Why would a Bandura Cyber ThreatBlockr be needed when we have a firewall with some of the same features?
The Bandura Cyber ThreatBlockr does not replace a firewall; it complements the firewall and the other security appliances in your network. It filters traffic before it reaches the firewall and can do so much more efficiently. Firewalls typically update their threat feeds once a day, whereas our patented and patent-pending technology updates multiple threat feeds in near real time. The ThreatBlockr also handles access lists far larger than a conventional firewall can load, and has passed tests with access lists containing 100 million individual IP addresses. It is considerably faster than competing products and allows very granular exceptions that firewalls do not offer.
Will the Bandura Cyber ThreatBlockr slow down my network?
No. The Bandura Cyber ThreatBlockr's high-speed filtering algorithms add negligible latency (under 1 millisecond). Even our entry-level models can process over 100,000 packets per second.
Will I have to reconfigure my routers and firewalls?
No. The Bandura Cyber ThreatBlockr is a transparent layer 2 bridge: it forwards frames between its two bridge ports without routing them, so the devices on either side see each other exactly as before. Simply insert it between the firewall and router and turn it on. You won't even need to flush an ARP cache.
Does the Bandura Cyber ThreatBlockr have to go between the firewall and router?
No. It can be placed anywhere in the network where you want to stop malicious traffic. Between the firewall and the router is usually the best location, since everything crossing the perimeter passes through that link, but every network is different.
Can the Bandura Cyber ThreatBlockr sit outside the border router?
Most customers place the Bandura Cyber ThreatBlockr between the router and the firewall, but it can be deployed outside the edge router as long as the link it bridges is Ethernet.
What happens if there is a hardware or software failure? Will traffic flow be impacted?
No. The Bandura Cyber ThreatBlockr is equipped with a bypass card that triggers automatically and immediately on a failure of any kind, passing traffic wire to wire. Note that bypass is fail-open: while the unit is in bypass, traffic passes unfiltered and only your firewall's own policy applies, so a bypass event is something to alert on rather than merely tolerate.
How does traffic flow when the Bandura Cyber ThreatBlockr is in normal mode and what happens when it is placed in bypass mode?
In normal mode, the Bandura Cyber ThreatBlockr reads packets from one interface, evaluates the policy, and, if the packet is allowed, writes it out on the other interface. If there are multiple bridge interfaces, packets are always written to the other interface of the bridge pair they arrived on. In bypass mode, relays in the network card connect the two ports of each pair directly to each other, disconnecting them from the network processing chip.
Where does country mapping IP information come from?
Bandura Cyber gets this information from ipinfo.io (https://ipinfo.io/) and the regional internet registries. The data is updated daily.
What is DCEL and how frequently is the IP Threat Reputation data updated?
DCEL is compiled dynamically from difference (delta) files that are delivered to the Bandura Cyber ThreatBlockr in near real time whenever new threats are discovered. A single DCEL engine can handle threats in 32 categories from up to 32 different IP threat intelligence sources.
Can the IP Threat Reputation feeds be customized regarding risk tolerance?
Yes. Each address on a list carries a score indicating how confident the provider is in that address's classification. Raising the slider for a category raises the minimum confidence required, so fewer addresses from that category are included in the policy (only the higher-confidence ones). Lowering the slider includes more addresses, including lower-confidence ones; this blocks more but raises the chance of false positives, so use the exception (whitelist) mechanism for legitimate addresses that get caught.
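The two answers above describe a delta-driven list and a per-category confidence cut-off. The following is an added example, not Bandura Cyber's code, that models both: a baseline feed plus ordered delta files are folded into a reputation state, and a per-category threshold (the "slider") decides which addresses end up in the block policy. The feed format (action,ip,category,score), the category names and the 1-100 score scale are assumptions; the sample feeds are constructed and use documentation addresses.

```python
"""Model of delta-compiled reputation lists with per-category confidence
thresholds. Added example; not the vendor's code."""
import ipaddress

# Constructed sample feeds (documentation addresses). Format is an assumption:
# action,ip,category,score
BASELINE = """\
add,203.0.113.10,botnet,95
add,203.0.113.11,botnet,62
add,198.51.100.5,scanner,40
add,198.51.100.6,scanner,88
add,192.0.2.77,phishing,70
"""

DELTA_1 = """\
# a later delta: one retraction, one new entry, one score revision
remove,203.0.113.11,botnet,0
add,192.0.2.78,phishing,55
add,198.51.100.5,scanner,91
"""


def parse_feed(text):
    """Parse feed lines into (action, ip, category, score) tuples.
    Malformed lines raise instead of being skipped: a truncated or corrupt
    delta should not quietly produce a partial policy."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        action, ip, category, score = parts
        if action not in ("add", "remove"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        ip = ipaddress.ip_address(ip)  # rejects anything that is not an IP
        score = int(score)
        if not 0 <= score <= 100:
            raise ValueError(f"line {lineno}: score {score} out of range")
        entries.append((action, ip, category, score))
    return entries


def apply_deltas(baseline, deltas):
    """Build the reputation state {(ip, category): score}.
    Deltas are applied in order: an 'add' for an existing key revises its
    score, a 'remove' of an unknown key is a no-op. Keying on (ip, category)
    lets one address carry several classifications at once."""
    state = {}
    for text in [baseline, *deltas]:
        for action, ip, category, score in parse_feed(text):
            key = (ip, category)
            if action == "add":
                state[key] = score
            else:
                state.pop(key, None)
    return state


def compile_policy(state, thresholds, default=50):
    """Return the set of blocked IPs. thresholds maps category -> minimum
    confidence; raising a category's threshold admits fewer addresses."""
    return {ip for (ip, cat), score in state.items()
            if score >= thresholds.get(cat, default)}


if __name__ == "__main__":
    state = apply_deltas(BASELINE, [DELTA_1])
    strict = compile_policy(state, {"botnet": 90, "scanner": 90, "phishing": 60})
    relaxed = compile_policy(state, {"botnet": 90, "scanner": 80, "phishing": 50})
    print(len(strict), "blocked (strict);", len(relaxed), "blocked (relaxed)")
```

With the strict thresholds only the three high-confidence entries are blocked; lowering the scanner and phishing sliders admits the two lower-confidence addresses as well, which is exactly the trade-off the answer describes.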
Is the Bandura Cyber ThreatBlockr compatible with a firewall configuration with High Availability?
Yes. The BT-1G-A, BT-1G-X, and BT-10G all support High Availability in either an Active/Active or an Active/Standby configuration.
Will the Bandura Cyber ThreatBlockr support external logging to a log server for denied traffic or SNMP polling?
Yes. It will log denied traffic, and in fact all traffic, to an external server via syslog. It supports SNMP polling with SNMP versions 2c and 3; the SNMP interface exposes traffic statistics aggregated by country. Prefer SNMPv3 where your monitoring tools support it, since v2c community strings travel in cleartext.
Will the Bandura Cyber ThreatBlockr interfere with a VoIP phone system?
No. The Bandura Cyber ThreatBlockr adds less than 1 millisecond of latency, so you should see no difference in the performance of your VoIP.
Does the Bandura Cyber ThreatBlockr allow VPN connections?
The Bandura Cyber ThreatBlockr handles VPN traffic like any other traffic and allows or blocks it based on the policy applied. You can create a separate policy specifically for VPN traffic if different treatment is desired.
How is the Bandura Cyber ThreatBlockr different from an IDS?
An IDS uses deep packet inspection to match signatures of known malware or intrusion attempts. The Bandura Cyber ThreatBlockr instead blocks high-risk traffic from IP addresses that have previously been associated with malicious behavior. Because it relies on the reputation of the external IP address rather than on a signature, it can block malicious traffic for which no signature yet exists, reducing the window for zero-hour breaches. The two approaches are complementary rather than interchangeable: IP reputation cannot see an attack arriving from an address with no prior history.
What DDoS capabilities does the Bandura Cyber ThreatBlockr have?
The Bandura Cyber ThreatBlockr isn't specifically a DDoS prevention device, but it can help with certain types of DDoS attack. It is typically downstream from your ISP, so it can't help if the DDoS is saturating your ISP bandwidth: by the time the packets reach the ThreatBlockr, that bandwidth is already consumed. If, however, the attack targets resources inside the ThreatBlockr's perimeter, such as firewall sessions or application resources, it can help in many situations. The Country Blocking or Throttling features can stop or reduce much of an attack if you don't need to allow traffic from many of the countries it comes from. Also, many hosts used in a DDoS are compromised machines that may be known botnet members or already on blacklists; blocking them with the threat intelligence and available blacklists stops them before they use up resources on firewalls or application servers.
If a failure is experienced, is there a convergence time for network connectivity while entering failover mode on the unit? Will switching into failover mode be noticeable to the users?
There is no convergence time as such, because the bridge pair is transparent: no addresses change, so neighbouring routers and firewalls have nothing to relearn. A few packets may be lost as the physical relay closes and isolates the ThreatBlockr's internal circuitry from the network, but users would most likely not notice any change.
What does the Bandura Cyber ThreatBlockr need outbound access to?
- A DNS server (UDP port 53); this may be inside your network
- The Bandura support site over HTTPS (support.banduracyber.com, TCP port 443)
- GMC over HTTPS (gmc10.banduracyber.com or gmc15.banduracyber.com, TCP port 443)
Will the Bandura Cyber ThreatBlockr support VLAN over a trunk?
It supports VLANs on a trunk, with the requirement that each VLAN uses a unique subnet. Filtering is not VLAN-aware (policy is evaluated on the IP addresses regardless of VLAN tag), but VLAN-tagged frames are forwarded correctly.
My Domain Whitelisting is not working?
Make sure that your A and MX records are enabled in GMC. Once logged into your account, go to Policies > Inbound Policy > Exceptions and enable this for every policy you want to use whitelisting on. Then, on your Local Device, ensure that your policies show under Resource Groups with a green check mark in the GMC column. If you need further assistance, contact firstname.lastname@example.org.
How to enable the Domain Tools Blacklist?
Make sure you are on the most recent software, then send email@example.com an email to let us know you're ready for the automatic domain blacklist.
My Dashboards are not populating in the Local Device?
Make sure your device is inline in your network, that the admin, inside and outside ports are plugged in and configured correctly, and that the device is not in bypass mode. Also ensure the date and time are correct; you can configure an NTP (Network Time Protocol) server if needed, which requires outbound UDP port 123 in addition to the ports listed above. If you do not have your own NTP server, we recommend 0.pool.ntp.org.
My Dashboards are populating in the ThreatBlockr Local Device but not in GMC?
On your Local Device, ensure that your policies show under Resource Groups with a green check mark in the GMC column; this confirms the device is synced with GMC. If there is a red X instead, go to Settings > GMC, enable the 3 listed options, and submit. Next, go to Resource Groups > Edit > GMC "Select Policy" and choose the same policy in the drop-down for each item.
Can the ThreatBlockr create a splash page or redirect to a splash page?
No. The ThreatBlockr works at layer 2, so it does not provide this functionality. However, this is a highly requested feature and we are working to implement it.
I’m seeing GMC sync errors, what do I do?
Ensure the software on the device is current. Log into your GMC account and select the Software tab on the left-hand side. Everyone is currently on ThreatBlockr 1.0; select this option and choose the most recent software. Note: installing new software will reboot the device once the installation is complete. While rebooting, the device goes into bypass mode and allows all traffic.
I blacklisted a domain and it's not being blocked?
Allow a few minutes after adding a domain to your Blacklist for it to sync down to your device. Clearing your browser cache or flushing your DNS cache can speed things up if you experience a long delay.
Unable to Ping the device?
Make sure that when you try to communicate with the device you are on the subnet you entered in Ping Access when setting up the device; this should be the same subnet used for HTTP access. Once those are verified, power cycle the device. Note that a power cycle puts the device into bypass mode, allowing all traffic, until it comes back up. If the problem persists, contact support at firstname.lastname@example.org.
Can I use wildcards for whitelisting all sub domains for a particular domain?
When you whitelist a domain, the device automatically covers any subdomains of that domain. Wildcards ("*") are not currently supported. Make sure that your A and MX records are enabled in GMC: once logged into your GMC account, go to Policies > Inbound Policy > Exceptions and enable this for every policy you want to use whitelisting on.
I have a large list of IPs I want to add to a blacklist/whitelist. Is there a way to import them all without entering each IP address individually?
For large lists of IPs, send them to email@example.com and we can import the list on the back end for you. Once imported, we will send you an update to let you know it's available.
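Before sending a bulk list for import, it is worth normalizing it locally so the list that goes out is small, valid and free of addresses that would hurt your own network. The following is an added example, not Bandura Cyber's tooling: it validates each entry, flags ranges you almost certainly do not want in an inline blocklist (RFC 1918, loopback, link-local, multicast), de-duplicates and collapses overlapping entries into the smallest CIDR set. The input format (one IP or CIDR per line, "#" comments) is an assumption, and the sample list is constructed, with documentation ranges standing in for public addresses.

```python
"""Normalize a bulk IP list before submitting it for import.
Added example; not the vendor's tooling."""
import ipaddress

# Constructed sample list; documentation ranges stand in for public addresses.
SAMPLE_LIST = """\
# constructed sample list
203.0.113.10
203.0.113.10
203.0.113.8/29
198.51.100.0/24
198.51.100.7
10.0.0.5
not-an-ip
2001:db8::1
300.1.1.1
"""

# Ranges that should never be blocked on an inline device: an entry here
# would hit your own infrastructure rather than an attacker. (Assumed list;
# extend it with your own public ranges.)
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def is_reserved(net):
    """True if net touches any reserved range of the same address family."""
    return any(net.version == r.version and net.overlaps(r) for r in RESERVED)


def normalize_list(text):
    """Return (collapsed_networks, rejected, reserved); rejected and reserved
    are lists of (line_number, original_line) for the operator to review."""
    keep, rejected, reserved = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. 203.0.113.10/29
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if is_reserved(net):
            reserved.append((lineno, raw))
            continue
        keep.append(net)
    # collapse_addresses only accepts one address family at a time.
    collapsed = []
    for version in (4, 6):
        same = [n for n in keep if n.version == version]
        collapsed.extend(sorted(ipaddress.collapse_addresses(same)))
    return collapsed, rejected, reserved


def render(networks):
    """One entry per line; single hosts are written without a /32 or /128."""
    return "\n".join(str(n.network_address) if n.num_addresses == 1 else str(n)
                     for n in networks)


def address_count(networks):
    """Number of individual addresses the collapsed list covers."""
    return sum(n.num_addresses for n in networks)


if __name__ == "__main__":
    nets, rejected, reserved = normalize_list(SAMPLE_LIST)
    print(render(nets))
    print("addresses:", address_count(nets))
    print("rejected:", rejected)
    print("reserved (not sent):", reserved)
```

Entries that fail to parse and entries in reserved ranges are returned separately rather than silently dropped, so a typo in a public range is noticed instead of quietly shrinking the list.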
Getting a notification that auto updates are failing?
This is caused by your support having lapsed. Contact support and we can restore it while our sales team reaches out to your company about renewing your term. Call us at 1.855.765.4925 ext. 2 or send an email to firstname.lastname@example.org.
Is there any way to get the threat category connection numbers other than mousing over the graphic on the dashboard?
We provide this in the GMC dashboards, which show the number of connections beside each category on the pie charts; this is the same information available on your ThreatBlockr dashboard. You can also schedule reports in GMC, generated from each dashboard, to be emailed to you. The schedule option is at the top right of the GMC dashboards, with the export-to-PDF option beside it.
Can you explain how sites are added to the threat list and more importantly if sites are confirmed by a Bandura engineer prior to being placed on the lists?
One of our threat intelligence sources is supplied by Webroot. We then take those feeds and apply them to our units. I have looked into this specific IP address and it looks like there are a large number of domains associated with this IP address. Some of those domains have been associated with malicious activity, causing the entire IP address to be marked as malicious. We do not verify each website that is put on these lists due to the high volume of them. I have provided a link to Webroot so you will be able to type the IP in and see how it's scored. To make the website available you can whitelist the website to gain access. https://www.brightcloud.com/tools/url-ip-lookup.php#
Can you provide some input on how threat feeds determine the threshold score for these IPs and when to block them?
Webroot continuously monitors and examines the traffic of IP addresses seen on the network. The analysis takes into consideration each address's history, age, rank, location, networks, links, real-time performance, and behavioral information. It results in each IP being labelled with one of the primary threat categories defined by the feed (spam sources, Windows exploits, scanners, botnets, denial-of-service attacks, proxies (including anonymous proxies and Tor), web attacks, phishing, and mobile threats), indicating its primary purpose. Each IP is also assigned a risk score of 1-100; the per-category slider described above sets the minimum score at which an address is blocked.