Overview
Now that we have discussed who, we can move on to the next question: where? In this post I am trying to stay at the conceptual level, bearing in mind that the audience remains the same.
Topics
Why – Why does someone try to access the environment?
Who – Who should be able to access the environment? Can we authenticate the users, or identify them in some other way?
Where – Where are the users connecting from? From the office network? From a specific country, set of countries or region? Can we either whitelist or blacklist the locations?
When – Is the environment accessed around the clock? Can we recognise peak usage times?
How – What kind of device are they using, and what options do we have for locating and authenticating the user?
Breakdown
Where?
One can add an extra layer of security by limiting where users can connect to the environment from. It is not perfect, but it certainly helps.
I have heard more than enough times that malicious actors can connect through a VPN tunnel or a Tor exit node from anywhere and so circumvent geoblocking or any other IP-based limitation. This is of course true, but it also means that the actor has to know which country to appear from, which points to a targeted attack rather than the opportunistic vandalism we discussed earlier. And as said before, it is an extra layer that complements the other measures taken; it does not replace them.
Office use or internet access?
Before cloud-based services like Microsoft 365, Google Enterprise services and the like became a daily thing, the "castle and moat" defence was the traditional way of protecting the environment: everything worth protecting sat inside the office network, and the perimeter was the only way in.
However, the cloud era has been going on for more than a decade now, and we need to find a way to let our users reach the data and the applications from outside the office and the corporate VPN.
Geoblocking
Whitelisting – It is often really easy to know where your users connect to your environments from. One might be able to say straight away that "in 99% of the cases our users connect to the environment from Finland" or "all of our users connect from Europe, and we have a subsidiary in Beijing, China".
Blacklisting – Due to "recent" events in Europe, many companies want to block certain countries (you know what I mean) from accessing their environments completely.
Bearing that in mind, it is rather easy to either drop connections from unwanted regions, or to start by just logging any attempts from suspicious IPs and implement blocking later once you know what the logs look like.
A lot of different solutions have these capabilities, but at Comping we have mostly used the NetScaler and Microsoft Entra (formerly known as Azure AD) Conditional Access, with its named locations, to implement geoblocking.
Reputation
An edge solution with a constantly updated reputation database is a good way to block known-dangerous source addresses before they ever reach your environment.
We at Comping have been successfully using the NetScaler IP Reputation feature (https://docs.netscaler.com/en-us/citrix-adc/current-release/reputation/ip-reputation.html), which is very easy to set up. It leverages the Webroot database and refreshes it every 5 minutes. You can pick the individual IP threat categories to block, or simply block all malicious categories.
Exceptions
Even if we can drop 99% of the traffic from outside Europe, a user might travel outside Europe and we need to be able to allow their access during the trip. Or a user ends up in a false-positive case where their source IP is blocked by IP Reputation and they can no longer reach the environment.
There are ways to allow specific source IPs even if they connect from outside the allowed regions (whitelist), from blacklisted regions, or from addresses that are categorised as malicious. Depending on the configuration, one might also be able to allow certain users to connect from outside the geoblocking configuration, preferably for a limited time rather than permanently.
Once again, it is really important to have a working change management process, so that you are ready to react to attacks, or to let a user temporarily connect from a source that is blocked by default, without the exception quietly becoming permanent.
Make sure that your users are aware of these limitations and know what to do if they need to work from an "exotic location". In some environments the solution is that all the basic line-of-business applications are blocked outright from outside the allowed regions, but users can still connect via the company's VPN or ZTNA solution, which is reachable globally and does its own authentication and device checks.
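The whitelist and blacklist modes, the log-only rollout, the reputation categories and the exception handling described above all boil down to one ordered decision, and the order matters: an explicit source-IP exception has to beat a reputation false positive, while a blacklisted country should still beat a travelling user's temporary exception. The following is an added example of that decision logic, written for this post; it is not Comping's code and not NetScaler or Entra configuration. The GeoIP table, the reputation snapshot, the threat category names, the country codes and the policy values are all constructed for the illustration; a real edge device fills them from its GeoIP and reputation feeds.

```python
"""Source-location access policy: geoblocking, IP reputation and exceptions.

Added example for this post, not Comping's code nor NetScaler/Entra configuration.
All lookup tables and policy values below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple

# Constructed GeoIP table using RFC 5737 documentation ranges (not real locations).
GEOIP = {
    ip_network("198.51.100.0/24"): "FI",
    ip_network("203.0.113.0/24"): "CN",
    ip_network("192.0.2.0/25"): "US",
    ip_network("192.0.2.128/25"): "KP",
}
# Constructed reputation snapshot: source IP -> threat category label.
REPUTATION = {
    "198.51.100.77": "Scanners",
    "192.0.2.10": "Proxy",
}


@dataclass
class Policy:
    allowed_countries: Optional[Set[str]] = None      # None = blacklist-only mode
    blocked_countries: Set[str] = field(default_factory=set)
    blocked_threat_categories: Set[str] = field(default_factory=set)
    ip_exceptions: Set[str] = field(default_factory=set)  # always allowed
    # user -> (country, expiry): time-bound "I am travelling" exceptions
    travel_exceptions: Dict[str, Tuple[str, datetime]] = field(default_factory=dict)
    enforce: bool = True   # False = only log what would be dropped (rollout phase)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def lookup_country(src: str) -> Optional[str]:
    addr = ip_address(src)
    for net, country in GEOIP.items():
        if addr in net:
            return country
    return None   # unknown location: fails closed in whitelist mode


def evaluate(policy: Policy, user: str, src: str, now: Optional[datetime] = None):
    """Return (action, reason); action is 'allow', 'deny' or 'log'."""
    now = now or datetime.now(timezone.utc)

    def block(reason: str):
        return ("deny" if policy.enforce else "log", reason)

    # 1. Explicit per-source exceptions win, e.g. a reputation false positive.
    if src in policy.ip_exceptions:
        return "allow", "source IP on exception list"
    # 2. Reputation: known-bad sources are dropped regardless of geography.
    category = REPUTATION.get(src)
    if category in policy.blocked_threat_categories:
        return block(f"reputation category {category}")
    country = lookup_country(src)
    # 3. Blacklisted countries are dropped even for travelling users.
    if country in policy.blocked_countries:
        return block(f"country {country} is blacklisted")
    # 4. Time-bound travel exception for a named user (whitelist mode only).
    trip = policy.travel_exceptions.get(user)
    if trip is not None:
        trip_country, until = trip
        if country == trip_country and now <= until:
            return "allow", f"travel exception for {user} in {country}"
    # 5. Whitelist mode: everything else must come from an allowed country.
    if policy.allowed_countries is not None and country not in policy.allowed_countries:
        return block(f"country {country or 'unknown'} not whitelisted")
    return "allow", f"country {country} permitted"


def sample_policy() -> Policy:
    """Constructed policy: Nordic/German users plus a Chinese subsidiary."""
    return Policy(
        allowed_countries={"FI", "SE", "DE", "CN"},
        blocked_countries={"KP"},                          # constructed choice
        blocked_threat_categories={"Scanners", "Proxy"},   # constructed labels
        ip_exceptions={"192.0.2.10"},   # partner address hit by a false positive
        travel_exceptions={"alice": ("US", utc(2024, 6, 30))},
    )


if __name__ == "__main__":
    p = sample_policy()
    for user, src in [("bob", "198.51.100.5"), ("alice", "192.0.2.20"),
                      ("bob", "198.51.100.77"), ("bob", "10.0.0.1")]:
        print(user, src, evaluate(p, user, src, utc(2024, 6, 1)))
```

Two design choices are worth noting. An unknown GeoIP result is treated as "not whitelisted", so the policy fails closed rather than letting an unmapped range through. And the travel exception carries an expiry date, which is the change-management point above in code: the temporary allowance expires on its own instead of waiting for someone to remember to remove it.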
Theft
Have you considered what happens if a malicious actor steals a user's device, in the worst case one left unlocked in a public space? What if the thief picks up both the laptop and the mobile phone? From the environment's point of view that thief is now connecting from an allowed location with a trusted device, so none of the location-based controls above will stop them.
Naturally this is best avoided by educating your users about security, but if that fails, do the users know whom to contact, and do you have the processes in place to block the devices and the related user accounts when something like this happens?
What next?
Let’s have a chat
We are experts in the topics discussed above. Even if these things might appear simple, some details are often overlooked and only noticed after the restrictions have been applied and are already causing problems for the end users.
As we work with more than 30 customers on a daily basis, we have run into at least as many different ways of protecting IT environments.
If you want to have a chat, don't hesitate to contact me (kari.ruissalo@comping.fi).
Related links
Webroot / BrightCloud IP reputation online tool https://www.brightcloud.com/tools/url-ip-lookup.php