Blocking Known Threat IP Traffic using ThreatIQ
ThreatIQ is only visible in Aviatrix CoPilot if you configured ThreatIQ prior to Controller version 7.2.4820. If you did not configure ThreatIQ prior to Controller version 7.2.4820, but did configure Geoblocking, only the ThreatIQ > Overview and Geoblocking tabs are available.
Aviatrix recommends using Distributed Cloud Firewall (DCF) and its integration with GeoGroups and ThreatGroups to monitor for threats and enable geoblocking. If you previously used ThreatIQ and its Geoblocking tab to monitor for threats and block traffic from geographical areas, you can continue using it or migrate your existing ThreatIQ and Geoblocking data to the Distributed Cloud Firewall method. You cannot use ThreatIQ and/or Geoblocking in conjunction with DCF and ThreatGroups/GeoGroups.
ThreatIQ allows you to monitor, detect, and block security threats within your Aviatrix cloud network, whether it’s a multicloud or single cloud environment managed by Aviatrix Controller. By connecting with a reputable threat-IP source, ThreatIQ keeps you informed about malicious sites and IP addresses. The Aviatrix Gateways send real-time Netflow data to CoPilot, which analyzes the traffic against a database of known malicious hosts, enabling swift identification of threat IPs.
Within ThreatIQ, you can access detailed information about each threat, including source and destination IPs, gateways involved, traffic flow data (date, time, ports), and specifics on why it was flagged as a threat. Each threat record is accompanied by a network topology map highlighting the compromised gateway. Further drilling down reveals the compromised instance communicating with the threat IP, aiding in pinpointing the subnet and transit gateway involved in the communication.
By default, ThreatIQ protects all instances in all VPCs.
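The detection step described above (gateway flow records matched against a database of known malicious hosts, producing a threat record with source, destination, gateway, port and classification) can be shown with a small added example. This is illustrative code written for this page, not CoPilot's own implementation; the threat database, the gateway names and the flow records are constructed, and the addresses are documentation ranges rather than real threat IPs. The summary function mirrors the Threat Count, Unique Threat IPs and Threat Classifications figures the Overview tab reports.

```python
import ipaddress
from dataclasses import dataclass

# Constructed threat database: normalized IP -> (severity, classification, origin).
# "origin" records whether the entry came from the threat-IP feed or a custom list.
THREAT_DB = {
    "198.51.100.23": ("Major", "Scanner", "threat-ip-source"),
    "203.0.113.77": ("Medium (Audit)", "Malware C2", "custom-list"),
}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record as exported by a gateway (constructed fields)."""
    gateway: str
    vpc: str
    src: str
    dst: str
    dst_port: int
    ts: str


# Constructed sample flows: one outbound hit, one clean internal flow, one inbound hit.
SAMPLE_FLOWS = [
    Flow("gw-app-us-east-1", "vpc-app", "10.10.1.14", "198.51.100.23", 443, "2024-05-01T10:00:03Z"),
    Flow("gw-app-us-east-1", "vpc-app", "10.10.1.14", "10.20.3.8", 5432, "2024-05-01T10:00:04Z"),
    Flow("gw-transit-us-east-1", "vpc-transit", "203.0.113.77", "10.10.2.5", 22, "2024-05-01T10:01:00Z"),
]


def _norm(ip: str) -> str:
    # Normalize so "203.000.113.077"-style variants cannot slip past a string lookup.
    return str(ipaddress.ip_address(ip))


def match_flows(flows, threat_db):
    """Return one threat record per flow whose source or destination is a threat IP."""
    records = []
    for f in flows:
        for role, ip in (("destination", f.dst), ("source", f.src)):
            key = _norm(ip)
            if key in threat_db:
                severity, classification, origin = threat_db[key]
                records.append({
                    "threat_ip": key, "role": role, "gateway": f.gateway, "vpc": f.vpc,
                    "src": f.src, "dst": f.dst, "dst_port": f.dst_port, "time": f.ts,
                    "severity": severity, "classification": classification, "origin": origin,
                })
    return records


def unique_threat_ips(records):
    return sorted({r["threat_ip"] for r in records})


def summarize(records):
    """Aggregate the way the Overview tab does: total hits, unique IPs, per-class and per-severity."""
    by_class, by_sev = {}, {}
    for r in records:
        by_class[r["classification"]] = by_class.get(r["classification"], 0) + 1
        by_sev[r["severity"]] = by_sev.get(r["severity"], 0) + 1
    return {
        "threat_count": len(records),
        "unique_threat_ips": len(unique_threat_ips(records)),
        "by_classification": by_class,
        "by_severity": by_sev,
    }


if __name__ == "__main__":
    recs = match_flows(SAMPLE_FLOWS, THREAT_DB)
    for r in recs:
        print(f'{r["time"]} {r["gateway"]}: {r["src"]} -> {r["dst"]}:{r["dst_port"]} '
              f'threat={r["threat_ip"]} ({r["role"]}, {r["severity"]}, {r["classification"]})')
    print(summarize(recs))
```

The direction field matters in practice: an internal host that initiates a connection to a threat IP (destination match) is a stronger compromise indicator than an inbound scan from one (source match), even though both produce a threat record.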
Working with ThreatIQ
This section describes the ThreatIQ feature of Aviatrix CoPilot.
You access ThreatIQ in CoPilot by going to Home > Security > ThreatIQ or typing ThreatIQ in the navigation search.
-
Overview tab: Shows a geographical map with the approximate locations of known malicious IPs that have communicated with your network within the specified time period selected. You can view the severity level of detected threat IPs and their associated attack classifications (as categorized by the well known threat IP source).
-
Configuration tab: enables you to take actions on those threats:
-
Enable alerts: Enable alerts so you are notified when threat IP traffic is first detected. You can configure your preferred communication channel (email) for sending these ThreatIQ alerts.
In CoPilot, in the Notifications option, you can view historical information about when the alerts were triggered, including the names of the gateways within the threat IP traffic flow. ThreatIQ alerts are based on threat IP data stored in a database that is regularly updated with the most current threats (new or removed). When a threat IP is removed from the threat IP source (that is, the IP is no longer deemed malicious), the update is automatically pushed to the Aviatrix Cloud Network Platform.
-
Block threat-IP traffic: To block threat IP traffic, alerts must be enabled. When blocking is activated, the Controller acts promptly upon identifying a threat IP in a traffic flow. It immediately blocks the traffic associated with that threat IP on all gateways within the VPC/VNet/VCN. If the threat IP is no longer listed in the threat-IP database, the Controller automatically removes the security rules for that particular threat IP from the affected gateways, allowing the traffic to flow unrestricted. Otherwise, the security rules for that specific threat IP remain in effect.
If you disable ThreatIQ blocking, the action removes all existing firewall rules instantiated by Aviatrix Controller for all threats (that is, all threat IPs) detected up to that point.
-
Custom Threat List tab: Add a custom list of IP addresses (that you consider threat IPs) to the database of known malicious hosts used by ThreatIQ. For information, see Adding a Custom ThreatIQ IP List.
-
Geoblocking tab: Block traffic coming from other countries.
Enabling ThreatIQ Alerts
Enable ThreatIQ alerts to receive notifications when threat IPs are detected in your network traffic.
You can only enable ThreatIQ alerts if you log into CoPilot with a user account that belongs to a group that has either all_write or all_security_write permissions.
To enable ThreatIQ alerts:
-
In CoPilot, go to Home > Security > ThreatIQ.
-
Click the Configuration tab.
-
Click Send Alert to expand the settings area.
-
Toggle the Send Alert slider to the right. This opens the ThreatIQ Configuration dialog.
-
In this dialog, click Add Recipient(s). Select the email address destination to which you want to send ThreatIQ alerts. Repeat this for each recipient you want to receive the alert.
-
Click CONFIRM. ThreatIQ alerts are enabled. When a threat IP is detected in a traffic flow, CoPilot will send a notification to the email you specified. The notification will state the threat IP that was detected in the traffic flow (and, if ThreatIQ blocking is enabled, blocked).
-
(Optional) Verify that ThreatIQ alerts are enabled:
-
From the sidebar, click Notifications.
-
In the Configured Alerts list, locate the entry with the name ThreatIQ Alert that has the condition When Threat IP Detected. This entry validates that alerts are enabled.
-
(Optional) Enable ThreatIQ blocking. After alerts are enabled, you can opt to enable ThreatIQ blocking. When ThreatIQ blocking is enabled, Aviatrix Controller pushes down firewall policies to block threat-IP associated traffic as soon as it is detected.
About ThreatIQ Firewall Rules
ThreatIQ firewall rules are stateful firewall rules that are applied to Aviatrix gateways to block traffic for threats detected by the ThreatIQ feature. Threat IPs come either from the threat-IP source that the Aviatrix Cloud Network Platform subscribes to or from your custom ThreatIQ IP list. For information about ThreatIQ, see Working with ThreatIQ.
Aviatrix CoPilot scans flow records for threats. When ThreatIQ blocking is enabled, and CoPilot detects a threat IP in a traffic flow, it calls the Controller with the firewall rules to add. The Controller instantiates the ThreatIQ firewall rules on all gateways that are within that flow (all gateways within the VPC/VNet) to immediately block the threat IP associated traffic.
By default, when ThreatIQ blocking is enabled, blocking occurs in all VPCs/VNets. When configuring ThreatIQ blocking, you have the option to exclude any VPC/VNet in your network from ThreatIQ blocking.
If a threat IP is removed from the database of the threat IP source or from your Custom Threat List, the Controller automatically removes the ThreatIQ firewall rules for that specific threat IP from the affected gateways and associated traffic is no longer blocked. Otherwise, the ThreatIQ firewall rules for that specific threat IP remain enforced.
If you disable ThreatIQ blocking, the action removes all existing ThreatIQ firewall rules instantiated by Aviatrix Controller for all threats (all threat IPs) detected up to that point.
When a ThreatIQ firewall rule is newly applied on a gateway that has existing rules applied, note the following:
-
The ThreatIQ firewall-rule drop policies are in addition to the existing firewall policies applied to the same gateways.
-
If you configure ThreatIQ firewall rules to append instantiated rules (default), Aviatrix Controller adds the ThreatIQ rule to the end of the rules list at the time the threat triggered the rule.
-
If you configure ThreatIQ firewall rules to prepend instantiated rules, Aviatrix Controller adds the ThreatIQ rule to the beginning of the rules list at the time the threat triggered the rule.
The prepend feature is available starting from Controller release 6.6.5544.
-
If you change the append/prepend configuration, the new configuration applies to new rules. The rules instantiated before the configuration change will retain their placement in the rules list.
-
Firewall rules are evaluated in order, and the first rule whose condition matches determines the action; no subsequent rules are evaluated. Because of this, a ThreatIQ drop rule appended (the default) after an existing broad allow rule that also matches the threat traffic will never be reached, so prepend is the safer placement on gateways that already carry permissive allow rules.
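The append/prepend placement and first-match evaluation described in this section, as an added example written for this page (not Aviatrix's rule engine or rule format). The rule tuples, the base policy, the existing rule set and the assumption that a ThreatIQ rule drops traffic to and from the threat IP are all constructed for illustration.

```python
import ipaddress

# Constructed rule shape: (name, src_cidr, dst_cidr, action), evaluated top to bottom.
# Existing operator policy on a gateway: a broad egress allow, then an explicit deny.
EXISTING_RULES = [
    ("allow-egress-web", "10.10.0.0/16", "0.0.0.0/0", "allow"),
    ("deny-default", "0.0.0.0/0", "0.0.0.0/0", "deny"),
]


def _matches(rule, src, dst):
    _, src_cidr, dst_cidr, _ = rule
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_cidr)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_cidr))


def evaluate(rules, src, dst):
    """First matching rule wins; returns (rule name, action). Base policy assumed deny."""
    for rule in rules:
        if _matches(rule, src, dst):
            return rule[0], rule[3]
    return None, "deny"


def threatiq_rules(threat_ip):
    # Assumption: one drop rule per direction for the threat IP (constructed, not the product's exact rules).
    return [
        (f"threatiq-{threat_ip}-out", "0.0.0.0/0", f"{threat_ip}/32", "deny"),
        (f"threatiq-{threat_ip}-in", f"{threat_ip}/32", "0.0.0.0/0", "deny"),
    ]


def instantiate(rules, threat_ip, placement="append"):
    """Return a new rule list with the ThreatIQ rules placed per the current setting.
    Earlier ThreatIQ rules keep their position; only the new rules honour `placement`."""
    new = threatiq_rules(threat_ip)
    if placement == "append":
        return rules + new
    if placement == "prepend":
        return new + rules
    raise ValueError(f"unknown placement {placement!r}")


if __name__ == "__main__":
    src, threat = "10.10.1.14", "198.51.100.23"
    print("append :", evaluate(instantiate(EXISTING_RULES, threat, "append"), src, threat))
    print("prepend:", evaluate(instantiate(EXISTING_RULES, threat, "prepend"), src, threat))
```

With append, the flow from 10.10.1.14 to the threat IP is matched by allow-egress-web before the ThreatIQ drop rule is ever reached, so the block is ineffective; with prepend the drop rule matches first in both directions. Switching the setting afterwards does not move rules that were already instantiated.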
Enabling ThreatIQ Blocking
Enable ThreatIQ blocking to block traffic at Aviatrix Gateways where threat IPs have traversed. When blocking is enabled, Aviatrix Controller pushes down firewall policies to block threat IP associated traffic as soon as it is detected. All gateways in the VPC/VNet will block when threat IPs traverse them.
To enable ThreatIQ blocking, you must log in to CoPilot with a user account that belongs to a group that has either all_write or all_security_write permissions.
To enable ThreatIQ blocking:
-
In CoPilot, go to Home > Security > ThreatIQ.
-
Click the Configuration tab.
-
Verify that ThreatIQ alerts are enabled. The alerts are enabled when the Send Alert status has a checkmark. ThreatIQ alerts must be enabled before blocking can be enabled. See Enabling ThreatIQ Alerts for instructions.
-
Click the Block Threats slider and slide it to the right. The Select VPC/VNets to allow/deny ThreatIQ Protection dialog may open. If so, select the VPC/VNets to protect with ThreatIQ and click Save.
You may see a confirmation message about blocking threats. If so, click Confirm.
Now that ThreatIQ blocking is enabled, Aviatrix Controller enforces firewall policies to block threat IP associated traffic as soon as it is detected. Each time a different threat IP is detected, a new firewall rule is instantiated on the gateway. By default, all gateways in a VPC/VNet will block the associated traffic. You can be selective about which VPC/VNets block threat IPs in the next step.
-
(Optional - Deny ThreatIQ protection) Select VPC/VNets where you do not want ThreatIQ blocking enabled.
-
Click the pen icon next to Configure Exclusion List for VPCs.
-
In the Protected with ThreatIQ list, select the check box of each VPC/VNet for which you do not want ThreatIQ blocking enabled.
-
Transfer the VPC/VNets to the Not Protected list and click Save.
-
For any VPC/VNets listed in the Not Protected list, the gateways in them will not block threat IPs when detected.
-
(Optional - Prepend ThreatIQ rules) By default, ThreatIQ firewall rules append instantiated rules — Aviatrix Controller adds the ThreatIQ rule to the end of the rules list at the time the threat triggered the rule. If you want Controller to add the ThreatIQ rule to the beginning of the rules list, select the Prepend radio button. For more information, see About ThreatIQ Firewall Rules.
-
(Optional - Disable blocking)
When you disable ThreatIQ blocking, the action removes all existing ThreatIQ firewall rules instantiated by Aviatrix Controller for all threats detected up to that point. To disable blocking, in the ThreatIQ Configuration view, click the Block Traffic check and then click the Block Threats slider. Click Confirm to disable all ThreatIQ firewall rules and stop ThreatIQ blocking.
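The blocking lifecycle the steps above describe (rules pushed to every gateway in the flow's VPC/VNet, excluded VPC/VNets skipped, rules withdrawn when an IP leaves the threat database, and all rules removed when blocking is disabled) as an added example. This is a constructed model written for this page, not Controller code: the gateway inventory, VPC names and threat IPs are made up, and rules are tracked as a set of blocked IPs per gateway rather than in the product's rule format.

```python
from collections import defaultdict

# Constructed inventory: gateway name -> VPC/VNet it belongs to.
GATEWAYS = {
    "gw-app-us-east-1": "vpc-app",
    "gw-app-us-east-1-hagw": "vpc-app",
    "gw-transit-us-east-1": "vpc-transit",
    "gw-dev-us-west-2": "vpc-dev",
}


class ThreatIQBlocking:
    """Tracks which threat IPs are blocked on which gateway, following the page's rules."""

    def __init__(self, gateways, excluded_vpcs=()):
        self.gateways = dict(gateways)
        self.excluded = set(excluded_vpcs)       # "Not Protected" list
        self.enabled = False
        self.rules = defaultdict(set)            # gateway -> set of blocked threat IPs

    def set_enabled(self, flag: bool):
        self.enabled = flag
        if not flag:
            # Disabling removes every ThreatIQ rule instantiated so far.
            self.rules.clear()

    def on_threat_detected(self, threat_ip: str, gateway: str):
        """Called when a flow through `gateway` hits a threat IP.
        Returns the gateways that received a rule (all gateways in that VPC/VNet)."""
        if not self.enabled:
            return []
        vpc = self.gateways[gateway]
        if vpc in self.excluded:
            return []
        targets = [g for g, v in self.gateways.items() if v == vpc]
        for g in targets:
            self.rules[g].add(threat_ip)
        return targets

    def on_threat_db_update(self, current_threat_ips):
        """Called when the threat source or custom list changes.
        Drops rules for IPs that are no longer considered malicious; others stay."""
        current = set(current_threat_ips)
        removed = []
        for g, ips in self.rules.items():
            for ip in sorted(ips - current):
                removed.append((g, ip))
            ips &= current
        return removed

    def total_rules(self) -> int:
        return sum(len(ips) for ips in self.rules.values())


if __name__ == "__main__":
    b = ThreatIQBlocking(GATEWAYS, excluded_vpcs=["vpc-dev"])
    b.set_enabled(True)
    print("rules pushed to:", b.on_threat_detected("198.51.100.23", "gw-app-us-east-1"))
    print("excluded vpc   :", b.on_threat_detected("203.0.113.77", "gw-dev-us-west-2"))
    print("withdrawn      :", b.on_threat_db_update({"203.0.113.77"}))
    b.set_enabled(False)
    print("after disable  :", b.total_rules())
```

Two points worth checking in your own deployment follow from this model: a detection on one gateway blocks the IP on the other gateways of the same VPC/VNet (including an HA peer) but not on gateways elsewhere until they see the IP themselves, and an entry that you remove from the Custom Threat List is unblocked automatically, so treat edits to that list as a change to enforcement, not just to reporting.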
Adding a Custom ThreatIQ IP List
Add a custom list of IP addresses to the database of known malicious hosts used by ThreatIQ. The custom threat IPs are handled by Aviatrix Controller in the same manner as the threat IPs identified through the threat-IP source (detection, alerts, blocking, and unblocking functionality is the same).
You must log in to CoPilot with a user account that has all_write or all_security_write permissions to add, modify, or delete a custom ThreatIQ IP list.
To add a custom ThreatIQ IP list in ThreatIQ:
-
In CoPilot, go to Home > Security > ThreatIQ.
-
Click the Custom Threat List tab.
-
Click +Threat IP and enter the details:
-
IP: An IP address you consider a threat IP.
-
Severity: Any term you want to use that indicates the severity of this threat IP.
-
Color: The color you want to associate with this threat IP. The color is used in lists and charts of the ThreatIQ dashboard.
-
Classification: Any term you want to use that indicates the classification of this threat IP.
-
Info: Any custom note you want to state for this threat IP.
-
To add more IP addresses to the list, click the plus sign and enter the details for each one.
-
Click Confirm.
The IP addresses are added to the database of known malicious hosts used by ThreatIQ.
To change a threat IP entry, click the pen icon, double-click on a value to change it, and click the save icon. Threat records generated prior to the change retain earlier values (for example, if you change the color from blue to red, threat records generated before the color change still show blue).
To delete an IP address from the list, click the trash icon. The IP address is removed from the database of known malicious hosts used by ThreatIQ. If ThreatIQ blocking has been applied for this threat IP, the Controller automatically removes the security rules for that specific threat IP from the affected gateways and associated traffic is no longer blocked.
Threats View Properties
Descriptions of the properties in the CoPilot ThreatIQ Overview tab listed in alphabetical order:
-
All Threats (Total)
Since ThreatIQ was turned on, the total number of detected flows or events that were correlated with any of the unique threat IPs.
-
Start Time and End Time
(Start Time) Date and time from which you want to view which malicious IPs were observed in the fabric of your Aviatrix transit network.
(End Time) Date and time up to which you want to view which malicious IPs were observed in the fabric of your Aviatrix transit network.
-
Threat Classifications
Of the threats in the time period specified (by Start Time and End Time), how many fall into each threat classification.
-
Threat Count
The number of times the unique Threat IPs have been detected across your Aviatrix transit network within the time period specified (by Start Time and End Time).
-
Threat Details
The Threat Details dialog provides a network topology diagram highlighting the location of the compromised host in your network, the flow data and overall netflow, and a summary of the threat severity as defined by the threat-IP source.
-
Threat Severity
Of the threats in the time period specified (by Start Time and End Time), how many fall into the Major threat severity category and how many into the Medium (Audit) threat severity category.
-
Threats Over Time
Over the time period specified (by Start and End Time), a graph showing the number of threats that were detected. Spikes in the graph reflect days when more threats were detected.
-
Total Threats Over Time
Over the time period specified (by Start and End Time), a graph showing the total count of threats. The count accumulates as you see more threats over time in that time period.
-
Unique Threat IPs
The number of unique threat IPs that were detected across your Aviatrix transit network within the time period specified (by the Start Time and End Time). These are malicious IP addresses defined by a well known threat-IP source.
ThreatIQ Configuration View Properties
Descriptions of the properties in the CoPilot ThreatIQ Configuration tab listed in alphabetical order:
-
Blocked Threat IPs
The number of unique threat IPs for which traffic was blocked.
-
Block Traffic
Enable Aviatrix Gateways to block traffic that is associated with a threat IP.
-
Firewall Rules Per Gateway
A pie chart showing the percentage of rules that are instantiated on each Aviatrix gateway.
-
Gateways
The number of Aviatrix gateways that have instantiated firewall rules to block threat IP traffic.
-
Rules
The number of firewall rules that were instantiated to block threat IP traffic.
-
Send Alert
Enable CoPilot to send alert notifications (to one or more email/Webhook systems) when traffic that is associated with a threat IP is detected.
-
Threats Blocked Per Gateway
A pie chart showing the percentage of threats that are blocked on each Aviatrix gateway.
-
View Rules dialog
The View Rules dialog shows the ThreatIQ firewall rules that are applied on Aviatrix gateways.