Has anybody been successful in importing IP Watchlist(s) for pro-active blocking on known malicious IPs? I am considering using the NSP API to create FW objects, but fear I will hit a limit, as there are hundreds of IPs on the watchlist(s). I'm hoping somebody has come up with a better solution or can confirm the API is my only path.
So I can tell you from experience supporting this product that using it as a Firewall Solution is a bad idea. Because this product was not designed as a firewall you will run into limitations very quickly. If you have a list of malicious IPs to be blocked from accessing your network I would recommend doing it on your Firewall not the NSP.
Depending on what sensors you have the limitations are as follows:

- M-8000: 10,000
- M-6050: 5,000
- M-4050/3050: 3,000
- M-2950/2850/2750: 2,000
- M-1450/1250: 1,000
As you can see the limits are not large. Keep in mind that each FW Rule will also impact scanning and other resources.
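The check the original question is really asking for, as an added example (my code, not the poster's and not McAfee's): before anyone pushes a watchlist into NSP firewall objects, collapse it into the fewest CIDR rules it can be expressed as and compare that count against the per-sensor rule limits quoted in the answer above. It deliberately does not call the NSP API; the watchlist lines are constructed sample data, and the sensor limit table is copied from the answer.

```python
import ipaddress

# Per-sensor firewall rule limits, as listed in the answer above.
SENSOR_RULE_LIMITS = {
    "M-8000": 10_000,
    "M-6050": 5_000,
    "M-4050": 3_000, "M-3050": 3_000,
    "M-2950": 2_000, "M-2850": 2_000, "M-2750": 2_000,
    "M-1450": 1_000, "M-1250": 1_000,
}

# Constructed sample watchlist (documentation ranges only), one entry per line.
SAMPLE_WATCHLIST = """
# constructed feed: hosts already covered by a wider block, and an adjacent run
198.51.100.1
198.51.100.2
198.51.100.0/24
203.0.113.8
203.0.113.9
203.0.113.10
203.0.113.11
2001:db8::1
not-an-ip   # malformed entry, should be skipped
""".splitlines()


def parse_watchlist(lines):
    """Turn watchlist lines (IP or CIDR, '#' comments, blanks) into network objects.

    Malformed entries are skipped rather than aborting the whole import, which is
    what you want when the feed is scraped from several sources.
    """
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue
    return nets


def consolidate(nets):
    """Collapse duplicate, subsumed and adjacent networks into the minimal rule set.

    collapse_addresses() refuses mixed IPv4/IPv6 input, so the families are
    collapsed separately and concatenated.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def check_fit(rule_count, sensor, existing_rules=0):
    """Report whether rule_count new rules fit a sensor's limit given rules already in use."""
    limit = SENSOR_RULE_LIMITS[sensor]
    headroom = limit - existing_rules - rule_count
    return {
        "sensor": sensor,
        "limit": limit,
        "needed": rule_count,
        "fits": headroom >= 0,
        "headroom": headroom,
    }


def plan_import(lines, sensor, existing_rules=0):
    """Parse, consolidate and size-check a watchlist for one sensor model."""
    raw = parse_watchlist(lines)
    rules = consolidate(raw)
    report = check_fit(len(rules), sensor, existing_rules)
    report["raw_entries"] = len(raw)
    report["rules"] = [str(r) for r in rules]
    return report


if __name__ == "__main__":
    for model in ("M-1250", "M-8000"):
        r = plan_import(SAMPLE_WATCHLIST, model, existing_rules=50)
        print(f"{model}: {r['raw_entries']} entries -> {r['needed']} rules, "
              f"fits={r['fits']}, headroom={r['headroom']}")
        print("  rules:", ", ".join(r["rules"]))
```

Even with consolidation the count only shrinks as far as the feed's address structure allows, so when the consolidated rule count is near the headroom of your smallest sensor this script tells you that before the API does, and the numbers in the report are the ones to take to the firewall team that the answer above recommends doing this on.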
Maintaining lists of "malicious" IP addresses is a losing battle, especially through anything manual. I'd strongly recommend the use of McAfee GTI wherever possible in the environment instead, and using similar threat intelligence feeds in other products, such as your firewalls. Those lists are dynamically updated (both as known-malicious, and also reverting to known-good) much better than you can hope to do by yourself. For NSP, you're better off using the country geo-location blocking instead when it comes to the firewall policies.
Further, IP addresses as lists of IOCs are more useful for hunting, than as a general defense. There's a reason they are low on the Pyramid of Pain.
-- Mark Boltz-Robinson, CISSP, CISA Sr. DFIR Consultant
Foundstone Consulting Services McAfee LLC
Do you have an emergency? North America/LATAM – E-mail: Hacked911@mcafee.com Phone: +1 866 212 5589 EMEA – E-mail: Hacked999@mcafee.com Phone: +44 1753 217499