Bandura Cyber 
ThreatBlockr 2.0 
User's Manual

OCTOBER 2020 

______________________________________________________________________________________

 

While​ ​Bandura​ ​Cyber​ ​has​ ​attempted​ ​to​ ​verify​ ​that​ ​the​ ​information​ ​in this​ ​document​ ​is​ ​accurate​ ​and​ ​complete,​ ​some​ ​typographical​ ​or​ ​technical errors​ ​may​ ​exist.​ ​The​ ​recipient​ ​of​ ​this​ ​document​ ​is​ ​solely​ ​responsible​ ​for all​ ​decisions​ ​relating​ ​to​ ​or​ ​use​ ​of​ ​the​ ​information​ ​provided​ ​herein.

The​ ​information​ ​contained​ ​in​ ​this​ ​publication​ ​is​ ​effective​ ​as​ ​of​ ​the publication​ ​date​ ​below​ ​and​ ​is​ ​subject​ ​to​ ​change​ ​without​ ​notice. 

This​ ​publication​ ​contains​ ​proprietary​ ​information​ ​that​ ​is​ ​protected​ ​by copyright.​ ​All​ ​rights​ ​are​ ​reserved.​ ​No​ ​part​ ​of​ ​this​ ​document​ ​may​ ​be reproduced​ ​or​ ​transmitted​ ​in​ ​any​ ​form​ ​or​ ​by​ ​any​ ​means,​ ​electronic​ ​or mechanical,​ ​or​ ​translated​ ​into​ ​another​ ​language,​ ​without​​ ​prior​ ​written consent​ ​of​ ​Bandura​ ​Cyber,​ ​Inc. 

This​ ​edition​ ​published​ ​June 2020. 

©​ ​2020​ ​Bandura​ ​Cyber,​ Inc. 

Bandura​ ​Cyber​ ​software​ ​is​ ​also​ ​protected​ ​by​ ​copyright​ ​law​ ​and constitutes​ ​valuable​ ​confidential​ ​and​ ​proprietary​ ​information​ ​of​ ​Bandura​ ​Cyber, Inc.​ ​and​ ​its​ ​licensors.​ ​The​ ​Bandura​ ​Cyber​ ​software​ ​and​ ​all related​ ​documentation,​ ​is​ ​provided​ ​for​ ​use​ ​only​ ​in​ ​accordance​ ​with​ ​the terms​ ​of​ ​the​ ​license​ ​agreement.​ ​Unauthorized​ ​reproduction​ ​or​ ​distribution of​ ​the​ ​software​ ​or​ ​any​ ​portion​ ​thereof​ ​could​ ​result​ ​in​ ​severe​ ​civil​ ​or​ ​criminal penalties. 

 

All​ ​trademarks​ ​are​ ​the​ ​property​ ​of​ ​their​ ​respective​ ​owners.

______________________________________________________________________________________

 

1 Introduction

Back to Table of Contents

1.1 Overview

Bandura Cyber ThreatBlockr

The Bandura Cyber ThreatBlockr is one of two main components of the Bandura Cyber ThreatBlockr platform. The other component is the cloud-based Actionable Threat Intelligence (ATI) engine (which includes the Global Management Center (GMC) and API Suite).

• Our Actionable Threat Intelligence (ATI) engine aggregates and integrates all of your IP and domain-based threat intelligence feeds. It connects data sources in real time from any source, including; commercial, government, ISAC/ISAOs, TIPS, SOARs, SIEMs and includes over 30M threat indicators out of the box.
• Our ThreatBlockr can be deployed in minutes and makes all of your threat intelligence actionable by blocking up to 150M threat indicators at line speed before they hit your network and existing security controls.

Operating holistically, these two components help organizations strengthen network protection, reduce manual staff workload and increase ROI on existing security investments including threat intelligence and next-generation firewalls. The Bandura Cyber ThreatBlockr delivers the “action” element of this solution. 

This manual provides a comprehensive description of the features and utilities of the Bandura Cyber ThreatBlockr.

Back to Table of Contents

1.2 Specifications

See Device Specifications.

Back to Table of Contents

1.3 What’s Included

The following items are included with the Bandura Cyber ThreatBlockr:

• Appliance
• Power Cord(s)
• Rackmount Equipment (if applicable)
• Registration Card

Back to Table of Contents

1.4 Support

Please visit the Bandura Cyber Help Desk site for answers to frequently asked questions. Technical Support is available by phone and email according to the Service Level Agreement (SLA) that was purchased with the unit.

 

Help Desk Site	https://helpdesk.banduracyber.com
Phone	1-855-765-4925
Email	support@banduracyber.com

 

Back to Table of Contents

2 Configuration

Initial configuration and deployment of the Bandura Cyber ThreatBlockr will be performed utilizing the Bandura Cyber ThreatBlockr’s easy-to-use, intuitive, graphical user interface. Once the ThreatBlockr is initially configured and deployed, the cloud-based Global Management Center (GMC) will be used by organizations to interface, configure, and manage the Bandura Cyber ThreatBlockr platform. Additionally, Bandura Cyber offers a powerful suite of APIs for those organizations seeking more flexibility and control. For more information, see the Global Management Center (GMC) User Manual.

We suggest that prior to configuring your Bandura Cyber ThreatBlockr, that this manual is reviewed in its entirety, and that the security policies specific to your organization are considered. 

Back to Table of Contents

2.1 Initial Configuration

YOUR BANDURA CYBER THREATBLOCKR ARRIVES WITH AN ‘ALLOW ALL’ POLICY CONFIGURATION

The Bandura Cyber ThreatBlockr provides several ports on the back of the device labelled according to the device type.

For initial configuration, locate the port labeled “Admin”, this port will be used to administer the Bandura Cyber ThreatBlockr. Note that the “Admin” port will also be used once deployed, to receive continued update information from the Bandura Cyber cloud-based Actionable Threat intelligence (ATI)  servers. 

 

 

Once your appliance is powered on, connect an ethernet cable to both the “Admin” port of the Bandura Cyber ThreatBlockr, and to a switch inside your local network. Connect the computer that you will be performing initial configuration to the same switch. See Figure 1: Initial Set Up Diagram.

Figure 1: Initial Setup Diagram

*Note: Your Bandura Cyber ThreatBlockr appliance also offers additional ports labeled “Outside” and “Inside.”  

 

Configuring a New Bandura Cyber ThreatBlockr

 

Follow these steps to connect your computer device to the Bandura Cyber ThreatBlockr:

• Configure your computer to have an IP address in the range of 192.168.1.2 to 192.168.1.254. 
• To avoid any network routing problems, you may want to turn off any other internet connections on this computer, such as WiFi.
• Connect your computer to the Admin port on the Bandura Cyber ThreatBlockr, using a standard UTP CAT5, CAT5e or CAT6 ethernet cable.
• The IP address of the Bandura Cyber ThreatBlockr’s Administration Interface is 192.168.1.1, with a network mask of 255.255.255.0.
• Configure the Bandura Cyber ThreatBlockr according to this manual and your security plan, then place the ThreatBlockr into your network. 
  
  

Back to Table of Contents

2.2 Logging in for the First Time

This section covers the initial steps required for logging in to the Bandura Cyber ThreatBlockr, readdressing, and configuring access to the device. 

2.2.1 Accessing the Bandura Cyber ThreatBlockr

The setup process consists of re-addressing the ‘Admin’ port of the Bandura Cyber ThreatBlockr to fit within your internal private networks. By default, the address is 192.168.1.1. Unless this address is within one of your private networks, it will need to be re-addressed. 

To establish a connection, open a terminal or command prompt and ping the address with the following commands:

• Linux or Mac: ping 192.168.1.1
• Windows: ping -t 192.168.1.1

If you receive a ‘Request Timed Out’ message, move on to the re-addressing step.

2.2.1.2 Re-addressing

Windows:

• Go to the Network and Internet settings and click Change Adapter Options from the left-hand side. Select the preferred connection.
• In the new window, right-click the correct adapter, select Properties. Select Internet Protocol Version 4 from the list of items and click on Properties. 
• Select the radio button next to Use the Following IP Address and input the IP address of 192.168.1.2.
• The subnet mask should auto recognize this as a 24-bit mask. If not, you’ll need to manually enter 255.255.255.0.
• After confirming your entry, click “OK” and close the Properties window. You should now start seeing a reply from the Bandura Cyber ThreatBlockr in the command prompt window. 

Mac:

• Go to System Preferences and select Network.
• Find your network adaptor on the left and select Advanced.
• Go to TCP/IP Settings and configure as follows:
  • Configure IPv4: Manually
  • IPv4 Address: 192.168.1.2
  • Subnet Mask: 255.255.255.0
  • Router: (Enter your router address if required. Otherwise, leave blank)
• Click OK and open your terminal to determine if there is ping communication on the Bandura Cyber ThreatBlockr. 
  
  

2.2.2 Logging In

In the address bar of your browser, type https://192.168.1.1. 

If you receive a message stating “your connection is not secure”, you will need to add an exception. Go to advanced settings, or click on a link that will allow you to connect after accepting the warning (depending on your browser).

You should be directed to the Bandura Cyber ThreatBlockr login screen. The default credentials are:

• Username: admin
• Password: admin

 

2.2.3 Changing Your Password

Click on the profile icon in the top right corner and select Your Profile. Enter a new password and enter it again to confirm. Click Save to submit your changes. 

By default, a new Bandura Cyber ThreatBlockr requires passwords to be at least eight characters in length. New passwords must also contain at least three character groups, or classes of characters.

There are four character groups:

• Upper case characters: A-Z
• Lower case characters: a-b
• Numbers: 0-9
• Symbols, such as: !@#$%^_

According to the default security settings on the Bandura Cyber ThreatBlockr, these are valid passwords:

• Ar43P5df (eight characters and three groups)
• 3RTy_22e8 (nine characters and four groups)

These are not valid passwords:

• A4_e (only four characters)
• REVLPQWDSG (only one character group)

2.2.4 Changing Date & Time

It is important that your Bandura Cyber ThreatBlockr has the correct time. Navigate to Settings in the side menu bar, and select Date & Time. Select the correct Time Zone and adjust the Date/Time if needed. 

If you are using an NTP Server, you may configure clock synchronization on your ThreatBlockr by selecting “NTP Servers” and selecting the icon. Follow the prompts in the pop-up window to configure your NTP Server. 

2.2.5 Change Admin Interface Address

The Bandura Cyber ThreatBlockr’s administration port has the default IP address of 192.168.1.1. Unless this is within your private network, you will need to re-address it. Select Network -> Admin Interface in the side menu bar to change these settings.

Note: Admin Interface address changes will require you to navigate your browser to the new address once configured.

If you do not have a DHCP server, set the Type to “Static” and configure the Address, Maskbits, MTU (Maximum Transmission Unit), and the gateway address. Once you have confirmed your addresses are correct, click Save.

You will need to revert the network settings changes that were made earlier:

Windows:

• • • • • Go to your Network and Sharing Center and select the radio button next to Obtain an IP Address Automatically.
        • Click OK and you should be redirected to the login page of the Bandura Cyber ThreatBlockr.

Mac:

• • • • • Go to the network adapter screen we had open previously, and change the Configure IPv4 drop down box back to DHCP, or your prior settings.

If you receive a warning message that your connection is not secure, you will need to add an exception. To do so, go to advanced settings on your device, or click on the link provided, that will allow you to connect after accepting the warning (depending on your browser).

Once completed, you will then need to configure the DNS server address. To do this, navigate to the Network -> Admin Interface page, then select the DNS tab and follow the prompts to add the DNS servers information specific to your network.

The Bandura Cyber ThreatBlockr has several levels of security for the administration port. Located under the Network -> Access menu bar option, the HTTP Access and Ping Access tabs can be used to limit access to this port from only specific networks or addresses. 

By default, 0.0.0.0/0 (all IPs) are allowed in the “Ping Access” and “HTTP Access” tables. Add your network and any other networks to which you would like to provide Ping/HTTP access.

*Warning: Do not remove the 0.0.0.0/0 entry from either table until you have successfully added your network. You cannot ping or access the Bandura Cyber ThreatBlockr unless your IP address is added to these lists.

Back to Table of Contents

2.3 Console Mode

The Command Line Interface (CLI) Console and Recovery Console are low level interfaces to the Bandura Cyber ThreatBlockr, accessible only through the physical video, keyboard (USB), and serial ports on the Bandura Cyber ThreatBlockr. These console modes are used to reset certain functions of the Bandura Cyber ThreatBlockr, or to restore it to factory default settings.

To use the console modes, you can attach a standard monitor with VGA connector and keyboard with USB connector to the ports found on the front or back of the unit.

You can also use the RS-232 serial port, and connect a VT100 compatible text terminal or terminal emulator, using these serial settings:

• 38400 baud
• 8 data bits
• 1 stop bit
• No parity

The recovery console can be used to restore the Bandura Cyber ThreatBlockr to its factory default settings, or correct specific items, such as resetting the admin account password.

For more information about CLI and Recovery Console refer to section 4.1 and 4.2 of this manual.

* Note: Please be aware that attaching a networked virtual keyboard, video and mouse (KVM) device or a serial device server to your Bandura Cyber ThreatBlockr in order to remotely access console mode may result in a security risk.

Back to Table of Contents

2.4 Overview of Bandura Cyber ThreatBlockr Configuration

The Bandura Cyber ThreatBlockr supports 3 or 5 (depending on device) active ethernet network ports. Two of these ports bridge and filter traffic between your local network and the internet, and the third port is used to configure and monitor your Bandura Cyber ThreatBlockr’s operation (see port naming for conventions). The bridging and administration ports are configured separately. 

The Bandura Cyber ThreatBlockr has two broad categories of configuration which are largely unrelated to one another:

• Configuration that filters internet traffic between the bridging ports, via rules, policies, world maps, exception lists, etc.
• Configuration regarding administrative functions of the Bandura Cyber ThreatBlockr, including user accounts, the HTTPS server, SNMP, security certificates, etc.

Back to Table of Contents

2.5 Configuring the Bridge Filters

The Bandura Cyber ThreatBlockr comes with 2 or 4 bridge ports (depending on the device):

• The outside port connects to your internet connection or border gateway
• The inside port connects to your firewall or main interior router

Resource groups are created to control the flow of data through these bridge ports.

Resource Groups determine if a packet should be dropped or passed through the Bandura Cyber ThreatBlockr. A Resource Group filters internet traffic traveling in one direction:

• Inbound: filters traffic entering your network
• Outbound: filters traffic leaving your network

A resource group includes a list of Resources, which lists internet addresses within your network. These lists operate slightly different, depending on the direction of the resource group:

• Inbound: rules identify what services your local computers offer to the internet
• Outbound: rules identify what services your local computers can access on the internet

When you plan your Bandura Cyber ThreatBlockr configuration, first determine what services or protocols you want to allow, and which devices or systems will offer these services. You can also determine what services and protocols you want your local machines to access. You can create numerous resource groups corresponding to various classes of machines. 

Example: Your office computers may need only web and email access, and no outside computer should be able to access them for any reason. Your web and email services need to expose their services to the internet.

You can configure custom resource groups to cover all the above circumstances. When you explicitly allow only particular services, you close large numbers of network protocol backdoors that could otherwise be used by intruders.

There are two resource groups on the Bandura Cyber ThreatBlockr that cannot be deleted. The DEFAULT_INBOUND and DEFAULT_OUTBOUND are applied to any packet containing a local internet address that cannot be found in a custom resource group.

Back to Table of Contents

2.6 Configuring a Resource Group

Resource groups filter traffic flowing through the Bandura Cyber ThreatBlockr, with each particular resource group filtering either inbound or outbound traffic. Examine your local network, considering your security needs as well as the internet services you need to allow access.

* Note: A new Bandura Cyber ThreatBlockr allows all traffic to and from the internet. Any internet address within your network, unless blocked, will be allowed.

Resource groups contain the following parts:

• Direction: resource group either filters inbound or outbound
• Resources: list of local internet addresses and protocols/ports that belong to this resource group
• World Map: a clickable, graphic map of the countries of the world that allows you to select which countries to block or allow
• Risk Threshold: filtering IP addresses by threat categories (i.e. botnets, command and control, etc.) and risk scores (0-100)
• Denied Lists: blocked IP addresses and domains
• Allowed Lists: allowed IP addresses and domains

A new Bandura Cyber ThreatBlockr has two Resource Groups, which allow all network traffic to travel across the bridge ports.

Back to Table of Contents

2.7 Configuring Administration

The Bandura Cyber ThreatBlockr comes with a single administrative port that is used to configure and monitor your Bandura Cyber ThreatBlockr. This port is configured separately from the bridge ports. The administrative port is found on the back of the Bandura Cyber ThreatBlockr. The administrative port, unlike the bridge ports, needs an internet address. The default internet address is 192.168.1.1. This will likely need to be changed to fit into your specific network configuration. Refer to Network Admin Interface section of this manual for assistance in readdressing the administrative port.

 

YOU WILL IMMEDIATELY LOSE YOUR CONNECTION TO THE BANDURA CYBER ThreatBlockr WHEN YOU READDRESS THE ADMINISTRATIVE PORT

 

The Bandura Cyber ThreatBlockr has many layers of security, which may or may not be required for your environment. Review your security policy, infrastructure and capabilities, and consider the following security features of the Bandura Cyber ThreatBlockr:

• Create multiple administrator accounts
• Change the Bandura Cyber ThreatBlockr password policy
• Assign roles to each administrator
• Limit web access to the Bandura Cyber ThreatBlockr to specific internet addresses or networks
• Change the TCP port used for the HTTPS server
• Change the security certificate on the Bandura Cyber ThreatBlockr, and require that administrative computers also have security certificates
• Create static ARP entries

Also consider other things that can be configured:

• Network Time Protocol (NTP) to keep the date and time synchronized 
• Simple Network Management Protocol (SNMP) to send Bandura Cyber ThreatBlockr operational status to network management systems
• Syslog to stream log data to remote servers using a standard protocol
• Alarms/notifications delivered on your Bandura Cyber ThreatBlockr screen

There are also general operation and maintenance activities:

• Logout to end a login session
• Reboot to restart the Bandura Cyber ThreatBlockr (Bandura Cyber ThreatBlockr will be in bypass mode during this time)
• Shutdown to turn off the Bandura Cyber ThreatBlockr (Bandura Cyber ThreatBlockr will be in bypass mode while turned off)
• Console Mode to do low level configuration changes or factory reset the unit
• Active Sessions to show who is currently logged into the Bandura Cyber ThreatBlockr
• Import and Export configurations to save and backup the current configuration, or to upload an existing configuration
• Software update to load a new operational software into the Bandura Cyber ThreatBlockr
• Bypass Mode to turn off the packet filtering feature

 

3 Bandura Cyber ThreatBlockr Menu Reference

The Bandura Cyber ThreatBlockr is configured through a standard web browser. This section of the manual describes the various screens you use to administer the Bandura Cyber ThreatBlockr.

Back to Table of Contents

3.1 Dashboard

The dashboard gives you a quick, graphical look at two system summaries, Connection Summary and Threat Summary.

* Note: The Bandura Cyber ThreatBlockr platform Global Management Center (GMC) provides more robust analytics and graphical representation via its UI dashboard. For more information, refer to the Bandura Cyber GMC Manual. 

3.1.1 Intelligence

Threat Summary shows four charts, Countries, IP Addresses, Threat Categories, and ASNs. The center of the charts shows the total number of connections for each category, and the outer rings show how many of those connections were dropped or allowed. You can hover over the charts to see tooltips with the exact numbers they represent.

 

3.1.2 Connections 

Connection Summary shows two graphs, one for Total Allowed Connections and one for Total Denied Connections. The vertical axis is the number of connections while the horizontal axis is grouped into categories such as Country, Exception List, IP Reputation, and Allowed List or Denied list. Each grouping has a separate bar showing if the connections were inbound or outbound. You can hover over the bars to see tooltips with the exact numbers they represent.

 

You can also view traffic by Resource Group, both inbound and outbound from this screen.

3.1.3 Filters

Filters allow you to adjust what data is shown in all graphs across the dashboard:

• Time Frame Start
• Time Frame End

Time Frame Presets can be selected to quickly see the last Hour, Day, Week, Month, ALL, or Custom. If you want to view data from a specific period of time, you can use the Time Frame
“From” and “To” fields to define the date and time of the beginning and end of the data shown.

Back to Table of Contents

3.2 Resource Groups

* Note that Resource Groups can only be applied at the Device level, not the GMC level. 

Resource Groups are at the core of the Bandura Cyber ThreatBlockr packet filtering system. The Bandura Cyber ThreatBlockr examines Resource Groups to determine which internet packets to block and those it will allow. Resource Groups determine the internet services allowed on your network, and those services your local users can access outside the network.

One or more Resource rules comprise a Resource Group, and each Resource is identified as a device, asset, or subnet on your network. If the Bandura Cyber ThreatBlockr receives traffic for the resource you identified in the Resource rule, then it will allow traffic according to the associated Resource Group. Each Resource rule includes a protocol and port or range of ports, so that you may restrict which services that a resource will offer to the internet, or you can specify which outside services a particular resource can use. 

If a resource is found in a Resource rule, then the Bandura Cyber ThreatBlockr will allow communications based on that Resource Group’s restrictions. If a resource is not included in any Resource rule, it will follow the restrictions found in one of the DEFAULT Resource Groups.

There are two kinds of Resource Groups:

• Inbound Resource Groups determine the kind of internet traffic allowed into your network. Each inbound rule shows a particular computer and service that will be visible to the internet.
• Outbound Resource Groups determine how your local computers can access the internet. Each outbound rule shows which particular outside internet service a computer can access. 

A Bandura Cyber ThreatBlockr is configured with two default Resource Groups, DEFAULT_INBOUND and DEFAULT_OUTBOUND, which allow all traffic to and from the internet. You may edit these groups' policies, but they cannot be deleted. You may create your own comprehensive Resource Groups to implement your security policy, and any computer not found in one of your custom Resource Groups will be processed by one of the DEFAULT groups.

 

3.2.1 Creating a Resource Group

Click the to Add Resource Group, then add a name, policy rule, direction, and drop action. The Create Resource Group configuration window appears: 

Once configured, the new Resource Group (Name) will appear in the Resource Group window. 

 

3.2.2 Resource Group Actions

There are various actions used to configure Resource Groups:

 

	Edit	Rename the Resource Group, change its description, and assign a Policy
	Resources	Add a specific network, protocol, and port range to the Resource Group
	Country Policies	Select countries to allow or deny from a world map
	Risk Thresholds	Activate threat categories and set risk thresholds (1-100) to allow or deny based on Threat Lists
	Denied Lists	Determine policy denied lists
	Allowed Lists	Determine policy allowed lists
	Delete	Delete a Resource Group along with all of its associated Resources, Country Policies, Risk Thresholds, Exception Lists, Country Policies, and Alerts

 

3.2.2.1 Edit

You can rename a Resource Group, determine a drop action preference, or assign it to a GMC Policy by clicking on the Edit icon shown in the actions list.

 

3.2.2.2 Resources

You can add resources to a Resource Group by clicking the Resources icon shown in the actions list.

Once on the Resources page, select the button at the top right corner. You will receive the Create Resource window. 

 

Resources are a list of your local internet addresses and place restrictions on your local network. An address found in a Resource gets processed based on its associated Resource Group, but if an address is not found in any Resource Group, then it will be processed according to one of the DEFAULT Resource Groups. 

• Inbound Resource Group: The Resource list limits the available local ports accessible from the internet.
• Outbound Resource Groups: The Resources list limits the type of remote services that can be reached by your local computers.

* Note: Service Groups are linked to Resource Groups. See section 3.3 of this manual. 

 

3.2.2.3 Country Policies

You can edit the world map associated with a policy by clicking the Country Policies   icon shown in the actions list.

The world map lets you allow or deny internet traffic to various countries of the world.

 

Click on a country to select it, or use the list of countries to search. The countries displayed in green are allowed, and red shows those that are blocked. 

 

3.2.2.4 Risk Thresholds

You can edit the Risk Thresholds associated with a policy by clicking the Risk Threshold icon shown in the actions list.

Each category has an associated risk threshold slider which has a range of 1 to 100. Each IP in the threat intelligence also has an associated score that can range from 1 to 100, with a higher score representing a higher chance of it being malicious. Moving the sliders allows you to control how strong of a policy you want to apply. A slider set at 90, the default, will block IPs in that category with a score of 90 or higher. Moving the slider to the left, and decreasing the threshold, will strengthen your policy by blocking more IPs with lower scores.

 

3.2.2.5 Denied Lists::Policies

 

You can select preconfigured Policy Denied Lists associated with a Resource group by clicking the Denied Lists icon shown in the action list. 

Once created, Policies are linked to the Resource Group on the ThreatBlockr level. From this screen, you can select the available policy denied lists to associate with the chosen Resource Group. 

 

3.2.2.6 Allowed Lists::Policies

 

You can select preconfigured Policy Allowed Lists associated with a Resource group by clicking the Allowed Lists icon shown in the action list. 

Once created, Policies are linked to the Resource Group on the ThreatBlockr level. From this screen, you can select the available policy allowed lists to associate with the chosen Resource Group. 

 

3.2.2.7 Delete

You can delete a Resource Group by clicking the Delete   icon shown in the actions list.

Deleting a Resource Group will delete all of its associated Resources, Country Policies, Risk Thresholds, Exception Lists, Country Policies, and Alerts.

Back to Table of Contents

3.3 Service Groups

* Note that Service Groups can only be applied at the Device level, not the GMC level. 

Service Groups define Protocols and Ports for services, and they can be used across multiple Resource Groups for allowing or blocking defined services. 

Click on Add Service Group to create a new Service Group. Enter a name and description, then click on the Resources icon to view any defined protocols and ports. Click on Add Service to assign protocols and ports to the Service Group.

Service Groups have no influence on your internet traffic until you include them in a Resource Group.

Back to Table of Contents

3.4 Threat Lists, Denied Lists, Allowed Lists

Threat Lists, Denied Lists, and Allowed Lists are all managed via GMC. To enable, disable, or configure any of these lists, please navigate to your GMC account. You do have the ability to search these lists on the macro or micro level from the ThreatBlockr by choosing the Search  or icons, respectively. 

Back to Table of Contents

3.5 REACT 

REACT is a part of our open API that can be set up to ingest requested denied list and allowed list entries automatically from third-party systems like Threat Intelligence Platforms, SIEMs, SOAR, and other systems. These entries typically have an expiration time on them.  Through the GMC UI the user can also create these entries manually from the Manage Entries screen.  From here you can view both active and expired entries.

 

REACT Denied List

 

REACT Allowed List

 

3.5.1 Manually Create REACT Denied List/Allowed List Item

To manually create a REACT Denied List or Allowed List item, click the Create button to open a new window

Complete the fields and select the create button. Your new REACT Allowed/Denied List will appear on the respective REACT list. 

Back to Table of Contents

3.6 Logging 

The Bandura Cyber ThreatBlockr keeps logs for incoming and outgoing traffic as well as Syslog events. From these menu options you can browse the various logs by designation (Packet, Domain, System, Audit). Additionally, you can set up an external Syslog server to send log file data from the ThreatBlockr to an external storage device. 

3.6.1 Logging: Internal Logs

Internal Logs shows traffic being filtered by the Bandura Cyber ThreatBlockr. The Internal Log will provide log information based on:

 

3.6.1.1 Internal Logs: Packet

Internal Log packet information by:

• Date and Time
• Country
• ASN
• Source IP
• Destination IP
• Direction 
• Action
• Risk Category
• Reason for being allowed or denied
• Resource Group that allowed or denied the connection

Use the Search button to filter your results for a more precise search or export of the logs via CSV or PDF.

If you would like to inspect your IP Address 

 

3.6.1.2 Internal Logs: Domain 

 

The Domain Logs screen shows information on any DNS requests that are then denied or allowed according to policy configurations.

Use the Search button to filter your results for a more precise search or export of the logs via CSV or PDF.

 

3.6.1.3 Internal Logs: System

 

System Logs allow you to display internal operating messages of the Bandura Cyber ThreatBlockr, and administer command history. 

Use the Search button to filter your results for a more precise search or export of the logs via CSV or PDF.

 

3.6.1.4 Internal Logs: Audit

 

Audit Logs display time, module and username for any internal administrative and system actions within the Bandura Cyber ThreatBlockr 

Use the Search button to filter your results for a more precise search or export of the logs via CSV or PDF.

 

3.6.2 Logging: External Syslog

Syslog is a standard method for sending log events to external systems like Syslog Servers, SIEM’s, etc., in real time. You can send the Bandura Cyber ThreatBlockr’s operational log messages to one or more configured devices that can then analyze and archive this data.

From the main screen, users can edit or delete their configured Syslog Server information. To add a new Syslog server, select the Add Syslog Entry  button on the top right of the window. 

 

The destination should be configured for syslog and we suggest listening on standard UDP port 514. Currently, all syslog traffic is sent out from the device via UDP.

The Bandura Cyber ThreatBlockr will then be configured to send log files to the defined external syslog server. 

Back to Table of Contents

3.7 Network

3.7.1 Admin Interface 

MISCONFIGURATION WILL RENDER THE WEB INTERFACE INACCESSIBLE 

 

Admin Interface is used to assign an internet address to the Bandura Cyber ThreatBlockr administration port, allowing remote administration of the Bandura Cyber ThreatBlockr Security Appliance. The Bandura Cyber ThreatBlockr accepts both Internet Protocol versions 4 and 6 addresses.

Please consider the following when changing the Bandura Cyber ThreatBlockr's network address:  

• Properly identify the Administrative​ ​Ethernet​ ​Network​ ​Port​ on the Bandura Cyber ThreatBlockr, as illustrated in the Physical​ ​Features​ diagrams.
• By default, a new Bandura Cyber ThreatBlockr will allow all network​ ​traffic​ to and from the Internet.
• A new Bandura Cyber ThreatBlockr has an Internet address of 192.168.1.1​ and your management computer must be configured for this network.
• After entering your new address information, you will be disconnected​ ​from the graphical administrator interface. 

If the Bandura Cyber ThreatBlockr is misconfigured and inaccessible, you can restore your Bandura Cyber ThreatBlockr via Maintenance Mode.

 

3.7.1.1 Admin Interface: Routes 

The Routes page will let you create and modify the default gateway and add additional routes if required by your network.

3.7.1.2 Admin Interface: DNS

To configure your own DNS server, enter the address to your preferred DNS here. We allow for multiple DNS servers to be set up as primary and backup in case your preferred server is down or unreachable.

3.7.1.3 Admin Interface: ARP Table 

The Address​ ​Resolution​ ​Protocol​ (ARP​) of IPv4, and the Neighbor Discovery​ ​Protocol​ (NDP​) of IPv6, are used to determine the Media​ ​Access​ ​Control​ (MAC​) addresses of nodes on the same network segment as the Bandura Cyber ThreatBlockr. The Bandura Cyber ThreatBlockr may know the internet address of a node, but still cannot communicate with that node until it obtains the MAC address of its network card.

The Bandura Cyber ThreatBlockr automatically updates this table whenever it discovers nodes on its network segment: these are dynamic​ ​addresses in this table. Entries you manually add to this table are static, and you can edit or delete them. You cannot edit a dynamic address, and if you delete a dynamic address, it will reappear if it is still active on your local network segment.

You can add an entry to this table by clicking on Add Arp Entry. Enter either an IPv4 or IPv6 address and its corresponding hardware MAC address.

 

3.7.2 Bridging Interface 

The Bridging​ ​Interface​ screen shows you the bandwidth or maximum rate of data transfer between the two bridge Ethernet ports. 

3.7.2.1 Bridging Interface: Bypass Mode

All Bandura Cyber ThreatBlockrs have hardware that supports bypass mode. This view will allow a user to view: 

1. Bypass Mode-What mode the device is currently in
2. Startup Mode- What mode the device will be in upon Startup
3. Power-Off Mode- What mode the device will go into upon getting a shutdown command.

3.7.3 Access

3.7.3.1 HTTPS Access Settings

You can add internal networks that are allowed access to the admin interface of the Bandura Cyber ThreatBlockr.

 

 

3.7.3.2 Ping Access Settings

The ping​ ​utility indicates if a particular internet address is accessible via the internet. This ping functionality can be abused by intruders, who may scan every internet address in a network, seeking out active targets. Ping​ ​Access​ ​Settings​ lets you to block these intelligence-gathering scans. 

 

The Ping Access Settings menu lets you add a list of trusted management networks. The Bandura Cyber ThreatBlockr will accept ping requests from these networks, and deny them from all others. 

By default, the Bandura Cyber ThreatBlockr will allow ping access from all IPv4 networks, as is indicated by the 0.0.0.0/0 address. After you allow access to your own local management networks, you can remove this "allow all" access by deleting it.

 

3.7.3.3 SNMP Access Settings

The SNMP Access Settings menu lets you add a list of trusted management networks. The Bandura Cyber ThreatBlockr will accept SNMP requests from these networks, and deny them from all others. 

 

3.7.3.4 SSH Access Settings

 

Back to Table of Contents

3.8 Settings 

3.8.1 Settings: General 

The General screen allows configuration of the following; Hostname, Log-in attempts, Password preferences, Session timeouts

 

3.8.2 Settings: Date & Time

 

The Network Time Protocol is a standard system for synchronizing the built-in clocks of network connected devices, to a very high degree of precision. Connecting your Bandura Cyber ThreatBlockr to the NTP network will ensure that the timestamps on its log files are accurate and coordinated with the computers in your organization.

The Bandura Cyber ThreatBlockr supports NTP version 3. Enter the IPv4 or IPv6 Internet address of your organization's NTP server, or if one isn't available, select a public server. Lists of time servers can be found at The NTP Public Services Project: http://support.ntp.org. NTPv3 has optional authentication. If required, click "Use Preshared Key" and enter the key information used by your selected time server. 

For more accurate time synchronization, and as a guard against network outages, configure more than one timeserver.

Configuring the Time Zone and Date/Time settings can be done either manually or using an NTP server. Note that manually set times will be overwritten by the NTP Server settings.

 

To configure a new NTP Server, choose the NTP menu file tab, and click the Add NTP Server button and complete the fields. 

 

 

3.8.3 HTTP

The Bandura Cyber ThreatBlockr is normally managed through a standard browser. This feature allows you to manage the Bandura Cyber ThreatBlockr from almost anywhere on the internet without needing any special device other than a computer, and no additional software besides a standard web browser.

The Bandura Cyber ThreatBlockr implements Hypertext Transfer Protocol Secure (HTTPS), an internet standard protocol for securely transmitting web pages. HTTPS encrypts communications between the web server and client, and can authoritatively identify both ends of the communication channel.

According to internet standards, the HTTPS server normally listens on TCP​ ​port​ ​443​. If you change this, you will need to include the new port when you connect to the Bandura Cyber ThreatBlockr; for example, if you change the port to 4567, you would need to access the Bandura Cyber ThreatBlockr this way: https://192.168.1.1:4567

 

HTTP and HTTPS ports can be configured under the General Settings tab. These settings will limit administrative access to the Bandura Cyber ThreatBlockr from specified ports. 

3.8.3.1 HTTP: Encryption and Certificates

Users can create and manage Public Key Certificates for secure communications on the Bandura Cyber ThreatBlockr.

 

* NOTE! Settings become active when you click the Submit button.

If you select Require​ ​Client​ ​Certificates​, then the HTTPS server will refuse all connections with unauthorized web browsers. Do not set Require Client Certificates until you have completed the steps found in the Certificates section of this manual.

Note that allowing a certificate to expire may result in blocked access to the Bandura Cyber ThreatBlockr. Before the existing certificate expires, either create a new self-signed certificate, or request one that is authoritatively-signed by a Certificate Authority. Your organization may have its own Certificate Authority, or you can purchase one from a commercial organization.

Your Bandura Cyber ThreatBlockr comes with strong​ ​data​ ​encryption​, securing the communications between your Bandura Cyber ThreatBlockr and web browser. This feature prevents wiretappers and eavesdroppers from deciphering your Bandura Cyber ThreatBlockr communications, and may be particularly useful when you access the Bandura Cyber ThreatBlockr from a public network. This security is part of the default Bandura Cyber ThreatBlockr configuration, and is automatically enabled. You can be confident that your connection is secure when you see "https://​" in the address bar while accessing the Bandura Cyber ThreatBlockr.

The https​ ​web browser function uses a secure internet protocol along with an encryption certificate installed on the Bandura Cyber ThreatBlockr. Transport​ ​Layer​ ​Security​ (TLS​) and Secure​ ​Socket​ ​Layer (SSL​) are internet standard protocols that encrypt communications within applications such as web browsers or electronic mail. TLS and SSL get their encryption parameters from an SSL Certificate​ which comes pre-installed on the Bandura Cyber ThreatBlockr. Since TLS and SSL are application-level protocols, they will only encrypt your web browser communications. 

SSL Certificates are a type of Public​ ​Key​ ​Certificate​, or electronic document based on the X.509​ ​standard​. X.509 is a framework for establishing a public key infrastructure, which specifies formats for Public​ ​Key​ ​Certificates​, and specifies methods for authenticating these certificates via trusted Certificate​ ​Authorities​. A certificate contains a public key used by other computers to encrypt data. The certificate holder also has a private key, which alone can decrypt the data, guaranteeing data privacy between the machines. A certificate may be authoritatively​ ​signed​: a trusted firm or organization can apply a digital signature to a certificate, giving you confidence that the computer with that certificate is what it claims to be.

A new Bandura Cyber ThreatBlockr has a single self-signed​ ​certificate​ used to encrypt communications between the Bandura Cyber ThreatBlockr and your web browser, but this does not provide authentication. You can install an authoritatively signed certificate in your Bandura Cyber ThreatBlockr, and you can install public key certificates in your web browsers, authenticating the administrative computers.

By default, the Bandura Cyber ThreatBlockr will communicate with any computer, since the Bandura Cyber ThreatBlockr does not require them to have public key certificates. In this case, security is based on administrator account passwords and optional network restrictions. This basic security may be adequate for many users, and be aware that enhancing this security requires considerable effort, coordination, follow-up activity, and possibly expense.

Your Bandura Cyber ThreatBlockr administration account must be assigned the Crypto Admin Role to make any changes in this section.

You can perform the following tasks from the HTTP: Certificates tab:

• Server Certificate

• Generate​ ​New​ ​Self-Signed​ Certificate​: Replace the Bandura Cyber ThreatBlockr's existing Public Key Certificate.
  
  Your Bandura Cyber ThreatBlockr comes with a self-signed Public Key Certificate, which is used for secure internet communications between your web browser and Bandura Cyber ThreatBlockr. Like many similar security certificates, the one that comes with your Bandura Cyber ThreatBlockr has an expiration date, which you can see if you view​ the existing​ ​certificate​ on the HTTP Settings menu screen.
  
  Do​ ​not​ ​let​ ​the​ ​certificate​ ​expire,​ ​otherwise​ ​you​ ​may​ ​not​ ​be​ ​able​ ​to​ ​access​ ​the​ ​Bandura Cyber ThreatBlockr, and​ ​you​ ​will​ ​have​ ​to​ ​reset​ ​it​ ​using​ ​Maintenance​ ​Mode​. Before the existing certificate expires, either create a new self-signed certificate, or request one that is authoritatively-signed by a Certificate Authority. Your organization may have its own Certificate Authority, or you can purchase one from a commercial organization. Please note that an authoritatively-signed certificate may take some time to process. For many uses, a self-signed certificate may provide sufficient security. Click on Generate Server Certificate button to create a new self signed certificate.
  
  
  
  Since this function creates a new Public Key Certificate, when you click Submit, your secure web browser session will immediately halt. Follow these steps to restore connectivity by your web browser: 

• • • • • • Delete the existing certificate on your web browser. 
          • Add this certificate as an exception on your web browser.
          • Do this for all other web browsers on all other administrator computers.

• • View​ ​Existing​ ​Certificate​: Select the View Server Certificate button to view your current Public Key Certificate. Here is a sample certificate, similar to what is found on a new Bandura Cyber ThreatBlockr:
    
    
    
    You can either create a new self-signed​ ​certificate​, or you can obtain an authoritatively-signed certificate​ from a Certificate Authority (CA).
    
    
• Certificate Signing Request
  
  • Generate​ ​CSR​: A Certificate Signing Request is used to initiate the request and receipt of an authoritatively signed Public Key Certificate from a Certificate Authority.
    
    To initiate an authoritatively-signed certificate, you must first generate a Certificate​ ​Signing Request​. From the HTTP: Certificates window, select the Generate​ ​CSR button. The Create HTTP Certificate Signing Request window appears.
    
    
    
    Fill out the following fields:
    
    

    Generate New Private Key	Select this option if you do not want to reuse your private key.
    Country	Two letter country name abbreviation. Use SSL Country Codes, listed here: http://www.digicert. com/ssl-certificate-country-codes.htm
    State	Spell out the full name of your state or province.
    Locality	Spell out the full name of your city, town, or locality
    Organization	Do not use abbreviations. This may contain upper and lower case characters, spaces, or numbers, but no symbols that need a shift key to type, such as shift-1, the exclamation point.
    Organizational Unit	Your particular department. If you are generating a certificate as an individual, put your fictitious or Doing Business As (DBA) name here.
    Common Name	Typically the fully qualified domain name (FQDN) of the Bandura Cyber ThreatBlockr, such as: Bandura Cyber ThreatBlockr.example.com. If your Common Name has no periods, then this will generate a certificate for an intranet device. This must exactly match the domain name that your web browser will use to access the Bandura Cyber ThreatBlockr.

    
    
    Once you have completed the fields, select the Create button to complete this function.
    
    Click on View Existing CSR and copy everything in the subject area between and including these line:
    
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----
    
    Send the copied text to a Certificate Authority (CA) for signing, and request an SSL Certificate. Your organization may have its own Certificate Authority, or you may use one of the companies found on these lists:
    • Certificate Authorities trusted by Microsoft Internet Explorer: http://support.microsoft. com/kb/931125
    • CAs trusted by Mozilla Firefox: http://www.mozilla.org/projects/security/certs/included/

A list of trusted CAs will be found pre-installed in your web browser:

• • In Firefox, select the menu items: Tools->Options->Advanced->View Certificates->Authorities
  • For Internet Explorer: Tools->Internet Options->Content->Certificates->Trusted Root Certificate Authorities

The process needed, amount of time, or cost involved in obtaining a signed certificate may be highly variable. Eventually you will get back a digital signature from the Certificate Authority, and you paste that information in the Base64​ ​Encoded​ ​Certificate​ area on this form. Click the Submit signed certificate button to load your new authoritatively signed public key certificate into your Bandura Cyber ThreatBlockr. If your CA is already trusted by your brand of web browser - as seen in the lists above - then first time connections will no longer generate a Secure​ ​Connection​ ​Failed error message.

If you change your mind about obtaining an authoritatively signed public key certificate, or if you need to make changes to your request, you can click the Delete​ ​Existing​ ​CSR​ ​button. This deletes the Certificate Signing Request and removes the extra buttons from the HTTP Settings screen.

• View Current CSR: You can view the pending HTTP certificate signing request by selecting the View Certificate Signing Request  button.
  
  

 

Secure internet communications between your web browser and Bandura Cyber ThreatBlockr is enabled via the use of Public Key Certificates. Although the Bandura Cyber ThreatBlockr comes with a self-signed public key certificate, you may want to replace this with an authoritatively signed certificate. Signed security certificates enable authentication between trusted systems. 

The Certificate that is preconfigured on the Bandura Cyber ThreatBlockr has a predefined expiration date, which can be identified by selecting this function. 

• Remove Current CSR: Select the Remove Certificate Signing Request button to delete the pending HTTP certificate signing request.
• Import/Export Certificate
  
  Public Key Certificates are used for secure communications between your web browser and your Bandura Cyber ThreatBlockr. You can load a public key certificate file into your Bandura Cyber ThreatBlockr, or you can save the contents of the Bandura Cyber ThreatBlockr's public key certificate through the Import​ ​Certificate​ ​and​ ​Export Certificate​ buttons.
  
  You can generate a Public Key Certificate on the Bandura Cyber ThreatBlockr itself, as found in the Generate​ ​New Self-Signed​ ​Certificate​ ​or​ ​Generate​ ​CSR​ screens. You can also create a new certificate for the Bandura Cyber ThreatBlockr on another computer. If that software can generate a PKCS#12 format key file, you can upload it to the Bandura Cyber ThreatBlockr using the Import Certificate function.
  
  When importing a certificate, click the Browse​ ​button to find the Key Certificate file on your local computer, and enter the file's password. Click Import to load the keys into your Bandura Cyber ThreatBlockr. You need the Crypto​ ​Admin Role to Import a certificate.
  
  You may want to save​ ​your Bandura Cyber ThreatBlockr's public and private keys for safekeeping. This may be useful in the future if you have to restore your Bandura Cyber ThreatBlockr to its factory default settings.
  
  When exporting a certificate, enter a password for the key certificate file, and re-enter the password. Click Export​ ​to save the key certificate to your local computer. You must remember this password, otherwise the key certificate file will be unreadable. This will save a PKCS#12 format key file on your local computer, with the file name Bandura Cyber Threat Intelligence Firewall-certs.p12​.
• Import​ ​Certificate​: Install a public key certificate in your Bandura Cyber ThreatBlockr. Use this if you created the Bandura Cyber ThreatBlockr's Certificate on another computer.
• Export​ ​Certificate​: Save a copy of the Bandura Cyber ThreatBlockr's public key certificate on your computer.

 

3.8.4 SNMP

The Bandura Cyber ThreatBlockr Security Appliance supports the internet standard Simple​ ​Network Management​ ​Protocol​ (SNMP​). You can remotely monitor the Bandura Cyber ThreatBlockr by a network management system, such as IBM Tivoli Network Manager, CiscoWorks LAN Management Solution, and HP Network Node Manager. 

 

 

The Bandura Cyber ThreatBlockr simultaneously supports two versions of SNMP: the simple Community-based SNMPv2c, and the more complex SNMPv3, which includes the security features of device authentication, packet integrity, and data confidentiality. On this menu you can specify trusted IPv4 and IPv6 internet addresses, from which the Bandura Cyber ThreatBlockr will accept data requests, as well as designate Internet addresses where the Bandura Cyber ThreatBlockr will send asynchronous SNMP traps.

 

The data that SNMP can retrieve is described by the Management​ ​Information​ ​Base​ (MIB​) for the Bandura Cyber ThreatBlockr. Following are the MIB files supplied with the Bandura Cyber ThreatBlockr: 

• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB.mib 
• TECHGUARD-PRODUCTS-MIB.mib 
• TECHGUARD-REG-MIB.mib 

Particular items of interest in the MIBs include: 

• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::Bandura Cyber Threat Intelligence FirewallCountryTable 
• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::Bandura Cyber Threat Intelligence FirewallRuleGroupTable  
• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::Bandura Cyber Threat Intelligence FirewallThrottleTable  
• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::ruleGroupStatTable  
• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::throttleStatTable  
• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::Bandura Cyber Threat Intelligence FirewallBypass 

The Bandura Cyber Threat Intelligence Firewall can asynchronously send these traps:  

• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::Bandura Cyber Threat Intelligence FirewallAlert 
• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::Bandura Cyber Threat Intelligence FirewallThrottleActivated 
• TECHGUARD-Bandura Cyber Threat Intelligence Firewall-MIB::bypassChange

 

3.8.5 SMTP

 

SMTP messages are sent when an Alarm is raised (e.g. an update fails or an account gets locked out). You can set the following parameters in SMTP:

• Enable​ ​SMTP​ ​Alerts
• SMTP​ ​Host​: The hostname or IP address of the mail server 
• SMTP​ ​Port​: The port of the mail server, typically 25 or 587 for SMTP, or 465 for SMTPS
• Type​: Whether to use SMTP or SMTPS (SMTP over SSL). 
• Username​: Username if the server requires authentication 
• Password​: Password if the server requires authentication
• From:​ ​Address​: Password if the server requires authentication
• To:​ ​Address​: The email address alerts will be sent to After you fill out the information click the Submit button to save.

Test if your SMTP is working by clicking on Send Test Message.

 

3.8.6 Banner 

The Banner Text is displayed prior to logging into the Bandura Cyber ThreatBlockr. This banner can display a security policy, conditions of use, or a liability or disclaimer text. This warning message includes a checkbox for the user to agree with the Banner Text. If the user does not agree the “Banner Refused” Text is displayed and the user is denied access.

 

 

Above- Example message for “Banner Refused” test for a user that has not agreed to the terms of service.

 

 

Above- Example of Banner text input when inspected.

Back to Table of Contents

3.9 System 

3.9.1 Information

This menu item identifies your particular Bandura Cyber ThreatBlockr device.

 

 

3.9.1.1 License Information

This menu option allows you to view all license information of the Bandura Cyber ThreatBlockr.

 

 

3.9.1.2 Hardware Information

This window identifies the device model and number of CPU cores available

 

 

3.9.1.3 Support Information

This window displays the serial numbers to identify the software engine serial numbers in the event of a support ticket. 

 

 

3.9.1.4 Keys

This window displays the public keys for the device.

 

 

3.9.2 Active Sessions

 

Active Sessions show the users currently logged into the Bandura Cyber ThreatBlockr, their internet address and time of login. You can view an audit trail of administrative activities.

You can view the recent activity of a user by clicking on View Commands shown in the actions list.

This will show an audit log report of commands issued by the Bandura Cyber ThreatBlockr user. For more information about audit logs, refer to 3.6.1.4.

 

3.9.3 Users

The Bandura Cyber ThreatBlockr is protected by usernames and passwords. Only users with registered accounts may modify the configuration and operations of the device.  

The Bandura Cyber ThreatBlockr is shipped with a default administrative account with the following credentials:

User ID: admin 
Password: admin 
Roles: all 
Access restrictions: none

 

Bandura Cyber Recommends: 

• Change the default admin username and password before deploying the Bandura Cyber ThreatBlockr into the network.
• Create a unique User ID for every administrator of the Bandura Cyber ThreatBlockr. Each administrator should create an individual, unique password. Good username and password hygiene provides for a better audit trail, encourages individual accountability, and decreases the risk of fraud and misunderstanding. 
• Disable accounts that are no longer in use. This allows easy access to historical session logs that would otherwise be lost if the account is deleted. 

Here are the available actions for user accounts:

	Show User Sessions	Show login times and an audit trails of actions
	Edit User Account	Change account password, roles, and access restrictions
	Delete User Account	Permanently delete a user's account. An account cannot be deleted until it is disabled first

 

3.9.3.1 Creating a New User

Generally, a new user should be created for each person who will administer the Bandura Cyber ThreatBlockr. Every person with administrator access should have their own username and password. Each user account should be assigned to one and only one person. No accounts should be shared. Each person should immediately change their password when getting a new account.

Since the Bandura Cyber ThreatBlockr keeps extensive and precise records of all its activity, including the actions of administrative users, these personal user accounts add a level of security and accountability, and help prevent misunderstanding and fraud.

Here are the rules for all usernames:

• Must start with a letter
• Upper and lower case letters are acceptable
• May include numbers
• May include hyphen and underscore characters: “-” or “_”
• Must be between 2 and 32 characters long
• May include spaces but cannot end in a space

Passwords are restricted according to the settings found in the Bandura Cyber ThreatBlockr Configuration General Settings. If​ ​you​ ​are​ ​unfamiliar​ ​with​ ​the​ ​Bandura Cyber ThreatBlockr's​ ​password​ ​policy,​ ​you​ ​may​ ​want​ ​to​ ​review the​ ​settings​ ​before​ ​creating​ ​a​ ​new​ ​password.

 

 

Assign Roles defines the specific tasks that can be performed by the new user account. By default, every user has Read Only Access.

Roles:

• Security Admin: Can do everything except Crypto Admin and Audit Admin actions.
• Audit Admin: Can purge audit log records.
• Crypto Admin: Can change the HTTPS security certificate configuration and configure IPsec connections.
• Read Only: Can view logs and configurations

 

3.9.3.2 Edit User

You can edit the characteristics of a Bandura Cyber ThreatBlockr administrator by clicking the Edit User icon shown in the actions list. You can change the account password, assign roles, enable or disable the account, or generate a one time password.

 

 

You can disable an administrators account from the Edit User screen. If a Bandura Cyber ThreatBlockr administrator leaves your organization or is reassigned, you should disable their account by deselecting the “Active” checkbox.

 

3.9.3.3 Delete User

You can delete a Bandura Cyber ThreatBlockr administrator by clicking the Delete icon shown in the actions list.

A user account must be disabled before it can be deleted. When an account is disabled, even if the correct password is entered, the user will not be able to login. 

If you set the Minimum Disabled Duration parameter to a number greater than zero (found in General Settings), then you cannot delete an account until it has been disabled for that amount of time. 

If you keep an account in a disabled state, you will retain easy access to audit information for that account.

 

3.9.4 Software

The System -> Software menu screen will identify the current OS build that is configured on the Bandura Cyber ThreatBlockr. Bandura Cyber periodically releases software updates for the Bandura Cyber ThreatBlockr. Updates typically add features, upgrade the device to the latest networking standards, or correct known issues. We recommend that you keep your Bandura Cyber ThreatBlockr Security Appliance updated with the latest software. You can log into the Bandura Cyber Global Management Center (GMC) to the latest available software build and view release notes.

 

If your ThreatBlockr is currently running Software Build 59 or later, you can take advantage of the Software Update feature within the GMC. This will allow you to perform or schedule a software update from GMC. If your ThreatBlockr is currently running Software Build 58 or earlier, you will need to log in to the GMC to download the latest software package and perform the steps below to update.

 

 

Once you have downloaded the latest software from the GMC, click on Browse to select the software package file and press “Upload.” Once the “Upload” has completed, click on Install to install the new software package.

The Bandura Cyber ThreatBlockr will automatically reboot after successful software installation. While the Firewall is rebooting, the device will enter the bypass state specified in “power off” mode. 

 

3.9.5 Import/Export

Bandura Cyber recommends device configurations be saved into a secure location in the event a configuration recovery is needed. 

Device configurations can be imported and exported “into” and “from” the Bandura Cyber ThreatBlockr device. This feature allows for a fail-safe measure in the event a device needs to be returned to a previous configuration, or for precautionary reasons.

 

3.9.5.1 Importing a Configuration

The Import function allows for Bandura Cyber ThreatBlockr configurations to be imported to the device.

 

To upload a configuration, click the Browse button, and the standard operating system File Open dialog box will appear. Select a previously-saved Bandura Cyber ThreatBlockr configuration file. Click the Import button, and after the file loads, the Bandura Cyber ThreatBlockr will automatically reboot. The new configuration will be active after the Bandura Cyber ThreatBlockr restarts.

Before importing a configuration file, please consider:

• Importing a configuration will reset the passwords to their values at the time of the configuration file export.
• After an import, the Bandura Cyber ThreatBlockr will use the network settings defined at the last time of configuration.

 

3.9.5.2 Exporting System Configuration

To Export a Bandura Cyber ThreatBlockr configuration to a secure location, click the Export Tab from the System -> Import/Export menu option. 

 

When you select Export System Configuration, what happens next depends on your web browser:

• Microsoft Internet Explorer: “Do you want to save this file, or find a program online to open it?” Select the Save button, then select a destination for the configuration file
• Mozilla Firefox: “You have chosen to open Bandura Cyber Threat Intelligence Firewall-configuration-bin… What should Firefox do with this file?” Select the Save File radio button and select OK. Firefox will save the file to your desktop, or to the folder you designated as your download destination. 
• Google Chrome: Download the file and show the progress at the bottom of the browser.

 

3.9.6 Reboot

When selected, the Reboot function performs a complete shutdown and reboot of the Bandura Cyber ThreatBlockr. A Bandura Cyber ThreatBlockr reboot happens immediately upon choosing this function and will take approximately two minutes.

 

* NOTE: While the Firewall is rebooting, the device will enter the bypass state specified in “power off” mode. 

 

3.9.7 Shutdown

When selected the Shutdown function will power down the Bandura Cyber ThreatBlockr. 

 

Bandura Cyber recommends utilizing the Shutdown menu feature to power down the Bandura Cyber ThreatBlockr vs. using the power button located on the front of the device, as the menu feature will power the device down in a controlled manner. 

 

THE Bandura Cyber ThreatBlockr WILL BE IN BYPASS MODE WHILE TURNED OFF AND WILL NOT FILTER PACKETS

 

To power the device back on, physically press the power button on the front of the Bandura Cyber ThreatBlockr. If you do not have physical access to the Bandura Cyber ThreatBlockr, please consider rebooting instead of shutting down the device.

Back to Table of Contents

3.10 Action Buttons

The action buttons are located on the top right corner of the main Bandura Cyber Firewall screen and provide additional functionality and configurable user profile information. 

 

 

3.10.1 Search

 

The Search button   allows users to identify policy behavior based on IP address and associated packet attributes such as; ASN, Geo-location, Threat Categories, and/or whether the IP address is on an Allowed or Denied List.

3.10.2 Help 

The Help button provides a direct link to the Bandura Cyber Support Center. From here, users can find helpful information, device manuals, community resources, and submit a request to the support team.

 

3.10.3 Alerts

The Alerts button will display with system alerts. When this icon is highlighted, users can see the system alerts displayed by clicking on the button. 

 

3.10.4 User Information

Selecting the User button  will open the User Menu. From this menu users will see the username that is currently logged into the device, listed. This menu offers additional options as listed below.

 

3.10.4.1 Profile

From the Your Profile menu option, users can configure their email contact information, timezone, and change their password. Note that once a password has changed, users will be required to log back into the device.  

 

 

3.10.4.2 Sign Out

Clicking the Sign out menu option will immediately disconnect users from the Bandura Cyber ThreatBlockr, without prompting you for verification.

 

4 Consoles

Configuration and operational problems may require the use of the CLI or Recovery Console​. To use the consoles, you have to access the console interface ports on the Bandura Cyber ThreatBlockr. You can either connect a monitor and keyboard, or communicate using an RS-232-C serial connection. To use a monitor and keyboard:

• Connect a standard monitor to any VGA monitor port on the Bandura Cyber ThreatBlockr.
• Connect a keyboard to any USB or PS/2 keyboard port on the Bandura Cyber ThreatBlockr.

You can also connect to the RS-232-C serial port using a text terminal or terminal emulation program. The port settings are: 

• Baud: 38400 
• Data Bits: 8  
• Parity: None 
• Stop Bits: 1

 

Back to Table of Contents

4.1 Command Line Interface (CLI) Console

The CLI Console is a low-level control program which can be used to configure settings, including the Network and User configurations.  It can be accessed while the system is in a normal operational state.

The credentials to access the CLI console:

• Username: admin
• Password: bandura

The main CLI menu has the following items:

1. Network Menu: refer to section 4.1.1
2. User Menu: refer to section 4.1.2
3. Execute Self-test: places the device into bypass mode and out of bypass mode to test the hardware functions of the device
4. Shell: opens a shell to allow the user to access the file structure and processes of the device
5. Reboot: This will reboot the Bandura Cyber ThreatBlockr.
6. Shutdown: This will power off the Bandura Cyber ThreatBlockr
7. License Info: For use by Bandura Cyber internally
8. Exit: This will log the user out of the CLI menu

4.1.1 Network Menu

 

The Network Configuration section of the CLI is used to configure the network properties for the Administration Interface. 

The Administrator is able to configure the IP address, network mask, default gateway, and DNS server for the Administration Interface. The Administration Interface is only configured to use Static IP addressing; there is no DHCP option. Recovery Console requires the use of IPv4 addresses.

 

4.1.2 User Menu

 

This menu allows you to reset user passwords and view or unlock user accounts.

Back to Table of Contents

4.2 Recovery Console - Build 81 and later

Operational problems may make your Bandura Cyber ThreatBlockr inaccessible and require the use of the Recovery​ ​Console​ to restore your Bandura Cyber ThreatBlockr. The Recovery Console is a low-level control program which can restore factory-default​ ​software.

Reboot or power cycle the Bandura Cyber ThreatBlockr to view the following menu:

 

Select Recovery Console to view the following menu options:

 

1. Re-install software: This is used to restore the initial software that was loaded on Bandura Cyber ThreatBlockr when shipped from Bandura Cyber. Use this section only under instructions from the Bandura Cyber Support Team. 
2. Shell: opens a shell to allow the user to access the file structure and processes of the device
3. Reboot: This will reboot the Bandura Cyber ThreatBlockr.
4. Exit: This will log the user out of the Recovery Console menu

When the device is restarted, select Bandura Cyber ThreatBlockr​ ​from the menu​ ​to initialize the appliance. You can now remove the monitor and keyboard or serial cable. 

If you have Re-installed the software, the Bandura Cyber ThreatBlockr will be reset to factory defaults. The web address for administration will be the default; https://192.168.1.1:443​, and your computer must have an internet address in the 192.168.1.0 network to connect to the Bandura Cyber ThreatBlockr. See the Configuration section of this manual for details. 

The Recovery Console is an essential means for restoring your Bandura Cyber ThreatBlockr, but its presence may be a security risk. You will want to keep the Bandura Cyber ThreatBlockr in a secure location to prevent unauthorized use of the Recovery Console. Also consider the negative security implications of using a networked Keyboard, Video, and Mouse (KVM) switch or a networked serial device server with the Recovery Console ports.

Back to Table of Contents

4.3 Recovery Console - Build 76 and earlier

Operational problems may make your Bandura Cyber ThreatBlockr inaccessible and require the use of the Recovery​ ​Console​ to restore your Bandura Cyber ThreatBlockr. The Recovery Console is a low-level control program which can restore factory-default​ ​software.

Reboot or power cycle the Bandura Cyber ThreatBlockr to view the following menu:

 

Select Recovery Console to view the following menu options:

 

1. Request License: For Bandura Cyber Support Team use
2. Re-install Firmware: This is used to restore the initial software that was loaded on Bandura Cyber ThreatBlockr when shipped from Bandura Cyber. Use this section only under instructions from the Bandura Cyber Support Team. 
3. Reset License: For Bandura Cyber Support Team use
4. Reset Config: This will reset the configuration of the Bandura Cyber ThreatBlockr to the default configuration. This is useful if the user wishes to reset the Bandura Cyber ThreatBlockr configuration to the defaults from the factory. This does not remove any software updates that have been installed. The capability to restore to the exact factory configuration is in the Recovery Console. The user must answer "yes" to a confirmation prompt after selecting this option. 
5. Shell: opens a shell to allow the user to access the file structure and processes of the device
6. Reboot: This will reboot the Bandura Cyber ThreatBlockr.
7. Exit: This will log the user out of the Recovery Console menu

When the device is restarted, select Bandura Cyber ThreatBlockr​ ​from the menu​ ​to initialize the appliance. You can now remove the monitor and keyboard or serial cable. 

If you have Re-installed the software, the Bandura Cyber ThreatBlockr will be reset to factory defaults. The web address for administration will be the default; https://192.168.1.1:443​, and your computer must have an internet address in the 192.168.1.0 network to connect to the Bandura Cyber ThreatBlockr. See the Configuration section of this manual for details. 

The Recovery Console is an essential means for restoring your Bandura Cyber ThreatBlockr, but its presence may be a security risk. You will want to keep the Bandura Cyber ThreatBlockr in a secure location to prevent unauthorized use of the Recovery Console. Also consider the negative security implications of using a networked Keyboard, Video, and Mouse (KVM) switch or a networked serial device server with the Recovery Console ports.

 

5 Appendices

Back to Table of Contents

5.1 References

http://csrc.nist.gov/publications/PubsFIPS.html Federal​ ​Information​ ​Processing​ ​Standards regarding computer security. 

http://standards.ieee.org/getieee802 IEEE​ ​802​ standards documentation on local area and wide area networking, including Ethernet and WiFi. 

http://www.ietf.org The​ ​Internet​ ​Engineering​ ​Task​ ​Force​. "The mission of the IETF is to make the Internet work better by producing high quality, relevant technical documents that influence the way people design, use, and manage the Internet." 

http://www.itu.int/rec/T-REC-X.509/en International​ ​Telecommunications​ ​Union​ ​X.509 standards on public key certificates. 

http://www.banduracyber.com 

 

 

 

Tyson, VA
1-855-765-4925
www.banduracyber.com