Network Shield
Network Shield is a Firewall module that allows you to create lists based on the network IP/CIDR, user location (countries), Autonomous System Number (ASN), or use automatic lists maintained and updated by Azion, such as the Azion IP Tor Exit Nodes list.
With Network Shield, you can monitor and block suspicious behavior or apply restrictions, such as access limits.
Network Shield gives you a programmable security perimeter: you configure it once, at the edge, and it is applied to all inbound and outbound traffic.
Advantages of using Azion’s Network Shield:
- Easy to integrate with SIEM and other security tools in your infrastructure using blocklist maintenance APIs.
- Processing on the edge in real time, enabling the origin infrastructure to maintain its level of performance.
- The option to run business rules on the edge.
Implementation
| Scope | Source |
|---|---|
| Create network list | How to create IP, ASN, and geolocation block/allow lists with Network Lists |
| Block Tor addresses | How to block Tor exit node IP addresses |
How Network Shield works
When you activate the Network Shield module in the Main Settings of a Firewall Rule Set, its conditions (criteria) and commands (behaviors) become available in the Rules Engine tab of the edge firewall.
The criteria available with the activation of the Network Shield module are:
- Hostname
- Network
- Request URI
- Scheme
And the behaviors are:
- Deny (403 Forbidden)
- Drop (close without response)
- Set Rate Limit
Network Shield is configured in the Firewall Rules Engine tab. There, you can use the Network criterion to create rules backed by Network Lists, based on the network, the user's location, or the ASN, or use ready-to-use lists that Azion itself keeps up to date. You can also monitor and block suspicious behavior, or apply restrictions, depending on the behavior you choose.
Activate other modules in the edge firewall to get many more combinations of conditions and behaviors in the Rules Engine.
Criteria and behavior logic example using Network Shield and Web Application Firewall:
Criteria: [If] [Network] [matches] [My-Country-BlockList] [and] [Header User Agent] [does not match] [Googlebot]

Behavior: [Then] [Deny (403 Forbidden)]

In this example, requests originating from countries that are on the blocklist will be blocked unless the User-Agent header contains the string “Googlebot”.
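To make the criteria/behavior logic above concrete, here is a small evaluator, written for this page as an added example (it is not Azion's code and does not use the Azion API), that models the three kinds of Network List the page names (IP/CIDR, countries, ASN), ANDs a rule's criteria the way the example does, and returns the behavior. The class names, the `"network"` / `"header:<name>"` criterion encoding, the country codes `XA`/`XB` and the IP ranges are all assumptions constructed for the example; it also adds a Drop rule on an IP/CIDR list and a rate-limit rule on an ASN list, going slightly beyond the single country example in the text.

```python
"""Toy Network Shield-style rule evaluator (added example, not Azion's code)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Request:
    """Client attributes the edge would know. Sample values below are constructed."""
    client_ip: str
    country: str = ""                 # ISO 3166-1 alpha-2 code, as a geolocation lookup would give
    asn: Optional[int] = None         # Autonomous System Number of the client network
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive, so compare them lower-cased.
        return {k.lower(): v for k, v in self.headers.items()}.get(name.lower(), "")


@dataclass
class NetworkList:
    """A named list of IP/CIDR ranges, country codes, or ASNs (the page's three list kinds)."""
    name: str
    kind: str                         # "ip_cidr" | "countries" | "asn"
    entries: List[str] = field(default_factory=list)

    def matches(self, req: Request) -> bool:
        if self.kind == "ip_cidr":
            ip = ipaddress.ip_address(req.client_ip)
            return any(ip in ipaddress.ip_network(e, strict=False) for e in self.entries)
        if self.kind == "countries":
            return req.country.upper() in self.entries
        if self.kind == "asn":
            return req.asn is not None and str(req.asn) in self.entries
        raise ValueError(f"unknown list kind {self.kind!r}")


@dataclass
class Condition:
    variable: str                     # "network" or "header:<header-name>" (assumed encoding)
    operator: str                     # "matches" | "does_not_match"
    value: str                        # a NetworkList name, or a regex for header criteria


@dataclass
class Rule:
    criteria: List[Condition]         # all criteria must hold (AND), as in the page's example
    behavior: str                     # "deny_403" | "drop" | "set_rate_limit"


def condition_holds(cond: Condition, req: Request, lists: Dict[str, NetworkList]) -> bool:
    """Evaluate one criterion against the request."""
    if cond.variable == "network":
        matched = lists[cond.value].matches(req)
    elif cond.variable.startswith("header:"):
        matched = re.search(cond.value, req.header(cond.variable.split(":", 1)[1])) is not None
    else:
        raise ValueError(f"unsupported criterion {cond.variable!r}")
    return matched if cond.operator == "matches" else not matched


def evaluate(rule: Rule, req: Request, lists: Dict[str, NetworkList]) -> str:
    """Return the rule's behavior when every criterion holds, otherwise "allow"."""
    return rule.behavior if all(condition_holds(c, req, lists) for c in rule.criteria) else "allow"


# Constructed sample lists: user-assigned ISO codes and documentation-only IP ranges / ASNs.
SAMPLE_LISTS = {
    "My-Country-BlockList": NetworkList("My-Country-BlockList", "countries", ["XA", "XB"]),
    "Scanner-Ranges": NetworkList("Scanner-Ranges", "ip_cidr", ["192.0.2.0/24", "198.51.100.0/24"]),
    "Noisy-ASNs": NetworkList("Noisy-ASNs", "asn", ["64496"]),
}

# The page's example: block listed countries unless the User-Agent matches Googlebot.
COUNTRY_RULE = Rule(
    [Condition("network", "matches", "My-Country-BlockList"),
     Condition("header:User-Agent", "does_not_match", "Googlebot")],
    "deny_403",
)
# Two further rules using the other list kinds and the other two behaviors.
SCANNER_RULE = Rule([Condition("network", "matches", "Scanner-Ranges")], "drop")
ASN_RULE = Rule([Condition("network", "matches", "Noisy-ASNs")], "set_rate_limit")


def first_behavior(req: Request, rules: List[Rule] = (COUNTRY_RULE, SCANNER_RULE, ASN_RULE)) -> str:
    """Walk the rules in order and return the first non-allow behavior (or "allow")."""
    for rule in rules:
        outcome = evaluate(rule, req, SAMPLE_LISTS)
        if outcome != "allow":
            return outcome
    return "allow"


if __name__ == "__main__":
    for req in (
        Request("203.0.113.10", country="XA", headers={"User-Agent": "Mozilla/5.0"}),
        Request("203.0.113.10", country="XA", headers={"user-agent": "Googlebot/2.1"}),
        Request("192.0.2.77", country="XC"),
        Request("203.0.113.20", country="XC", asn=64496),
    ):
        print(req.client_ip, req.country, "->", first_behavior(req))
```

One design point worth seeing in the second request: the exemption is keyed on the User-Agent header, which is supplied by the client, so a rule like the page's example relaxes the country block for anyone who sends that string. That is the trade-off the example accepts; in practice a rule exempting a crawler is usually combined with a Network List of the crawler's published address ranges rather than the header alone.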
Network Lists
Through Network Lists, you can create, search, or update all Network Lists used in the Firewall Rules Engine. Also, you can maintain your own lists, via Azion Console, through the Network Lists configuration page, or via Azion API, through the Network Lists endpoints.
A single Network List can be associated with more than one edge firewall and rule. Whenever a Network List is updated, the change automatically propagates to every rule associated with that Network List.
Go to Network Lists reference