Risks to Geo Blocking
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
Yes
-
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
I see, that makes sense.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
I addressed each of these concerns above in narrowing the specificity of my response and scenario when Geo IP is appropriate. Another apparent assumption that you are working from is that the Geo IP blocking is being established on external facing services. Generally that should be hosted. I would want Geo IP blocking on my corporate edge, not my external facing services. You're right, that is a mistake in the majority of scenarios. However, having it on my corporate edge where few services are delivered to the public for a company that does business and only has employees in a given country it can make sense. I'm going to post this instead of dealing with each point because I know you've already posted several other responses that I should probably read.
I get this, I think. So let me see if I agree with your premise.
- This is corporate edge, but public services (so no customers potentially affected?)
- This is outbound traffic, although outbound blocks will affect inbound for bi-directional communications.
- Traffic types assumed to be used here might be internal email, VPN, internal use wiki, RDP, and so forth?
He made no limitation to outbound in his statement. Simply Edge.
It was the OP of the original thread that was looking at outbound only.
Other than that, did I understand the premise?
Yes
Okay, so in that scenario, we would then be limiting risks only to situations that can be discovered? Meaning, an employee goes home, things don't work, they call in to the office and get their IP whitelisted, for example? So the risk is not of loss of customer revenue, but the risk is simply the overhead of "fixing" the situation for a rare employee?
-
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
The goal is not to stop all attacks. The goal is drop all the packets that are just noise (most of which is scanning or bot based attacks). It will actually lower the load on your edge overall if done properly on a good firewall.
-
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
-
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@jaredbusch said in Risks to Geo Blocking:
@travisdh1 said in Risks to Geo Blocking:
I just took a quick look at https://www.iplocation.net/ out of curiosity. Youngstown, OH, Mansfield, OH, Wooster, OH, and Layfayette, LA.
The 4 locations that site showed me are from 4 different private companies selling location services.
That means you are relying on 4 different companies to have their data right.
There is a single authority for every IP block out there. ARIN, RIPE, APNIC, etc. Using anything else is use at your own risk. Just like any other business decision. Is the service you are using correct for your business.
True, but you need your service from somewhere. If you don't use an aggregate service, you get more and more complicated so the cost of overhead increases.
Maybe I'm missing something, but how do you propose using a those services directly as a normal company? Do you have scripts that pull that data? Is it that simple? Or are you just saying that theoretically there is a master list? I get the concept, but as an implementer, I'm not clear on how I would take that knowledge and turn it into an actionable blocking regimen for a router, for example. Maybe it's easy, but if it is, why are people using services like MaxMind or Google?
I would choose to find a service that only relies on solid data such as those. Not one that buys information from everywhere attempting to be "better" and in reality only being less accurate over all.
I see, that makes sense.
MaxMind might be one of the best choices. I've not researched them in detail as I do not geo-block.
But let's look at the results of the site @travisdh1 posted with my current IP address.
Go to https://www.iplocation.net and enter 64.53.188.39If you look at the details returned and compare that with ARIN.net, it is very obvious that these services are using more information purchased from somewhere.
Let's also not ignore that this site is obviously pushing VPN services. This link goes to a page filled with affiliate links to VPN services.
https://www.iplocation.net/hide-ip-with-vpn
Here is what ARIN has about my IP.
https://whois.arin.net/rest/net/NET-64-53-188-0-1/pft?s=64.53.188.39
-
@kelly said in Risks to Geo Blocking:
The goal is not to stop all attacks. The goal is drop all the packets that are just noise (most of which is scanning or bot based attacks). It will actually lower the load on your edge overall if done properly on a good firewall.
Absolutely, this I get totally. More than anything, the value is in reducing the amount of spurious logs that need to be collected.
-
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
And my expressed frustration was sourced in the fact that I stated these things above.
-
@kelly said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
@kelly said in Risks to Geo Blocking:
Another apparent assumption (correct me if I'm wrong) is that Geo IP blocking means blocking everything that is not [my country]. I do not advocate for that at all. You take the bad actor states (which for some countries might mean blocking the US), and block them. Your average local business is not going to have to worry about an employee or customer connecting from China, Iran, Russia, etc.
I wasn't assuming that, though maybe people were. That certainly lowers the risk versus broader blocking. And as a customer, I've never been accidentally marked as being in China or Russia, but "not in the US." This has happened both accidentally (they just get it wrong, this gets me in Texas from time to time) and illogically (I'm trying to order something while traveling and can't place the order even though I'm an American, with American payment, shipping to America.)
And my expressed frustration was sourced in the fact that I stated these things above.
Maybe it wasn't explicit enough given other things mentioned. I wasn't clear that you were meaning purely in a business that had separated out all publicly facing activities. Sorry if I misunderstood.
I see where you are going. This would be akin to adding geo blocking to a home setup where no one ever tries to get in, but you'd still like same casual access from a hotel or something.
-
Just so I understand, Geo blocking can lead to false positives so I should never use it?
So then,
IPS can lead to false positives, so I should never use it?
A/V can give false positives, so I should never use it?
Updates can cause problems, so I shouldn't update?Quite frankly all those positions are ridiculous.
If I get an email saying an IP tried to use Massscan or some Ddos script on my firewall, I goto ripe or lacnic or apnic or arin and it query the ip.
If this ip shows as a datacenter in St Petersburg Russia, or Shenzhen China, what are the chances it is not in St Petersburg or Shenzen? I would guess less than one in one thousand.To the OP, instead of geo blocking you can use an IPS that can block on incoming and outbound traffic.
Rarely here someone will get their workstation on the IPS list because they go to a website that does something weird with a connection, or they click on a fakebook news story link.
Most often though the IPS list is full of people doing masscan or old apache/iis exploits, malformed email headers, illegal file attachments. -
@momurda said in Risks to Geo Blocking:
Just so I understand, Geo blocking can lead to false positives so I should never use it?
So then,
IPS can lead to false positives, so I should never use it?
A/V can give false positives, so I should never use it?
Updates can cause problems, so I shouldn't update?That's not exactly what was said. It's the rate of false positives and the situations in which they occur. Not in the case that @Kelly was saying, but in more general cases, an AV or Update false positive (or problem) would never block a potential customer, but Geo IP often does. IPS blocking customers would absolutely put it on a path to being shut down if it was doing that with any frequency.
But none of those things, in the real world, pose the kinds of threats that geo ip blocking does in the way that most people talk about it and intend to use it.
Super common example: WordFence has super easy to set up geo blocking for WordPress and blocks potential (or existing) customers quite easily from getting to your website. IPS, AV and Updates realistically don't pose a real threat in that way. WordFence is not what we are discussing in this thread, but it is a common style intended when people talk about geo blocking and a very real problem if not understood.
-
@momurda said in Risks to Geo Blocking:
Quite frankly all those positions are ridiculous.
If I get an email saying an IP tried to use Massscan or some Ddos script on my firewall, I goto ripe or lacnic or apnic or arin and it query the ip.
If this ip shows as a datacenter in St Petersburg Russia, or Shenzhen China, what are the chances it is not in St Petersburg or Shenzen? I would guess less than one in one thousand.In that scenario there are two factors, though. We don't care if it is accurate once you know it is an attack. And it's filtered so that yes, attacks are more likely from there, so by isolating the traffic to known attack traffic, and then filtering for none attack locations, then yes, the resulting accuracy would be higher than the general accuracy.
But in those cases, we'd be happy to block using IPS because it's already an attack. Even if it came from Kansas, we'd want to block it. So the location is moot by that point.
It's the case where you don't get an attack but legitimate traffic, and it registers as St. Petersburg (that's where Veeam is, for example), then what are the chances you'd want to block it?
-
So for the first time in YEARS, we just did some geo blocking today. How is this timing possible?
-
This is a pretty good thread on how to argue with @scottalanmiller. Not even a joke.
-
@scottalanmiller said in Risks to Geo Blocking:
So for the first time in YEARS, we just did some geo blocking today. How is this timing possible?
Oh yeah? Which? Why?
-
@obsolesce said in Risks to Geo Blocking:
@scottalanmiller said in Risks to Geo Blocking:
So for the first time in YEARS, we just did some geo blocking today. How is this timing possible?
Oh yeah? Which? Why?
Only access for one tech, so trying to limit as much as possible. But it didn't work, (probably nothing to do with the geo blocking) so I don't know if they ended up keeping it or not.