Risks to Geo Blocking
-
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
Sure, but this assumes several things that are not stated...
- That there was no collateral damage from the assumed blocking (any legit customers caught in the sweeping block.)
- That the perps would not have attempted any other trivially easy vector.
- That geo blocking would not flag you as a high profit target.
- That their attacks were successful.
That's a lot of assumptions required to make even that use case valid for wanting to geo block.
-
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
So what about the hundreds of people you unintentionally block because the GeoIP service you use put them in Russia instead of eastern Europe? Which is worse, purposely loosing business, or having to block malicious IP addresses (which should be automatic)?
This is also a lot of assumption.
-
@jaredbusch said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
So what about the hundreds of people you unintentionally block because the GeoIP service you use put them in Russia instead of eastern Europe? Which is worse, purposely loosing business, or having to block malicious IP addresses (which should be automatic)?
This is also a lot of assumption.
It is. The assumption should be that there is a risk of someone being blocked. How much risk, if it's not worth figuring out, it's not worth blocking.
-
@scottalanmiller said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
Sure, but this assumes several things that are not stated...
- That there was no collateral damage from the assumed blocking (any legit customers caught in the sweeping block.)
- That the perps would not have attempted any other trivially easy vector.
- That geo blocking would not flag you as a high profit target.
- That their attacks were successful.
That's a lot of assumptions required to make even that use case valid for wanting to geo block.
Your intentional actions that cause your alleged repeated false positives are not the proof you are requiring of others.
-
@jaredbusch said in Firewall rules for outgoing traffic:
@scottalanmiller said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
Sure, but this assumes several things that are not stated...
- That there was no collateral damage from the assumed blocking (any legit customers caught in the sweeping block.)
- That the perps would not have attempted any other trivially easy vector.
- That geo blocking would not flag you as a high profit target.
- That their attacks were successful.
That's a lot of assumptions required to make even that use case valid for wanting to geo block.
Your intentional actions that cause your alleged repeated false positives are the proof you are requiring of others.
It's not the same. One is taking an action known to risk loss of business, the other is de facto state without demonstrated value to action.
The two are not the same.
-
I can't believe this is still discussed.
One is taking an action that puts the business at risk.
The other is blocking randomly an unknown risk.
Put this before a CEO and see if he would agree that blocking potential customers to protect against a risk that is unknown to even exist is worth spending money on. This isn't a technical thing, it's pure business.
-
Simple guide to fill out before presenting to the business:
- Estimated financial value to the blocking: _________________
- Estimated risk of customer loss from blocking: __________________
- Impact assessment if second factor is miscalculated: ______________
Fill those out before considering even discussing blocking of this nature.
-
@scottalanmiller said in Firewall rules for outgoing traffic:
I can't believe this is still discussed.
One is taking an action that puts the business at risk.
The other is blocking randomly an unknown risk.
Put this before a CEO and see if he would agree that blocking potential customers to protect against a risk that is unknown to even exist is worth spending money on. This isn't a technical thing, it's pure business.
It is 100% not unknown risk. It is basic mitigation from known risks.
But again, you took this thread south from the OP on your one sided opinion.
The OP is discussing outbound traffic. Not inbound.
So fork this out of the OP's thread and rant elsewhere.
-
@jaredbusch said in Firewall rules for outgoing traffic:
@scottalanmiller said in Firewall rules for outgoing traffic:
I can't believe this is still discussed.
One is taking an action that puts the business at risk.
The other is blocking randomly an unknown risk.
Put this before a CEO and see if he would agree that blocking potential customers to protect against a risk that is unknown to even exist is worth spending money on. This isn't a technical thing, it's pure business.
It is 100% not unknown risk. It is basic mitigation from known risks.
Right, and the risk as we know them are nominal - roughly $0.
It's attacks that are annoying, but carry no financial harm. That's the point. The value to blocking approaches zero. But the risk of blocking is non-zero. Hence why it is generally reckless.
-
@jaredbusch said in Firewall rules for outgoing traffic:
But again, you took this thread south from the OP on your one sided opinion.
Wasn't me. I was only a respondant.
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
What about false positives? If you are willing to block so broadly, why not block completely? Or whitelist?
What false positives? We don't care. This is about blocking incoming on an edge router. not something service websites. Although we are already off topic as the OP was talking about outbound traffic.
You just told me that I was ranting and off topic because we were discussing outbound. But you were definitely already discussing inbound as well.
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
The purpose of Geo IP has nothing to do with stopping a directed attacker. It is about lowering the load on your edge from the useless noise and reducing the impact of automated attacks.
What about false positives? If you are willing to block so broadly, why not block completely? Or whitelist?
What false positives? We don't care. This is about blocking incoming on an edge router. not something service websites. Although we are already off topic as the OP was talking about outbound traffic.
You just told me that I was ranting and off topic because we were discussing outbound. But you were definitely already discussing inbound as well.
Ah, if you read my post in context, I was simply replying to another (incorrect) response and attempting to bring it back on topic. I was definitely not discussing inbound.
-
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
Layers is often used to excuse over the top and unnecessary security. Yes, all defense is in layers. But excusing bad layers as "just another layer" often is misleading. The problem is is that the value to the defense is low, while it creates risks that most other layers do not.
Blacklisting, for example, blocks exclusively known attackers, not actual customers. Geo blocking blocks mostly bad actors, but some good ones. A very different thing with a totally different value discussion that cannot be discussed in terms of "being a layer."
Security can't be viewed in a vacuum. It's a business decision like anything else, and IT has no place making a call about this kind of tech without a business evaluating the risks that it proposes. All security comes at a price. Some costs, like a basic firewall, are trivial and pose no measurable risk. Others, like geo blocking, cost more and pose varying risk from small to enormous. It's never something that can be done without understanding the business in question, very thoroughly, in ways that are often impossible to measure and can only be calculated as a risk.
-
@travisdh1 This has to do with traffic leaving the corporate/production network.
I don't see how this is applicable since folks looking to do business would be browsing an Internet based site outside those limits as well as emailing and/or phoning from outside of the business?
-
@phlipelder said in Risks to Geo Blocking:
@travisdh1 This has to do with traffic leaving the corporate/production network.
I don't see how this is applicable since folks looking to do business would be browsing an Internet based site outside those limits as well as emailing and/or phoning from outside of the business?
To which point was this a response?
-
@travisdh1 said in Risks to Geo Blocking:
@phlipelder said in Firewall rules for outgoing traffic:
We saw a situation where the perps were definitely Russian and the IPs they were operating out of were definitely Russian but the edge had no ability to Geo Block. This would have been a classic case and point.
So what about the hundreds of people you unintentionally block because the GeoIP service you use put them in Russia instead of eastern Europe? Which is worse, purposely loosing business, or having to block malicious IP addresses (which should be automatic)?
@scottalanmiller This one. I must have goofed on the QUOTE step ...
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Firewall rules for outgoing traffic:
There are days where I question why I even bother trying to persuade...
I never want to persuade, that's not a good goal. The goal should always be to find what is true. Persuading is necessary only when your position isn't correct but you want someone to accept it anyway. Working towards truth is a better goal - put forth ideas and see if they make sense.
I do take issue with you calling into question my use of the word persuasion and contrasting it with the word truth. This is why I question the value in discussing things here on Mangolassi that have been designated as "the right way". The rhetoric does not appear to allow for an honest discussion.
-
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
It doesn't work because the primary systems out there routinely don't know the source of IPs. This is why I constantly point out that these systems believe my Dallas Fiber service is from Toronto, an entirely different country thousands of miles away. My phone often registers as a different state, but not country. When working in NY I was consistently listed as Germany.
And those are the "accidents". As a traveler, it's common to use VPN services to "choose" which country people think you are in. That's very common. And trivially easy, for consumers. Loads of people do that just to watch movies.
Geo blocking works, I would estimate, about 95-98% of the time when no one is attempting to get around it. But even if it worked 99% of the time, 1% poses a significant business risk to a normal business.
-
On topic here.
Risks to geo-blocking inbound traffic.
First you have to define what kind of inbound you are talking about.
As I stated in my reply above where @scottalanmiller is trying to blame me for what he does, geo blocking inbound traffic on an edge router carries little to no penalty but solid benefits as it should cause drop rules to execute earlier in the firewall chain.This is no different than a drop all but my trusted IP rule setup for anything.
Your default inbound rule should be drop all new connections.
You first rules should be allow from trusted IP 1-6.
That's it.If you are in the inbound scenario that you need a more open set than can easily be whitelisted, a drop on geo IP match can easily slim up the subsequent rul processing or limit what is forwarded inbound.
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
@travisdh1 said in Firewall rules for outgoing traffic:
@kelly said in Firewall rules for outgoing traffic:
@travisdh1 said in Firewall rules for outgoing traffic:
@phlipelder said in Firewall rules for outgoing traffic:
- Edge should support subnet/IP/Country and other forms of blacklist blocking.
We've been over how bad blocking by Country is around here. I've "hacked" that system just by putting a used router online. It's seriously bad and not worth anyone's time.
I don't necessarily agree with the common wisdom on this one. It is easily bypassed with a targeted attack, but it can significantly reduce your scanning activity and automated attacks. It isn't the answer but it is a layer in a defense in depth.
It doesn't do that tho. It can't, because the system itself is that flawed.
We're going down a rabbit trail here, but I'll bite. How is the system flawed? I understand that address blocks are being sold off and assigned outside of their original IANA country designation, but aside from that how does it not work? What about if you are updating your tables from a source like Maxmind that is updated frequently?
It doesn't work because the primary systems out there routinely don't know the source of IPs. This is why I constantly point out that these systems believe my Dallas Fiber service is from Toronto, an entirely different country thousands of miles away. My phone often registers as a different state, but not country. When working in NY I was consistently listed as Germany.
You. You. You.
No one else.
Prove this is actually more than just you.
Because none of this ever happens to any of my clients, myself, or anyone else I professionally work with.