Barracuda Web Application Firewall

Configuring IP Reputation Filter


Overview

To prevent geographically distributed DoS attacks that span multiple subnetworks, the Barracuda Web Application Firewall provides an IP reputation based filter that can be applied to an entire geographic region or to a collection of regions spanning multiple countries and/or continents.

This feature is available ONLY in Firmware Version 7.7 and above.

You can configure a geo pool with one or more geographic regions and allow or deny requests from it. IP addresses can be filtered based on the following categories:

  • Geo Pool – The IP address is from an included geographic region.
  • Barracuda Reputation Blocklist – The IP addresses that are identified as potential originators of spam, malware and bots.
  • TOR Nodes – The IP addresses that are identified as TOR.
  • Anonymous Proxy – The IP address is from an anonymizer that hides the IP address of the requesting client.
  • Satellite Provider – The IP address is from a Satellite Internet Service Provider (ISP) so the IP address of the requesting client is unknown.

Anonymous Proxy and Satellite Provider IP addresses are not specific to geographic regions. IP addresses are compared to the MaxMind database to determine if the requester is a known anonymizer or ISP address.

Once a Geo Pool is created, it can be associated with one or more services using the IP Reputation Filter section in the WEBSITES > IP Reputation page.

An IP Reputation Filter policy can be applied at the Network Layer or Application Layer. When set to Network Layer, the Barracuda Web Application Firewall applies the IP Reputation policy at the network layer. In this case, the socket IP address that is used to establish the connection with the service IP address of the Barracuda Web Application Firewall is used as the client IP address. Use Network Layer when the Barracuda Web Application Firewall is deployed directly between the client and the server, without any intermediate device like a Load Balancer deployed between the client and the Barracuda Web Application Firewall. In this scenario, clients establish a direct connection with the Barracuda Web Application Firewall to send requests. Any request sent by the client is received directly by the Barracuda Web Application Firewall.


If the clients connect to the Barracuda Web Application Firewall through an intermediate device such as a Load Balancer, the connection is established by the intermediate device instead of the actual client. In such cases, the Barracuda Web Application Firewall cannot identify the client’s IP address at the network layer. It is recommended to use the Application Layer IP Reputation policy when there is an intermediate device between the client and the Barracuda Web Application Firewall. When set to Application Layer, the Barracuda Web Application Firewall uses the client IP address from the HTTP request header (e.g. X-Forwarded-For header) to identify the actual client IP address, and applies the IP Reputation policy. 
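The difference between the two settings, as an added Python model (not Barracuda code). It assumes the header is only honored when the connection comes from a known intermediate device and that the forwarding chain is read right to left; `trusted_proxies`, the function name and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the product.
TRUSTED_PROXIES = ["10.0.0.0/24"]  # assumed load balancer subnet
# Left entry was supplied by the client itself; right entry was appended by the load balancer.
SAMPLE_HEADERS = {"x-forwarded-for": "203.0.113.9, 198.51.100.7"}

def client_ip_for_policy(layer, socket_ip, headers, trusted_proxies):
    """Return the address an IP reputation policy would be evaluated against.

    layer is "network" or "application" (the Apply IP Reputation Policy setting).
    headers is a dict with lower-cased keys (assumption of this model).
    """
    peer = ipaddress.ip_address(socket_ip)
    if layer == "network":
        # Network Layer: the socket peer is the client, whatever the headers say.
        return str(peer)
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        return any(addr in n for n in nets)

    if not is_trusted(peer):
        # Direct connection: a header written by the client proves nothing.
        return str(peer)
    raw = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk from the entry nearest to us; the first non-proxy address is the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not trust anything further left
        if not is_trusted(addr):
            return str(addr)
    return str(peer)
```

With Network Layer behind the load balancer every request evaluates as `10.0.0.5`, so geo and reputation rules would match the load balancer rather than the client.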


Geographic Filtering

You can create a geo pool in the WEBSITES > IP Reputation page, Add Geo Pool section.

Steps to Create a New Geo Pool:

  1. Enter a name for the pool in New Geo Pool Name.

    The name can include alphanumeric characters, periods (.), hyphens (-) and underscores (_). Any other special characters such as space, semicolon, asterisk, etc. are not allowed.

  2. Select the geographic region(s) to include in your IP Reputation Filter using the Expand button. Expand lists smaller regions inside a continent, and Collapse lists discrete continents. Once the list shows the areas you want at the level of detail you need, select one or more entities to filter geographically. Alternatively, you can use Select All or Deselect All.
  3. Click Add to save the new geo pool. The created pool appears in the Geo Pools list showing the configured settings.

Use the Geo Pools section to edit or delete an existing geo pool.

  • To Edit: Select the Edit icon from the Options column next to the desired geo pool.
  • To Delete: Select the Delete icon from the Options column next to the geo pool you wish to delete.

Click Help on the relevant page for more information.

You must associate the newly created geo pool to a service to enable filtering for the selected geographic region. See Applying an IP Reputation Filter to a Service.

Applying an IP Reputation Filter to a Service

To associate a geo pool to a service, perform the following steps:

  1. Go to the WEBSITES > IP Reputation > IP Reputation Filter section.
  2. Identify the service to which you want to associate a geo pool. Click Edit next to it. The Edit IP Reputation Filter window appears.
  3. In the IP Reputation Filter section:
    1. Set Enable IP Reputation Filter to On to enable the filter for the service.
    2. Set Enable Logging to Yes if you want to generate logs for the IP reputation policy. If Apply IP Reputation Policy is set to Network Layer and Enable Logging is set to Yes, the logs can be viewed in the NETWORKS > Network Firewall Logs page. When Apply IP Reputation Policy is set to Application Layer, the logs can be viewed in the BASIC > Web Firewall Logs page.

      Enable Logging is applicable only for Network Layer.

  4. In the Geo IP Filter section, set the Action to Allow or Block:
    1. Allow – Allows the traffic ONLY from the selected geographical regions, but blocks the traffic from other geographical regions.
    2. Block – Blocks the traffic ONLY from the selected geographical regions, but allows the traffic from other geographical regions.
  5. In the Block IP Categories section, select the IP categories that need to be blocked for this service. When a category is set to Block, requests from IP addresses in that category are terminated and logged. You can override the block for specific IP address(es) by adding them to Allowed Networks in the Exception Networks section.
    1. Barracuda Reputation Blocklist – Set to Block to block the IP addresses that have been identified as potential originators of spam, malware and bots. When Apply IP Reputation Policy is set to Network Layer, the Barracuda Web Application Firewall communicates with the local database stored in the system to validate the requests. If Apply IP Reputation Policy is set to Application Layer, the Barracuda Web Application Firewall communicates with Global Real Time IP Look UP (GRIP), a cloud service that contains IP addresses that have been identified as potential originators of spam, malware and bots by Barracuda’s threat intelligence engine.
    2. TOR Nodes – Set to Block to block the IP addresses that have been identified as TOR.
    3. Anonymous Proxy – Set to Block to block the IP addresses that are used as anonymizers to hide the client's IP address.
    4. Satellite Provider – Set to Block to block the IP addresses from the Satellite Internet Service Providers (ISPs) that provide internet service.
  6. In the Exception Networks section, enter the IP address(es) that need to be treated as exceptions despite originating from the geographical region specified in the geo pool, or from the Block IP Categories.
    1. Allowed Networks – Enter the IP address(es) and associated subnet mask that need to be allowed even though they match the configured Geo IP rules or Block IP Categories rules.
    2. Blocked Networks – Enter the IP address(es) and associated subnet mask that need to be blocked even though they match the configured Geo IP rules or Block IP Categories rules.
  7. Click Save. The configured IP Reputation Filter will now be applied to all requests for the service.

Click Help on the relevant page for more information.
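How the settings in steps 4 to 6 combine into one verdict, as an added Python model (not Barracuda code). The page states that Exception Networks override the geo and category rules; checking Allowed Networks before Blocked Networks, and categories before the geo pool, is an assumption of this sketch. The policy, country codes and category results are constructed inputs standing in for the appliance's own lookups.

```python
import ipaddress

# Constructed sample policy; field names are hypothetical, values mirror the UI labels.
SAMPLE_POLICY = {
    "geo_pool": {"US", "CA"},
    "geo_action": "Allow",  # Geo IP Filter > Action: "Allow" or "Block"
    "block_categories": {"TOR Nodes", "Anonymous Proxy"},
    "allowed_networks": ["203.0.113.0/28"],
    "blocked_networks": ["198.51.100.0/24"],
}

def in_any(ip, cidrs):
    """True if ip falls inside any of the CIDR strings."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def decide(policy, ip, country, categories):
    """Return (verdict, reason) for one client address.

    country and categories are the results of the geo and reputation
    lookups, passed in by the caller so the model runs offline.
    """
    # Exception Networks win over every other rule.
    if in_any(ip, policy["allowed_networks"]):
        return ("allow", "Allowed Networks exception")
    if in_any(ip, policy["blocked_networks"]):
        return ("block", "Blocked Networks exception")
    hit = policy["block_categories"] & set(categories)
    if hit:
        return ("block", "category: " + ", ".join(sorted(hit)))
    in_pool = country in policy["geo_pool"]
    # Allow = only the pool may pass; Block = only the pool is refused.
    if policy["geo_action"] == "Allow" and not in_pool:
        return ("block", "outside allowed geo pool")
    if policy["geo_action"] == "Block" and in_pool:
        return ("block", "inside blocked geo pool")
    return ("allow", "no rule matched")
```

Running a planned policy through a model like this before saving it makes it easy to spot an Allow action with an empty or too-narrow geo pool, which would block almost all traffic.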

 
