Policies and lists
Policies and lists come in two types with specific usages:
- Policies: Are made up of pre-defined IP address ranges grouped into target lists. These lists specify IP addresses based on established hostile intent, geographical area, or threat type. These lists are created and curated by ThreatSTOP’s Security team based on information gathered from the security industry, as well as our own research into various active threats. Default policies can be used to block or allow communication, with various groups, they can also be rolled into User Defined Lists.
- User Defined Lists: Are made up of IP addresses provided by you, the user. Once entered into our system, the actions to take against selected lists are established using the following instructions, those actions being to block communications, allow communications, or to remain neutral (by not adding the list to your policy).
The Policies & Lists screen is comprised of between two tabs for standard accounts:
- Policies: Any policies associated with the account, will be displayed here, and new policies may be added by clicking + Add Policy. Policies themselves are constructed from target lists.
- User-Defined Lists: When you have generated one or more custom lists of IPs they will display in this tab. Custom lists provide a great deal of control over the communications allowed with your internal network. The type of list will determine the action taken against a particular target IP. These lists define IP addresses specific to your needs, and will work in conjunction with ThreatSTOP’s pre-defined lists.
The Create and Edit Policy screens are used to create and maintain custom ThreatSTOP policies. There are two available modes for policy creation, Standard and Expert. Standard mode allows a user to quickly create a ThreatSTOP policy to be used for protection in a firewall configuration. Expert mode allows for the creation of a custom ThreatSTOP policy, but is slightly more complex to setup. This can allow for policies that allow access to slightly more hazardous IP spaces while denying IPs that are known to the System Administrator to be bad.
After creating a policy, you will need to add it to the devices that you want it applied to. We have some predefined policies that may be used as well, which are explained here.
The window itself is comprised of the following fields:
- Policy name: A brief name to apply to the policy. For example “Block0”. Changing this name will require a setup on the devices using the policy.
- Description: A brief description of what the policy is intended to accomplish.
- Standard Mode/Expert Mode switch: On the right side of the header is the switch to change between Standard and Expert modes. Changing this will require you to reselect your policies. It will also reload the pop-up.
- Policy Summary: The right-side of the pop-up houses the Policy Summary box. This box gives a high-level overview of your selected policy, and allows removal of individual selections without requiring that the policy be found in the master list. Summarized information provided includes:
- Num of IP addresses: The total number of IP addresses being blocked by your active policy decisions.
- Number of records: Number of subnets required to block the IP records being blocked or allowed.
- Block Group: Shows any lists of blocked IPs that have been added to the policy being created.
- Allow Group: Shows any lists of allowed IPs that have been added to the policy being created.
- Customer Group: Shows any lists generated by the customer that have been added to the policy being created.
- Block: The Block tab shows available target lists of IPs. Ticking the box next to the list name will add that list to the policy to be generated and used by your instance of ThreatSTOP. These IPs will be denied any communication (to or from) your internal network provided that exceptions are not set in the Allow lists. This effectively hides your network from cybercriminals.
- Allow: The Allow tab lists available target IPs. Ticking the box next to the list name will add that list to the policy to be generated and used by your instance of ThreatSTOP. IPs on this list will be able to receive information from inside your network (allowing “dial homes”) from any malware active in your system. But the IPs in question may not be able to communicate back depending on your Block list settings.
- Devices: Lists any devices that have been setup to use the ThreatSTOP service. For more information on setting up devices see Adding a Device.
Lists come in three types:
- Threat: Threat lists are lists comprised of known malicious IPs.
- Geo: Geo lists block entire Geographical regions, regardless of whether communications from that region have been hostile or friendly.
- User-Defined: Allow or block communications with IP ranges that are defined by the user.
Setting Up a Policy
Policies combine target lists to define the IP addresses that are allowed to connect, both incoming and outgoing, to your network. A Block List prevents incoming connections from reaching your internal network or connections from inside your network to outside servers. While an Allow List pokes holes in your firewall to allow outgoing connections as well as incoming connections. Creating a policy is covered in detail above, and for this guide we will only be setting up a very basic Policy. Custom block and allow lists are covered in User-Defined Lists and should be setup before proceeding through this setup.
To set a Policy:
- Click on the Policies tab towards the top of the window.
- Click on + Add Policy.
- The Create Policy pop-up will appear.
- Enter a name for your new policy in the Policy name field. Type a brief description of your policy in the Description field. This will help you focus on what you are looking to accomplish with your policy. For example, “Block Malware, Botnets, and TOR” could help you remember to tick the boxes under Malware, Botnets, and Anonymous proxies.
- Determine the type of policy that you would prefer. Standard or Expert. Toggle the usage mode appropriately.
- Locate and tick the boxes next to the groups you want to Block from communicating with your network.
- Click on Allow. Then determine if there are any exceptions that you wish to set for the blocked networks on your list, tick the boxes next to them.
- Once you have your firewall policy defined to your liking click Submit.
This will add your policy name to the Policy field in the device setup section (covered in Adding a Device).
User-defined lists are unique IP address groups created by you and are unique to your account.
Block Lists are made up of IP addresses that should not be able to communicate.
An Allow List may be needed for communication with a known limited IP range in an otherwise questionable IP address space. Due to the level of expertise required to establish a proper custom list, further information can be found in Establishing Custom Policies.
To Create a User-Defined List
Creating a User-Defined List happens through the Create List pop-up window. Since this is a relatively advanced process, familiarity with the system is going to be assumed and only the field descriptions will be supplied:
- List Name: A brief descriptive name for the list, this field has a limitation of eight characters. For example: “Block0”.
- Description: A slightly longer description of the goal of this list.
- List Type: The type of list being created. Two possibilities exist: Block, and Allow. Block is selected by default.
- IP/Netmask: This shows the IP and Netmask of any blocked IPs in CIDR format.
- Number of IP Addresses: Shows how many addresses are in the entry.
- Comments: Denotes why an entry was made.
- Actions: Two options will display in this field, Edit and Delete. Clicking edit allows the IP address range comments to be modified. After editing click on the Save icon to commit the changes to the list before clicking Done to save the list.
Additionally two tabs are available under the Add more records: section:
- Individual IP: Individual IP can be used to add a single IP address using the following fields:
- IP/netmask: The range of addresses should be entered here. The field uses standard CIDR format, so the initial IP to block should be entered followed by a / and the subnet mask (in bits) of the range to block after that. For example: 192.168.0.0/24 would mean 192.168.0.0 - 192.168.1.255.
- Comment: Optional comment for the IP being added.
- Multiple IPs: If multiple IP address ranges are to be added, you can save time by entering them in CIDR format here. Followed by a space and any applicable comments.