Risks to Geo Blocking
-
@kelly said in Risks to Geo Blocking:
The goal is not to stop all attacks. The goal is drop all the packets that are just noise (most of which is scanning or bot based attacks). It will actually lower the load on your edge overall if done properly on a good firewall.
Absolutely, this I get totally. More than anything, the value is in reducing the amount of spurious logs that need to be collected.
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
And my expressed frustration was sourced in the fact that I stated these things above.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
And my expressed frustration was sourced in the fact that I stated these things above.
Maybe it wasn't explicit enough given other things mentioned. I wasn't clear that you were meaning purely in a business that had separated out all publicly facing activities. Sorry if I misunderstood.
I see where you are going. This would be akin to adding geo blocking to a home setup where no one ever tries to get in, but you'd still like same casual access from a hotel or something.
-
Just so I understand, Geo blocking can lead to false positives so I should never use it?
So then,
IPS can lead to false positives, so I should never use it?
A/V can give false positives, so I should never use it?
Updates can cause problems, so I shouldn't update?Quite frankly all those positions are ridiculous.
If I get an email saying an IP tried to use Massscan or some Ddos script on my firewall, I goto ripe or lacnic or apnic or arin and it query the ip.
If this ip shows as a datacenter in St Petersburg Russia, or Shenzhen China, what are the chances it is not in St Petersburg or Shenzen? I would guess less than one in one thousand.To the OP, instead of geo blocking you can use an IPS that can block on incoming and outbound traffic.
Rarely here someone will get their workstation on the IPS list because they go to a website that does something weird with a connection, or they click on a fakebook news story link.
Most often though the IPS list is full of people doing masscan or old apache/iis exploits, malformed email headers, illegal file attachments. -
@momurda said in Risks to Geo Blocking:
Just so I understand, Geo blocking can lead to false positives so I should never use it?
So then,
IPS can lead to false positives, so I should never use it?
A/V can give false positives, so I should never use it?
Updates can cause problems, so I shouldn't update?That's not exactly what was said. It's the rate of false positives and the situations in which they occur. Not in the case that @Kelly was saying, but in more general cases, an AV or Update false positive (or problem) would never block a potential customer, but Geo IP often does. IPS blocking customers would absolutely put it on a path to being shut down if it was doing that with any frequency.
But none of those things, in the real world, pose the kinds of threats that geo ip blocking does in the way that most people talk about it and intend to use it.
Super common example: WordFence has super easy to set up geo blocking for WordPress and blocks potential (or existing) customers quite easily from getting to your website. IPS, AV and Updates realistically don't pose a real threat in that way. WordFence is not what we are discussing in this thread, but it is a common style intended when people talk about geo blocking and a very real problem if not understood.
-
@momurda said in Risks to Geo Blocking:
Quite frankly all those positions are ridiculous.
If I get an email saying an IP tried to use Massscan or some Ddos script on my firewall, I goto ripe or lacnic or apnic or arin and it query the ip.
If this ip shows as a datacenter in St Petersburg Russia, or Shenzhen China, what are the chances it is not in St Petersburg or Shenzen? I would guess less than one in one thousand.In that scenario there are two factors, though. We don't care if it is accurate once you know it is an attack. And it's filtered so that yes, attacks are more likely from there, so by isolating the traffic to known attack traffic, and then filtering for none attack locations, then yes, the resulting accuracy would be higher than the general accuracy.
But in those cases, we'd be happy to block using IPS because it's already an attack. Even if it came from Kansas, we'd want to block it. So the location is moot by that point.
It's the case where you don't get an attack but legitimate traffic, and it registers as St. Petersburg (that's where Veeam is, for example), then what are the chances you'd want to block it?
-
So for the first time in YEARS, we just did some geo blocking today. How is this timing possible?
-
This is a pretty good thread on how to argue with @scottalanmiller. Not even a joke.
-
@scottalanmiller said in Risks to Geo Blocking:
So for the first time in YEARS, we just did some geo blocking today. How is this timing possible?
Oh yeah? Which? Why?
-
@obsolesce said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
So for the first time in YEARS, we just did some geo blocking today. How is this timing possible?
Oh yeah? Which? Why?
Only access for one tech, so trying to limit as much as possible. But it didn't work, (probably nothing to do with the geo blocking) so I don't know if they ended up keeping it or not.