a country blocked by your policy. Now imagine this unknown adversary seeks out a vulnerability in the web server and this activity is detected by your IDS by signature matching. The IDS will respond by raising an alert. This alert information, including the attacker's IP address, is sent to the REACT server via the REST web interface. The IDS will continue to block this attacker if they use the same attack vector, but what now prevents the attacker from connecting to another web resource using a different attack signature? Maybe the IDS/IPS doesn't know the new attack signature? With the REACT solution, all PoliWalls at all locations are now aware of the malicious IP address and will automatically block inbound and outbound connections, regardless of protocol, port, or attack signature.
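The REACT behaviour described in this section (alerts submitted per source IP, block time that accumulates across repeat alerts, short blocks for scan-type alerts, indefinite blocks for malware, and one blocklist pushed to every enforcement point) can be modelled in a few lines. This is an added illustration, not Bandura's REACT server; the alert types and penalty durations are constructed values, and timestamps are plain epoch seconds supplied by the caller.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed block durations per alert type, in seconds; None = indefinite.
# These are illustrative values, not PoliWall defaults.
PENALTY = {"port_scan": 300, "exploit_attempt": 3600, "malware": None}

@dataclass
class ReactServer:
    """Models the REACT server: one cumulative block timer per source IP,
    published as a single blocklist to every PoliWall node."""
    blocks: dict = field(default_factory=dict)   # ip -> expiry epoch, or None

    def submit_alert(self, ip, alert_type, now):
        """What the REST endpoint would do with an IDS alert; returns the
        new expiry time, or None once the block is indefinite."""
        addr = str(ipaddress.ip_address(ip))      # validate and normalise
        if addr in self.blocks and self.blocks[addr] is None:
            return None                           # already blocked indefinitely
        penalty = PENALTY[alert_type]
        if penalty is None:
            self.blocks[addr] = None              # malware: block all traffic, no expiry
            return None
        # Cumulative: a repeat offender extends its current block rather than
        # restarting it, so a noisy scanner is still eventually blacklisted.
        base = max(now, self.blocks.get(addr, now))
        self.blocks[addr] = base + penalty
        return self.blocks[addr]

    def is_blocked(self, ip, now):
        """Enforcement check, independent of protocol, port or signature."""
        expiry = self.blocks.get(ip)
        if expiry is None:
            return ip in self.blocks              # indefinite block, or unknown IP
        if now >= expiry:
            del self.blocks[ip]                   # privileges earned back
            return False
        return True

    def snapshot(self, now):
        """Blocklist distributed to every PoliWall in the network."""
        return sorted(ip for ip in list(self.blocks) if self.is_blocked(ip, now))
```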
Advanced Controls : Advanced Management Features
Open SDK for Complete Control
The SDK provides programmatic control of the PoliWall configuration to dynamically adjust the filtering policies, exceptions and data configuration.
Prioritize & Throttle Bandwidth
Allocate bandwidth to the most important network resource IP address. Limit available bandwidth if the entity reaches a pre-set threshold. Automatically cut back bandwidth used by an attacking country in a DDoS attack.
Integrated Splunk® Forwarder
The integrated Splunk® forwarder provides high-speed logging capabilities to big-data clusters, delivering a dashboard for visualization of current network threats.
Data Logging and Reporting