Alert Logic® Threat Manager™ can block network connections and traffic from specific addresses at the firewall. This allows the source of threats to be blocked from customer environments at the perimeter. For blocking to work, some upfront configuration is needed. The configuration, done in the Alert Logic console, must provide the addresses and credentials for the firewalls. When blocks are triggered, they are issued from the Threat Manager appliance in the environment to the configured firewalls.
Blocking can be configured to trigger on threat events or incidents or a combination of both. A block is not permanent. Blocks will last for a user-specified duration and then they will be rolled back. To roll back a block, Threat Manager will issue "no shun" or unblock commands to the firewalls. Threat Manager supports policy-based, automatic blocking, and manual blocking. Policy blocking will automatically issue blocks based on a policy that defines the events or incidents that trigger a block and the duration of blocks. Manual blocking is executed by a user using the Alert Logic console to invoke a block based on a user-selected threat event or incident.
Since threat incidents are detected and raised in the back end, the blocks that result from incidents may take a few minutes before they are sent to the appliance and issued to the firewalls. Threat events are raised on the appliance itself, and therefore blocks based on events will be issued immediately. It is also important to consider whitelisting addresses that should never be blocked. This will prevent certain critical systems from becoming inadvertently blocked. A whitelist can be provided as part of the blocking configuration done in the Alert Logic console.
Note: Threat Manager blocking is currently only supported on Cisco PIX and ASA Firewalls. In addition, Alert Logic is presently considering this feature’s future development and viability.