Geo-IP Filtering: A little-known layer of network defense

No business appreciates getting spam e-mails, but network vulnerability probes and attacks are more harmful. These can strike at a network from anywhere in the world, yet most small U.S. businesses rarely even make use of their Internet access to distant countries. Despite this, according to Deutsche Telekom, an organization with 97 sensors around the globe that track malicious network traffic, most of the spam and cyberattacks they encounter originate from foreign countries. For instance, they have found that, by far, the greatest source of cyberattacks is Russia, followed by Taiwan, and various European countries. The most spam e-mails, meanwhile, originate from India. Herein lies the value of filtering Internet traffic by country, known as Geo-IP filtering. Yet many businesses have a network firewall capable of Geo-IP filtering without even being aware of it. In particular, many of Dell’s SonicWALL firewalls, including the NSA series and some TZ series devices, have come equipped with Geo-IP filtering since 2011.

At its most basic, Geo-IP filtering works by checking the IP address of incoming Internet traffic against the databases maintained by various international Internet registries, to discern its country of origin. If it comes from a country which the user has selected to filter out, the firewall will deny that data access to the protected network. Likewise, data being sent out to a blocked country will also be denied. This can be quite useful, often significantly reducing unwanted spam and network access attempts. But what if a business has a client in a country which also happens to generate a great deal of spam? In this case, they could add the client’s IP address or address range as an allowable exception while keeping the country as a whole denied.
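The decision described above, sketched as an added example (this is not SonicWALL's code or configuration). The country table, country codes and exception range are constructed placeholders built on documentation address ranges; a real firewall uses a registry-derived database.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation ranges stand in for
# registry allocations, and the country codes are placeholders.
GEO_DB = [
    (ipaddress.ip_network("192.0.2.0/24"), "AA"),
    (ipaddress.ip_network("198.51.100.0/24"), "BB"),
    (ipaddress.ip_network("203.0.113.0/24"), "CC"),
]
BLOCKED_COUNTRIES = {"AA", "BB"}
# Hypothetical exception: a client's range inside blocked country "AA".
ALLOWED_EXCEPTIONS = [ipaddress.ip_network("192.0.2.16/28")]


def country_of(addr):
    """Return the country code of the most specific matching range, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, cc) for net, cc in GEO_DB if ip in net]
    return max(matches)[1] if matches else None


def decide(src, dst):
    """Return 'allow' or 'deny' for a connection, checking both endpoints.

    Checking the destination as well as the source models the point that
    traffic sent out to a blocked country is denied too.
    """
    for addr in (src, dst):
        ip = ipaddress.ip_address(addr)
        # Exceptions are evaluated before the country block, so a listed
        # client keeps access while the rest of its country stays denied.
        if any(ip in net for net in ALLOWED_EXCEPTIONS):
            continue
        # Addresses missing from the table (for example internal hosts)
        # have no country and are not blocked by this filter.
        if country_of(addr) in BLOCKED_COUNTRIES:
            return "deny"
    return "allow"


if __name__ == "__main__":
    for src, dst in [("192.0.2.200", "10.0.0.5"), ("192.0.2.20", "10.0.0.5"),
                     ("10.0.0.5", "198.51.100.7"), ("203.0.113.9", "10.0.0.5")]:
        print(f"{src} -> {dst}: {decide(src, dst)}")
```

Because the exception list is consulted first, its entries should be kept as narrow as the client relationship requires; a wide exception range re-opens the country it sits in.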

I’ll use the example of SonicWALL’s Geo-IP filter, due to its use here at Syncretic. The Geo-IP filter settings are found in SonicWALL’s firewall management interface, under the “Security Services” tab. From there, selecting “Geo-IP Filter” brings up the Geo-IP settings, including a list of possible countries to be blocked. (It even includes Antarctica!) The filter is enabled if the “Block connections to/from following countries” option is checked. For more specific options, though, you can select the “Firewall Rule-based” filter. Rather than blocking all traffic to the selected countries, this will filter traffic according to a customizable rule, which can be configured in the “Firewall/Access Rules” area of SonicWALL’s interface. This way, a business can create exceptions to the filtering, such as allowing specific IP addresses or ranges of IP addresses (for instance, the address of a foreign client), or allowing e-mails. This allows the filter to remain flexible, while still providing a wide defense.

So, while Geo-IP filtering, like any layer of network security, cannot provide guaranteed protection on its own, it can prove quite valuable as a tool for businesses.
