In a past article, I explained how to auto-block hosts with a WatchGuard Firebox. Yesterday alone, my logs showed over 100 IP addresses auto-blocked on a Firebox used for testing purposes, and the full list included over 1000 blocked IP addresses. I also noticed that the Firebox shows only a limited number of blocked hosts, so the total number of blocked hosts may be larger than what the Firebox Web UI displays.
For those curious to know more about the traffic in their firewall logs, you can look up what part of the world and which network is trying to access your systems on blocked ports. To do that, we can look up the IP address in the five Regional Internet Registries that store information about who owns networks in different parts of the world. Each registry has a website with a “whois” search box to look up this information.
You can view the IP addresses that the Firebox auto-blocked by logging into the Fireware Web UI. Click on System Status and then Blocked Sites in the left menu.
Here is a random IP address that tried to connect to a blocked port on my firewall. Let’s see what information we can find out about it.
If you have no idea which region to search for the IP, then start with https://arin.net. Enter the IP address in the whois search box and click the arrow or hit enter.
For IP 18.104.22.168, the search results show that AFRINIC is the correct registry to search for this IP address, and any IP address in the range of 22.214.171.124 – 126.96.36.199.
If we go to https://afrinic.net and repeat the process for the same IP address, we see the following, which tells us the IP address is in the range 188.8.131.52 – 184.108.40.206 and that the network name is AFRIHOST-DYNAMIC.
The registry also displays address and contact information.
How is this information useful? A company could reach out to the other network and ask them to stop sending the traffic. Contacting every company that is sending unwanted traffic would be a time-consuming undertaking given the amount of rogue traffic like this that exists on the Internet. Alternatively, companies may choose to block networks or locations that are sending unwanted traffic, or proactively prevent some IP addresses from accessing all or part of the networks protected by the Firebox.
The value above for inetnum: 220.127.116.11 – 18.104.22.168 shows the range of IP addresses that belong to this network. First, I want to convert the IP address range to CIDR notation, which is another way to represent the same range, because the Firebox accepts a CIDR block. Online calculators can help convert IP ranges to CIDR notation. Enter the starting and ending IP address and click “calculate.”
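The two steps above, reading the inetnum range out of a registry record and converting it to CIDR notation, can be done locally rather than with a website. The following is an added example written for this article, not code from WatchGuard or from the registries; it uses Python's standard ipaddress module. The whois record, the EXAMPLE-DYNAMIC network name and the addresses in it are constructed from RFC 5737 documentation ranges, not a real network, and the is_blocked check is a hypothetical helper that mimics what the Firebox does when it matches a host against the permanent blocked-sites list. It also shows what an online calculator hides: a range that does not start and end on a power-of-two boundary needs several CIDR blocks, not one.

```python
import ipaddress
import re

# Constructed sample of a registry whois reply in the inetnum style used by
# AFRINIC and RIPE. Addresses are from an RFC 5737 documentation range.
SAMPLE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.103.255
netname:        EXAMPLE-DYNAMIC
descr:          Constructed example record, not a real allocation
country:        ZZ
"""


def parse_inetnum(whois_text):
    """Return (first_ip, last_ip, netname) from an inetnum-style whois record."""
    rng = re.search(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", whois_text, re.M)
    name = re.search(r"^netname:\s*(\S+)", whois_text, re.M)
    if not rng or not name:
        raise ValueError("record has no inetnum/netname lines")
    first = ipaddress.ip_address(rng.group(1))
    last = ipaddress.ip_address(rng.group(2))
    if first > last:
        # Guards against a mangled record; summarize_address_range would
        # otherwise raise a less helpful error.
        raise ValueError("inetnum range is not ascending")
    return first, last, name.group(1)


def range_to_cidrs(first, last):
    """Convert an inclusive IP range to the minimal list of CIDR blocks.

    Accepts strings or ip_address objects. A range aligned on a power-of-two
    boundary collapses to one block; an unaligned range yields several.
    """
    return [
        str(net)
        for net in ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)
        )
    ]


def is_blocked(ip, blocked_cidrs):
    """True if ip falls inside any CIDR block on the permanent block list.

    Hypothetical helper that mirrors the Firebox matching a connecting host
    against its Blocked Sites entries.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in blocked_cidrs)


if __name__ == "__main__":
    first, last, netname = parse_inetnum(SAMPLE_WHOIS)
    cidrs = range_to_cidrs(first, last)
    print(netname, cidrs)  # EXAMPLE-DYNAMIC ['198.51.100.0/22']
    # An unaligned range needs more than one block.
    print(range_to_cidrs("203.0.113.10", "203.0.113.40"))
    print(is_blocked("198.51.101.7", cidrs), is_blocked("198.51.104.1", cidrs))
```

If a registry's inetnum range produces a list of several blocks, each one has to be added to the Firebox as its own Network IPv4 entry; rounding the range up to a single larger block would also block addresses that belong to someone else.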
Now I know that the CIDR notation for this network is 22.214.171.124/16. I can enter that into the list of sites I want to block permanently in my Firebox by selecting Firewall, then Blocked Sites from the left menu.
Click the Add button at the bottom of the screen. Choose Network IPv4 (a network using Internet Protocol version 4) and enter the CIDR block we calculated above.
Click the OK button and, importantly, also hit the Save button at the bottom of the list of blocked IP addresses before leaving the screen. From then on, whenever a host tries to connect to or from that network, the Firebox will block it right away. You can also delete the individual hosts from the auto-blocked list that are now covered by this permanent rule.
What if your company never does business in Africa and you don’t want your employees visiting websites in Africa? You could look up all the address ranges allocated to Africa in the registries and block them. Another approach would be to use the WatchGuard Geolocation Service, which comes with the WatchGuard Total Security license. The Geolocation service allows network administrators to choose countries on a map or from a list to allow or disallow traffic.
The most important thing is to monitor and understand what is happening in your environment. Know what is normal so you can spot things that are suspicious and investigate further. Use what you learn to create network rules to allow and disallow traffic appropriately. — Teri Radichel (@teriradichel)