bSecure Shared Objects & Threat Intelligence

A knowledge base article about bSecure Shared Objects & Threat Intelligence provided by the UC Berkeley IT Service Hub - Knowledge Portal

UC Berkeley Information Security and Policy (ISP)

As part of the bSecure project, the Information Security Office (ISO) is making a number of firewall objects available for departments to include in their individual rules. Below is a brief outline of those objects and where they can be used.

Note: This document will be updated as shared objects change.

Address Objects

These are objects that can be used in the source or destination address fields of a security policy to either allow or deny the specified campus IPs or IP ranges access to a protected resource.

Object Name

Description

ucbsec-vuln_scanners

This represents the ISP vulnerability scanners. In creating rules to allow the vulnerability scanners to access systems, this object should be used as the source address of a security policy in an allow rule. When allowing these address blocks, it is best not to attach a Vulnerability Protection Profile, since such a profile could block the scanner's probes and hamper the detection of vulnerabilities.

UCB-networks_no_visitor

This is a grouping of all UC Berkeley network blocks, except the CalVisitor (the open publicly-usable WiFi) subnets.

UCB-airbears2-eduroam

This is a grouping of all network blocks associated with the AirBears/eduroam wireless services.

UCB-calvisitor

This represents the on-campus IP addresses associated with the CalVisitor wireless service. Because people using these addresses most likely do not have an actual affiliation with the campus, this object will most commonly be used in policies denying access to resources the general public should not be able to reach.

UCB-DHCP

This is a grouping of the campus-operated DHCP servers.

UCB-DNS

This is a grouping of both the authoritative and caching DNS servers operated for the entire campus to use.

UCB-EOS-bigfix

This is a grouping of the EOS-operated BigFix patch management servers.

UCB-VPN_All

This is a grouping of all network blocks associated with all of the campus VPN services.

UCB-VPN_restricted

This is a grouping of the network blocks associated with the restricted VPN service only.

threat-AID_list

This is a group of IP addresses that have been seen specifically attacking the campus network in the previous 24 hours.

threat-malicious_IPv4

This list of IPv4 addresses is obtained from outside resources and represents IP addresses that have been detected in the wild performing various forms of malicious activity.

threat-malicious_IPv6

This list of IPv6 addresses is obtained from outside resources and represents IP addresses that have been detected in the wild performing various forms of malicious activity.

Palo Alto Networks - High risk IP addresses

A list of high risk IP addresses as provided by our firewall vendor. “High risk IP addresses, shared IP addresses that have recently been featured in threat activity advisories distributed by high-trust organizations, however Palo Alto Networks does not have direct evidence of maliciousness.”

Palo Alto Networks - Known malicious IP addresses

A list of known malicious IP addresses as provided by our firewall vendor. “Malicious IP addresses that are currently used almost exclusively by malicious actors for malware distribution, command-and-control, or for launching various attacks.”
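The guidance in the address-object table comes down to a few checkable rules: scanner allow rules should not carry a Vulnerability Protection Profile, threat lists belong in deny rules, and, because a firewall evaluates security policy top-down with first match winning, a broad allow placed above a threat-list deny silently shadows it. The following linter is an added example, not code from this KB page or from ISO/ISP; the Rule dataclass is an illustrative model of a policy entry rather than the PAN-OS configuration schema, and the rule names and destination objects ("dept-servers", "dept-web") are constructed for the sample. Only the shared-object names are taken from the page.

```python
"""Lint departmental firewall rules against the shared-object guidance.

Added example, not from the UC Berkeley KB page. The Rule model and the
sample policy are constructed for illustration; only the shared-object
names come from the page.
"""
from dataclasses import dataclass, field

VULN_SCANNERS = "ucbsec-vuln_scanners"
THREAT_ADDRESS_OBJECTS = {
    "threat-AID_list",
    "threat-malicious_IPv4",
    "threat-malicious_IPv6",
    "Palo Alto Networks - High risk IP addresses",
    "Palo Alto Networks - Known malicious IP addresses",
}


@dataclass
class Rule:
    name: str
    source: set             # address objects, or {"any"}
    destination: set        # address objects, or {"any"}
    action: str             # "allow" or "deny"
    profiles: dict = field(default_factory=dict)  # e.g. {"vulnerability": "strict"}


def _overlaps(a, b):
    """Two address-object sets can match the same traffic if either is 'any' or they share an object."""
    return "any" in a or "any" in b or bool(a & b)


def lint_rules(rules):
    """Return [(rule name, finding), ...] in rule order; an empty list means clean.

    Rules are evaluated top-down, first match wins, so an earlier broad allow
    can shadow a later deny built on a threat list.
    """
    findings = []
    broad_allows = []  # earlier allow rules whose source is "any"
    for rule in rules:
        if rule.action == "allow":
            if VULN_SCANNERS in rule.source and "vulnerability" in rule.profiles:
                findings.append((rule.name,
                                 "Vulnerability Protection Profile attached to scanner allow rule; "
                                 "it can block the probes the scanner needs"))
            if rule.source & THREAT_ADDRESS_OBJECTS:
                findings.append((rule.name,
                                 "threat-intelligence object used as the source of an allow rule"))
            if "any" in rule.source:
                broad_allows.append(rule)
        elif rule.action == "deny" and rule.source & THREAT_ADDRESS_OBJECTS:
            for earlier in broad_allows:
                if _overlaps(earlier.destination, rule.destination):
                    findings.append((rule.name,
                                     f"threat deny rule is shadowed by earlier allow rule '{earlier.name}'"))
                    break
    return findings


def sample_rules():
    """Constructed sample policy mixing correct and incorrect uses of the shared objects."""
    return [
        Rule("allow-vuln-scanners", {VULN_SCANNERS}, {"dept-servers"}, "allow",
             {"vulnerability": "strict"}),                                   # wrong: profile hampers scanning
        Rule("deny-malicious-ipv4", {"threat-malicious_IPv4"}, {"any"}, "deny"),  # correct
        Rule("allow-public-web", {"any"}, {"dept-web"}, "allow"),
        Rule("deny-aid-list", {"threat-AID_list"}, {"dept-web"}, "deny"),   # shadowed by allow-public-web
        Rule("deny-calvisitor", {"UCB-calvisitor"}, {"dept-servers"}, "deny"),  # correct
    ]


if __name__ == "__main__":
    for name, finding in lint_rules(sample_rules()):
        print(f"{name}: {finding}")
```

Run against the constructed sample, the linter flags the scanner rule for its attached profile and the AID-list deny for being shadowed; the fix for the latter is to move the threat-list deny above the broad allow, which is the usual placement for these objects.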

URL Objects

These objects are specific URLs that may be distributing malware or are part of phishing campaigns. They can be used either in a “URL Filtering Profile” or as a “URL Category” in a deny policy. Of these two options, a URL Filtering Profile is generally the better choice because the settings can be defined once in a profile that is then applied across all managed systems.

Object Name

Description

ucbsec-URLs

This is a list of URLs that ISP will populate for issues specifically targeting campus users. An example of when these will be used is a phishing campaign to obtain CalNet credentials.

threat-malicious_URLs

This list is obtained from outside resources and represents a group of URLs for malware and phishing campaigns that have been detected in the wild.

Fully Qualified Domain Name Objects

These objects are lists of Fully Qualified Domain Names (FQDNs) that have been seen engaging in malicious activity (distributing malware, phishing campaigns, etc.). These objects are used in “Anti-Spyware Profiles” in the DNS Signatures tab.

Object Name

Description

threat-malicious_FQDN

This list of Fully Qualified Domain Names is obtained from outside resources based on activity that has been detected in the wild.

A Note on the Accuracy of Shared Objects

For address objects that represent various parts of the campus network controlled by NOS or ISP, the objects should be nearly 100% accurate.

For threat objects (including the objects provided by Palo Alto Networks), there is a high level of confidence in the addresses provided; however, there are times when addresses will be added based on network activity that was not malicious but research in nature.

If you feel an address, domain name, or URL is incorrectly included in one of these lists, please notify us by emailing security@berkeley.edu.