Policies let users define what traffic is allowed through specific networks or network segments. There is no limit to the number of policies, so users can create as many as they need to protect each of their networks.
Click Enforce in the left-hand navigation menu and then select the Policies tab. Your existing policies are listed in the chart below, or you can use the navigation bar to narrow the search.
The chart shows each policy's name, the network associated with it, its direction and its description.
By default, customers should have at least an Allow All policy, a Default Inbound policy and a Default Outbound policy. The Allow All policy can be used as a "break glass" policy when a business-critical site or service must be accessed but is being blocked. With an allow-all policy, all traffic is allowed through the device and continues to be logged for review.
We recommend using the Allow All policy instead of putting the device into bypass mode if you don't know whether the threatER platform is blocking traffic, so that logging is maintained. In bypass mode, no traffic is logged.
To create your own Allow All policy, apply the following configuration on each step:
- IPs by Country: Allow All
- Reserved and Unassigned IPs: Allow both
- IPs by ASN: confirm no ASN is blocked
- Risk Thresholds: Disable (uncheck) all categories
- Block Lists: Disable (uncheck) all Block Lists
Policy Overview
All details of a policy can be viewed on a single page. Navigate to Enforce in the left-hand navigation menu, select the Policies tab and click the hyperlink of the Policy Name.
The top panel summarizes the following:
Field Name | Field Description |
Policy Name (1) | Name of the policy |
Network (2) | The Network the policy is assigned to |
Reserved IPs (3) | Private IPs not used for public internet access |
Unassigned IPs (4) | Private IPs that are not assigned |
Description (5) | Optional description of the policy |
List Panel
The List panel displays all lists available to your account. The left column shows a green checkbox if the list is enabled on the policy.
You can narrow down the results via the filters available for each column.
Search Name | Description |
Name | Search across all columns by typing the name of the list, type, indicator or source. |
Type | Search the type of list (Allow, Block, Threat) |
Indicator | Search for the list indicator (IP or Domain) |
Source | Search for manual lists or lists from specific connectors/plugins |
Click the Edit button in the top-right corner of the module to add or remove Lists from the policy. You will be taken to the Lists module to make adjustments.
Risk Thresholds Panel
The Risk Thresholds panel displays the current threat list settings applied on the policy. The green line represents threatER's security best practice of a score of "80" across all categories. If a category is set to the best-practice value, its bar is green. Anything above or below that threshold displays a blue bar. If a category is not enabled on the policy, no bar is displayed and the category name is shown in red.
Click on the graph to view a list of the Category settings. If edits need to be made, click on the pencil icon in the top-right corner and you will be taken to the Risk Thresholds module.
Countries Panel
The Countries panel displays, by default, the map view of which countries are allowed and blocked. To view a list of the country settings, click on the list icon or click anywhere on the map.
Filter by country name or by switching the verdict between Allow and Block.
If edits need to be made, click on the pencil icon in the top-right corner and you will be taken to the IPs by Country module.
ASNs Panel
The ASNs panel displays the ASNs explicitly allowed and blocked on the policy.
You can filter by ASN name and number, or by verdict. To make any edits, click on the pencil icon in the top-right corner. You will be taken to the IPs by ASN module.
Creating a Policy
Policy Details
Select the green "Create" button in the top-right corner to get started. In the first module, enter a name and an optional description for the Policy under Policy Details.
IPs by Country
The second module, IPs by Country, allows admins to allow or block internet traffic to and from countries of the world. By default, IPs from all countries are allowed. Traffic can be blocked from specific countries in one of two ways:
- Click on a country in the map to change it to the block setting (blocked countries are shown in red)
- Search for the country in the Filter box and then move the toggle to the block state
Once all IPs by Country settings are complete, select the next module.
IPs by Country - Best Practice
A few questions to ask yourself while considering geo-blocking:
1. Are you currently leveraging geo-blocking in your firewall?
2. Are you an internationally based customer, meaning do you expect traffic from countries outside your home country to access your site inbound?
3. Can you start by considering the known state actors such as Russia, China, North Korea, Belarus or Iran for immediate blocking?
Another option is to start with a block-all stance for countries and then allow the countries that you know should be able to reach your network. By selecting Block All as your first blocking policy, administrators can easily geo-block most of the world except the regions where business is expected.
Reserved and Unassigned IPs
The third module, Reserved and Unassigned IPs, covers private or internal IPs. Because private IPs don't have an associated country, they are categorized as reserved or unassigned IPs.
If needed, change the toggle to "Block" to block Reserved IPs or Unassigned IPs and select the next module.
Reserved and Unassigned IPs - Best Practice
Keep Reserved and Unassigned IPs allowed to ensure that internal or private IPs aren't being blocked. threatER has these two fields allowed by default, and if you don't have a specific reason otherwise, it is recommended that these remain allowed.
IPs by ASN
Traffic can be allowed or blocked from a single autonomous system number (ASN). This can be a useful feature when you are relying on large-scale geo-blocking, but find the need to allow one or more ASNs in a given country while maintaining blocks on all other activity associated with that country. Similarly, it can be a great way to quickly block all activity to and from ASNs that have been compromised or are being heavily used by malicious actors.
To add an ASN to your policy, search by ASN Name or ASN number in the right-hand panel. Click on the verdict you want to apply to the ASN (Allow or Block) to add it to the left-hand panel.
Select the trash icon in the row of the ASN to remove an ASN.
IPs by ASN - Best Practice
From an inbound perspective, if you are seeing a lot of activity from an ASN that you don't recognize or one that you have identified as a threat, you might want to block that ASN.
From an outbound perspective, you can think about this from both the block and the allow side. For example, Facebook hosts its own ASNs, which cover all Meta products (Facebook, Instagram, WhatsApp, etc.). Maybe you have a company policy that does not allow employees to access Facebook during the day, so you want to block it entirely. On the other side, maybe your marketing team relies heavily on Instagram and you don't want to take any chances with the social media account being blocked, so you want to allow it across the board.
Risk Thresholds
There are nineteen threat categories that can be enabled on this screen. Every IP included in the threat lists is placed in one or more of these categories.
Each category has an associated risk score that can range from 1 to 100, with a higher score representing a higher chance of being malicious. Adjusting the number allows admins to control how strong a policy should be applied. A threshold set at 90, for example, blocks IPs in that category with a score of 90 or higher. Lowering the threshold strengthens the policy by also blocking IPs with lower scores.
As an example, if the "Command and Control" category is enabled with a threshold of 92, any IP identified as "Command and Control" with a score of 92 or above will be blocked. If the "Command and Control" category were not enabled, the connection would be allowed as far as that specific category is concerned, but it could still be blocked by other categories (since an IP or domain can appear in multiple categories), by Block Lists or by the IPs by Country policy.
Select the checkbox to the left of the desired category to enable the category. All categories can be selected by enabling the checkbox at the top of the column.
Enter a value between 1 and 100 in the text field to set a Risk Score for a category. The same Risk Threshold can be applied to all categories by entering a value in the text field at the top of the column.
Risk Thresholds - Best Practice
Start by enabling all categories with a default baseline. We recommend the following baseline for inbound and outbound:
- Inbound: 90 for all categories.
- Outbound: 97 for the Fraudulent Activity and Proxy/VPN categories, 95 for all other categories.
A more aggressive approach, i.e., blocking more threats, means adjusting the threshold below the recommended default. A more conservative approach, i.e., fewer threats blocked initially, means adjusting the threshold above the recommended default. If blocking more IPs in a certain category is needed, lower the score in that category. Blocking fewer IPs in a certain category is achieved by raising the score in that category.
Your organization could come across a scenario where many legitimate sites or services are being blocked. For example, upon correlating with the logs in Enforce, you find that critical IPs are identified on the threat list as "Spam" with a score of 95. Admins can raise the outbound risk threshold for the "Spam" category to 96 or above so that fewer IPs in the "Spam" category are inadvertently blocked as false positives.
On the other hand, if checking the logs shows that many unidentifiable "Endpoint Exploits" are getting through inbound with a score of 85-89, admins can lower the inbound risk threshold score to 85. This ensures that more connections are blocked based on "Endpoint Exploits."
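To make the threshold semantics from the Risk Thresholds section and its Best Practice concrete, here is an added example (not threatER's own code) that models per-category thresholds, the "any enabled category that is met blocks" rule, and the two tuning scenarios above. The category subset, indicator addresses and scores are constructed for illustration.

```python
from dataclasses import dataclass

# Recommended baselines from the article; this category list is a constructed
# subset of the nineteen categories, not the product's full list.
INBOUND_BASELINE = {c: 90 for c in ("Command and Control", "Endpoint Exploits",
                                    "Spam", "Fraudulent Activity", "Proxy/VPN")}
OUTBOUND_BASELINE = {"Command and Control": 95, "Endpoint Exploits": 95,
                     "Spam": 95, "Fraudulent Activity": 97, "Proxy/VPN": 97}

# Constructed sample threat-list data: indicator -> {category: risk score}.
THREAT_LIST = {
    "203.0.113.10": {"Command and Control": 92},
    "203.0.113.20": {"Spam": 95},                        # a legitimate mail relay
    "203.0.113.30": {"Endpoint Exploits": 87},
    "203.0.113.40": {"Proxy/VPN": 60, "Fraudulent Activity": 98},
}


@dataclass
class RiskThresholds:
    """Per-policy thresholds; a category absent from the dict is disabled."""
    thresholds: dict

    def blocking_categories(self, indicator):
        """Enabled categories whose threshold the indicator's score meets or exceeds.

        One matching category is enough to block, so an IP that is below
        threshold in one category can still be blocked by another.
        """
        scores = THREAT_LIST.get(indicator, {})
        return sorted(c for c, s in scores.items()
                      if c in self.thresholds and s >= self.thresholds[c])

    def verdict(self, indicator):
        return "block" if self.blocking_categories(indicator) else "allow"

    def tune(self, category, threshold):
        """Raise a threshold to block fewer IPs in a category, lower it to block more."""
        if not 1 <= threshold <= 100:
            raise ValueError("risk score must be between 1 and 100")
        self.thresholds[category] = threshold


def tuning_walkthrough():
    """Replays the Spam (outbound) and Endpoint Exploits (inbound) scenarios."""
    outbound = RiskThresholds(dict(OUTBOUND_BASELINE))
    before_spam = outbound.verdict("203.0.113.20")   # Spam 95 >= 95 -> block
    outbound.tune("Spam", 96)                        # raise to cut false positives
    after_spam = outbound.verdict("203.0.113.20")    # 95 < 96 -> allow
    inbound = RiskThresholds(dict(INBOUND_BASELINE))
    before_ee = inbound.verdict("203.0.113.30")      # 87 < 90 -> allow
    inbound.tune("Endpoint Exploits", 85)            # lower to block more
    after_ee = inbound.verdict("203.0.113.30")       # 87 >= 85 -> block
    return before_spam, after_spam, before_ee, after_ee
```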
Lists
Users can enable Allow, Block and Threat Lists per policy, which specify the IPs that should be allowed or blocked on that policy. Allow and Block Lists do not influence traffic until they are enabled on a Policy.
Search or filter for the List(s) to include as part of your policy and then select the checkbox next to each desired list.
Select the Create Policy button once all desired Lists have been selected. For further information on the out-of-the-box allow, block and threat lists available to all customers, please see our Threat Intelligence List documentation.
Lists - Best Practice
From an inbound perspective, we recommend the following:
- Enable all available lists on the threat list
- Enable all available lists on the block list except for Zoom. Zoom was placed on the Block List during the 2020 height of the Covid-19 pandemic when Zoombombing or Zoom raiding was seen across different industries. Zoom implemented security updates to the application that mitigated most of these concerns, but it is up to the discretion of the Admin to determine whether Zoom should remain enabled on the organization's block list.
- Enable the following lists on the allow list: Windows IP Update, Windows Domain Update, threatER Curated DNS, threatER SaaS
Keep in mind for the remaining lists how many of these sites are going to be initiating the connection. threatER handles traffic in a stateful manner, so as long as a connection is initiated outbound and allowed, the inbound response is automatically allowed. For that reason, you will most likely not need to enable the remaining lists from an inbound perspective.
From an outbound perspective, we recommend the following:
- Enable all available lists on the threat list
- Enable all available lists on the block list except for Zoom. See the inbound explanation above for the reasons.
- Enable the following lists on the allow list: Windows IP Update, Windows Domain Update, threatER Curated DNS, threatER SaaS, and the lists for any companies whose services you are currently using.
We don't recommend enabling Akamai, Amazon Cloudfront, Cloudflare CDN and Fastly unless absolutely necessary, because they are cloud-based hosts that also carry third-party data.
Edit a Policy
To edit the configuration of an existing policy, find the policy that needs edits in the table. Select Edit from the ellipsis menu in the row of the policy.
Click on the Policy step that needs adjustments and make the necessary edits. Confirm that the other steps are correct and click Save to apply all policy edits. It is crucial that you click the Save button before exiting the tab, or the pending edits will be lost.
Duplicate a Policy
To duplicate an existing policy, find the policy that you would like to duplicate in the table. Select Duplicate from the ellipsis menu in the row of the policy.
A copy of the policy is created with the word "copy" appended to the policy name. The copy is not assigned to any network at the time of duplication, and it can be edited by clicking Edit in the ellipsis menu.
Navigate to the Networks tab to assign the copied policy to a network.
Delete a Policy
A Policy can only be deleted if there are no Networks utilizing that policy. To delete a Policy with no Networks, go to the policy in the table and select Delete from the ellipsis menu in the row of the policy.
Click the Delete button on the confirmation modal to finalize the changes. Policies can't be retrieved once deleted.
Refer to the steps to remove a policy from a Network for more information.