The threat landscape in OT cybersecurity environments is evolving at an increasing pace. Industrial digitalisation, IT/OT convergence and the need for remote connectivity have significantly expanded the exposure surface of critical infrastructures.
Traditionally, OT networks were designed under principles of strict isolation and segmentation. However, integration with corporate networks, external services, remote suppliers and maintenance platforms has progressively eroded that isolation, broadening the range of attack vectors available to malicious actors.
This new scenario poses a significant technical challenge: maintaining the availability, operational continuity and stability requirements inherent to industrial environments, whilst incorporating defence mechanisms capable of responding to increasingly automated and distributed threats.
Traditional monitoring solutions, based exclusively on detection and alerting, prove insufficient against attacks that can escalate within seconds. The ability to automatically contain a threat before it impacts industrial processes becomes a critical requirement.
In this context, InprOTech Guardian introduces a new Active Blocking capability, designed to detect potentially malicious connectivity and execute immediate containment actions through direct integration with firewall infrastructures from multiple vendors.
This article details the architecture, operation and technical integration of this capability, as well as its application in OT environments that demand high standards of availability and control.
Problem Context
Controlled exposure of OT services to external networks:
The evolution of OT environments has made it necessary to expose certain services in a controlled manner towards external networks or the Internet. VPN access, remote administration services, industrial web portals or third-party integrations require publishing entry points protected by perimeter firewalls.
Although these openings are implemented under segmentation and control criteria, their mere existence introduces a constant flow of unsolicited traffic originating from external public IP addresses.
In practice, any service accessible from the Internet becomes a target for:
- Automated scans.
- Repeated authentication attempts.
- Service enumeration.
- Automated exploitation attempts.
Automated nature of external malicious traffic:
A large proportion of today’s malicious traffic does not correspond to targeted attacks, but rather to automated processes that traverse complete ranges of public IP addresses in search of exposed services.
These activities share common characteristics:
- Origin in globally distributed public IP addresses.
- Constant repetition of connection attempts.
- High frequency within short time windows.
- Use of previously compromised infrastructures.
Although many of these attempts fail to compromise the system, they generate:
- Unnecessary load increase on perimeter devices.
- Operational noise in monitoring systems.
- Cumulative risk if they coincide with unpatched vulnerabilities.
- Resource consumption in manual analysis.
Limitations of manual blocking at the perimeter
When a public IP address exhibiting malicious behaviour is identified, the standard procedure involves:
- Event verification.
- Identification of the source IP.
- Accessing the firewall.
- Manually creating a blocking rule.
- Validating the configuration.
This process presents several limitations:
- Dependency on human intervention.
- Delay between detection and mitigation.
- Difficulty scaling when facing multiple simultaneous IPs.
- Potential for configuration errors.
- Lack of consistency in applying temporary blocks.
In environments with continuous Internet exposure, where the volume of automated attempts is high, this approach becomes inefficient.
The need for automatic containment of malicious public IPs
Given this scenario, it becomes necessary to incorporate mechanisms that enable:
- Automatic identification of public IP addresses exhibiting anomalous or malicious behaviour.
- Immediate application of blocking measures at the firewall.
- Controlled management of block duration.
- Full traceability of all actions taken.
The ability to automate the blocking of external malicious IPs at the perimeter reduces exposure time and optimises operational management, without altering the existing network architecture.
Active Blocking in Guardian
In response to the needs outlined above, Guardian introduces a new active blocking module for malicious IP addresses. This capability allows plant operators to detect, analyse and mitigate access attempts from potentially malicious public IP addresses, significantly reducing incident response times.
Through this mechanism, security teams can act quickly and efficiently, applying blocking measures directly within the network infrastructure to prevent unauthorised access or suspicious behaviour.
To ensure integration across heterogeneous industrial environments, the module has been designed to interoperate with some of the most widely used firewall vendors in the industry, including Palo Alto Networks, Stormshield, Fortinet, Check Point and OPNsense. OPNsense deserves particular mention: it is an open-source firewall and routing platform widely adopted in corporate and industrial environments, and it is listed in the ICT Security Products and Services Catalogue (CPSTIC) of the National Cryptologic Centre (CCN). Its inclusion in this catalogue, within the framework of recommendations associated with the National Security Scheme (ENS) and the CCN-STIC guides such as CCN-STIC 105, demonstrates its suitability for infrastructures requiring high levels of security and regulatory compliance. This recognition reinforces its position within the perimeter security ecosystem and justifies its integration into Guardian.
The system architecture has been conceived to allow straightforward incorporation of new vendors in the future, progressively expanding the catalogue of compatible devices and ensuring Guardian’s adaptability to different network infrastructures.
Module Configuration
The active IP blocking module in InprOTech Guardian has been designed to offer operators a high degree of flexibility and control, allowing its behaviour to be adapted to the security requirements of each industrial environment.
The system allows the IP reputation check for public addresses to be enabled or disabled. This component is responsible for analysing external IPs detected by Guardian and assessing whether they show signs of malicious or suspicious behaviour based on reputation systems and threat intelligence.
Once this assessment has been carried out, the blocking module determines what action should be taken against those IP addresses. To this end, Guardian offers different operating modes that allow the level of system automation to be adjusted:
- Off: The system takes no action on the firewall. The blocking rule remains disabled.
- Informative: Guardian analyses the reputation of detected IPs and provides information to the operator, suggesting possible blocking actions, but without interacting with the firewall.
- Manual: The system enables the ability to block IP addresses from the Guardian interface, allowing the operator to make the final decision before applying the block on the firewall.
- Automatic: Guardian applies the block directly on the firewall when an IP address is identified as malicious according to the defined reputation criteria.
These operating modes allow Guardian to adapt the level of human intervention and automation, facilitating adoption both in environments requiring manual supervision and in infrastructures that need automatic, rapid responses to external threats.

Firewall Configuration
The firewall integration configuration has been designed to be simple and fast, minimising the effort required to deploy the active blocking capability.
To configure a vendor, it is only necessary to register the firewall in Guardian, specifying the corresponding vendor and the required connection parameters (such as host, credentials or API access keys). From this information, Guardian is able to manage communication with the device internally, applying the specific procedure required by each vendor.

In some cases, depending on the firewall vendor, it may be necessary to configure additional permissions for the user account used by Guardian, ensuring it has the capabilities required to query configurations and apply changes to security policies.
Once the firewall has been configured and the blocking policy defined, Guardian allows operators to block IP addresses quickly and easily directly from the platform. When an IP address is identified as potentially malicious, the system facilitates its immediate blocking on the firewall, significantly reducing response times to potential threats.

Flexibility in Reputation Evaluation
In order to adapt to diverse industrial environments and the particularities of each infrastructure, Guardian incorporates flexibility mechanisms in the IP address reputation evaluation process.
In certain scenarios, a public IP address may be flagged as potentially malicious by reputation systems, even though the operator knows with certainty that the address corresponds to a legitimate service or a trusted partner. To address these situations, Guardian allows the configuration of whitelists for both IP addresses and MAC addresses.

This capability allows operators to explicitly authorise certain communication sources, ensuring these connections are not automatically blocked by the reputation mechanisms.
In this way, Guardian keeps reputation analysis and protection against external threats active, whilst providing operational teams with the control needed to adapt security policies to their operational reality, avoiding unnecessary disruption to legitimate communications.
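The decision logic described under Module Configuration (the Off, Informative, Manual and Automatic modes, the reputation switch and block duration) together with the IP and MAC whitelists from this section, written out as an added example. This is illustrative code, not Guardian's implementation: the class and function names, the constructed reputation table and the 24-hour default block duration are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

class Mode(Enum):      # the four operating modes described in the article
    OFF = "off"
    INFORMATIVE = "informative"
    MANUAL = "manual"
    AUTOMATIC = "automatic"

# Constructed stand-in for the reputation / threat-intelligence lookup.
REPUTATION = {"203.0.113.7": True, "198.51.100.20": True, "192.0.2.9": False}
# Only public addresses are assessed; RFC 5737 documentation ranges count as public here.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

@dataclass
class BlockPolicy:
    mode: Mode
    reputation_enabled: bool = True                  # the enable/disable switch
    block_ttl: timedelta = timedelta(hours=24)       # block duration (assumed default)
    ip_whitelist: set = field(default_factory=set)
    mac_whitelist: set = field(default_factory=set)  # lower-case MACs
    blocked: dict = field(default_factory=dict)      # ip -> expiry time
    audit: list = field(default_factory=list)        # traceability of every decision

    def evaluate(self, src_ip, src_mac, now):
        """Decide what to do about one observed source; returns the action name."""
        if any(ipaddress.ip_address(src_ip) in n for n in NON_PUBLIC):
            return self._log(src_ip, "ignore", "not a public address", now)
        if src_ip in self.ip_whitelist or src_mac.lower() in self.mac_whitelist:
            return self._log(src_ip, "allow", "whitelisted source", now)
        if self.mode is Mode.OFF or not self.reputation_enabled:
            return self._log(src_ip, "ignore", "module off or reputation check disabled", now)
        if not REPUTATION.get(src_ip, False):
            return self._log(src_ip, "allow", "no malicious reputation", now)
        if self.mode is Mode.INFORMATIVE:
            return self._log(src_ip, "suggest", "operator informed, firewall untouched", now)
        if self.mode is Mode.MANUAL:
            return self._log(src_ip, "pending", "awaiting operator confirmation", now)
        self.blocked[src_ip] = now + self.block_ttl  # AUTOMATIC: block immediately
        return self._log(src_ip, "block", "added to firewall block group", now)

    def expire(self, now):
        """Lift blocks whose duration has elapsed; returns the released IPs."""
        released = [ip for ip, until in self.blocked.items() if until <= now]
        for ip in released:
            del self.blocked[ip]
            self._log(ip, "unblock", "block duration elapsed", now)
        return released

    def _log(self, ip, action, reason, now):
        self.audit.append((now.isoformat(), ip, action, reason))
        return action
```

Whitelist checks run before the reputation verdict, so a trusted partner flagged by a feed is never blocked regardless of mode, and every decision, including automatic expiry, lands in the audit trail.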
Firewall Integration
To ensure consistency and facilitate interoperability, InprOTech Guardian has defined a common integration methodology for all firewall vendors supported by the platform.
This approach means that, regardless of the device used, Guardian follows a consistent operational flow to apply blocking policies and manage malicious IP addresses. This simplifies both implementation and system maintenance, whilst ensuring predictable behaviour across different network infrastructures.
The following is a practical example of this integration, intended to illustrate what actions Guardian performs within a firewall and how the blocking policy is applied. The procedure described is representative and analogous to that used with other compatible vendors.
For this example, a Palo Alto Networks virtual firewall deployed via VM-Series will be used. Through this environment, the configuration and block management flow performed by Guardian within the firewall can be observed.
Initial State
Once the integration process between InprOTech Guardian and the firewall is complete, the system automatically prepares the infrastructure needed to manage IP address blocking.
As part of this process, Guardian creates a dedicated filtering rule for blocking malicious IP addresses. This rule is associated with the blocking logic managed by the platform.
By default, this rule is created in a disabled state, ensuring that the integration does not interfere with the existing security policy until the operator decides to activate the blocking module.
This behaviour allows the environment to be prepared safely, leaving the firewall ready to apply blocks at the moment the capability is enabled from Guardian.

Activating the Blocking Module
Once the blocking module is enabled in Guardian, whether in Manual or Automatic mode, the system begins interacting directly with the firewall to apply the defined protection policy.
At this point, Guardian automatically activates the filtering rule associated with blocking, allowing the firewall to begin evaluating traffic based on the IP addresses managed by the platform.
It is important to note that Informative mode does not modify the firewall configuration, as its function is solely to provide context and recommendations to the operator without applying any blocking actions.
With the rule activated, the firewall is ready to dynamically apply blocks to IP addresses that Guardian identifies as malicious, either through operator intervention or automatically according to the configured mode.
IP Blocking
The filtering rule's configuration references an IP address group named “guardian_public_ips”. This group acts as a dynamic container that stores the IP addresses blocked by Guardian.
This approach enables centralised and efficient block management, eliminating the need to constantly modify the firewall policy. The rule simply references this group, whilst Guardian handles updating its contents as needed.
Initially, the group is empty. When Guardian identifies and blocks a malicious IP address, the platform automatically adds that IP to the group. Once part of this group, the firewall immediately applies the blocking policy defined by the rule.
Similarly, if a decision is later made to unblock the IP address, Guardian removes it from the group, causing the filtering rule to no longer apply to that address.
This mechanism enables dynamic block management, keeping the firewall policy stable and giving operators control over blocked IP addresses.
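The common integration flow from Initial State through IP Blocking, as an added example that is not Guardian's code: a vendor-neutral driver interface with the four operations the flow needs, a constructed in-memory firewall that can evaluate the rule, and the prepare/activate/block/unblock sequence on top. The address group name is the one the article gives; the rule name and the "allow by default" verdict for traffic not matched by the rule are assumptions.

```python
from abc import ABC, abstractmethod

GROUP = "guardian_public_ips"        # the address group the article names
RULE = "guardian-active-blocking"    # assumed rule name; the article does not give one

class FirewallDriver(ABC):
    """Vendor-neutral operations the common integration flow needs from any firewall."""
    @abstractmethod
    def create_block_rule(self, rule, group): ...
    @abstractmethod
    def set_rule_enabled(self, rule, enabled): ...
    @abstractmethod
    def add_group_member(self, group, ip): ...
    @abstractmethod
    def remove_group_member(self, group, ip): ...

class InMemoryFirewall(FirewallDriver):
    """Constructed stand-in for a real device, with just enough state to evaluate the rule."""
    def __init__(self):
        self.rules, self.groups = {}, {}
    def create_block_rule(self, rule, group):
        self.groups.setdefault(group, set())              # group starts empty
        self.rules[rule] = {"source_group": group, "action": "deny", "enabled": False}
    def set_rule_enabled(self, rule, enabled):
        self.rules[rule]["enabled"] = enabled
    def add_group_member(self, group, ip):
        self.groups[group].add(ip)
    def remove_group_member(self, group, ip):
        self.groups[group].discard(ip)
    def verdict(self, src_ip):
        """Outcome for traffic from src_ip: the block rule if it matches, else assumed allow."""
        for r in self.rules.values():
            if r["enabled"] and src_ip in self.groups[r["source_group"]]:
                return r["action"]
        return "allow"

class ActiveBlocking:
    """The flow from the article: prepare (rule disabled), activate, block, unblock."""
    def __init__(self, driver):
        self.fw = driver
        self.fw.create_block_rule(RULE, GROUP)   # initial state: rule exists but is disabled
    def activate(self):                          # Manual or Automatic mode selected
        self.fw.set_rule_enabled(RULE, True)
    def deactivate(self):                        # back to Off or Informative mode
        self.fw.set_rule_enabled(RULE, False)
    def block(self, ip):                         # policy untouched; only the group changes
        self.fw.add_group_member(GROUP, ip)
    def unblock(self, ip):
        self.fw.remove_group_member(GROUP, ip)
```

A real driver would translate the four abstract operations into the vendor's management API calls; the point preserved here is that the security policy itself is written once and never edited afterwards, only the group membership and the rule's enabled flag change.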

Benefits
In industrial environments, where system availability and operational continuity are critical factors, the ability to detect and mitigate threats rapidly becomes a key element of any cybersecurity strategy. The malicious IP active blocking module of InprOTech Guardian has been designed precisely to meet these needs, providing operators with effective tools to protect their network infrastructure against unauthorised access.
The main benefits of this capability include:
- Reduced incident response time: traditionally, managing blocks on firewalls requires a manual process involving threat identification, accessing the security device, modifying the filtering policy and applying the changes. With Guardian, this process is significantly simplified, enabling blocks to be applied immediately from a single platform, reducing the time needed to contain potential threats.
- Centralised visibility over the external IP addresses interacting with the infrastructure: operators can quickly identify suspicious or potentially malicious behaviour. This visibility supports informed decision-making and contributes to improving the organisation’s security posture.
- Mitigation process automation: through the different operating modes — informative, manual and automatic — organisations can adapt the level of human intervention to their security policies. This supports everything from highly supervised environments, where every action is validated by an operator, to infrastructures that need to respond automatically to external threats within seconds.
- High operational flexibility through integration with multiple firewall vendors: many industrial infrastructures use heterogeneous security solutions, so a platform capable of interacting with different devices simplifies management and unifies incident response.
- Modularity and scalability: the design ensures this capability can evolve and adapt to new industry requirements, enabling the incorporation of new firewall vendors and expanding the platform’s protection capabilities.
Taken together, the active blocking module makes Guardian a tool capable of detecting threats, supporting decision-making and applying protective measures rapidly and effectively, helping industrial organisations to strengthen their infrastructure security without increasing operational complexity.
Conclusion
The growing exposure of industrial infrastructures to external networks and connected services has significantly expanded the attack surface of OT systems. In this context, having tools that enable rapid detection, analysis and response to external threats has become a fundamental requirement for ensuring the security and continuity of operations.
The malicious IP active blocking module of InprOTech Guardian was developed to address this need, providing operators with a straightforward and effective means of identifying suspicious access attempts and applying mitigation measures directly within the network security infrastructure.
Thanks to its modular architecture and ability to integrate with multiple firewall vendors, Guardian enables centralised block management and significantly reduces incident response times, whilst maintaining the flexibility needed to adapt to different industrial environments.
With this new capability, Guardian continues to expand its features as a protection and monitoring platform for industrial environments, helping organisations strengthen their cybersecurity posture without increasing the operational complexity of their systems.
The development of this module also represents a further step in the platform’s evolution, with the aim of continuing to incorporate new integrations and threat response capabilities, adapting to the security needs of an increasingly connected industrial sector.