Introduction
Policies allow users to determine what is or is not allowed through specific networks or network segments. As there are no limits to the number of policies that can be created, users can create as many or as few policies as they need to protect each of their networks as they deem necessary.
There are various actions used to configure each policy:
|
Action |
Description |
|
Edit |
Rename the policy or change its description. |
|
Country |
Select countries to allow or deny from a world map or table. |
|
Risk Thresholds |
Block IP addresses that have been categorized as threats based on adjustable confidence scores. |
|
Exception Lists |
Note: Only for ThreatBlockr 1.0 appliances. Apply Exception Lists to your policies or apply your Allowed Domain A or MX Records. |
|
Denied Lists |
Apply available Denied Lists per policy. |
|
Allowed Lists |
Apply available Allowed Lists per policy. |
|
Delete |
Delete a policy along with its associated Countries, Risk Thresholds, and Exception Lists. |
Policy Configurations
Edit
Rename the policy or change its description.
The Set as Default Inbound and Set as Default Outbound toggles are used as visual indicators.
Country Policies
Users can edit the world map associated with a policy by clicking on the Country icon shown in the actions list.
The world map lets you allow or deny internet traffic to various countries of the world.
Click on a country to select it or use the list of countries on the right hand side to search. The countries displayed in green are allowed, and the red shows those that are blocked.
Once you are ready for your first blocking policy, we recommend starting with a deny all stance for countries then allowing countries you know should be allowed onto your network.
NOTE: RESERVED and UNASSIGNED IPs are also in the Country list. Be sure to enable these from the table on the righthand side if you don't want your internal IPs to be blocked. You can find them by typing RESERVED or UNASSIGNED into the search box.
Risk Thresholds
Users can edit the Risk Thresholds associated with a policy by clicking the Risk Threshold icon shown in the actions list.
There are nineteen threat categories that can be enabled on this screen. All IPs included in the threat lists are placed in one or more of these categories.
Each category has an associated risk threshold slider which has a range of 1 to 100. Each IP in the threat intelligence also has an associated score that can range from 1 to 100, with a higher score representing a higher chance of it being malicious. Moving the sliders allows you to control how strong of a policy you want to apply. A slider set at 90, the default, will block IPs in that category with a score of 90 or higher. Moving the slider to the left, and decreasing the threshold, will strengthen your policy by blocking more IPs with lower scores.
As an example, if the Endpoint Exploit category is enabled with a threshold of 90, any IP identified as an Endpoint Exploit with a score of 90 or above will be blocked by the threat list. If the Endpoint Exploit category was not enabled, the connection would be allowed through by the threat list, but could still be blocked by denied lists or country policy.
BEST PRACTICE RECOMMENDATION:
We recommend starting by enabling all categories with the default baseline of 90. If you need to block more IPs in a certain category, lower the score in that category. If you need to block less IPs in a certain category, raise the score in that category.
For example, if you're hearing that many legitimate sites or services are being blocked, and upon correlating with your logs find that they are being marked as spam with a score of 90-94, you can raise the threshold for the Spam category to 95. Now, you will see less false positives based on Spam.
On the other hand, if you are checking your logs and seeing many unidentifiable Endpoint Exploits are getting through with a score of 85-89, you can lower the score to 85. Now, you will see more blocks based on Endpoint Exploit.
Exception Lists
| Note: Exception Lists have been deprecated in ThreatBlockr 2.0, and can only be used with ThreatBlockr 1.0 appliances. |
You can edit the exceptions associated with a Resource Group by clicking the Exception Lists icon shown in the actions list.
Click on the green allow arrow or the red deny arrow for the desired list to apply it to your policy.
Exception Lists do not influence traffic until added to a Policy.
Denied Lists
Users can enable or disable denied lists per policy. This allows you to specify IPs that should be denied on a specific policy.
Denied Lists do not influence traffic until enabled on a Policy.
Inherit Defaults
If Inherit Defaults is checked, only lists enabled under Denied Lists > IPv4 will be enabled on the policy.
BEST PRACTICE RECOMMENDATION:
We recommend unchecking the "Inherit Defaults" option and enabling all Denied Lists except for Zoom. Zoom may be enabled at your discretion.
By disabling "Inherit Defaults", you are able to choose which denied lists to use per policy. For example, if you have a list of IPs that should be denied at your datacenter but not your HQ.
Allowed Lists
Users can enable or disable allowed lists per policy. This allows you to specify IPs that should be allowed on a specific policy, and in doing so, only allow through the minimum required for business purposes.
Allowed Lists do not influence traffic until enabled on a Policy.
Inherit Defaults
If Inherit Defaults is checked, only lists enabled under Allowed Lists > IPv4 will be enabled on the policy.
BEST PRACTICE RECOMMENDATION:
We recommend unchecking the "Inherit Defaults" option and choosing just the lists/services you want allowed for the specific policy.
By disabling "Inherit Defaults", you are able to choose which allowed lists to use per policy. For example, if you have a list of IPs that should be allowed at your datacenter but not your HQ.
Creating an Allow All Policy
Allow all policies can be used as a "break glass" policy in cases where a business critical site or service must be accessed, but is being blocked. By using an allow all policy, all traffic is allowed through the device and continues to be logged for review. We recommend using this policy instead of putting the device into bypass mode if you don't know whether or not the Bandura Cyber ThreatBlockr platform is denying this traffic. In bypass mode, no traffic is logged.
To create an Allow All policy:
- Country: Allow All
- Risk Thresholds: Disable/uncheck all categories
- Denied Lists: Disable/uncheck all denied lists*
*Did you know? You can quickly move through all items by unchecking the first box then using your keyboard, press tab then space. Repeat this until all denied lists are disabled.
Related Articles
Comments
0 comments
Article is closed for comments.