Block & Tackle: How IP Reputation Filtering is Central to Your Security Success

We’ve all heard the longstanding piece of advice to “nip it in the bud” when confronted with something unpleasant or avoidable. But sometimes, we forget to take this same advice when it comes to data security. Focusing early on the preventative side of security before reactive measures are needed is pivotal when it comes to thwarting damaging attacks and data compromises. One of the best ways to proactively guard against infiltrators is to identify the origin of an attack and block it before it hits your network. IP reputation filtering (IPRF) correlates source IP addresses against databases of known malicious IP addresses, and stops them before they have a chance to make it into your network.

The trick is that IPRF needs to be implemented strategically as part of your overarching security plan, rather than as a one-off or side note. Done this way, IPRF can efficiently block unwanted traffic and help you essentially disappear off the bad guys’ radar. This type of countermeasure impedes phishing, botnets, social engineering, Web application attacks, spam and other unwanted traffic by safeguarding against known malicious actors. This becomes especially important when you consider that some countries of origin are known for high volumes of dangerous source IPs. For instance, it has recently been reported that upwards of 55 percent of global attack traffic originates in Asia. IP reputation filtering is an effective tool for identifying these sources. To ensure your IPRF investment succeeds, look at the program from a strategic standpoint and make calculated decisions, and keep your data up to date and verified to ensure a low rate of false positives.

Strategic goals drive success

From a high level, what do you want IPRF to do for you? Be very thoughtful in answering that question, because it has important implications. Why? Because in theory it might sound ideal to block every source IP address that has historically been damaging. But you have to walk the fine line between blocking unwanted, potentially destructive traffic and not denying entry to more addresses than necessary.

For example, consider an anonymous proxy such as Tor. Some businesses might be comfortable allowing traffic that has been scrubbed of identifying factors such as location or browsing habits. After all, many users of this software might just want to surf anonymously, or something equally innocuous. You have to think high level about what traffic is allowable and what your business can tolerate.

When setting your goals, honestly evaluate them with your IT department and consider how to meet them. Discuss how tolerant you want to make your IPRF filters and then identify the required parameters around them.

Working with false positives

A close cousin to setting goals is risk assessment of your IPRF deployment. In truth, this should be part of the risk assessment policies and procedures you already have in place for all of your security initiatives. You should always have a risk-to-reward ratio in mind and build your programs around it.

It’s important to stop and evaluate what your business can afford. For instance, how will false positives impact your success? It’s a fact: when you set out to block dangerous traffic, some normal traffic will be blocked as well. The risk-to-reward ratio here is generally acceptable, unless your efforts block so much traffic that your business suffers. Understanding what false-positive rate is tolerable, and crafting your data source around it, is central to understanding the effectiveness of any security countermeasure. For certain traffic, the risk of blocking it may outweigh the reward of keeping it out.

If you find that the false positives are impacting your risk-to-reward ratio to the negative, consider a couple of things:

• Go back to your goal setting session and re-evaluate the filters you’ve put in place. By making them more extensive and targeted, you have a better chance of blocking unwanted traffic while letting in IP addresses that really are acceptable.

• Thoroughly vet your data source to ensure the data is updated regularly and stale entries are removed.
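As an added illustration (not code from the article or from any vendor), the following sketch shows the mechanics described above: source IPs are matched against a feed of known-bad networks, stale entries are ignored rather than trusted, an allowlist protects known-good addresses from false positives, and policy decides which feed categories (such as Tor exits) are actually blocked. The feed entries, categories, sample IPs and the 30-day staleness window are all constructed assumptions.

```python
# Added example (not from the article): a minimal IP reputation filter that checks
# source IPs against a feed of known-bad networks, ignores stale feed entries, honours
# an allowlist, and lets policy decide which categories (e.g. Tor exits) to block.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class FeedEntry:
    network: str         # CIDR string, e.g. "203.0.113.0/24"
    category: str        # feed category, e.g. "botnet_c2", "tor_exit" (constructed names)
    last_seen: datetime  # when the feed last confirmed this network as malicious

class IPReputationFilter:
    def __init__(self, feed, allowlist=(), block_categories=None,
                 max_age=timedelta(days=30)):  # 30-day staleness window is an assumption
        # Parse once; ipaddress raises on malformed input instead of silently matching.
        self.feed = [(ipaddress.ip_network(e.network), e) for e in feed]
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.block_categories = set(block_categories) if block_categories else None
        self.max_age = max_age

    def decide(self, src_ip, now):
        ip = ipaddress.ip_address(src_ip)
        # Known partners/customers always win: this is the false-positive escape hatch.
        if any(ip in net for net in self.allowlist):
            return ("allow", "allowlist")
        for net, entry in self.feed:
            if ip not in net:
                continue
            # A stale entry (not re-confirmed within max_age) is not trusted.
            if now - entry.last_seen > self.max_age:
                continue
            # Policy decides which categories to block (e.g. whether Tor is tolerated).
            if self.block_categories and entry.category not in self.block_categories:
                return ("allow", "tolerated:" + entry.category)
            return ("block", entry.category)
        return ("allow", "no_match")

def demo():
    now = datetime(2024, 1, 31, tzinfo=timezone.utc)  # constructed reference time
    feed = [  # constructed feed using RFC 5737 documentation ranges
        FeedEntry("203.0.113.0/24", "botnet_c2", now - timedelta(days=2)),
        FeedEntry("198.51.100.0/24", "scanner", now - timedelta(days=90)),  # stale
        FeedEntry("192.0.2.0/24", "tor_exit", now - timedelta(days=1)),
    ]
    f = IPReputationFilter(feed, allowlist=["203.0.113.8/32"],
                           block_categories={"botnet_c2", "scanner"})
    samples = ["203.0.113.5", "203.0.113.8", "198.51.100.7", "192.0.2.10", "2001:db8::1"]
    return {ip: f.decide(ip, now) for ip in samples}
```

Each verdict carries a reason, so a blocked connection can be traced back to the feed category that caused it when a false positive is reported.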

Select vendors intentionally

If you know what you want to block, what you want to allow, and how much ambiguity your business can tolerate in between, you’re almost there. Now you have to source a vendor. Finding a solution that fits best with your particular IT and business needs can be a smooth and mostly painless process, if you know where to look.

Start by looking at your existing security vendors. If one of them offers IPRF solutions and is already considered a trusted source with which you have a good working relationship, chances are they will continue to be a good partner. This also will enable you to keep your security programs under one roof, and it helps systems work together, complementing one another. Additionally, existing vendors are better able to guide you through a smooth initial implementation.

Outside of your existing vendors, look for partners that have a long history and a strong reputation around their IPRF solution. Next, determine the depth of each solution and identify the flexibility offered within it. For instance, you want to be able to fluidly evaluate how the solution is working in your environment and change course if necessary. If a vendor doesn’t offer this, or won’t negotiate toward it, source a different partner.

One final aspect to note when dealing with IPRF is how the IP reputation data fits into the entire malicious IP recipe. You’ll likely have to augment your own known ‘bad’ IP address data in order to have a sampling that’s big enough to truly impact your success. If this is the case, take proactive measures to ensure that the IPRF vendor’s data is highly reputable and that the data is vetted, trusted and extremely accurate.

Keeping your eye on the next threat

Trying to secure your network or infrastructure is tricky business. Blocking bad guys from known malicious IPs (or from geographies that have no business doing business with you) should not be that difficult. Just remember to be strategic in all aspects of your decision-making, from identifying goals, to filter setting, to partnering with the right vendor. When you set yourself up to easily block unwanted IPs, it frees you up to more proactively deal with other threats that are undoubtedly endangering your business.

Chris Hinkley is a Senior Security Engineer at Armor where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with Armor (previously FireHost) since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.