Network Layer Protection
Azion’s Network Layer Protection allows you to create lists based on the network IP/CIDR, user location or ASN, or use automatic lists maintained and updated by Azion, such as a Tor network address list. With this, you can block, monitor suspicious behavior or apply restrictions, such as: access limit.
It is a programmable security perimeter where you get your network layer protection at the edge from all inbound and outbound traffic.
If you have a SIEM or other security tools in your infrastructure, you can use the Network Lists API to keep your blocklists and allowlists always up to date.
1. How it works
When activating the Network Layer Protection module in Main Settings of a Rule Set in Edge Firewall, the Conditions - Criteria - and behaviors will be enabled in the Rules Engine tab of the Rule Set.
The conditions - Criteria - available with the activation of the Network Layer Protection module are: Hostname, Network, Request URI and Scheme. And the behaviors are: Deny (403 Forbidden), Drop (Close Witout Response) and Set Rate Limit.
Use the Network Criteria to create rules with lists based on the network, user location or ASN, or use ready-to-use lists that are kept up-to-date by Azion itself, such as the outbound addresses of the Tor Network Azion IP Tor Exit Nodes. You can block, monitor suspicious behavior or apply restrictions according to the chosen behavior.
Activate other modules in the Rule Set to get numerous combinations of condition and behavior in the Rules Engine. For example, Network Layer Protection and Web Application Firewall If: Network matches My-Country-BlockList And Header User Agent - Unique criteria of the Web Application Firewall module - does not match Googlebot Then: Deny. In this case requests originating from countries that are on the blocklist will be blocked unless the user-agent header contains “Googlebot”.
The conditions and behaviors available in Edge Firewall depend on the modules you enable in the Rule Set. You will have a greater number of protection combinations if the Web Application Firewall module is also enabled.
2. Network Lists
Through Network Lists, you can create, search, or update the Network Lists used in the Edge Firewall Rules Engine. Add and maintain your own lists in Network Lists via Real-Time Manager or API. A single Network List can be associated with more than one Edge Firewall Rule or Rule Set. Whenever the Network List is updated, it will automatically propagate to all the rules in the associated Network List. To find out more and learn how to use it, check the Network Lists support documentation.
3. Origin Shield
Origin Shield is an Azion Network Layer Protection add-on. You will be able to create a security perimeter for your origin infrastructure, be it a cloud, hosting provider, or even your own data center. With this service, your origin will be able to restrict access only to specific IP addresses of our network and block any other access to your origin.
Our IP list may change frequently, but after updating it, we will only put the new servers into production for those using the Origin Shield add-on 7 days after the list is published. You can also track and trace the changes made to the list through the History of the Real-Time Manager. There, you can find which IP’s have been added or deleted from the list.
Our “quarantine” process allows you to add new addresses one week in advance, that means, whenever a new address is added to the list, it will be on standby for 7 days before being activated, giving you that time to update your firewall rules.
All users of the RTM accounts with the product enabled are notified by their RTM user emails whenever the Origin Shield addresses change.
Origin Shield is available via Real-Time Manager or our API. To learn more and how to use our API, check the documentation on how to Consult Network List data - Origin Shield.
Consult the list of Origin Shield IP’s, following these steps:
- Go to Real-Time Manager, access the Libraries > Network Lists menu.
- Click on Azion IP Origin Shield Network List to see the list;
- The list can be viewed with the View Network Lists permission and the IP’s are in the List field.
4. Support Documentation
Didn’t find what you were looking for? Open a support ticket.