Block Known Threats Using F5's IP Intelligence Service

Sadly, one of my favorite things to do lately is sit in my home office and watch the IP Intelligence logs and charts. Seeing something so simple yet so powerful in action is intriguing. If you are not familiar with F5's IP Intelligence (IPI) capability, it is an add-on service that integrates with both the Advanced Firewall Manager (AFM) and the Application Security Manager (ASM). The service provides a database of threatening IP addresses that can be refreshed as often as every 5 minutes, so the BIG-IP can block traffic from known bad sources and also identify and block communication with newly listed threatening addresses. Below is a list of each of the protection categories.

Now you might be asking how in the world F5 gets a list of known bad IP addresses. While F5 does have internal groups that do a lot of super secret work on the dark web for the greater good, this service is actually driven through a relationship with Brightcloud. Brightcloud's security platform scans billions of IP addresses and billions of URLs across millions of domains, in addition to millions of mobile apps, and uses machine learning to classify and categorize each according to the threat it represents to your business. If you would like to read more about Brightcloud, you can access their web page here. Now that we have discussed IPI at a high level, let's deploy it!

Prerequisites

  • F5 IP Intelligence Service add-on license
  • Internet connectivity
  • DNS configured
  • *Advanced Firewall Manager licensed and provisioned
  • *Application Security Manager licensed and provisioned

Note: There are many ways to configure F5's IPI; this article covers blocking known bad traffic with iRules, AFM and ASM. The asterisked items above are optional: AFM and ASM are not required, but they ease the deployment process.

Verify the IP Reputation Database is Current

  • Log into the BIG-IP system command line.
  • Run tmsh list sys db iprep.autoupdate.

The IP reputation DB is configured to auto-update by default. If this has been disabled, run the following command to re-enable the auto-update feature.

  • Run tmsh modify sys db iprep.autoupdate value enable.
  • Run tmsh show sys iprep-status.

If the previous command provides no data then the IP reputation DB has not been downloaded.

  • Validate internet connectivity and name resolution.

If nslookup or dig fails from the BIG-IP command line, confirm that a name server is configured in the system DNS configuration (tmsh list sys dns). Without name resolution the BIG-IP cannot reach the Brightcloud service to download the database.

  • Run tmsh modify sys db iprep.intervalmin value 5.

This sets the database update interval to 5 minutes, the most frequent setting the service supports. The screenshot above shows the result of a missing IP reputation DB; after resolving my DNS issue and shortening the update interval, the next download succeeded.

Creating an iRule to reject requests with questionable IP addresses

  • Navigate to Local Traffic >> iRules.
  • Click Create.
  • In the Definition field, copy and paste the following example iRule.
when HTTP_REQUEST {
    # IP::reputation returns the list of IPI categories for the client
    # address; it is empty when the address is not in the reputation DB.
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    if { $ip_reputation_categories contains "Windows Exploits" } {
        set is_reject 1
    }
    if { $ip_reputation_categories contains "Web Attacks" } {
        set is_reject 1
    }
    if { $is_reject } {
        # log local0. writes to /var/log/ltm
        log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected"
        # Answer the request ourselves so it never reaches the pool.
        # (A 403 status would be equally defensible here.)
        HTTP::respond 200 content "The request was rejected. Attempted access from malicious IP address." "Content-Type" "text/plain"
    }
}

  • Click Finished.

Note: When the system receives traffic from an IP address that is included in the IP Intelligence database, it logs the IP Intelligence information to /var/log/ltm. The log local0. statement in the iRule above lands in the same file, which makes it easy to confirm the rule fired.

Assign the iRule to a BIG-IP Virtual Server

  • Navigate to Local Traffic >> Virtual Servers and click the virtual server you want to protect.
  • Select the Resources tab.
  • In the iRules section, click Manage.
  • Move the iRule created in the previous step to Enabled.
  • Click Finished.
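As an added example (not from the original article or from F5's documentation), the following iRule generalizes the one above: the blocked categories live in a single list, trusted sources are exempted through an address-type data group, and the check runs at CLIENT_ACCEPTED so it also protects non-HTTP virtual servers and stops a flagged client before any request is parsed. The data group name ipi_exempt_addrs and the category names beyond "Windows Exploits" and "Web Attacks" (Botnets, Scanners) are assumptions; category strings must match exactly what IP::reputation returns on your system, which you can confirm in /var/log/ltm.

```tcl
# Added example iRule (not the article's or F5's own code).
# Assumptions: an Address-type data group named ipi_exempt_addrs exists, e.g.
#   tmsh create ltm data-group internal ipi_exempt_addrs type ip records add { 192.0.2.0/24 { } }
# and the category names below match what IP::reputation reports on this BIG-IP.

when RULE_INIT {
    # Categories that cause the connection to be rejected. "Botnets" and
    # "Scanners" are assumed names; adjust to the categories you see logged.
    set static::ipi_block_cats [list "Windows Exploits" "Web Attacks" "Botnets" "Scanners"]
}

when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Never reject exempted sources (monitoring, partners, your own scanners).
    # class match does subnet matching against an Address data group.
    if { [class match $client equals ipi_exempt_addrs] } {
        return
    }

    # IP::reputation returns a Tcl list of category names; an empty list
    # means the address is not in the database (or the DB is not loaded yet).
    set cats [IP::reputation $client]
    if { [llength $cats] == 0 } {
        return
    }

    # Exact-match each reported category against the block list.
    foreach cat $cats {
        if { [lsearch -exact $static::ipi_block_cats $cat] >= 0 } {
            log local0. "IPI reject: $client categories=\[$cats\] matched=\"$cat\""
            # Send a TCP reset; the client never reaches the pool.
            reject
            return
        }
    }

    # Listed in the DB but not in a blocked category: allow, but leave a trace
    # so the category list can be tuned from the logs.
    log local0. "IPI notice: $client categories=\[$cats\] allowed"
}
```

Because CLIENT_ACCEPTED fires before any HTTP parsing, a rejected client sees only a TCP reset rather than the article's text response; keep the HTTP_REQUEST version if you need a human-readable page. Saving the iRule fails validation if the referenced data group does not exist, so create it first. The per-connection log lines are useful while tuning but can be noisy on a busy virtual server; drop the "allowed" line once you trust the category list.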

IP Intelligence for Advanced Firewall Manager

Configure a Global IP Intelligence Policy

  • Log in to the Traffic Management User Interface (TMUI).
  • Navigate to Security >> Network Firewall >> IP Intelligence >> Policies.
  • From the Global Policy list, select the IP Intelligence policy to apply to all traffic on the BIG-IP system.
  • Click Update.

The IP Intelligence policy is now applied to all traffic.

Assigning an IP Intelligence Policy to a Virtual Server

You can assign an IP Intelligence policy to a virtual server, to apply blacklist and whitelist matching actions and logging to traffic on that virtual server only.

  • Navigate to Local Traffic >> Virtual Servers.
  • Click the name of the virtual server you want to modify.
  • On the menu bar, from the Security menu, choose Policies.
  • Next to IP Intelligence, select Enabled, then select the IP intelligence policy to apply to traffic on the virtual server.
  • Click Update.

The specified IP Intelligence policy is applied to traffic on the selected virtual server.

Assigning an IP Intelligence policy to a route domain

  • Navigate to Network >> Route Domains.
  • In the Name column, click the name of the relevant route domain.
  • From the IP Intelligence Policy list, select an IP Intelligence policy to enforce on this route domain.
  • Click Update.

The specified IP Intelligence policy is applied to traffic on the route domain.

IP Intelligence for Application Security Manager

  • Navigate to Security >> Application Security : IP Addresses : IP Intelligence.
  • Select the Enabled check box.

Once enabled, you are presented with all IPI categories and can select, per category, whether to Alarm and/or Block. In this example I am configuring all categories to both Alarm and Block.

  • Select Save.
  • Apply Security Policy by clicking Apply Policy at the top of the screen.

The IP Intelligence settings are now part of the ASM security policy. If the security policy has not yet been assigned to a virtual server, assign it now; otherwise nothing is enforced.

View Traffic Blocked by the IPI Reputation Database

  • Navigate to Security >> Reporting >> Application >> Charts.
  • From the View By drop-down menu, select IP Intelligence.

  • Navigate to Security >> Reporting >> Network >> IP Intelligence.

You have now successfully deployed F5's IP Intelligence service and are blocking threats using iRules, Advanced Firewall Manager and Application Security Manager. Until next time!

Published Nov 28, 2018
Version 1.0
  • You got it, Piotr. DNS resolution is only needed to connect to Brightcloud's IPI API for downloads and updates of the DB.

  • Hi,

    I have to dig out my old lab notes and then will get back to you. The format of the files is easy (but can be tricky if the wrong line endings are used :-); it's more about all the options in the feed definition.

    Just one more question: is the DNS definition necessary only to resolve the FQDN used to access the IPI service, or for something else?

    Piotr

  • No guarantees, though I will try. However, in the meantime, the custom feed list should be pretty straightforward. The expected blacklist should be nothing more than comma-separated content. Is there a particular issue you ran into that I can help with?

    https://support.f5.com/kb/en-us/products/big-ip-afm/manuals/product/network-firewall-policies-implementations-13-1-0/7.html

    10.0.0.2,32,bl,spam_sources
    10.0.0.3,,wl,
    10.10.0.12,,botnets
    10.0.0.12,,,
    10.0.0.13,,bl,

  • Hi,

    Nice intro. It would be great if you could write an article about creating and configuring Feed Lists, as well as creating IPI Policies using non-standard Feed Lists and Blacklist categories.

    Some time ago I played around with those configuration objects and, to be honest, it was not easy to figure out how to configure them to achieve the expected results. The docs were not very helpful in figuring it out either :-(

    Piotr