Or as those canny Romans said: Quis Custodiet Ipsos Custodes?

You have a firewall to protect the users and servers behind it. That's great. But these days the firewall is often also the VPN server and half a dozen other things, so it isn't just examining traffic and passing it through (or not); it is also receiving traffic addressed to itself.

What happens if there's a vulnerability in one of those other services, and that vulnerability can be exploited to take over the whole firewall? That's roughly what we've seen with the recent Fortigate SSL VPN issue, but the problem is not unique to Fortigate or to VPNs.

The fact is, you need to protect the firewall itself and to detect (and prevent) attacks on it. You could add another firewall in front of it, but that defeats the whole point of a single access point, so what we really need is a way for the firewall to protect itself. By far the easiest and safest way to do that is to block malicious IP addresses from even connecting to the device (or to the devices behind it). Basic IP blocks are normally applied to all traffic on the external interface and take effect immediately, before the packet reaches the higher inspection levels that decide whether this traffic is for the internal SSL VPN, the mail server in the DMZ or whatever. Critically, this means they will also stop attempts to hack the firewall itself.

How Attackers Work

The best news about this is the way the bad guys identify a device to try to exploit. Typically the first step is to use very noisy scanners that sweep the entire internet looking for devices that may be vulnerable. If those IP addresses are blocked, the bad guys will conclude there's nothing there and move on. If there is a response, even if the response is "not found", then the bad guys know there's something they can try to attack. That next step is usually handled by a different device and IP address, one more directly controlled by the hackers, unlike the fully automated scanner bots.

That means there are at least two chances to stop the attack by blocking known bad IP addresses: the noisy scanner and the less well known but still frequently reused exploiter. And if, by some chance, the firewall is hacked because neither of the attacking devices used known malicious IPs, the same IP blocks will likely stop the call-homes or download requests that follow once the exploit has run. That provides an opportunity to discover the exploit through block reporting and to significantly limit the damage done.
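To make the two ideas above concrete (one blocklist applied to every flow on the external interface regardless of which service it is aimed at, and block reporting surfacing a compromise through its call-home), here is an added example written for this page. It is not code from the original post or from the vendor's product. All addresses, the blocklist entries and the flow records are constructed sample values from the RFC 5737 documentation ranges, and the names `Blocklist`, `evaluate_flow` and `block_report` are this example's own.

```python
"""Added example, not code from the original post or the vendor behind it.

One IP blocklist is applied to every flow crossing the external interface:
flows aimed at the firewall's own services (e.g. its SSL VPN listener),
flows aimed at hosts behind it, and outbound flows from inside (a possible
call-home after a compromise). Blocked flows are summarised in a report so
that a silent block still makes the attempt visible.

All addresses below are constructed sample values, not real indicators.
"""
import ipaddress
from collections import Counter

# Hypothetical external address of the firewall itself.
FIREWALL_IP = "203.0.113.200"

# Constructed blocklist entries: single hosts and CIDR ranges.
SAMPLE_BLOCKLIST = [
    "198.51.100.0/24",   # constructed: noisy scanner range
    "203.0.113.7",       # constructed: exploitation host
    "192.0.2.0/25",      # constructed: call-home / payload download range
]

# Constructed flow records seen on the external interface:
# (source, destination, destination port, direction relative to the firewall).
SAMPLE_FLOWS = [
    ("198.51.100.23", FIREWALL_IP, 443, "in"),    # scanner probing the VPN port
    ("203.0.113.7", FIREWALL_IP, 443, "in"),      # exploit attempt against the firewall itself
    ("203.0.113.7", "203.0.113.201", 25, "in"),   # same host hitting the DMZ mail server
    ("203.0.113.150", FIREWALL_IP, 443, "in"),    # ordinary VPN user, not listed
    ("10.0.0.5", "192.0.2.40", 80, "out"),        # internal host calling home after an exploit
    ("10.0.0.9", "192.0.2.200", 443, "out"),      # internal host, destination not listed
]


class Blocklist:
    """Set of blocked networks; an address is blocked if any listed network contains it."""

    def __init__(self, entries):
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def match(self, addr):
        """Return the listed network containing addr, or None if it is not listed."""
        ip = ipaddress.ip_address(addr)
        for net in self.networks:
            if ip.version == net.version and ip in net:
                return str(net)
        return None


def evaluate_flow(blocklist, src, dst, dport, direction, firewall_ip=FIREWALL_IP):
    """Decide one flow. The blocklist is checked against the remote party only,
    so the decision happens before anything looks at which service is addressed."""
    remote = src if direction == "in" else dst
    hit = blocklist.match(remote)
    if hit is None:
        return {"action": "allow", "remote": remote, "target": None, "matched": None}
    if direction == "in":
        target = "firewall" if dst == firewall_ip else "behind firewall"
    else:
        target = "outbound"  # a blocked outbound flow is a compromise indicator
    return {"action": "block", "remote": remote, "target": target, "matched": hit,
            "src": src, "dst": dst, "dport": dport}


def block_report(blocklist, flows, firewall_ip=FIREWALL_IP):
    """Summarise blocked flows: which remotes hit, what they aimed at, and which
    internal hosts tried to reach listed addresses (the call-home case)."""
    results = [evaluate_flow(blocklist, *f, firewall_ip=firewall_ip) for f in flows]
    blocked = [r for r in results if r["action"] == "block"]
    return {
        "total": len(results),
        "blocked": len(blocked),
        "by_remote": dict(Counter(r["remote"] for r in blocked)),
        "by_target": dict(Counter(r["target"] for r in blocked)),
        # Internal sources of blocked outbound flows deserve an incident-response look.
        "suspect_internal_hosts": sorted({r["src"] for r in blocked if r["target"] == "outbound"}),
    }


if __name__ == "__main__":
    report = block_report(Blocklist(SAMPLE_BLOCKLIST), SAMPLE_FLOWS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report separates blocks aimed at the firewall itself from blocks aimed at hosts behind it, and lists internal hosts whose outbound traffic matched the list; on a real device that last group is the signal that something already got in, which is the "discover the exploit through block reporting" case the text describes.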

How to get the list of known IPs?

Ask us. Seriously, that's the easy bit. We've been collating these lists from our own research and hundreds of other sources for over a decade now, and we keep those lists updated as new malicious IP addresses are found and as older ones are cleaned up. We work with almost all firewalls and WAFs, and we work with devices wherever they are: at the main data center, in branch offices or in the cloud.

Get a Demo