This section explains IP Reputation service offered as part of Live Security Threat Intelligence. With globally distributed NSX Advanced Load Balancer Controller clusters and with an ever changing landscape of insecure IP addresses, it is extremely channeling to maintain a real-time, up-to-date, consistent security posture and be protected from bad IPs. IP Reputation service solves this by providing a real-time feed of updated IP scores to globally distributed NSX Advanced Load Balancer deployments.

Feature Highlights

  • Protection from bad IPs such as Botnets, Phishing, Spam, and many more.

  • Real-time automatic IP Reputation updates.

  • Used as a source for bot detection and classification.

Data Collection and Retention Policy

Data Collection:

No data is collected by and for this service. IP Reputation is pushed only to NSX Advanced Load Balancer Controllers where this service is opted-in (enabled).

Data Collection:

Does not apply to this service.

Note:
  • This service does not store or exchange any customer data.

  • This service has no access to customer infrastructure, inclusing NSX, vCenter, and others.

  • This service does not read or write any configurations on the registered NSX Advanced Load Balancer Controllers.

How to enable this service

This is an 'opt-in' service and is disabled by default.

The steps to opt-in to this service and enable IP Reputation updates are as follows:

  1. Navigate to Administration > Cloud Services.

  2. Click EDIT.

  3. Under Live Security Threat Intelligence select IP Reputation.

  4. Click SAVE.

Note:

You can opt-out of this service at any time and the User-Agent updates will stop.

Service Details

VMware utilizes WebRoot as its IP Reputation database source. IP reputation data is cached every five minutes on NSX Advanced Load Balancer Cloud Services portal. Registered NSX Advanced Load Balancer Controllers where this service is enabled, pull IP Reputation data from NSX Advanced Load Balancer Cloud Services portal. The Controllers immediately update connected Service Engines as part of its configuration update process.

Note:

Frequency of IP Reputation updates: WebRoot publishes a new IP Reputation database every day. Additionally, minor periodic updates (incremental) to the database are published every few minutes.

The database consists of the following two types of files:

The full database file (base file):

It contains both individual IP addresses and subnets. The size of this file is usually in MB.

The incremental file:

This database has a slightly different format and lesser entries than the full database file. It is available in the form of multiple files throughout the day (24 hours). It can contain additions to the base file or updates and removals of the existing entries. The incremental database files contain the individual IP addresses (/32 IP addresses).

Note:

This feature requires additional shared memory on the Service Engine. Refer to Extra Shared Memory in the NSX Advanced Load Balancer Configuration Guide to understand the additional memory requirements and configure the same.

For more details on IP Reputation, see IP Reputation section in WAF guide.

IP Reputation Sync Interval

The IP Reputation sync interval is the frequency at which the NSX Advanced Load Balancer Controllers poll for IP Reputation database updates. The following code shows how sync interval can be modified using NSX Advanced Load Balancer Controller CLI.

[admin:controller]: > configure albservicesconfig
[admin:controller]: albservicesconfig> ip_reputation_config
[admin:controller]: albservicesconfig:ip_reputation_config> ip_reputation_sync_interval 5
[admin:controller]: albservicesconfig:ip_reputation_config> save
[admin:controller]: albservicesconfig> save

The default value for the sync interval is 60 minutes. The value of sync interval can be between 2 and 60 minutes.

Events of Interest

The following events are generated on the NSX Advanced Load Balancer Controller when IP Reputation service is enabled:

  • IP_REPUTATION_DB_SYNC_SUCCESS: IP Reputation update succeeded.

  • IP_REPUTATION_DB_SYNC_FAILURE: IP Reputation update failed.

Impact of Unavailability

During the period that this service is down, new IP Reputation updates are not pushed to enabled NSX Advanced Load Balancer Controllers. Load Balanced applications continue to utilize cached IP Reputation available on NSX Advanced Load Balancer Controllers to protect against bad IPs.