IP reputation is a nice feature to have if you want to add more security to your websites. It is a collection of IPs grouped into categories like web attacks, botnets, spam etc., which you can use to block access from. You can find multiple companies on the internet that offer this type of service. In the case of the NetScalers, they use the WebRoot (BrightCloud) offering.
https://www.brightcloud.com/
https://citrixready.citrix.com/content/dam/ready/partners/we/webroot/brightcloud-ip-reputation-service/webroot-brightcloud-ip-reputation-solution-overview-citrix-us-brochures.pdf
If you want to manually check an IP against this service you can use: https://www.brightcloud.com/tools/url-ip-lookup.php
The WebRoot categories are: Windows Exploits, Web Attacks, Phishing, Botnets, Denial of Service, Scanners, Proxies, Reputation, Spam Sources, and Mobile Threats.
To be able to use this feature you will need:
- a valid license (Platinum)
- the NetScaler must be able to resolve the DNS name api.bcss.brightcloud.com
- access from the NetScaler (NSIP) to api.bcss.brightcloud.com on port 443
- the Reputation feature enabled
To resolve the DNS name api.bcss.brightcloud.com, you need to have a DNS server configured on the NetScaler and make sure the NetScaler can actually resolve that name. In my case it could not, so I added a SNIP address from the same subnet as the NSIP and it started to work.
The NSIP also needs access on port 443 to whatever IP the name resolves to. As that name points to AWS, the IP changes, so allowing access per IP is not an option.
It is a good practice (a must, really) to have a firewall between the NSIP and the Internet.
And of course the Reputation feature needs to be enabled.
If everything is OK, the Reputation DB will be downloaded after 5 minutes. It is also updated automatically every 5 minutes.
You can see this in the logs: /var/log/iprep.log
Also you should see the local DB file here: /var/nslog/iprep/iprep.db
Using the Reputation feature is pretty easy. In this article I've used it in responder policies. You can also use it in application firewall policies if you want. I've bound the policies globally (applies to all VIPs) at REQ_OVERRIDE. This way they are processed before all other responder policies, even before the responder policies bound on the VIPs. In this case that is exactly what we want: if a bad IP tries to connect to our sites, it gets dropped, with no need to check anything else.
The order in which responder policies are processed is: REQ_OVERRIDE, then the responder policies bound on the VIP, then REQ_DEFAULT. These three bind points make up the policy bank of the responder policies. The first matched responder policy is executed, so only one responder policy per request gets executed. That's why I've bound them to REQ_OVERRIDE.
I've also created a dataset called Whitelist and used it in all policies, in case some IPs end up in the WebRoot database but you still want to allow them.
For logging purposes I've created an audit message for each category I've used. For this to work you need to configure syslog actions and policies pointing to your syslog servers, with the logging level you want.
Below you have the Reputation policies (these were tested on version 11.1):
add policy dataset Whitelist ipv4
bind policy dataset Whitelist aa.bb.cc.dd
add audit messageaction log_web_attacks INFORMATIONAL "\"alertType=NS ipReputation Category Web_attacks Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add audit messageaction log_botnets INFORMATIONAL "\"alertType=NS ipReputation Category Botnets Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add audit messageaction log_scanners INFORMATIONAL "\"alertType=NS ipReputation Category Scanners Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add audit messageaction log_dos INFORMATIONAL "\"alertType=NS ipReputation Category Dos Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add audit messageaction log_cloud INFORMATIONAL "\"alertType=NS ipReputation Category Cloud Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add audit messageaction log_network INFORMATIONAL "\"alertType=NS ipReputation Category Network Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add audit messageaction log_reputation INFORMATIONAL "\"alertType=NS ipReputation Category Reputation Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add audit messageaction log_spam INFORMATIONAL "\"alertType=NS ipReputation Category Spam Log - clientIP=\" + CLIENT.IP.SRC + \" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add responder policy pol_web_attacks "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(WEB_ATTACKS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_web_attacks
add responder policy pol_botnets "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(BOTNETS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_botnets
add responder policy pol_scanners "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(SCANNERS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_scanners
add responder policy pol_dos "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(DOS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_dos
add responder policy pol_cloud "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(CLOUD_PROVIDERS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_cloud
add responder policy pol_network "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(NETWORK) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_network
add responder policy pol_reputation "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(REPUTATION) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_reputation
add responder policy pol_spam "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(SPAM_SOURCES) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_spam
bind responder global pol_web_attacks 10 END -type REQ_OVERRIDE
bind responder global pol_botnets 20 END -type REQ_OVERRIDE
bind responder global pol_scanners 30 END -type REQ_OVERRIDE
bind responder global pol_dos 40 END -type REQ_OVERRIDE
bind responder global pol_cloud 50 END -type REQ_OVERRIDE
bind responder global pol_network 60 END -type REQ_OVERRIDE
bind responder global pol_reputation 70 END -type REQ_OVERRIDE
bind responder global pol_spam 80 END -type REQ_OVERRIDE
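Once the audit messages above land on a syslog server, the useful part is reading them back: which categories fire, which clients keep getting dropped, and whether any IP you meant to whitelist is still being dropped (a sign that the Whitelist dataset and the policy expressions disagree). The following Python script is an added example and not part of the original post or of any NetScaler tooling. The syslog header in front of each message is an assumption about the export format; the sample lines are constructed, and the parser keys only on the message text that the log_* message actions build (alertType=NS ipReputation Category ... clientIP=... VIP=... Requested : ...).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (not real NetScaler output). The header in
# front of each message is an assumption; the parser relies only on the
# message text, which is the string built by the log_* audit message actions.
SAMPLE_LOG = """\
03/01/2018:10:15:02 GMT ns01 0-PPE-0 : default RESPONDER Message 1001 0 :  "alertType=NS ipReputation Category Web_attacks Log - clientIP=198.51.100.23 VIP=203.0.113.10 Requested : www.example.com/login.php"
03/01/2018:10:15:07 GMT ns01 0-PPE-0 : default RESPONDER Message 1002 0 :  "alertType=NS ipReputation Category Scanners Log - clientIP=198.51.100.77 VIP=203.0.113.10 Requested : www.example.com/"
03/01/2018:10:15:09 GMT ns01 0-PPE-0 : default RESPONDER Message 1003 0 :  "alertType=NS ipReputation Category Botnets Log - clientIP=192.0.2.5 VIP=203.0.113.11 Requested : shop.example.com/cart"
03/01/2018:10:15:12 GMT ns01 0-PPE-0 : default RESPONDER Message 1004 0 :  "alertType=NS ipReputation Category Web_attacks Log - clientIP=198.51.100.23 VIP=203.0.113.10 Requested : www.example.com/admin"
03/01/2018:10:15:20 GMT ns01 0-PPE-0 : default TCP CONN_TERMINATE 1005 0 : Source 10.0.0.5:51234 - Destination 203.0.113.10:443
"""

# Matches the body of the audit message. Category names are the ones used in
# the message actions (Web_attacks, Botnets, Scanners, Dos, Cloud, ...).
MSG_RE = re.compile(
    r'alertType=NS ipReputation Category (?P<category>\S+) Log - '
    r'clientIP=(?P<client>\S+) VIP=(?P<vip>\S+) Requested : (?P<requested>[^"]*)'
)


def parse_iprep_events(log_text):
    """Return one dict per IP reputation drop found in the syslog text.

    Lines that are not ipReputation audit messages are ignored, and lines
    whose client IP does not parse are skipped instead of trusted.
    """
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        try:
            client = ip_address(m.group("client"))
        except ValueError:
            continue  # malformed address: do not let a bad line poison the stats
        events.append({
            "category": m.group("category"),
            "client": client,
            "vip": m.group("vip"),
            "requested": m.group("requested").strip(),
        })
    return events


def count_by_category(events):
    """Drops per reputation category, to spot a category that fires too often."""
    return Counter(e["category"] for e in events)


def top_clients(events, n=5):
    """Most frequently dropped client IPs as (ip_string, count) pairs."""
    counts = Counter(str(e["client"]) for e in events)
    return counts.most_common(n)


def allowlisted_drops(events, allowlist_cidrs):
    """Client IPs that were dropped although they fall inside an allowlisted range.

    The responder policies exclude members of the Whitelist dataset, so any IP
    returned here means the dataset contents and the allowlist you intended
    disagree (for example an entry that never made it into the dataset).
    """
    nets = [ip_network(c, strict=False) for c in allowlist_cidrs]
    hits = {str(e["client"]) for e in events if any(e["client"] in n for n in nets)}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_iprep_events(SAMPLE_LOG)
    print(f"{len(evs)} reputation drops parsed")
    print("by category:", dict(count_by_category(evs)))
    print("top clients:", top_clients(evs))
    # 192.0.2.0/24 stands in for a range you expected to be in the Whitelist dataset
    print("allowlisted but dropped:", allowlisted_drops(evs, ["192.0.2.0/24"]))
```

Feed it the syslog file your collector writes for the NetScaler; the unrelated TCP line in the sample is there to show that only the reputation messages are picked up. Anything reported by allowlisted_drops is worth checking against `show policy dataset Whitelist` before touching the policies.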
Documentation:
https://docs.citrix.com/en-us/netscaler/12/reputation/ip-reputation.html