Posts Tagged ‘Country Blocking’

Geo IP (Country) filtering is growing more and more popular given the distribution of global network attacks. IDS/IPS systems do their best in anticipating malicious network activities. Some of problems network security teams have experienced is extended implementation times, cost, learning curves, false positives, complex management, and how to deal with distributed large attacks or the speed in how attacks, viruses, and malware adapt.

Intrusion Detection/Prevention Systems (SecurityWizardy.com)
Intrusion Detection Systems form a small but critical piece of the computer security jigsaw, alerting to intrusions and attacks aimed at computers or networks.  They’re not the computer security panacea.  But, they are your eyes and ears, essential in knowing whether you are under attack. Intrusion Prevention Systems take this concept to the next level and sit inline blocking the packets you tell them to based on signatures as per the IDS.  They can be highly effective as a defensive tool but need to be configured with great care and attention in stages…… Read More

Unfortunately there is no silver bullet in network security! Network Security needs to be approached in layers, and most will say it should look like this:

  • Firewall /NDIS (network Intrusion and Detection)
  • Email Scanning
  • Web Security
  • Sever Level Virus
  • Workstation Virus
  • Patch Updating Systems
  • Attentive Employees
This is where I believe security environments fall short, and why Geo IP (country) filtering layers are vital in the network security. I’m not saying to throw some broad stroking country blocker into your environment, what I am saying is having a robust Geo IP  filtering system, which is granular and simple to operated! Blindly blocking country ranges is just not practical if you are a global business.

Our security layer looks like this

Image

I’ve seen several vendors which have integrated Geo-IP filtering into their appliances, but when you actually start using their Geo-IP tools you quickly realize their Geo-IP is not the products strong point. Some would say it was added only for marketing reasons, even not taken seriously.

In the small Geo IP (country) blocking market there really is not too much to choose from. It seems most of the products consist of downloading some sort of list regularly, then applying them to a firewall. The lists come in many different formats to accommodate the varieties of firewall systems. There are many problems with these services like accuracy, manual updating, implementation complexity, support, and troubleshooting to name some.

I’ve also seen services, which provide you code for your web site. The code is inserted into your web pages, and as traffic accesses your web service, it’s evaluated, and filtered like a country RBL. These types of services, although creative seem they would generate more traffic, just like RBL services do. I’m sure in a very small percentage would be useful useful, but high-volume web servers would suffer. Not to mention you are only protecting the web server, and it would need to be applied to all web servers. The few hardware-based products I found range from; little to no country filtering smarts, to price points in excessive of 75K. The higher priced product I found seems to claim 50-100K is the right price for country filtering? I would emphatically disagree.

Because we do not to have many choices when it comes to Geo IP (country) filters, we could conclude country filtering is not really important to firewall manufacturers. In fact, it seems the perception is ” Geo IP (country) blocking is impractical ” and unnecessary in some circles. I couldn’t disagree completely.

If I would tell you there is a product which;

  • Low cost
  • Inline and Transparent
  • Fail open NIC’s
  • Used on your own hardware
  • Filters countries by port bi-directionally
  • Includes alerts, country/network/ip triggers, honeypots, tarpits, country redirection
  • Complete with its own global network lists of well known/bad networks
  • Web based and accessible from mobile devices
  • Purchased as an appliance or downloadable software
  • Works in VM Environments.

Wouldn’t you get it immediately?

Viper Network Systems (VNS) launched a product called PacketViper in 2011 we does exactly what everyone has been missing, per port geo IP filtering,  The product quickly installs into most hardware platforms, or can be purchased as an appliance. PacketViper likes to sit in front of the security environment, to clean up the unwanted traffic before entering.

Viper Network Systems ripped a few pages out of VMWare ESXi, and released PacketViper Starter. It’s completely free, and never expires. You wonder what the catch would be? No catch other than some limitation on how many countries you can block at once, NetCheck (IP Search/Block feature), Global Network Lists are limited, and a couple of other minor limitations. Other than that the product is free to use.

PacketViper was built for security teams to quickly respond to global threats in real time. Frank Trama, President & Co-Founder whose roots stem from network administrations, design, and management found there was need that needed to be filled. Partnering with Dan Gynn, now Chief product Officer & Co-Founder turned this need into an incredible and practical product call PacketViper, a security layer I cannot see my network without. The products’ focus is Geo IP (country) filtering with a style and grace not seen in any other product in the market today. PacketViper fills the gaps which all environments are missing.

PacketViper blocks countries by simply clicking on a map, setting which ports to block/allow (all or some), and clicking apply. It’s really that simple. There is so much more though like real time clickable logs, which you can quickly select and see the complete details of the IP, which is called NetCheck;

Image

NetCheck is the feature administrators have been waiting for. The cure-all for understanding the IP origins, its assigned network ranges, and much more. NetCheck can quickly block the IP or every registered network range it’s assigned to. A great tool when you want to eliminate complete spamming networks. We could go on for a while with its features, just check them out at here.

So is country filtering impractical? Let’s all admit it. IP Blocking is a pain! What the folks at Viper Network Systems did is put it all together in an affordable package. Image what happens when you start filtering out the unwanted country traffic (SQL management port attempts from China, RPC attempts from Russia, Telnet attacks from Romania, spam from Africa and Brazil). IDS/IPS experiences fewer false positives, which can be dialed in better to become more effective, spam and system loads are reduced; bandwidth is freed up of unproductive global traffic, and network security is further hardened. Why you ask? It’s simple; you reduce the attack space to your exposed ports in your security environment. There is less intention analysis needed.

If you filter out just 30% of the unwanted traffic to your internet facing servers and devices. That’s 30% you do not have to worry about again, then dial in the country blocker like PacketViper to drop 50% of your global traffic. That’s 50% less you have to sift through, 50% fewer loads on your security systems, and 50% fewer chances of malicious traffic finding a vulnerability.

Why would you then allow that obscure country access at VPN, FTP, and the thousands of other ports? I can tell you wouldn’t or wouldn’t want to. This is why smart country blockers are important and needed. —-Frank Trama

Overall Geo IP (Country) blocking can be practical and should be a required layer for every security environment. Personally, I cannot see any of my environments without this feature. For full disclosure, I have the product and contributed to its design.

CEO & Co-Founder
PacketViper, LLC