AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Using Geo-IP Data to Tighten Firewall Rulesets

Geo-IP blocking, or denying internet traffic from or to a certain geographical location based on the source or destination IP address, can be a very useful tool for preventing cyber attacks, malware, phishing, and spam.

One thing to look for when blocking by country is the ability to block by country code – it allows for more granular geo-blocking and better security. There are something like 200 country codes from which internet traffic can be sourced around the globe, and the list of IP ranges behind each code constantly changes as ISPs adjust their networks.

It’s interesting to note that while it’s true that the majority of attacks originate from a small percentage of country codes on the internet, it doesn’t necessarily mean that country is the nation state behind the attack. The ability to use internet proxies or compromised machines around the world can falsely identify certain countries as the attackers when in fact it’s someone else’s malicious actions. That being said, if certain country codes are known to constantly attack you, they should be Geo-Blocked. An example of this would be an ecommerce site blocking all Chinese requests into its network except for port 80/443. This would enable the business to continue allowing traffic for legitimate services (with monitoring, of course), but prohibit any other port scans from China.

Most Next Generation Firewalls (NGFW) can block by country code, so you can leave it up to them to do the heavy lifting when determining which IP range is associated with which country. (As a tip, don’t ever download country IP ranges as a text file and copy them into a firewall rule: a static list prevents the NGFW from dynamically updating the ranges behind each country code.)

Taking geo-IP blocking a step further, you may want to consider blocking all traffic from a country that you don’t do business with. If there’s a particular country that you have no business with, and don’t anticipate having any business with in the future, the ability to block it completely will eliminate significant risks to your network. But before considering this approach you need to make sure you fully understand your organization’s business relationships. If in any doubt, consider blocking a country by port and service rather than aggressively blocking it wholesale.
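The two policy shapes described above (a port-scoped block that leaves 80/443 open, and a wholesale block for a country you have no business with) can be illustrated with a small rule evaluator. This is an added example, not code from the blog or from any firewall product: the geo-IP table uses documentation address space with constructed country assignments, `ZZ` is a placeholder code for the “no business relationship” country, and the rule order and default action are assumptions of the example. The country lookup uses longest-prefix match, which is the detail that goes wrong when a static range list is pasted into a rule and a more specific prefix is later reassigned.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed geo-IP table (prefix -> ISO country code). Real tables hold
# hundreds of thousands of prefixes and change constantly, which is why the
# post recommends letting the NGFW maintain them. Documentation ranges only.
GEOIP_TABLE = {
    "203.0.113.0/24": "CN",
    "203.0.113.128/25": "HK",   # more specific prefix carved out of the /24
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "ZZ",       # placeholder: a country we do no business with
}

# Sort most-specific prefix first so lookup is a longest-prefix match.
NETWORKS = sorted(
    ((ipaddress.ip_network(prefix), cc) for prefix, cc in GEOIP_TABLE.items()),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for ip, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in NETWORKS:
        if addr in net:
            return cc
    return None


@dataclass(frozen=True)
class GeoRule:
    country: str
    action: str                          # "allow" or "deny"
    ports: FrozenSet[int] = frozenset()  # empty set means "any port"


# Ordered policy, first match wins (assumed semantics for this example).
POLICY: List[GeoRule] = [
    # Ecommerce case from the post: keep the web storefront reachable from CN...
    GeoRule("CN", "allow", frozenset({80, 443})),
    # ...but deny every other port, which stops scans of non-web services.
    GeoRule("CN", "deny"),
    # Wholesale block for a country with no business relationship.
    GeoRule("ZZ", "deny"),
]
DEFAULT_ACTION = "allow"


def evaluate(src_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, reason) for an inbound connection attempt."""
    cc = lookup_country(src_ip)
    if cc is None:
        return DEFAULT_ACTION, "no country match"
    for rule in POLICY:
        if rule.country == cc and (not rule.ports or dst_port in rule.ports):
            scope = sorted(rule.ports) if rule.ports else "any"
            return rule.action, f"{cc} rule, ports={scope}"
    return DEFAULT_ACTION, f"{cc} not in policy"


if __name__ == "__main__":
    for ip, port in [("203.0.113.10", 443), ("203.0.113.10", 22),
                     ("203.0.113.200", 22), ("192.0.2.9", 443), ("10.0.0.1", 80)]:
        action, reason = evaluate(ip, port)
        print(f"{ip}:{port} -> {action} ({reason})")
```

Note that `203.0.113.200` falls in the more specific `HK` prefix even though the enclosing `/24` is tagged `CN`; a copy of the `/24` pasted into a rule as a static range would block it regardless.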

There’s another instance when this aggressive blocking is helpful, and that’s during an active attack. The best example of this is if your business is under a DDoS attack from multiple countries across the globe. You should quickly determine which countries are the top offenders and then deny them service for the duration of the attack. While it might cause some temporary service interruption, it will help prevent further damage from the attack.

The ability to geo-block countries is a great way to limit malicious requests from entering your network, or at the very least reduce the footprint of attack from the internet – it’s a great tool to keep in your security tool box. But be careful. Both country codes and your business will likely change on a regular basis, so make sure to review them on a daily/weekly basis to check if there is legitimate traffic trying to access these resources.
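The two operational tasks in the last paragraphs, ranking top-offending countries during an attack and reviewing what a geo-block is denying, both come down to summarising firewall logs by country. The following is an added example, not code from the blog or from any firewall vendor: the log lines are constructed in a made-up `key=value` format (real NGFW logs differ but usually carry the same fields), the country codes and counts are invented, and the choice of 80/443 as the “services customers legitimately use” set is an assumption.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed NGFW-style log excerpt. Fields: timestamp, action, source IP,
# country code (cc) assigned by the firewall's own geo-IP feed, and dst port.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z action=deny src=203.0.113.10 cc=CN dport=22
2024-01-01T10:00:01Z action=deny src=203.0.113.11 cc=CN dport=22
2024-01-01T10:00:02Z action=deny src=203.0.113.12 cc=CN dport=3389
2024-01-01T10:00:02Z action=deny src=203.0.113.13 cc=CN dport=22
2024-01-01T10:00:03Z action=allow src=203.0.113.14 cc=CN dport=443
2024-01-01T10:00:03Z action=allow src=203.0.113.15 cc=CN dport=443
2024-01-01T10:00:04Z action=deny src=192.0.2.20 cc=ZZ dport=443
2024-01-01T10:00:04Z action=deny src=192.0.2.21 cc=ZZ dport=443
2024-01-01T10:00:05Z action=deny src=192.0.2.22 cc=ZZ dport=443
2024-01-01T10:00:05Z action=deny src=192.0.2.23 cc=ZZ dport=3389
2024-01-01T10:00:06Z action=allow src=198.51.100.5 cc=US dport=443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) "
    r"cc=(?P<cc>[A-Z]{2}) dport=(?P<dport>\d+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def top_offenders(records: Iterable[Dict[str, str]], n: int = 3) -> List[Tuple[str, int]]:
    """Rank countries by number of connection attempts (allowed or denied).

    During a DDoS this is the list the post says to build quickly; the top
    entries are candidates for a temporary wholesale block.
    """
    counts = Counter(rec["cc"] for rec in records)
    return counts.most_common(n)


def review_candidates(records: Iterable[Dict[str, str]],
                      service_ports: Iterable[int] = (80, 443)) -> List[Tuple[str, int, int]]:
    """Denied traffic to ports your business serves, grouped by country.

    These are the hits to look at in the daily/weekly review: a blocked
    country repeatedly reaching the storefront on 443 may be a customer or
    partner the block list did not anticipate.
    """
    wanted = set(service_ports)
    counts: Counter = Counter(
        (rec["cc"], int(rec["dport"]))
        for rec in records
        if rec["action"] == "deny" and int(rec["dport"]) in wanted
    )
    return sorted(((cc, port, hits) for (cc, port), hits in counts.items()),
                  key=lambda item: item[2], reverse=True)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top offenders:", top_offenders(recs, 2))
    print("denied service traffic to review:", review_candidates(recs))
```

Running it on the sample shows `CN` and `ZZ` as the top two sources, and flags three denied `ZZ` connections to port 443 for review, which is exactly the signal the post warns about: traffic a wholesale block is dropping that may be legitimate.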
