
Import IP Watchlist(s) to NSP Sensors

Has anybody been successful in importing IP Watchlist(s) for pro-active blocking on known malicious IPs?  I am considering using the NSP API to create FW objects, but fear I will hit a limit, as there are hundreds of IPs on the watchlist(s).  I'm hoping somebody has come up with a better solution or can confirm the API is my only path.

Thanks all

2 Replies
Reliable Contributor
Message 2 of 3

Re: Import IP Watchlist(s) to NSP Sensors

So I can tell you from experience supporting this product that using it as a Firewall Solution is a bad idea. Because this product was not designed as a firewall, you will run into limitations very quickly.  If you have a list of malicious IPs to be blocked from accessing your network, I would recommend doing it on your Firewall, not the NSP.

Depending on what sensors you have, the limitations are as follows:

M-8000: 10,000
M-6050: 5,000
M-4050/3050: 3,000
M-2950/2850/2750: 2,000
M-1450/1250: 1,000

NS-9300/9200/9100: 20,000
NS-7300: 5,000
NS-7200/7100: 3,000
NS-5200/5100: 2,000
NS-3200/3100: 1,000

As you can see the limits are not large. Keep in mind that each FW Rule will also impact scanning and other resources.
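An added example, not part of the original reply and not McAfee code: a pre-flight check that validates a watchlist, deduplicates it, collapses adjacent addresses into CIDR blocks, and compares the resulting entry count with the per-sensor limits quoted above. It assumes those limits count rule entries and that one CIDR block counts as one entry; the `headroom` fraction and the sample addresses are constructed for illustration.

```python
import ipaddress

# Per-sensor limits as quoted in the reply above; the unit is assumed to be rule entries.
SENSOR_LIMITS = {
    "M-8000": 10000, "M-6050": 5000, "M-4050/3050": 3000,
    "M-2950/2850/2750": 2000, "M-1450/1250": 1000,
    "NS-9300/9200/9100": 20000, "NS-7300": 5000, "NS-7200/7100": 3000,
    "NS-5200/5100": 2000, "NS-3200/3100": 1000,
}

# Constructed sample watchlist (documentation address ranges only).
SAMPLE_WATCHLIST = """\
203.0.113.4
203.0.113.5
203.0.113.5      # duplicate
203.0.113.6
203.0.113.7
198.51.100.0/25
198.51.100.128/25
192.0.2.77
2001:db8::1
203.0.113.9/24   # host bits set: probably a typo, do not silently widen
not-an-ip
"""

def normalize_watchlist(text):
    """Return (collapsed_networks, rejected_entries) for a one-entry-per-line watchlist."""
    nets = {4: set(), 6: set()}
    rejected = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=True rejects CIDRs with host bits set instead of widening the block
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append(entry)
            continue
        nets[net.version].add(net)
    collapsed = [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]
    return collapsed, rejected

def fit_report(entry_count, headroom=0.5):
    """Per model: does entry_count fit within headroom * limit? (headroom is an assumption)"""
    return {m: entry_count <= int(lim * headroom) for m, lim in SENSOR_LIMITS.items()}

if __name__ == "__main__":
    networks, rejected = normalize_watchlist(SAMPLE_WATCHLIST)
    print([str(n) for n in networks], rejected)
    print(fit_report(len(networks)))
```

Rejected entries are returned rather than dropped silently, so a malformed feed line is reviewed instead of turning into a broader block than intended.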


Re: Import IP Watchlist(s) to NSP Sensors

Maintaining lists of "malicious" IP addresses is a losing battle, especially through anything manual. I'd strongly recommend the use of McAfee GTI wherever possible in the environment instead, and using similar threat intelligence feeds in other products, such as your firewalls. Those lists are dynamically updated (both as known-malicious, and also reverting to known-good) much better than you can hope to do by yourself. For NSP, you're better off using the country geo-location blocking instead when it comes to the firewall policies.

Further, IP addresses as lists of IOCs are more useful for hunting, than as a general defense. There's a reason they are low on the Pyramid of Pain.

--
Mark Boltz-Robinson, CISSP, CISA
Sr. DFIR Consultant

Foundstone Consulting Services
McAfee LLC

Do you have an emergency?
North America/LATAM – E-mail: Hacked911@mcafee.com Phone: +1 866 212 5589
EMEA – E-mail: Hacked999@mcafee.com Phone : +44 1753 217499