How to block IP addresses using ManageEngine Log360
On this page:
- What is an IP address?
- Why should you block an IP address?
- How to block an IP address
- Blocking IP addresses on a router
- Blocking IP addresses via a firewall
- Blocking IP addresses on Windows
- How ManageEngine Log360 blocks malicious IP addresses
What is an IP address?
Every device on a network, including mobile devices, laptops, and servers, has a unique identifier called an Internet Protocol (IP) address. They are essential for network communication, providing a way to identify and locate devices on the internet and other networks. IP addresses come in two versions—IPv4 and IPv6—and can be public or private depending on their use.
Types of IP addresses
- IPv4: This is the fourth version of the IP that uses 32-bit addresses. It can accommodate a maximum of around 4.3 billion unique addresses.
- IPv6: This is the sixth version of the IP, designed to replace IPv4. Because the expansion of the internet outgrew the IPv4 address range, IPv6 uses 128-bit addresses, accommodating a far larger number of unique addresses.
- Public IP: An IP assigned to a device directly connected to the internet.
- Private IP: An IP assigned to a device in a private network, such as an enterprise network.
Why should you block an IP address?
In an office network, blocking an IP address can be useful to prevent unwanted access to a device. It's often used to enhance the security posture of a network because it prevents:
- Malicious activity: If an IP address is associated with spam, hacking attempts, or other malicious behavior, blocking it will help you prevent malicious access to your network and defend it from further attacks.
- Unauthorized access: If you notice suspicious activity coming from an IP address, blocking it will prevent unauthorized access to your network and sensitive data.
- DDoS attacks: Distributed denial-of-service (DDoS) attacks can overwhelm a device or network with traffic. Blocking the IP addresses associated with the attack can help in immediate remediation.
- Excessive resource consumption: If an IP address is consuming excessive bandwidth or system resources, blocking it can improve the performance of your network or device.
Blocking an IP address can sometimes have unintended consequences. For example, it might block legitimate traffic from reaching your network. If you're unsure whether to block an IP address, it's recommended to consult with a network security expert or refer to your router's documentation. You can also check the legitimacy of the IP address through threat intelligence platforms before blocking it.
How to block an IP address
An IP address can be blocked in different ways. Before you proceed with blocking an IP address, you need to identify the correct IP address or range of IP addresses that you want to block. To do this:
- Check your router's logs or firewall settings to see the IP address that's causing the issue.
- If you're using a network monitoring tool, it might help you identify malicious or troublesome IP addresses. You can then integrate your network monitoring tool with a security solution, such as a SIEM solution, to automate the blocking of malicious IP addresses.
The exact steps to block an IP address may vary depending on the device and your network configuration. Some of the common methods are elaborated on below.
Blocking an IP address on a router
Before you proceed with these steps, ensure you have the appropriate privileges to perform this action.
- Access your router's web interface using your router's IP address and login credentials.
- Look for settings labeled firewall, security, or access controls.
- Look for options like "internet filtering" and enter the IP address you want to block.
- Save and test your settings.
Blocking an IP address via a firewall
Firewall devices operate based on rules that regulate incoming traffic. These rules, typically configured through a console interface, determine whether traffic is allowed or denied access to your network. By default, firewalls often permit all traffic, requiring explicit rules to block specific IP addresses. The exact steps for configuring firewall rules can vary depending on the vendor but generally include the following:
- Log in to your firewall's console using admin credentials.
- Look for options relevant to IP filtering.
- Click the Add or Create new rule button.
- Configure the rule as per your requirements.
- Select the deny or block option to indicate that you want to prevent traffic from the specified IP address.
- Enter the IP address or range of IP addresses you want to block.
- Specify the destination network or device, if necessary.
- Choose the protocol (e.g., TCP, UDP, ICMP) that you want to block.
- If applicable, specify the port number associated with the traffic.
- Save the rule and test it.
Best practices
Here are some tips to help you configure firewall blocking rules effectively:
- Rule order: The order of firewall rules can often affect how they are applied on traffic. Placing the blocking rule higher in the list ensures it takes precedence.
- Usage of wildcard characters: To block a range of IP addresses, you can use wildcard characters. Example: To block all the IP addresses in the 192.168.1.0 network, you could use 192.168.1.*. Note that many firewalls expect CIDR notation instead, in which case the equivalent is 192.168.1.0/24.
- Enable logging: To monitor the effectiveness of your rule and to identify any unintended consequences, enable firewall logging and configure it for analysis in a log management or SIEM solution.
- Temporary blocks: If you need to block an IP address only for a certain time, consider creating a rule with an expiration time.
Steps to block an IP address on a Cisco firewall
- Access the firewall's web interface.
- Navigate to the Access Control Lists section.
- Create a new ACL and add a deny rule specifying the IP address to block.
- Apply the ACL to the relevant interface.
Remember to test your blocking rule to ensure it's working as expected and that it's not blocking legitimate traffic.
Blocking IP addresses on Windows
Windows Defender Firewall, the host-based firewall built into Windows, can be used to block IP addresses on any version of Windows.
- Open the Control Panel by clicking the Start button.
- Click System and Security > Windows Firewall.
- Click Advanced settings.
- Click the Outbound Rules tab.
- Click New Rule and select Custom Rule for the rule type.
- Click This program > Browse and select the program or service associated with the IP address you want to block. If you don't know the program, leave it blank.
- Select the appropriate protocol (e.g., TCP, UDP).
- Specify the ports associated with the IP address. If you don't know the ports, leave them blank.
- Select Remote IP addresses and enter the IP address you want to block.
- Select Block the connection.
- Select the profiles (e.g., Domain, Private, Public) where the rule should apply.
- Give the rule a descriptive name and click Finish to create the rule.
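The same block rule created from PowerShell instead of the wizard, as an added example that is not part of the original page. It goes a little beyond the steps above: it creates an inbound rule alongside the outbound one and enables logging of dropped packets so the rule's effect can be reviewed in a log management or SIEM solution. The address 203.0.113.45 (from the documentation range), the rule name and the port are constructed placeholders; the cmdlets and parameters are the standard NetSecurity module ones.

```powershell
# Added example (not from the original page). Requires an elevated PowerShell session.
# Accepts a single IP, a CIDR block (192.168.1.0/24) or a range (192.168.1.1-192.168.1.50).
function Block-RemoteIPAddress {
    param(
        [Parameter(Mandatory)] [string[]] $RemoteAddress,
        [string]   $RuleName   = "Block malicious IP",
        [string]   $Protocol   = "Any",    # TCP or UDP; "Any" when the protocol is unknown
        [string]   $RemotePort = "Any",    # ports only apply with TCP/UDP; "Any" = all ports
        [string]   $Program    = "Any",    # full path of a program, or "Any" for all programs
        [string[]] $Profile    = @("Domain", "Private", "Public")
    )

    # Refuse anything whose base address does not parse as IPv4/IPv6 before touching the firewall.
    foreach ($addr in $RemoteAddress) {
        $base = ($addr -split '[/-]')[0]
        if (-not [System.Net.IPAddress]::TryParse($base, [ref]$null)) {
            throw "Not a valid IP address, CIDR block or range: $addr"
        }
    }

    # Windows Firewall applies Block rules ahead of Allow rules, so rule order is not a
    # concern here; one rule per direction covers traffic the host sends and receives.
    foreach ($dir in "Inbound", "Outbound") {
        New-NetFirewallRule -DisplayName "$RuleName ($dir)" `
            -Direction $dir -Action Block -Enabled True `
            -RemoteAddress $RemoteAddress -Protocol $Protocol -RemotePort $RemotePort `
            -Program $Program -Profile $Profile `
            -Description "Blocked after review of firewall logs" | Out-Null
    }
}

# Log dropped packets to the default firewall log for collection by a log management/SIEM tool.
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

# Usage with a constructed placeholder address, then verify the address filter on the new rules.
Block-RemoteIPAddress -RemoteAddress "203.0.113.45" -Protocol TCP -RemotePort 443
Get-NetFirewallRule -DisplayName "Block malicious IP*" | Get-NetFirewallAddressFilter
```

To lift a temporary block later, disable or remove the two rules by display name with Disable-NetFirewallRule or Remove-NetFirewallRule.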
How ManageEngine Log360 blocks malicious IP addresses
Log360, a comprehensive SIEM solution from ManageEngine, offers robust capabilities for detecting, investigating, and mitigating security threats. It also assists organizations in achieving compliance with industry regulations.
Key features that enable Log360 to effectively block malicious IP addresses
- Global threat intelligence database: Get access to a vast database containing over 600 million known malicious sources that includes in-depth information about malicious IP addresses, including reputation scores, threat categories, and geolocation.
- Advanced threat analytics: Leverage additional threat feeds with the Advanced Threat Analytics add-on through integration with real-time threat feeds from industry-leading providers like WebRoot and Constella Intelligence.
- Correlation and analysis: Correlate threat intelligence with network logs, particularly firewall data, to identify malicious interactions.
- Automated playbooks: Use predefined workflows that can be triggered to block malicious IP addresses at the firewall level automatically.
- Incident investigation: Log360's Incident Workbench lets you investigate security incidents, identify infected devices, analyze network communication, and assess the impact of threats. This information aids in developing effective incident response plans.
- Custom threat feed ingestion: Log360 supports the automatic ingestion of custom threat feeds in the industry-standard STIX/TAXII format, allowing for more comprehensive and contextual threat analysis.
- VirusTotal integration: Seamlessly integrate with VirusTotal, a leading threat intelligence platform, to access and analyze threat data. This integration leverages the Bring Your Own Key method for enhanced security and flexibility.
By leveraging these features, Log360 empowers organizations to block malicious IP addresses from interacting with the network and respond swiftly to security threats.