Risks to Geo Blocking
-
@phlipelder said in Risks to Geo Blocking:
@travisdh1 This has to do with traffic leaving the corporate/production network.
I don't see how this is applicable since folks looking to do business would be browsing an Internet based site outside those limits as well as emailing and/or phoning from outside of the business?
To which point was this a response?
-
@travisdh1 said in Risks to Geo Blocking:
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case in point.
So what about the hundreds of people you unintentionally block because the GeoIP service you use put them in Russia instead of eastern Europe? Which is worse, purposely losing business, or having to block malicious IP addresses (which should be automatic)?
@scottalanmiller This one. I must have goofed on the QUOTE step ...
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
I do take issue with you calling into question my use of the word persuasion and contrasting it with the word truth. This is why I question the value in discussing things here on Mangolassi that have been designated as "the right way". The rhetoric does not appear to allow for an honest discussion.
-
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
It doesn't work because the primary systems out there routinely don't know the source of IPs. This is why I constantly point out that these systems believe my Dallas Fiber service is from Toronto, an entirely different country thousands of miles away. My phone often registers as a different state, but not country. When working in NY I was consistently listed as Germany.
And those are the "accidents". As a traveler, it's common to use VPN services to "choose" which country people think you are in. That's very common. And trivially easy, for consumers. Loads of people do that just to watch movies.
Geo blocking works, I would estimate, about 95-98% of the time when no one is attempting to get around it. But even if it worked 99% of the time, 1% poses a significant business risk to a normal business.
-
On topic here.
Risks to geo-blocking inbound traffic.
First you have to define what kind of inbound you are talking about.
As I stated in my reply above where @scottalanmiller is trying to blame me for what he does, geo blocking inbound traffic on an edge router carries little to no penalty but solid benefits as it should cause drop rules to execute earlier in the firewall chain. This is no different than a drop all but my trusted IP rule setup for anything.
Your default inbound rule should be drop all new connections.
Your first rules should be allow from trusted IP 1-6.
That's it. If you are in the inbound scenario that you need a more open set than can easily be whitelisted, a drop on geo IP match can easily slim up the subsequent rule processing or limit what is forwarded inbound.
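The rule ordering described in this post (default drop, trusted-IP allows first, an optional early geo drop ahead of the service allows) and the misattribution risk raised earlier in the thread can both be shown with a small first-match chain model. The following is an added example, not code from the thread or from any firewall product; the prefixes, country labels, trusted addresses and service ports are constructed for the demo, and a real edge would express the same ordering in its own rule syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable

# Constructed GeoIP table: documentation prefixes with invented country labels.
# These are NOT real assignments; a production table would come from a GeoIP feed.
GEOIP_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "CA",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Constructed trusted sources: the "allow from trusted IP 1-6" rules.
TRUSTED = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11", "198.51.100.7")}

BLOCKED_COUNTRIES = {"RU"}   # hypothetical block list for the demo
SERVICE_PORTS = {443, 25}    # what the edge forwards inbound (constructed)


@dataclass
class Rule:
    name: str
    verdict: str                                          # "accept" or "drop"
    match: Callable[[ipaddress.IPv4Address, int], bool]   # (src ip, dst port) -> hit?


def country_of(ip, table=GEOIP_TABLE):
    """Return the table's country label for ip, or None if no prefix matches."""
    for net, cc in table.items():
        if ip in net:
            return cc
    return None


def build_chain(geo_block: bool):
    """Ordered chain: trusted allows first, optional geo drop, service allows, default drop."""
    chain = [Rule("allow-trusted", "accept", lambda ip, port: ip in TRUSTED)]
    if geo_block:
        chain.append(Rule("geo-drop", "drop",
                          lambda ip, port: country_of(ip) in BLOCKED_COUNTRIES))
    chain.append(Rule("allow-services", "accept", lambda ip, port: port in SERVICE_PORTS))
    chain.append(Rule("default-drop", "drop", lambda ip, port: True))
    return chain


def evaluate(chain, src: str, port: int):
    """First-match evaluation. Returns (verdict, matching rule name, rules examined)."""
    ip = ipaddress.ip_address(src)
    for n, rule in enumerate(chain, start=1):
        if rule.match(ip, port):
            return rule.verdict, rule.name, n
    raise AssertionError("chain has no terminal rule")


def audit_collateral(chain, samples):
    """samples: (src, true country) pairs, e.g. from a known-good customer list.

    Returns the sources the geo rule drops even though their true country is not
    on the block list: the misattribution cost the thread is arguing about."""
    hits = []
    for src, true_cc in samples:
        _verdict, rule, _n = evaluate(chain, src, 443)
        if rule == "geo-drop" and true_cc not in BLOCKED_COUNTRIES:
            hits.append(src)
    return hits


if __name__ == "__main__":
    with_geo, without_geo = build_chain(True), build_chain(False)
    # A scanner from a prefix labelled RU probing port 22 is dropped at rule 2
    # instead of falling through to the default drop.
    print(evaluate(with_geo, "203.0.113.9", 22), evaluate(without_geo, "203.0.113.9", 22))
    # A host the table labels RU but which is really elsewhere gets dropped too.
    print(audit_collateral(with_geo, [("203.0.113.77", "PL"), ("198.51.100.9", "US")]))
```

Running the block shows both halves of the argument: the early geo rule shortens the path for unwanted scans (2 rules examined instead of 3), while the audit function surfaces the legitimate source whose prefix the table mislabels. A practitioner would run the audit against real customer or partner addresses before enabling the geo rule, and keep the trusted-IP allows above it so known sources never depend on the table being right.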
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
It doesn't work because the primary systems out there routinely don't know the source of IPs. This is why I constantly point out that these systems believe my Dallas Fiber service is from Toronto, an entirely different country thousands of miles away. My phone often registers as a different state, but not country. When working in NY I was consistently listed as Germany.
You. You. You.
No one else.
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
I do take issue with you calling into question my use of the word persuasion and contrasting it with the word truth. This is why I question the value in discussing things here on Mangolassi that have been designated as "the right way". The rhetoric does not appear to allow for an honest discussion.
But wasn't your goal, and your complaint, that you were unable to convince us of your point, rather than engaging in a back and forth? It was the back and forth of honest discussion that you were appearing to take issue with.
What if I had said the exact same thing? You'd have taken exception to that, correct?
No one did anything to dissuade you from making points, and you are equally free to point out where our points are incorrect. How has this discussion in any way made you feel that there is a "right way" that is accepted and that counter points can't be made? I see none of that in this thread. There are two sides to the discussion, and multiple people on each side, and both sides attempting to make points. One side doesn't have any automatic advantage, and one hasn't stopped the other from making points any more than the other has.
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
It doesn't work because the primary systems out there routinely don't know the source of IPs. This is why I constantly point out that these systems believe my Dallas Fiber service is from Toronto, an entirely different country thousands of miles away. My phone often registers as a different state, but not country. When working in NY I was consistently listed as Germany.
You. You. You.
No one else.
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
Well I knew thousands of people who had this happen when I worked in NY. How many do you need?
-
@jaredbusch said in Risks to Geo Blocking:
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
And you've tested that, how exactly? Would you even know? Not likely.
-
@scottalanmiller said in Risks to Geo Blocking:
And those are the "accidents". As a traveler, it's common to use VPN services to "choose" which country people think you are in. That's very common. And trivially easy, for consumers. Loads of people do that just to watch movies.
Trivially easy for consumers is certainly your opinion. But easy, yes.
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
And you've tested that, how exactly? Would you even know? Not likely.
I do not have to prove a negative. You have to prove a positive.
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
And those are the "accidents". As a traveler, it's common to use VPN services to "choose" which country people think you are in. That's very common. And trivially easy, for consumers. Loads of people do that just to watch movies.
Trivially easy for consumers is certainly your opinion. But easy, yes.
Well the least technical people I know do it without asking anyone. It's advertised as a home user service. And often used without any support. It's in the range of "if you can use Netflix...."
-
@scottalanmiller said in Risks to Geo Blocking:
Geo blocking works, I would estimate, about 95-98% of the time when no one is attempting to get around it. But even if it worked 99% of the time, 1% poses a significant business risk to a normal business.
And you have magic numbers to back that 1% theory up?
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
And you've tested that, how exactly? Would you even know? Not likely.
I do not have to prove a negative. You have to prove a positive.
I have, but now you need "more" proof. You say "never" for a kind of thing that you haven't been looking for. I've shown that it happens to thousands of people I've interacted with without looking for it. But how many does it take before it's a reasonable example?
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
And you've tested that, how exactly? Would you even know? Not likely.
I do not have to prove a negative. You have to prove a positive.
I have, but now you need "more" proof. You say "never" for a kind of thing that you haven't been looking for. I've shown that it happens to thousands of people I've interacted with without looking for it. But how many does it take before it's a reasonable example?
You have not. All you ever state is your opinion of assumed business numbers.
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
Geo blocking works, I would estimate, about 95-98% of the time when no one is attempting to get around it. But even if it worked 99% of the time, 1% poses a significant business risk to a normal business.
And you have magic numbers to back that 1% theory up?
Someone mentions that 99% is the claimed number being debunked, rather than the number strived for.
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
And you've tested that, how exactly? Would you even know? Not likely.
I do not have to prove a negative. You have to prove a positive.
I have, but now you need "more" proof. You say "never" for a kind of thing that you haven't been looking for. I've shown that it happens to thousands of people I've interacted with without looking for it. But how many does it take before it's a reasonable example?
You have not. All you ever state is your opinion of assumed business numbers.
I stated that I knew of thousands. That's first hand. None assumed.
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
I do take issue with you calling into question my use of the word persuasion and contrasting it with the word truth. This is why I question the value in discussing things here on Mangolassi that have been designated as "the right way". The rhetoric does not appear to allow for an honest discussion.
But wasn't your goal, and your complaint, that you were unable to convince us of your point, rather than engaging in a back and forth? It was the back and forth of honest discussion that you were appearing to take issue with.
What if I had said the exact same thing? You'd have taken exception to that, correct?
No one did anything to dissuade you from making points, and you are equally free to point out where our points are incorrect. How has this discussion in any way made you feel that there is a "right way" that is accepted and that counter points can't be made? I see none of that in this thread. There are two sides to the discussion, and multiple people on each side, and both sides attempting to make points. One side doesn't have any automatic advantage, and one hasn't stopped the other from making points any more than the other has.
No, I posted that in frustration because when I get into discussions with you and a few others on here I find that I cannot get engagement on fundamental assumptions. It is at this level that we are disagreeing, but your posts appear to allow for no consideration that your assumptions might be inaccurate or incomplete. This is why I question trying. I have pointed out where your assumptions are incomplete, but those statements get passed over and my replies get nit picked on trivialities or I get castigated for word choice. Yay.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
I do take issue with you calling into question my use of the word persuasion and contrasting it with the word truth. This is why I question the value in discussing things here on Mangolassi that have been designated as "the right way". The rhetoric does not appear to allow for an honest discussion.
But wasn't your goal, and your complaint, that you were unable to convince us of your point, rather than engaging in a back and forth? It was the back and forth of honest discussion that you were appearing to take issue with.
What if I had said the exact same thing? You'd have taken exception to that, correct?
No one did anything to dissuade you from making points, and you are equally free to point out where our points are incorrect. How has this discussion in any way made you feel that there is a "right way" that is accepted and that counter points can't be made? I see none of that in this thread. There are two sides to the discussion, and multiple people on each side, and both sides attempting to make points. One side doesn't have any automatic advantage, and one hasn't stopped the other from making points any more than the other has.
No, I posted that in frustration because when I get into discussions with you and a few others on here I find that I cannot get engagement on fundamental assumptions. It is at this level that we are disagreeing, but your posts appear to allow for no consideration that your assumptions might be inaccurate or incomplete. This is why I question trying. I have pointed out where your assumptions are incomplete, but those statements get passed over and my replies get nit picked on trivialities or I get castigated for word choice. Yay.
Okay, then correct me. In what way did I not allow for myself to be incorrect, but others have? Find my flaws, point them out. Attack the points, rather than attacking the people.
I think the point that you were upset with was when I said that the protection should have a dollar value on it? That I was agreeing that the value is grey, but saying we needed to figure it out rather than jumping into it.
If that's not it, to which point were you stating the persuasion bit?
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
It doesn't work because the primary systems out there routinely don't know the source of IPs. This is why I constantly point out that these systems believe my Dallas Fiber service is from Toronto, an entirely different country thousands of miles away. My phone often registers as a different state, but not country. When working in NY I was consistently listed as Germany.
You. You. You.
No one else.
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.
I've unintentionally "hacked" the system. How can it possibly work?
Also, I make at least 2 that we know of.
Generally, it will get the network POP instead of your actual connection, when it's close to accurate.
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Lafayette, LA.
At least in this case, 3 out of 4 are completely wrong. Of the 3 wrong locations, 2 are at least in the same state and one is halfway across the country.