IP Protection

Bad actors can repeatedly browse your web applications to perform malicious activities. By leveraging the IP Protection capabilities of Trend Micro Cloud One - Application Security, malicious IP addresses can be blocked, which stops those hosts from browsing your web applications.

IP Protection algorithms

IP Protection allows you to configure policies that define the specific actions to be taken for given IP addresses. Three algorithms can be enabled as part of the policy:

  • IP Filtering: The IP Filtering algorithm blocks the specified IP addresses. Both individual IP addresses and subnets can be configured in the IP Filtering rules. When a request issued from a blocked IP address or subnet attempts to connect to the application, Application Security applies the mitigation configured as part of the rule (block or serve a CAPTCHA).
  • IP Feeds: The IP Feeds algorithm mitigates (blocks or serves a CAPTCHA) requests whose source IP address is a known Tor Exit node IP address. When the algorithm is enabled, the list of IP addresses to mitigate is augmented with a list of known Tor Exit node IP addresses.
  • Trusted IPs: The Trusted IPs algorithm allows the specified IP addresses. Both individual IP addresses and subnets can be configured in the Trusted IPs rules, and when a request issued from a trusted IP address or network connects to the application, Application Security skips the execution of all security algorithms for that request. The Trusted IPs algorithm can be useful, for example, to allow IP addresses used for Quality Assurance testing, or for nightly scanning of your web applications. By allowing these trusted IP addresses, you avoid generating security alerts during these activities. Because a trusted source bypasses every algorithm, not just IP Protection, keep the trusted list narrow: trusting a subnet extends that bypass to every host in it.

Mitigation Types

By default, IP Protection is disabled. If you enable IP Protection, it can be set to either Report or Mitigate: in Report mode, matching requests raise IP Protection events but are not blocked, which is useful for validating a new rule set against real traffic; in Mitigate mode, the mitigation configured for the matching rule is applied.

There are two mitigation options:

  • Block: When the source host's IP address matches an IP Filtering rule (or the IP Feeds list) whose mitigation type is set to Block, the request is blocked.
  • Captcha: When the source host's IP address matches an IP Filtering rule (or the IP Feeds list) whose mitigation type is set to Captcha, the user is served a CAPTCHA. If the user successfully resolves the CAPTCHA challenge, the user is allowed access to the application. Otherwise, the user is presented with the CAPTCHA challenge page again and cannot access the application.

The mitigation type to apply is configured with each IP address or subnet.

Configure the IP Protection policy

  1. Go to Your Group > Policies > IP Protection and ensure that it is enabled.
  2. Set the state for IP Protection: select either Report or Mitigate.
  3. On the right of the page, select Configure Policy.
  4. The IP Protection Policy Configuration window contains the IP Filtering, IP Feeds and Trusted IPs toggles. To block or allow specific IP addresses and subnets for your application, select the respective toggle switches: IP Filtering for blocking and Trusted IPs for allowing. A toggle turns grey when it is off and blue when it is on.
  5. Under IP Filtering is a list of rules that consist of IP addresses or subnets to block. To block an IP address or subnet, follow these steps:
    a. Select the Add new rule button on the right side.
    b. In the text box "Enter an IP to match", specify the IP address or subnet to block. An IP address is expected to follow the syntax number.number.number.number. A subnet follows the syntax number.number.number.number/length, where length is the prefix length in bits. For example, 10.1.4.0/24 covers the 256 addresses 10.1.4.0 through 10.1.4.255.
    c. Select the Expiration Duration. By default, IP addresses and subnets that are blocked never expire, which means they will remain blocked until they are removed from the rule list. In the case where the rule needs to expire, select the duration.
    d. Select the mitigation type to apply for this IP address or subnet, either Block or Captcha.
  6. Under IP Feeds there is one list, known Tor Exit node IP addresses. Note that in the future, additional sources of known Tor Exit node IP addresses may be available.
    a. Select the mitigation type to apply for the Tor Exit nodes, either Block or Captcha. The same mitigation type applies to all IP addresses from the known Tor Exit nodes list.
  7. Under Trusted IPs is a list of rules that consist of IP addresses or subnets to allow:
    a. Select the Add new rule button on the right side.
    b. In the text box "Enter an IP to match", specify the IP address or subnet to allow. An IP address is expected to follow the syntax number.number.number.number. A subnet follows the syntax number.number.number.number/length. For example, 10.1.4.0/24.
    c. Select the Expiration Duration. By default, IP addresses and subnets that are allowed never expire, which means they will remain allowed until they are removed from the rule list. In the case where the rule needs to expire, select the duration. For a scanner that only runs during a test window, an expiring rule keeps the bypass from outliving the engagement.
  8. Select Save Changes and close the window.
  9. Navigate to your application and use it in the various scenarios that it was designed to handle.
  10. On the Application Security dashboard, check the Events page for IP Protection events. If one has been triggered, see IP Protection events below for the details each event shows.
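The three algorithms described above and the policy built in the steps just listed amount to a small decision procedure per request: is the source trusted, does it match a filter rule or the Tor Exit node list, and is the policy in Report or Mitigate mode. The following Python is an added illustration, not Trend Micro code or the product's implementation. The Rule and IpProtectionPolicy classes, the NOW constant, the sample addresses and the single Tor Exit node entry are all constructed for this example, and the evaluation order (Trusted IPs first, then IP Filtering, then IP Feeds) is an assumption that follows from the page's statement that a trusted source skips all other algorithms.

```python
"""Decision procedure for an IP Protection policy (illustration only).

Added example, not Trend Micro code: Rule and IpProtectionPolicy mirror the
console settings on this page (IP Filtering, IP Feeds, Trusted IPs toggles,
Report/Mitigate state, Block/Captcha mitigation, expiration). The evaluation
order is an assumption and is spelled out in decide().
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

BLOCK, CAPTCHA = "block", "captcha"                    # the two mitigation types
ALLOW, REPORT, TRUSTED = "allow", "report", "trusted"  # other outcomes of decide()


def validate_target(text: str) -> str:
    """Normalize a value typed into "Enter an IP to match".

    Accepts a.b.c.d or a.b.c.d/length. strict=True rejects a subnet whose host
    bits are set (10.1.4.5/24): that usually means a host was typed where a
    network was intended, and silently widening it to /24 would block 256
    addresses the author never listed.
    """
    return str(ip_network(text, strict=True))          # "203.0.113.7" -> "203.0.113.7/32"


@dataclass
class Rule:
    target: str                                    # validated IP or subnet
    mitigation: str = BLOCK                        # Block or Captcha; ignored for Trusted IPs
    expires_at: Optional[datetime] = None          # None = never expires (console default)

    def matches(self, source_ip: str, now: datetime) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return False                           # an expired rule stops matching
        return ip_address(source_ip) in ip_network(self.target)


@dataclass
class IpProtectionPolicy:
    state: str = "mitigate"                        # "report": raise events only; "mitigate": enforce
    ip_filtering: bool = True                      # the three algorithm toggles
    ip_feeds: bool = True
    trusted_ips: bool = True
    filter_rules: list = field(default_factory=list)
    trusted_rules: list = field(default_factory=list)
    tor_exit_nodes: set = field(default_factory=set)   # the IP Feeds list (constructed here)
    tor_mitigation: str = BLOCK                    # one mitigation type for the whole feed

    def decide(self, source_ip: str, now: datetime) -> tuple:
        """Return (outcome, matched_rule) for one request from source_ip.

        Assumed order: Trusted IPs first, because a trusted source skips every
        other algorithm; then IP Filtering; then the IP Feeds list.
        """
        if self.trusted_ips:
            for rule in self.trusted_rules:
                if rule.matches(source_ip, now):
                    return TRUSTED, rule.target    # nothing else runs for this request

        mitigation, matched = None, None
        if self.ip_filtering:
            for rule in self.filter_rules:
                if rule.matches(source_ip, now):
                    mitigation, matched = rule.mitigation, rule.target
                    break
        if mitigation is None and self.ip_feeds and str(ip_address(source_ip)) in self.tor_exit_nodes:
            mitigation, matched = self.tor_mitigation, "tor-exit-nodes"

        if mitigation is None:
            return ALLOW, None
        if self.state == "report":
            return REPORT, matched                 # event is raised, request still goes through
        return mitigation, matched


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)    # constructed "current time"
EARLIER = NOW - timedelta(hours=2)                 # before the expired rule below lapsed


def demo_policy(state: str = "mitigate") -> IpProtectionPolicy:
    """Constructed policy: trust the QA scanner range, block one host, CAPTCHA a
    subnet, block Tor exit nodes, and keep one rule that expired an hour ago."""
    return IpProtectionPolicy(
        state=state,
        filter_rules=[
            Rule(validate_target("203.0.113.7"), BLOCK),
            Rule(validate_target("10.1.4.0/24"), CAPTCHA),
            Rule(validate_target("198.51.100.0/24"), BLOCK, expires_at=NOW - timedelta(hours=1)),
            Rule(validate_target("192.0.2.50"), BLOCK),    # also inside the trusted range
        ],
        trusted_rules=[Rule(validate_target("192.0.2.0/24"))],
        tor_exit_nodes={"198.51.100.9"},                   # constructed feed entry
    )


if __name__ == "__main__":
    for ip in ("192.0.2.50", "203.0.113.7", "10.1.4.77", "198.51.100.9", "198.51.100.200"):
        print(ip, demo_policy().decide(ip, NOW))
    print("198.51.100.200 two hours earlier:", demo_policy().decide("198.51.100.200", EARLIER))
    print("report mode:", demo_policy("report").decide("203.0.113.7", NOW))
```

Two points the walkthrough makes concrete: 192.0.2.50 is allowed even though a Block rule names it, because the trusted /24 wins and no other algorithm runs for that request; and 198.51.100.9 is still mitigated after its filter rule expires, because it also appears in the Tor Exit node feed. The strict parse in validate_target is the check to keep in mind when entering subnets in the console: a /24 with host bits set is an error to correct, not a shorthand to accept.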

IP Protection events

IP Protection events are displayed on the Dashboard in Events or in your respective group's dashboard.

Every event includes the Request Details panel for general information about the event. For more information, see Manage Events.

Under IP Protection Details, the following information is displayed:

  • Source IP: The source IP address
  • Matched Rule: The IP Filtering rule (IP address or subnet) that the source IP address matched and that triggered the event