Why Geo-IP Filtering is a Critical Layer of Any Defense-in-Depth Strategy
Geo-IP filtering has been around for quite some time. TCS has been configuring it for at least a decade on our next-generation firewalls. This article will define what Geo-IP filtering is and why it is critical for any CyberSecurity model. Before we get too carried away, it’s imperative that we emphasize that Geo-IP filtering is one of MANY layers that should comprise a CyberSecurity posture. Nevertheless, it is a vital layer. What is Geo-IP filtering?
Geo-IP Filtering Defined
In writing an article of this nature, it would be foolish to assume everyone understands what Geo-IP filtering is. Every device that connects to the Internet is assigned an IP address, and the IANA (Internet Assigned Numbers Authority) allots different numbered IP addresses to different countries. Since every country registers its own numbering format, this makes it possible to determine if Internet requests are coming from the US or Canada, the British Isles, or even Zimbabwe.
For SMBs, local governments, and municipalities, there really is no need to allow your network to communicate with the entire world. If you’re not running or managing a global enterprise, odds are allowing communication with every country in the world is more of a liability than a necessity. Even global enterprises can benefit by whitelisting the specific international IP addresses necessary for their business, but that is very complex – something that enterprises generally have the resources to handle internally. Exceptions aside, the bottom line is that a local plumbing company, doctor’s office, or financial institution probably has little need to communicate with Vietnam, North Korea (Democratic People’s Republic of Korea), or South Sudan. Why South Sudan? According to Kaspersky’s World Threat Map, it registers as number two (#2) on the world map of attack sources, accounting for 8.49% of all attacks worldwide. Who would have thought that?
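The mechanics described above, country lookup on an address followed by a deny-by-country rule with a short allowlist of mission-critical foreign hosts, as an added example that is not part of the original article or any TCS product. The prefix table, country codes (including the placeholder codes ZZ and YY) and connection records are constructed from documentation address space; a real firewall uses a vendor-maintained Geo-IP database. Treating an unmapped address as blocked is an assumption, a fail-closed policy choice rather than something the article prescribes.

```python
import ipaddress

# Constructed stand-in for a Geo-IP database: prefix -> ISO-style country code.
# These are RFC 5737 documentation ranges, not real country allocations.
GEOIP_DB = {
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "CA",
    ipaddress.ip_network("203.0.113.0/24"): "ZZ",    # placeholder geo-blocked country
    ipaddress.ip_network("203.0.113.64/26"): "YY",   # more specific sub-allocation
}

# Countries the policy refuses to talk to (placeholder codes).
BLOCKED_COUNTRIES = {"ZZ", "YY"}

# Mission-critical exceptions: specific foreign hosts the business must reach.
# A narrow host allowlist is reviewed far more easily than an open country.
ALLOWLIST = {ipaddress.ip_network("203.0.113.10/32")}


def lookup_country(ip: str):
    """Longest-prefix match against the Geo-IP table; None if unmapped."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEOIP_DB.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def decide(ip: str):
    """Return (verdict, reason). Allowlist wins, then the country deny list.
    Assumption: an address the database cannot place is blocked, so a gap in
    the Geo-IP data never silently becomes an allow."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in ALLOWLIST):
        return ("allow", "allowlisted mission-critical host")
    cc = lookup_country(ip)
    if cc is None:
        return ("block", "no Geo-IP mapping")
    if cc in BLOCKED_COUNTRIES:
        return ("block", f"country {cc} is geo-blocked")
    return ("allow", f"country {cc} permitted")


def evaluate(connections):
    """Apply the policy to a batch of destination IPs (e.g. from a firewall log)."""
    return [(ip, *decide(ip)) for ip in connections]


# Constructed outbound connection attempts, one destination IP each.
SAMPLE_CONNECTIONS = ["192.0.2.5", "203.0.113.10", "203.0.113.70", "10.0.0.1"]
```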
Why Geo-IP Filtering Is So Critical
It might be obvious to some why filtering out countries known for their bad actors would be a good thing, but some might remain unconvinced. One lead question I often use with potential clients is, “Do you want your business to be able to communicate with enemies of the US?” Most business owners, unless they have some alliance to trade in other countries, answer “No way!” That settles it for them. But what are some of the nuances of how Geo-IP protection can benefit an SMB?
- Many Crypto-Ransomware attacks depend on being able to communicate with outside countries in order to complete the ransomware hijack.
Here is a very helpful infographic from Sophos showing the five stages of a crypto-ransomware attack:
Note: Full article including the graphic can be located here.
Notice Step 2 of their graphic: Contacting Headquarters. Often, these ransomware headquarters are off-shore, because they are trying to avoid legal accountability, or they are state-funded attacks to create disruption.
If the ransomware needs to contact a server in one of the blocked countries in order to complete the process, you have blocked an integral part of the process. That doesn’t mean you are safe just yet, BUT your files aren’t encrypted yet either.
- Email Scams with hyperlinks often originate in Eastern Europe and countries in Africa. When you receive an email stating there is a problem with your Amazon purchase, or you have a UPS package that is undeliverable, those emails will often include a link to click on in order to resolve the issue. Those links often point to web servers in other countries. Filtering communications with those countries helps protect your users, should one click on the link. This isn’t a substitute for end user security awareness training, but it does add another layer of protection against user error.
- The final way that Geo-IP filtering can prove helpful is the all-too-common mistyped web address, or typo-squatting as it is commonly called in the industry. While protections have been put in place to guard against these mishaps, they still occur. The most well-known historical example is misspelling Google.com as Goggle.com. This led to Google purchasing the rights to Goggle to ensure it didn’t get misused. If the misspelling is attempting to connect a user to a server in a restricted country, the end user is blocked from accessing the site, which cues them to investigate the spelling instead of opening up your organization to malicious attacks.
Conclusion
No single security layer is the end-all security measure for businesses and organizations, but Geo-IP filtering can help mitigate against malicious attacks on your network from other countries. Management of Geo-IP filtering can be tricky and tedious at times, but the juice is most certainly worth the squeeze. There’s no reason to allow communications with other countries beyond those mission-critical sites necessary for your business to function properly.