Geo-Blocks for Enterprise Security

You are familiar with forward geo-blocking if you’ve experienced the societal ramifications of living in a country that restricts the Internet. Usually, this type of suffocating access control is implemented by governments for reasons of acceptable use and information restriction, rather than to prevent cyber security threats from infiltrating the infrastructure of a designated region or country.

You might be less familiar, however, with reverse geo-blocking, unless you are associated with an ISP, where the issue emerges frequently. This type of control is implemented by restricting access to a protected enclave from designated regions – and it is almost always done for cyber security. Unfortunately, ISP managers get migraines from the policy and legal entanglements that emerge as they try to meet customer requests.

The classic example involves an enterprise suspecting that they are under attack from a specific country. Usually, this suspicion produces frightening headlines for senior executives and board members who demand action. “Block China from our network!” they might cry, and the ISP will be summoned to push BGP buttons to divert traffic. As suggested above, nothing like this will ever be done by an ISP unless their lawyers are comfortable.

I spent an interesting afternoon recently with a group of senior executives from Bandura, a cyber security company with offices in St. Louis and Baltimore. Their creative solution, called PoliWall, caused me to slap my own forehead, because it performs a real-time policy-based traffic filtering function so obvious that I can hardly believe it hasn’t registered on my own radar screen earlier.

PoliWall implements bi-directional geo-blocks using an appliance that resides adjacent to an enterprise firewall (physical or virtual). The PoliWall collects intelligence from a Bandura aggregation site in the cloud, which provides real-time, country-related threat information. This is fused with local threat intelligence and any other data that might dictate the need to prevent traffic from flowing to or from some designated region. It gives the enterprise security team a means for handling executive and board demands without involving the ISP.

“Our solution allows the enterprise security team to take steps to block traffic from a specific country,” explained Suzanne Magee, CEO of Bandura. “If the conditions warrant, then all they will need to do is point and click on the visual world map we provide as our platform interface, and they can implement the policy-based block action for the targeted country almost instantaneously.”

I asked the Bandura team about the accuracy of the country mapping on their platform, and they explained how IANA-based numbering and ASN mappings provide them with a sufficiently accurate designation of where IP blocks map to geography. If a security administrator wants to prevent traffic to and from Russia, for example, then this is easily accomplished and will be as accurate as the official mappings. It is straightforward.

The PoliWall solution includes many additional interesting features, such as the ability for administrators to adjust threat scoring to fine-tune policy-based egress and ingress traffic behavior. They also offer a global management console that looks like it was born to reside on your SOC wallboards. I also liked their emphasis on virtualization, with the PoliWall appliance supporting cloud, CASBs, or micro-segment operation.
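To make the mechanics described above concrete, here is an added Python sketch (my own illustration, not Bandura's code or PoliWall's actual implementation) of a bi-directional country block: addresses are mapped to a country by longest-prefix match over a registry-style table, and a flow is blocked either because its remote country is on the administrator's block list or because the country's feed score meets a tunable threshold. The prefix table, threat scores, and flow records are all constructed for the example.

```python
import ipaddress

# Constructed prefix-to-country table (documentation ranges only). A real
# deployment would derive this from registry / ASN mappings, and its accuracy
# is bounded by those mappings, as the article notes.
PREFIX_COUNTRY = [
    ("203.0.113.0/24", "CN"),
    ("198.51.100.0/24", "RU"),
    ("192.0.2.0/24", "US"),
    ("192.0.2.128/25", "CA"),  # more-specific prefix carved out of the /24
]
# Longest prefix first so the first hit is the most specific mapping.
PREFIXES = sorted(((ipaddress.ip_network(p), c) for p, c in PREFIX_COUNTRY),
                  key=lambda pc: pc[0].prefixlen, reverse=True)

# Constructed per-country threat scores (0-100), standing in for a cloud feed.
THREAT_SCORE = {"CN": 90, "RU": 75, "US": 10, "CA": 5}


def country_of(ip):
    """Return the country for an address by longest-prefix match, or None."""
    addr = ipaddress.ip_address(ip)
    for net, country in PREFIXES:
        if addr in net:
            return country
    return None


def decide(flow, blocked, threshold, unmapped="allow"):
    """Return 'block' or 'allow' for one flow.

    flow: {"src": ip, "dst": ip, "direction": "ingress" | "egress"}
    blocked: set of country codes the administrator has point-and-click blocked
    threshold: feed score at or above which a country is blocked automatically
    unmapped: decision for addresses with no country mapping (policy choice)
    """
    # The "remote" side is the source on ingress and the destination on egress.
    remote = flow["src"] if flow["direction"] == "ingress" else flow["dst"]
    country = country_of(remote)
    if country is None:
        return unmapped
    if country in blocked or THREAT_SCORE.get(country, 0) >= threshold:
        return "block"
    return "allow"


def evaluate(flows, blocked, threshold):
    """Apply the policy to a list of flows and return the decisions in order."""
    return [decide(f, blocked, threshold) for f in flows]
```

Note that unmapped addresses are a deliberate policy choice: passing them through leaves the decision to the adjacent firewall, while blocking them fails closed.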

Look, I fully understand the many drawbacks to geo-blocking: Botnets extend across arbitrary geographies; nation-states will launch attacks from intermediate nodes in other countries; foreign operatives might be resident in your hometown; and on and on. But you should not let these tough use-cases keep you from the flexibility that comes with the ability to implement forward and reverse geo-blocks should the need arise.

If nothing else sways you, then consider this: The decision to use a PoliWall to geo-block some offending country during a real-time cyber incident might save you and your team from having to join a tedious conference call with a bunch of nervous lawyers. Any product that can save that much anxiety (including for your ISP) is a winner from my perspective.

Let me know what you think.