Creating Blocklists of IP Addresses in Edge, using Azion’s Network Layer Protection

Network Layer Protection is a module within Edge Firewall from Azion’s Edge Computing platform. It allows you to create custom Network Lists based on the user’s IP, ASN, and geolocation addresses, or to use automatic lists that are maintained and updated by Azion, such as the Tor network address list.

This allows you to monitor suspicious behavior, create intelligent rules, and apply restrictions on malicious activity by blocking or limiting access and giving protection to your applications’ incoming and outgoing traffic in the network layer on the Edge.

Some of the other advantages of using Azion’s Network Layer Protection are:

Easy to integrate with SIEM and other security tools in your infrastructure using blocklist maintenance APIs.
Processing on the Edge in real-time, enabling the origin infrastructure to maintain its level of performance.
The option to run business rules on the Edge.

How it works

The Network Layer Protection service uses a series of lists maintained by the user themselves or by Azion, which can be updated manually or via an API. When a request reaches an Azion Edge Node, it is assessed and, if it meets the criteria set in the Rule Set for that Edge, the configured lists are queried, thereby filtering out known offenders even before the request reaches the client’s infrastructure.

When activating the module within an Edge Firewall, the Network Criteria and the Deny, Drop and Set Rate Limit Behaviors become available in the Rules Engine settings of the selected Rule Set. This allows the client to define under what conditions the lists will be queried and what behaviors should be executed.

Activating the Network Layer Protection module

To enable the Network Layer Protection module, access Real-Time Manager (RTM), open the Products Menu, and select Edge Firewall. Then, in the Main Settings tab, activate the Network Layer Protection switch.

Once enabled, custom lists need to be created along with the evaluation criteria and behaviors set that will be applied by the Edge Firewall.

Creating a Network List

Path: Real-Time Manager > Edge Libraries > Network Lists

When opening the Network Lists page, all lists created by the user and those items automatically provided by Azion will be displayed, such as Origin Shield.

To create a new one, click the Add button, choose an identifiable name for your list (for example, BlockedIPsList, for a list of known malicious IPs), select the desired Type and complete the list according to the type you have chosen (ASN, Countries or IP / CIDR. For our example, we are using the IP/CIDR option), and then click on Save. The user’s list can be updated anytime, either manually or integrated through an API.

Example of the configuration of an IP/CIDR type list:

456.789.1
456.789.2/32
1.1.0/16

Defining the Execution criteria (Rules Engine)

Path: Real-Time Manager > Edge Firewall > Rules Engine

Create a new Rule Set inside your Edge Firewall or edit an existing one. The rules (or Rules Engines) determine the set of conditions that need to be met for Behaviors to be executed. You can create a new rule to set the validation parameters and the behaviors for this Rule Set to be run by Edge Firewall.

Defining the validation criteria: choose the variables, comparison operators, and strings to create your business rule, as in the following example:

If: Network matches BadBotsList

In order: logical operator, variable, comparison operator, string.

In this case, the rule will run if the IP address of the request is on the list BadBotsList.

Defining Behaviors: add the behaviors you want to be carried out when the rule’s conditions are met. Example:

Then: Drop (Close Without Response)

In order: logical operator, action.

In this example, if the conditions set by the rules are met, then a Drop will be run for the request without sending any return to the sender.

Didn’t find what you were looking for? Open a support ticket.