Geo-Blocks for Enterprise Security
You are familiar with forward geo-blocking if you’ve experienced the societal ramifications of living in a country that restricts the Internet. Usually, this type of suffocating access control is implemented by governments for reasons of acceptable use and information restriction, rather than to prevent cyber security threats from infiltrating the infrastructure of a designated region or country.
You might be less familiar, however, with reverse geo-blocking, unless you are associated with an ISP, where the issue emerges frequently. This type of control is implemented by restricting access to a protected enclave from designated regions – and it is almost always done for cyber security. Unfortunately, ISP managers get migraines from the policy and legal entanglements that emerge as they try to meet customer requests.
The classic example involves an enterprise suspecting that they are under attack from a specific country. Usually, this suspicion produces frightening headlines for senior executives and board members who demand action. “Block China from our network!” they might cry, and the ISP will be summoned to push BGP buttons to divert traffic. As suggested above, nothing like this will ever be done by an ISP unless their lawyers are comfortable.
I spent an interesting afternoon recently with a group of senior executives from Bandura, a cyber security company with offices in St. Louis and Baltimore. Their creative solution, called PoliWall, caused me to slap my own forehead, because it performs a real-time policy-based traffic filtering function so obvious that I can hardly believe it hasn’t registered on my own radar screen earlier.
PoliWall implements bi-directional geo-blocks using an appliance that resides adjacent to an enterprise firewall (physical or virtual). The PoliWall collects intelligence from a Bandura aggregation site in the cloud, which provides real-time, country-related threat information. This is fused with local threat intelligence and any other data that might dictate the need to prevent traffic from flowing to or from some designated region. It gives the enterprise security team a means for handling executive and board demands without involving the ISP.
“Our solution allows the enterprise security team to take steps to block traffic from a specific country,” explained Suzanne Magee, CEO of Bandura. “If the conditions warrant, then all they will need to do is point and click on the visual world map we provide as our platform interface, and they can implement the policy-based block action for the targeted country almost instantaneously.”
I asked the Bandura team about the accuracy of the country mapping on their platform, and they explained how IANA-based numbering and ASN mappings provide them with a sufficiently accurate designation of where IP blocks map to geography. If a security administrator wants to prevent traffic to and from Russia, for example, then this is easily accomplished and will be as accurate as the official mappings. It is straightforward.
The PoliWall solution includes many additional interesting features, such as the ability for administrators to adjust threat scoring to fine-tune policy-based egress and ingress traffic behavior. They also offer a global management console that looks like it was born to reside on your SOC wallboards. I also liked their emphasis on virtualization, with the PoliWall appliance supporting cloud, CASBs, or micro-segment operation.
Look, I fully understand the many drawbacks to geo-blocking: Botnets extend across arbitrary geographies; nation-states will launch attacks from intermediate nodes in other countries; foreign operatives might be resident in your hometown; and on and on. But you should not let these tough use-cases prevent you from the flexibility that comes with the ability to implement forward and reverse geo-blocks should the need arise.
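The bi-directional policy check described above (geo-block by country mapping, fused with local threat indicators and an administrator-tunable threat score), as an added illustration that is not Bandura's PoliWall code and does not use its API or data feeds. The prefix-to-country table stands in for the IANA/ASN-derived mappings the article mentions but is constructed here from documentation ranges with an invented country code "XX"; the indicator scores, exception list and sample flows are constructed as well. It also covers the caveat in the paragraph above: an attack staged through a node in an allowed country is still denied when its address carries a high local threat score.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed prefix -> country table. It stands in for the IANA/ASN-derived
# mappings the article mentions; the prefixes are documentation ranges and
# the country code "XX" is invented for this example.
PREFIX_COUNTRY: Dict[str, str] = {
    "192.0.2.0/24": "XX",      # constructed "blocked" country
    "192.0.2.128/25": "US",    # more specific prefix assigned elsewhere
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "DE",
    "2001:db8::/32": "XX",
}

_NETWORKS = [(ipaddress.ip_network(p), cc) for p, cc in PREFIX_COUNTRY.items()]


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


@dataclass
class Policy:
    blocked_countries: Set[str]
    # local threat intelligence fused in: indicator -> score 0..100 (constructed)
    indicators: Dict[str, int] = field(default_factory=dict)
    # administrator-tunable threshold, the "threat scoring" knob
    block_threshold: int = 70
    # explicit exceptions, e.g. a known partner inside a blocked country
    exceptions: Set[str] = field(default_factory=set)


def evaluate(policy: Policy, src: str, dst: str, direction: str) -> Tuple[str, str]:
    """Decide allow/deny for one flow. On ingress the remote peer is src,
    on egress it is dst; the same policy applies in both directions."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    remote = src if direction == "ingress" else dst
    if remote in policy.exceptions:
        return "allow", "exception"
    score = policy.indicators.get(remote, 0)
    if score >= policy.block_threshold:
        # Indicator-based block fires regardless of country, so an attack
        # staged through a node in an allowed country is still caught.
        return "deny", f"threat score {score} >= {policy.block_threshold}"
    cc = country_of(remote)
    if cc in policy.blocked_countries:
        return "deny", f"geo-block {cc}"
    return "allow", f"country {cc or 'unknown'}, score {score}"


def demo_policy() -> Policy:
    """Constructed policy: block country XX, two local indicators, one exception."""
    return Policy(
        blocked_countries={"XX"},
        indicators={"198.51.100.7": 90, "203.0.113.9": 40},
        exceptions={"192.0.2.44"},
    )


# Constructed sample flows: (src, dst, direction)
SAMPLE_FLOWS = [
    ("192.0.2.10", "10.0.0.5", "ingress"),      # blocked country -> deny
    ("192.0.2.200", "10.0.0.5", "ingress"),     # more-specific US prefix -> allow
    ("10.0.0.5", "198.51.100.7", "egress"),     # allowed country, hot indicator -> deny
    ("203.0.113.9", "10.0.0.5", "ingress"),     # score below threshold -> allow
    ("192.0.2.44", "10.0.0.5", "ingress"),      # exception inside blocked country -> allow
    ("2001:db8::1", "10.0.0.5", "ingress"),     # IPv6 address in blocked country -> deny
    ("100.64.0.1", "10.0.0.5", "ingress"),      # unmapped address -> allow
]


def run_samples(policy: Optional[Policy] = None) -> List[Tuple[str, str]]:
    """Evaluate every sample flow and return the (verdict, reason) pairs."""
    policy = policy or demo_policy()
    return [evaluate(policy, s, d, dirn) for s, d, dirn in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLE_FLOWS, run_samples()):
        print(f"{flow[2]:7} {flow[0]:>16} -> {flow[1]:<14} {verdict:5} ({reason})")
```

The ordering matters: exceptions are checked first so a deliberate allow cannot be undone by a coarse country block, the indicator score is checked before geography so a high-scoring address is denied whatever country it maps to, and an address the table cannot place is allowed rather than denied, which is the safer default when the mapping, not the traffic, is what is uncertain. Longest-prefix matching is what keeps a re-assigned /25 from inheriting the verdict of its parent /24.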
If nothing else sways you, then consider this: The decision to use a PoliWall to geo-block some offending country during a real-time cyber incident might save you and your team from having to join a tedious conference call with a bunch of nervous lawyers. Any product that can save that much anxiety (including for your ISP) is a winner from my perspective.
Let me know what you think.
Strategy, Cybersecurity, Innovation @ Cyera
7y
Ed, when you published this article you put Bandura on my radar. Since then I have learned a little bit more about the category of threat intelligence gateway. I see a number of problems most organizations face today which make them a compelling solution for many orgs. 1) Many teams are not mature enough to consume TI, so mid-market is left with less context. 2) The edge firewalls today are challenged in that they can only handle up to 30-300K threat indicators (per Gartner) and most focus just on domain names and IP addresses. Issue #1 is we have over 1 billion threat indicators. 3) Many teams use TI for detection/response versus prevention because of this consumption problem. I do however see this changing with the use of EDR technology. So I find the use of TI at the edge a very interesting use case along with the use case you mentioned.
PROJECT SUPPORT AT HANDS AT WORK IN AFRICA ( NGO)
7y
I like that.
Senior Manager, Business Development Interconnection at Equinix
7y
Good article, Ed. Arbor has been doing IP location blocking for several years now, both in the product that ISPs use (TMS) and the CPE product (APS).
Cybersecurity Executive, Board Advisor, CISO, Chief Privacy Officer/DPO, Chief Risk Officer, CAIO
7y
It's a great concept. Proven very effective in many environments I've worked in. Other vendors like Quova (now Neustar), Digital Envoy, MaxMind and even Akamai have been providing this exact capability for at least a dozen years now. Not a silver bullet of course, but a great tool in the defensive toolkit. Happy to share some anonymous war stories offline about my early days working with this kind of capability. As you say... "if you aren't already using this intelligent traffic filtering, you should be".