Sonic wall dynamic block list

Can I set up Sonicwall to use a dynamically generated block list? Rather than go through the web-based configuration tools every time I need to block a new IP address?
tymccoy asked:

Blue Street Tech (Last Knight) commented:
Hi tymccoy,

Which security service are you referring to, CFS (Content Filtering Service)? With web 2.0 and the hyper advent of CDNs, whitelisting is a pain. In general, in SonicWALL you can whitelist by IP/Host, subnet, FQDN, or Network Range. Additionally, with CFS SonicWALL blacklists/whitelists by domain wildcarding by default, so if you put itunes.apple.com in the blacklist, users will still be able to go to apple.com; conversely, if you put apple.com, users will not be allowed to go to any subdomain, including apple.com. Good auto-whitelisting functions are a bit tricky and hard to come by because there are legitimate companies using semi-illegitimate CDNs and vice versa.

Let me know which SonicWALL security service you are referring to and I can give you more details.
tymccoy (Author) commented:
I'm talking about blocking inbound ip addresses. My users aren't trying to crash my servers. Some guy using China-based machines is whacking at us. Adding an IP address to the Sonicwall block list is a manual process, so far as I can tell from Google searches. I want my applications to update a block file whenever they detect bad behavior.
Blue Street Tech (Last Knight) commented:
To answer your question bluntly... No, there is no such specific method or service, per se, that I'm aware of in SonicWALL or any firewall for that matter. However, depending on how you look at it, there are more complete and robust ways to thwart these attacks through re-architecture and Gateway Security Services.

The best way to do this is to start applying DPI (Deep Packet Inspection)/fortifying your firewall. The current methodology is more of a deprecated one and a security reversal; Stateless Packet Inspection or blocking IPs is not inspecting anything within the data being transmitted. Also, in regards to the security reversal, you want to avoid scenarios where you are blacklisting over whitelisting... you should always be implementing whitelisting over blacklisting, meaning you block everything and only allow specifics in. If you don't have CGSS (Comprehensive Gateway Security Suite) then purchase it. Then you can set up IPS (Intrusion Prevention Services), GAV (Gateway Antivirus), GAS (Gateway Anti-spyware), CFS (Content Filtering), Geo-IP filtering (apply to port forwards & block China & others), Botnet Filtering and App Control (Application Control). All of these security functions should be applied on all Zones including the WAN, with the exception of CFS, which should only be applied to interior Zones, e.g. LAN, WLAN, etc.

The method you are using will never work. I can spoof and change IPs all day long. You'll never keep up. I'd also look at your architecture on top of CGSS. I assume you have open ports on your WAN>LAN then? Do you need them open? It is a bad security practice to open ports and have the Source = Any unless you have encryption running on port 443 with authentication with SSL Certificate authentication. Also, you could limit the access of your open ports if they are coming from static networks such as vendors, etc. In general you want to close as many ports on the WAN>LAN side as possible. If it's for your internal web servers like IIS then I'd recommend setting up a RPS (Reverse Proxy Server).

What is the server role you are trying to protect?

Let me know if you have any other questions!
tymccoy (Author) commented:
We need a way to automate updates to the Sonicwall IP Block list. Sonicwall provides a web-based GUI for manually updating that list. We need an approach that enables automation.
tymccoy (Author) commented:
We can identify misbehavior. We can identify misbehaving IP addresses. All we want to do is block the IP address. Should be simple.
If SonicWall used a SQL database, we'd add a record to the database table. If SonicWall used a text .dat file or an XML file, we'd update that file with a new IP address.
What does the SonicWall have that we can update in real time with automation?
Benjamin Van Ditmars commented:
Why not use region-based blocking, and block all traffic from China? We have done this at our firewalls. The reason to do this is simple:
we don't have to be contacted by hosts from China.
Blue Street Tech (Last Knight) commented:
Hi Benjamin,

I already suggested this in my previous comment (https:#a41717838); it's called Geo-IP filtering, and I also provided two better ways of configuring open ports that are secure (limiting the Source IPs & Certificate-based Auth). Even if you limit from China via Geo-IP filtering, which is a good step (if you do not do business with them or indirectly use any of their datacenters via your vendors or others), you are still working on deprecated security principles: Stateless Packet Inspection and blacklisting over whitelisting (meaning you allow everything in and blacklist specific IPs). Both are poor security practices; conversely, the OP should be implementing DPI (Deep Packet Inspection) so that each packet's data is being inspected, and implementing a whitelisting over blacklisting methodology (blocking everything; allowing only specifics in). Otherwise the OP will never win in this game, because inevitably the OP will set themselves up in a reactionary way instead of a proactive way. I can spoof and change IPs all day long and even encrypt my attacks. You'll never keep up and never know what is legitimate traffic and what is nefarious unless you are implementing what I have discussed and, in the encrypted attack, setting up DPI-SSL; but a whitelisting over blacklisting methodology and/or a cert-based auth in the scenarios where you cannot limit the Source IPs will thwart this type of attack.