Risks to Geo Blocking
-
Now MaxMind claims 99.8% for country detection, 90% for state. They are also listed elsewhere as the most accurate database.
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
I do take issue with you calling into question my use of the word persuasion and contrasting it with the word truth. This is why I question the value in discussing things here on Mangolassi that have been designated as "the right way". The rhetoric does not appear to allow for an honest discussion.
But wasn't your goal, and your complaint, that you were unable to convince us of your point, rather than engaging in a back and forth? It was the back and forth of honest discussion that you were appearing to take issue with.
What if I had said the exact same thing? You'd have taken exception to that, correct?
No one did anything to dissuade you from making points, and you are equally free to point out where our points are incorrect. How has this discussion in any way made you feel that there is a "right way" that is accepted and that counter points can't be made? I see none of that in this thread. There are two sides to the discussion, and multiple people on each side, and both sides attempting to make points. One side doesn't have any automatic advantage, and one hasn't stopped the other from making points any more than the other has.
No, I posted that in frustration because when I get into discussions with you and a few others on here I find that I cannot get engagement on fundamental assumptions. It is at this level that we are disagreeing, but your posts appear to allow for no consideration that your assumptions might be inaccurate or incomplete. This is why I question trying. I have pointed out where your assumptions are incomplete, but those statements get passed over and my replies get nit picked on trivialities or I get castigated for word choice. Yay.
Okay, then correct me. In what way did I not allow for myself to be incorrect, but others have? Find my flaws, point them out. Attack the points, rather than attacking the people.
I think the point that you were upset with was when I said that the protection should have a dollar value on it? That I was agreeing that the value is grey, but saying we needed to figure it out rather than jumping into it.
If that's not it, to which point were you stating the persuasion bit?
How am I attacking you? I did not state anything in the original post in this sub thread. You were the one attacking my use of persuasion.
The persuasion (perhaps poor word choice) was in attempting to discuss the fundamental assumptions that we differ on. Of course our conclusions are different, but if our basic "facts" differ we can never even begin a discussion.
Your facts:
- It is not reliable and allows both bad people in and blocks good people.
- It carries a higher cost to implement than to not implement (even if just in effort.)
- The risk of false positives is generally extremely high.
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
-
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
-
@scottalanmiller said in Risks to Geo Blocking:
Now MaxMind claims 99.8% for country detection, 90% for state. They are also listed elsewhere as the most accurate database.
If you'll check above I referenced them as a source to use for Geo IP. One of my assumptions...
-
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
-
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
Yes
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
I see, that makes sense.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
Yes
Okay, so in that scenario, we would then be limiting risks only to situations that can be discovered? Meaning, an employee goes home, things don't work, they call in to the office and get their IP whitelisted, for example? So the risk is not of loss of customer revenue, but the risk is simply the overhead of "fixing" the situation for a rare employee?
-
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
The goal is not to stop all attacks. The goal is drop all the packets that are just noise (most of which is scanning or bot based attacks). It will actually lower the load on your edge overall if done properly on a good firewall.
-
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
I see, that makes sense.
MaxMind might be one of the best choices. I've not researched them in detail as I do not geo-block.
But let's look at the results of the site @travisdh1 posted with my current IP address.
Go to https://www.iplocation.net and enter 64.53.188.39If you look at the details returned and compare that with ARIN.net, it is very obvious that these services are using more information purchased from somewhere.
Let's also not ignore that this site is obviously pushing VPN services. This link goes to a page filled with affiliate links to VPN services.
https://www.iplocation.net/hide-ip-with-vpn
Here is what ARIN has about my IP.
https://whois.arin.net/rest/net/NET-64-53-188-0-1/pft?s=64.53.188.39
-
@kelly said in Risks to Geo Blocking:
The goal is not to stop all attacks. The goal is drop all the packets that are just noise (most of which is scanning or bot based attacks). It will actually lower the load on your edge overall if done properly on a good firewall.
Absolutely, this I get totally. More than anything, the value is in reducing the amount of spurious logs that need to be collected.
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
And my expressed frustration was sourced in the fact that I stated these things above.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
And my expressed frustration was sourced in the fact that I stated these things above.
Maybe it wasn't explicit enough given other things mentioned. I wasn't clear that you were meaning purely in a business that had separated out all publicly facing activities. Sorry if I misunderstood.
I see where you are going. This would be akin to adding geo blocking to a home setup where no one ever tries to get in, but you'd still like same casual access from a hotel or something.
-
Just so I understand, Geo blocking can lead to false positives so I should never use it?
So then,
IPS can lead to false positives, so I should never use it?
A/V can give false positives, so I should never use it?
Updates can cause problems, so I shouldn't update?Quite frankly all those positions are ridiculous.
If I get an email saying an IP tried to use Massscan or some Ddos script on my firewall, I goto ripe or lacnic or apnic or arin and it query the ip.
If this ip shows as a datacenter in St Petersburg Russia, or Shenzhen China, what are the chances it is not in St Petersburg or Shenzen? I would guess less than one in one thousand.To the OP, instead of geo blocking you can use an IPS that can block on incoming and outbound traffic.
Rarely here someone will get their workstation on the IPS list because they go to a website that does something weird with a connection, or they click on a fakebook news story link.
Most often though the IPS list is full of people doing masscan or old apache/iis exploits, malformed email headers, illegal file attachments. -
@momurda said in Risks to Geo Blocking:
Just so I understand, Geo blocking can lead to false positives so I should never use it?
So then,
IPS can lead to false positives, so I should never use it?
A/V can give false positives, so I should never use it?
Updates can cause problems, so I shouldn't update?That's not exactly what was said. It's the rate of false positives and the situations in which they occur. Not in the case that @Kelly was saying, but in more general cases, an AV or Update false positive (or problem) would never block a potential customer, but Geo IP often does. IPS blocking customers would absolutely put it on a path to being shut down if it was doing that with any frequency.
But none of those things, in the real world, pose the kinds of threats that geo ip blocking does in the way that most people talk about it and intend to use it.
Super common example: WordFence has super easy to set up geo blocking for WordPress and blocks potential (or existing) customers quite easily from getting to your website. IPS, AV and Updates realistically don't pose a real threat in that way. WordFence is not what we are discussing in this thread, but it is a common style intended when people talk about geo blocking and a very real problem if not understood.
