Blocking countries with traditional methods is tricky: a broad-stroke approach brings more headaches the more you block. That is before mentioning proxies, which leave the broad-stroke approach a weak methodology and somewhat a waste of time. Even with the obvious choices of countries that are frequently suggested for blocking, you run a greater risk of shutting legitimate businesses out of your public services.
The trick to Geo-IP blocking is not turning off a country's access to critical areas of your network; it is filtering that country so it receives only the traffic that is necessary to your business. Firewalls just do not get you there.
Even well-made firewalls like SonicWall, Fortinet, Check Point, and several others have Geo-IP capabilities, but their approach to Geo-IP management is broad-stroke. It's not that they do not care; it could be as simple as a marketing move, limitations given all they already do, or simply put, "It's not their focus" for the product line.
If you have ever tried really cranking up the Geo-IP feature on any of them, you will find internal hardship for your users: latency, load, and frustration. That is understandable, because the feature isn't treated very seriously, or is an afterthought.
The fact is, Geo-IP should not be done on any layer that is inspecting applications; given the scope of the Geo-IP task, it MUST be done within its own layer.
The question is always asked, "What countries should I block?", as if the name of the country and its ideology were the gauge for how to filter it. The fact is there are no borders on the internet, ideology, or greed, so asking which country to block is not the best measuring stick. Sure, the attacker's motivation could stem from that country, but it rarely starts and ends there. An attacker's attack surface and resources are limitless because of their ability to traverse from country to country without resistance. There are many reasons why they can do this, and it all starts with what we call "The Human Condition", the two main traits being imperfection and the inability to predict the future (yet).
Asking the question strictly as a business-service need, though, can yield more accurate results when identifying who needs access to our public services. From this perspective we can trim away the unnecessary and focus on the necessary in global network traffic. Even if your business is ideologically based, you can still apply this same consideration when sculpting traffic from around the world.
Sculpting network traffic is the key! Restricting global traffic based on its value to your business's internet services is vital. For instance, does the entire world need access to your secure VPN, webmail, or SFTP servers? Most likely not, so for Geo-IP filtering to work in your favor you have to accomplish this with little effort and complexity.
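To make the per-service sculpting idea concrete, here is an added example (written for this page, not PacketViper's own code or configuration) of a tiny policy engine that decides each connection before any application-layer inspection runs. It assumes a Geo-IP lookup has already tagged each flow with a two-letter country code; the ports, service names, country lists and sample flows are all constructed placeholders chosen for illustration, not a recommended policy. Sensitive services (VPN, webmail, SFTP) get a short allow list of countries with a business need, the public website stays open to the world, and anything not explicitly exposed is dropped by default. The statistics returned show how much traffic never reaches the logging and inspection pipeline.

```python
"""Per-service Geo-IP sculpting policy (constructed example, not PacketViper code)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical policy: destination port -> (service name, allowed ISO country codes).
# Both the services and the country codes are placeholders for illustration only.
SERVICE_POLICY = {
    443: ("vpn", {"US", "CA"}),
    993: ("webmail", {"US", "CA", "GB"}),
    22: ("sftp", {"US"}),
}
# Public services that the whole world may reach (placeholder: the corporate website).
PUBLIC_PORTS = {80}


@dataclass(frozen=True)
class Flow:
    src_country: str   # two-letter code from an earlier Geo-IP lookup (assumed done)
    dst_port: int
    nbytes: int        # bytes this flow would carry into the inspection layer


def decide(flow):
    """Return (verdict, reason) where verdict is 'allow' or 'drop'."""
    if flow.dst_port in SERVICE_POLICY:
        service, allowed = SERVICE_POLICY[flow.dst_port]
        if flow.src_country in allowed:
            return "allow", f"{service}: {flow.src_country} has a business need"
        return "drop", f"{service}: {flow.src_country} not on the allow list"
    if flow.dst_port in PUBLIC_PORTS:
        return "allow", "public service, open to the world"
    # Default deny: a port nobody exposed on purpose should not reach inspection.
    return "drop", "port not exposed"


def sculpt(flows):
    """Apply the policy to every flow.

    Returns (allowed_flows, stats). Only allowed flows would be handed on to the
    firewall / IDS layer; stats counts what was removed before that point.
    """
    allowed = []
    stats = Counter()
    for flow in flows:
        verdict, _reason = decide(flow)
        stats[verdict] += 1
        stats[f"{verdict}_bytes"] += flow.nbytes
        if verdict == "allow":
            allowed.append(flow)
    return allowed, stats


def dropped_fraction(stats):
    """Fraction of bytes that never entered the inspection pipeline."""
    total = stats["allow_bytes"] + stats["drop_bytes"]
    return stats["drop_bytes"] / total if total else 0.0


# Constructed sample flows: (source country, destination port, bytes).
SAMPLE_FLOWS = [
    Flow("US", 443, 1000),   # VPN from an allowed country
    Flow("BR", 443, 5000),   # VPN from a country with no business need
    Flow("GB", 993, 2000),   # webmail from an allowed country
    Flow("JP", 22, 8000),    # SFTP from a country not on its allow list
    Flow("DE", 80, 300),     # public website, always allowed
    Flow("FR", 3389, 4000),  # port never exposed: default deny
]

if __name__ == "__main__":
    kept, stats = sculpt(SAMPLE_FLOWS)
    for flow in SAMPLE_FLOWS:
        print(flow.src_country, flow.dst_port, *decide(flow))
    print(f"allowed {stats['allow']} flows, dropped {stats['drop']} flows, "
          f"{dropped_fraction(stats):.0%} of bytes never inspected")
```

Because the decision keys only on destination port and source country, it costs almost nothing per packet, which is the point of doing it in its own layer rather than inside an inspecting device. The same engine does not recognise proxied connections, so a flow that arrives through a proxy in an allowed country is judged by the proxy's country; that is the caveat the page raises about proxies and the reason a country allow list is a filter, not a guarantee.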
Let’s not forget the dreaded logging, reporting, and alerting that come with large volumes of traffic having carte blanche to essentially every service port opened through the firewall. This, in my opinion, has become one of the top problems that lull us into a false sense of security. The reality is that the excess of logging, reporting, and alerting is a smoke screen for our enemies, making them virtually invisible for months and years. We are killing ourselves looking at everything because “we must stay in front” of the threats. BUT if you take a breath, step back, and ask yourself, “Why am I receiving this traffic in the first place?”, you will find the answer very enlightening.
A product like PacketViper is vital to the security layer because it controls how a country, company, network, or IP accesses the public areas of your network, in both directions. This seemingly simple layer is so impactful that most of our customers cannot believe the difference it has made. I speak of this not as the CEO of PacketViper but as an early adopter of the technology as a Director.
With PacketViper, instead of blocking a country you can filter it, its companies, and its networks as you see fit, instead of the other way around. We are all smart people, and in most cases the smartest about our own business. So use this knowledge in shaping the best way customers, vendors, and employees enter and exit. Trust me, the downside of not doing so will be the loss of private data or intellectual property to some country you thought you had blocked completely.
There are so many upsides to globally limiting how the world enters and exits your environment that it’s mind-boggling. The simple elimination of huge volumes of unwanted traffic before it enters the security inspection process is the one that does it for me. Dropping the traffic volume has built-in bonuses like lowering global risk, logging, and alerting, and most importantly curtailing the capabilities of attackers, proxied connections included.
So if you are blocking a country with traditional methods, rethink the question. It might not make as much sense.
Francesco Trama, CEO and Co-Founder PacketViper, LLC