Putting IP Addresses on Blacklists or Whitelists

Add an IP address to a blacklist to automatically generate an alert when the IP address is detected, or add an IP address to a whitelist to suppress alerts when it is detected.

Oracle CASB Cloud Service ingests information about suspicious IP addresses from external threat feeds. These are listed in the Configuration section of the console, Manage IP Addresses page. In addition to discovering suspicious IP addresses from third parties, Oracle CASB Cloud Service can monitor for specific IP addresses and address ranges, and either whitelist or blacklist them.

  • Blacklisting: Oracle CASB Cloud Service creates threat alerts when it detects access from these IP addresses or address ranges.

  • Whitelisting: Oracle CASB Cloud Service never creates threat alerts when it detects one of these IP addresses or address ranges.

You can apply blacklisting and whitelisting universally or restrict it to particular application instances.

Exceptions to this functionality:

  • Office 365. You currently can't whitelist IP addresses that access Office 365 Exchange.

You can also designate trusted IP addresses and users that are to be excluded from consideration by the threat engine and user behavior analytics. For this functionality, you provide the information about the trusted entities directly to Oracle CASB Cloud Service.

Note:

You can control automatic whitelisting of trusted network addresses by selecting or deselecting the Allow Oracle CASB to automatically whitelist trusted network addresses check box, which is located above the Blacklist and Whitelist tabs.

If the Allow Oracle CASB to automatically whitelist trusted network addresses check box is selected, trusted network addresses are automatically whitelisted. A "trusted network address" meets the example criteria below:
  • The IP address is not associated with any Tor network, botnet command and control server, or terrorist organization or state sponsor of terrorism as defined by the United States Department of State.

  • The top-level domain linked to an IP address and/or CIDR block is owned by or leased from a known cloud services or infrastructure provider (for example, AWS, Office 365, or Oracle Cloud Infrastructure).

  • The networking address is owned or leased by your organization.

  • The entry and exit ASN (autonomous system number) in the traceroute are owned by a reputable company.

  1. Select Configuration, Manage IP addresses from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.
  2. Select the tab for the action you want to take:
    • Blacklist: to blacklist IP addresses. If a user or web service accesses a monitored application from this address, Oracle CASB Cloud Service generates a threat and updates the Access Map in the Dashboard with a red pin.

    • Whitelist: to whitelist IP addresses. If a user or web service accesses a monitored application from this address, Oracle CASB Cloud Service classifies this as a normal access.

  3. Click Add IP Address.
  4. From the Address format list, select any of the following:
    • IPV4: provide an IP address in the IPv4 format in the corresponding field.

    • IPV4 CIDR: provide an IP address in the IPv4 CIDR format in the corresponding field.

    • IPV4 Range: provide a range of IPv4 addresses in the corresponding fields.

    • IPV6: provide an IP address in the IPv6 format in the corresponding field.

      Note:

      Compact formats are not accepted for IPv6 addresses.
    • IPV6 CIDR: provide an IP address in the IPv6 CIDR format in the corresponding field.

      Note:

      You can also specify IPv6 CIDR addresses in the compact format.
    • IPV6 Range: provide a range of IPv6 addresses in the corresponding fields.

      Note:

      Compact formats are not accepted for IPv6 addresses.

    Note:

    For IPv6 CIDR addresses, IP address combinations starting with "fe" (for example, fexx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/<subnet>) with a subnet in the range 0 - 8 are not accepted.
  5. Enter a description (for example, what's being blacklisted and why).
  6. Select the cloud applications and instances that these IP addresses apply to.

    In general, whitelists should be restricted to particular instances because Oracle CASB Cloud Service will flag access attempts from all IP addresses outside of the whitelist.

  7. Click Save.
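
The address-format rules in step 4 can be checked before entries are typed into the console. The following Python pre-check is an added example, not Oracle code: `validate_entry` and its helpers are hypothetical names, "compact format" is assumed to mean the `::` shorthand, "starting with fe" is assumed to mean a first address byte of 0xfe, and the start-before-end check on ranges is an extra sanity check that the page does not state.

```python
import ipaddress
import re

# Assumption: "compact format" means the "::" zero-compression shorthand, so a
# non-compact IPv6 address is eight colon-separated hexadecimal groups.
FULL_IPV6 = re.compile(r"[0-9A-Fa-f]{1,4}(:[0-9A-Fa-f]{1,4}){7}")


def _addr(text, version):
    """Single address: right family, and no compact form for IPv6."""
    ip = ipaddress.ip_address(text)
    if ip.version != version:
        raise ValueError(f"{text} is not an IPv{version} address")
    if version == 6 and not FULL_IPV6.fullmatch(text):
        raise ValueError(f"{text}: compact IPv6 format is not accepted here")
    return ip


def _cidr(text, version):
    """CIDR block: compact IPv6 is allowed, but fe.. with subnet 0-8 is not."""
    addr, _, prefix = text.partition("/")
    ip = ipaddress.ip_address(addr)
    if ip.version != version:
        raise ValueError(f"{addr} is not an IPv{version} address")
    if not re.fullmatch(r"[0-9]{1,3}", prefix) or int(prefix) > ip.max_prefixlen:
        raise ValueError(f"{text}: missing or invalid prefix length")
    # Assumption: "starting with fe" is read as a first address byte of 0xfe.
    if version == 6 and ip.packed[0] == 0xFE and int(prefix) <= 8:
        raise ValueError(f"{text}: fe.. blocks with subnet 0-8 are not accepted")
    return ip


def _range(start, end, version):
    """Range: both ends valid; start <= end is an added sanity check."""
    if _addr(start, version) > _addr(end, version):
        raise ValueError(f"range start {start} is above range end {end}")


# Keys are the names shown in the console's Address format list.
FORMATS = {
    "IPV4": (_addr, 4), "IPV4 CIDR": (_cidr, 4), "IPV4 Range": (_range, 4),
    "IPV6": (_addr, 6), "IPV6 CIDR": (_cidr, 6), "IPV6 Range": (_range, 6),
}


def validate_entry(fmt, *values):
    """Return None when the entry passes, otherwise the reason it fails."""
    check, version = FORMATS[fmt]
    try:
        check(*(v.strip() for v in values), version)
    except (ValueError, TypeError) as exc:
        return str(exc)
    return None
```

Call `validate_entry` with the address format and one value, or two values for a range; the addresses used to try it out should come from the documentation ranges (for example 203.0.113.0/24 or 2001:db8::/32) rather than live networks.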

You can search for IP addresses that you’ve added to your whitelist or blacklist:

  1. Select Configuration, Manage IP addresses from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon to display it.

  2. Select the tab in which you want to search for IP addresses.

  3. Click the Search icon and enter text to search for.

    Note:

    Text can appear in any field in the IP address record.