Network Security Automation Win – block IP threats in seconds

30th December 2020 by Adrian Giacometti

Not so long ago a customer asked me for help on how to block IP addresses on their regional firewalls infrastructure. They needed a solution urgently, since lately there were some severe attacks on other companies in the region, and they didn’t want to be “on the news” too.

Having a network engineer available 7×24 to block IP addresses on all the firewalls is neither time-efficient nor effective. It is simply not realistic to expect him to work at any hour (like midnight) and configure everything in less than an hour without errors, while going back and forth over chat with the rest of the organization in the middle of the crisis.

I always keep in mind one of the biggest take-aways I had from the Networking in Public Cloud Deployments webinar from ipspace.net.

It goes something like this (in my head): “Automate making my knowledge available to others who are NOT network engineers or even IT people, and if I can make that knowledge available on-demand, well.. that is a killer!” (huge win).

On the other hand, I like to use chatbots because I think they are the simplest way to give a face to automation and, in the end, make my knowledge available on-demand. Check this post.

As a big plus, you have collaboration and searchable message history, which I like to see as a kind of knowledge base. Check this post.

You don’t need a huge platform, contracts, tech guys, customizations, web servers, databases, screens, GUIs, etc. It’s just one VM with free software all around, and a secure chat to interact with others, or with bots in this case.

So, let’s go back to the main topic and solve this for good: automated, on-demand, and very fast (in just a couple of minutes).

Luckily the infrastructure was already standardized on Cisco devices: traditional ASAs and some Firepower devices managed by an FMC.

Since we were already doing network automation integrated with Slack chatbots (check this post with the architecture), this was relatively easy to accomplish: just develop a new chatbot command. It took me a couple of days to capture 80% of the infrastructure with Ansible, and some extra time to work with a public API to the FMC (thanks to daxm for the fmcapi).

In the end, any network or security support engineer can block an IP across the whole infrastructure (almost 30 firewalls) in literally 2 minutes. And, since it’s a Slack chatbot, they can do it anytime, from anywhere, with just a cell phone.

You might be thinking “isn’t that dangerous?” Yes, but command authorization and CIDR checks are included, so not everybody can block any IP.

Let’s go step by step on what is needed:

1.- Create a standard network object group named “blacklist”. The IP addresses to be blocked will be added to and removed from that group.

2.- One time only, create the ACL on the firewalls that blocks any IP which is in this “blacklist” group.

3.- To add an IP/CIDR to be blocked on traditional ASA devices, I used this Ansible playbook together with some Python scripts to parse the information.

4.- For Firepower devices I used fmcapi, so in this case I developed this Python script to do it.

5.- Add all kinds of controls to both points 3 and 4: for example, valid IP and CIDR, do not block internal IP/CIDRs, execution errors, active/passive cluster check, IP/CIDR already in the group and, of course, a final check that the outcome is what it is meant to be.

6.- You write the IP/CIDR to block in the Slack chat; the bot reads, validates and executes the request, and posts the output back to Slack.

7.- Everything is wrapped up in a daemon written in Python. Base code here.
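The validation side of steps 1, 2, 3 and 5 (and the command authorization mentioned above) is where most of the safety lives, so here is an added example of how those checks can be put together for the ASA path. This is not the author's playbook, scripts or daemon; it is illustration code written for this post. The protected internal ranges, the Slack user ids in the authorization table, the ACL name OUTSIDE_IN and the sample `show running-config object-group` output are all constructed assumptions. The ASA CLI syntax for the object group and ACL is the standard one.

```python
import ipaddress
import re
from typing import Dict, List, Set, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

GROUP = "blacklist"

# Constructed policy: ranges that must never be blocked (assumption: the customer's
# internal space is RFC 1918, plus a documentation prefix standing in for a DMZ).
PROTECTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]

# Constructed command-authorization table: Slack user id -> commands allowed.
AUTHORIZED: Dict[str, Set[str]] = {
    "U0SECOPS1": {"block", "unblock"},
    "U0HELPDESK": {"block"},
}

# Step 2, pushed once per firewall: the ACL that denies anything in the group.
# The ACL name is an assumption; the object-group reference syntax is standard ASA.
ONE_TIME_ACL = [
    f"access-list OUTSIDE_IN extended deny ip object-group {GROUP} any",
    f"access-list OUTSIDE_IN extended deny ip any object-group {GROUP}",
]

MEMBER_RE = re.compile(r"^\s*network-object\s+(?:host\s+(\S+)|(\S+)\s+(\S+))\s*$")


def is_authorized(user_id: str, command: str) -> bool:
    """Command authorization: only listed users may run a given command."""
    return command in AUTHORIZED.get(user_id, set())


def validate_target(text: str) -> Net:
    """Parse the requested IP/CIDR and refuse anything that must not be blocked."""
    try:
        net = ipaddress.ip_network(text.strip(), strict=False)
    except ValueError as exc:
        raise ValueError(f"not a valid IP/CIDR: {text!r}") from exc
    if net.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    if net.prefixlen < 24:
        raise ValueError(f"{net} is too wide; refusing to block more than a /24")
    if any(net.overlaps(p) for p in PROTECTED_NETS):
        raise ValueError(f"{net} overlaps a protected internal range")
    return net


def network_object_line(net: Net) -> str:
    """ASA member syntax: single hosts use 'host', subnets use address + mask."""
    if net.prefixlen == 32:
        return f"network-object host {net.network_address}"
    return f"network-object {net.network_address} {net.netmask}"


def build_asa_commands(net: Net, remove: bool = False) -> List[str]:
    """Config lines to add (or remove) one member of the blacklist group."""
    member = network_object_line(net)
    if remove:
        member = "no " + member
    return [f"object-group network {GROUP}", f" {member}"]


def parse_object_group(show_output: str) -> Set[Net]:
    """Extract the members of the blacklist group from 'show run object-group' text."""
    members: Set[Net] = set()
    in_group = False
    for raw in show_output.splitlines():
        line = raw.rstrip()
        if line.startswith("object-group "):
            in_group = line == f"object-group network {GROUP}"
            continue
        if not in_group:
            continue
        match = MEMBER_RE.match(line)
        if not match:
            continue  # descriptions, nested object references, etc. are ignored
        host, addr, mask = match.groups()
        if host:
            members.add(ipaddress.ip_network(f"{host}/32"))
        else:
            members.add(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return members


def plan_block(user_id: str, text: str, current_config: str) -> dict:
    """Run every pre-check for one chat request; return the commands to push or the reason not to."""
    if not is_authorized(user_id, "block"):
        return {"ok": False, "reason": f"{user_id} is not authorized to run 'block'"}
    try:
        net = validate_target(text)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    if any(net.subnet_of(member) for member in parse_object_group(current_config)):
        return {"ok": False, "reason": f"{net} is already covered by {GROUP}"}
    return {"ok": True, "target": str(net), "commands": build_asa_commands(net)}


def verify_blocked(net: Net, config_after: str) -> bool:
    """Final check: re-read the group after the push and confirm the target is covered."""
    return any(net.subnet_of(member) for member in parse_object_group(config_after))


# Constructed sample of the group as it would appear on a firewall before the push.
CONSTRUCTED_SHOW_BEFORE = """\
object-group network blacklist
 network-object host 203.0.113.5
 network-object 198.18.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for user, req in [("U0HELPDESK", "203.0.113.77"), ("U0HELPDESK", "10.1.2.3"),
                      ("U0GUEST", "203.0.113.9"), ("U0SECOPS1", "198.18.0.44")]:
        print(user, req, plan_block(user, req, CONSTRUCTED_SHOW_BEFORE))
```

In the real flow the daemon would send the returned commands to each ASA (through the Ansible playbook), then fetch the group again and call `verify_blocked` before posting the result back to Slack; the "already covered" check also stops a request from being replayed against thirty firewalls when only one of them is out of sync.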

Now we are working on integrating this functionality with Splunk Phantom (a security automation and orchestration platform). That way it will be even more automated: when the platform detects a new threat in your infrastructure, or an alert is pushed from outside, it will automatically trigger the block-IP command, in this case not through the chatbot but via a direct API call to the bot daemon.

Hope you enjoyed it, until next time

Adrián.-


2 Comments

  1. Alan says:
    22nd February 2021 at 10:59 am

    Awesome, creativity at its best, automation truly opens a lot of doors

    1. Adrian Giacometti says:
      25th February 2021 at 2:14 am

      Thanks Alan! yes indeed, that is what amazes me.
      Adding some creativity you can mix as many components as you want and get a mixed report or execute some commands in just seconds.
      Stay tuned for my next post on Security Automation! I’m on it 🙂
