--> IP Intelligence is a feature of ASM (Application Security Manager) that blocks HTTP requests from IP addresses that have a bad reputation.
--> Whenever a user connects to a web application behind the F5 ASM, the user's source IP address is compared against the IP addresses in the IP Intelligence database.
--> F5 ASM also checks the IP addresses carried in the X-Forwarded-For (XFF) header against the IP Intelligence database. This only happens when the policy's Trust XFF Header setting is enabled, and it should only be enabled when the header is set by a proxy you control, because a client can otherwise forge the header and put any address in it.
--> F5 ASM uses the Webroot security service to maintain the IP Intelligence database.
--> The IP Intelligence database contains more than 230 million IP addresses with a bad reputation.
--> Each IP address in the IP Intelligence database is placed in one of the following categories:
i) Windows exploits: Active IP addresses offering or distributing malware, shellcode, rootkits, worms, or viruses.
ii) Web attacks: IP addresses that attempt cross-site scripting, iFrame injection, SQL injection, cross-domain injection, or domain password brute force.
iii) Botnets: IP addresses related to botnet command and control channels and infected zombie machines controlled by the botmaster.
iv) Scanners: IP addresses that perform reconnaissance, such as probes, host scans, domain scans, and password brute force.
v) Denial of service: IP addresses involved in DoS, DDoS, anomalous SYN floods, and other anomalous traffic.
vi) Reputation: IP addresses currently known to be infected with malware or to contact malware distribution points.
vii) Phishing: IP addresses hosting phishing sites or other kinds of fraud, such as click fraud or gaming fraud.
viii) Proxy: IP addresses providing proxy and anonymization services, including The Onion Router (TOR) anonymizer addresses.
--> You can block or alarm on all IP Intelligence categories, or only on some of them, depending on your requirements.
--> To use IP Intelligence, the F5 ASM must have Internet connectivity (outbound HTTPS, TCP 443) to download the database and its updates.
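The following is an added example, not code from the page or from F5: a small Python model of the check described above, covering both the X-Forwarded-For handling and the per-category block/alarm choice. The reputation entries, the 10.0.0.0/8 "trusted proxy" range and the per-category actions are constructed assumptions; the real database is Webroot's and lives on the BIG-IP. What it shows is why the XFF lookup is only sound behind a proxy you control: with trust_xff off, a forged header is ignored, and with it on, only entries that are not your own proxies get looked up.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed, illustrative reputation data (RFC 5737 documentation ranges,
# no real reputation). On a BIG-IP the lookup goes against the Webroot
# database that iprepd downloads; this dict only stands in for that.
REPUTATION_DB: Dict[str, Set[str]] = {
    "192.0.2.10": {"Scanners"},
    "198.51.100.7": {"Botnets", "Windows Exploits"},
    "203.0.113.99": {"Proxy"},
}

# Hypothetical per-category policy: block the active-attack categories and
# only alarm on the rest. A category missing here is treated as "allow".
CATEGORY_ACTION: Dict[str, str] = {
    "Windows Exploits": "block",
    "Web Attacks": "block",
    "Botnets": "block",
    "Scanners": "block",
    "Denial of Service": "block",
    "Reputation": "alarm",
    "Phishing": "alarm",
    "Proxy": "alarm",
}

# Assumed address range of our own proxy / load-balancer tier. Addresses in
# it are skipped when they appear in XFF: they are ours, not the client's.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

SEVERITY = {"allow": 0, "alarm": 1, "block": 2}


def is_trusted_proxy(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def candidate_ips(conn_ip: str, xff: Optional[str], trust_xff: bool) -> List[str]:
    """Addresses that get checked against the database.

    The TCP peer address is always checked. X-Forwarded-For entries are
    checked only when trust_xff is set (the equivalent of ASM's Trust XFF
    Header setting). The header is client-supplied, so each entry is
    validated as an IP address and our own proxies are skipped.
    """
    ips = [conn_ip]
    if trust_xff and xff:
        for raw in xff.split(","):
            raw = raw.strip()
            try:
                ipaddress.ip_address(raw)
            except ValueError:
                continue  # junk in a client-controlled header: ignore it
            if raw not in ips and not is_trusted_proxy(raw):
                ips.append(raw)
    return ips


def evaluate(conn_ip: str, xff: Optional[str] = None, trust_xff: bool = False
             ) -> Tuple[str, Dict[str, Set[str]]]:
    """Return (decision, hits): decision is "allow", "alarm" or "block";
    hits maps each matched address to the categories it fell into."""
    decision = "allow"
    hits: Dict[str, Set[str]] = {}
    for ip in candidate_ips(conn_ip, xff, trust_xff):
        cats = REPUTATION_DB.get(ip)
        if not cats:
            continue
        hits[ip] = cats
        for cat in cats:
            action = CATEGORY_ACTION.get(cat, "allow")
            if SEVERITY[action] > SEVERITY[decision]:
                decision = action
    return decision, hits


if __name__ == "__main__":
    # Direct connection from a known scanner.
    print(evaluate("192.0.2.10"))
    # Same client behind our proxy tier: caught only when XFF is trusted.
    print(evaluate("10.1.1.5", "198.51.100.7, 10.1.1.5", trust_xff=True))
    print(evaluate("10.1.1.5", "198.51.100.7, 10.1.1.5", trust_xff=False))
```

The third call is the case to keep in mind when the BIG-IP sits behind another proxy: with the header not trusted, every request arrives from the proxy's address and the reputation check never sees the real client, so it matches nothing. With the header trusted, the same deployment must make sure the proxy overwrites or appends to XFF so that the rightmost untrusted entry really is the peer the proxy saw.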
--> Three main components make up IP Intelligence:
i) The database file, which contains all the IP addresses with a bad reputation.
ii) The iprepd daemon, which polls for database updates every 5 minutes.
iii) The add-on IP Intelligence subscription license.
--> You can check whether the IP Intelligence license is active on the F5 device in two ways:
i) GUI: Navigate to System > License > Active Modules and look for IP Intelligence.
ii) CLI: Run grep trust /config/bigip.license and look for the subscr_trusted_ip entry (shown here as 20181230_subscr_trusted_ip).
--> Once all the requirements are met, navigate to Security > Application Security > IP Addresses > IP Intelligence and enable IP Intelligence.
--> Enable IP Intelligence blocking under the learning and blocking settings (Security > Application Security > Policy Building > Learning and Blocking Settings > IP Address/Geolocations, then enable Learn/Alarm/Block for the "Access from malicious IP address" violation). As with any change to blocking settings, click Apply Policy before expecting it to take effect.
--> You can check IP Intelligence statistics by navigating to Security > Reporting > Application and choosing View By: IP Address Intelligence. To see what the local database says about a particular address, run the iprep_lookup utility from the BIG-IP shell with that address as its argument; it prints the categories the address currently matches.
Reference: F5.com
Md.Kareemoddin
Thanks for your great effort