Two recently released information security reports shed important light on the threats to today’s corporate assets. According to the latest Microsoft Security Intelligence Report (SIR), malicious web sites are now the top threat to the enterprise, finally surprising the insidious and difficult to eradicate Conficker. In addition, the recently released Verizon Business 2013 Data Breach Investigations Report (DBIR) indicates that a full 92% of data breaches included in the report were perpetrated by outsiders. Particularly troublesome is the fact that actors affiliated with China accounted nearly one-fifth of all data breaches. The major motivating factor here appears to be the theft of intellection property (IP) targeting primarily the manufacturing sector. With this in mind, it’s an excellent idea to pay close attention to any traffic originating from or destined to IP addresses belonging to countries with a reputation for hosting phishing sites or malicious software. In addition, attempts to access published web sites or services from locations in which you have no customers or remote employees should be highly scrutinized. In some cases, depending on business requirements, it might even be necessary to completely block IP address ranges to increase the protection level for TMG protected clients. In this month’s article I will demonstrate some methods that security engineers and Forefront TMG firewall administrators can use to identify, monitor, and block network communication based on the geographic location of the source or destination IP address.
IP Address to Geography Mapping
Creating access rules to identify and potentially block network access to specific geographies can be challenging. Although there are numerous databases and services this information can be extracted from, manually creating Forefront TMG computer sets using available data would be tedious and time consuming, not to mention error prone. There are some third-party utilities that integrate with Forefront TMG to provide IP address to geographic location mapping, but I’m going to demonstrate how to accomplish this using freely available tools. Thankfully the work of building Forefront TMG computer sets for each country has already been done for us. You can download pre-built country-by-country computer sets for ISA Server and Forefront TMG by visiting the Hammer of God web site. These computer sets are available for use at the array level or enterprise level.
Importing Country Specific Computer Sets
Once you’ve downloaded and extracted the country-by-country computer sets, select the country or countries you wish to monitor or block and import them in to TMG. This can be accomplished by opening the Forefront TMG management console, highlighting the Firewall Policy node in the navigation tree, then selecting the Toolbox tab. Right-click on Computer Sets and choose Import All.
After the import wizard starts, click next and select the computer set for the country you wish to monitor and/or block.
Leave the option to Import server-specific information unchecked and click next. Review the settings and click Finish to complete the import, then save and apply the configuration. Once complete, the new computer set will appear in the list of computer sets in the toolbox.
Some of the larger computer sets like China take quite a bit of time to load, so don’t be alarmed. In fact, in my rather underpowered lab test machine I used for this demonstration it took several minutes to display the computer set after double-clicking it. Be patient!
Configuring Outbound Access Monitoring
Once we’ve successfully imported the desired computer sets we can proceed with creating an access rule to monitor traffic originating from or destined to these countries. Create an access rule allowing HTTP and HTTPS from the Internal network to the corresponding country specific computer set. Where you place this access rule is extremely important! If you have implemented URL filtering, as I have done here, placing this access rule ahead of the Blocked Web Destinations rule will allow any traffic destined for this country to bypass our URL filtering policy. Clearly that’s not a good idea! Be sure to place this monitoring rule immediately before the access rule that would normally allow these requests, and after any URL filtering rules as shown here.
Once this access rule is in place, any traffic allowed by URL filtering policy and destined for an IP addresses associated with a network block assigned to China will match and be logged accordingly.
Configuring Inbound Access Monitoring
If you are using Forefront TMG to publish web sites or services, it would be an excellent idea to also monitor them for access from specific geographies. In this example I’ve configured Forefront TMG to publish a web site and an FTP server.
To monitor access to our published services from specific geographies it will be necessary to create a similar web publishing rule that applies only to traffic originating from the specific country you wish to monitor. The easiest way to accomplish this is to copy the existing web publishing rule and paste it immediately ahead of the existing rule. Double-click the duplicate rule and change the name, then select the From tab and remove the Anywhere group and add the country specific network sets you wish to monitor.
I’ve included a computer set called ThorSet_Test that includes the IP address of my test workstation for demonstration purposes.
Once complete the rule set will look like this.
The order of the rules is critical. Since the monitoring rule is more specific it should be placed immediately preceding the web publishing rule allowing access from anywhere. If and when a request is made from an IP address included in a country specific computer set you are monitoring it will match the monitor rule first and be easily identifiable in the access logs. It’s important to understand that this technique works only for published web services. Published non-web services, such as the FTP server in this example, can only be published once because it is not possible to bind more than one server publishing rule to a single TCP port.
Once the monitoring rules are in place we can use the native Forefront TMG logging and reporting tools to identify any request being made to monitored geographies. To view any traffic in real time, highlight the Logs & Reports node in the navigation tree and choose the Logging tab in the center pane. In the Tasks pane click Edit Filter, then in the Filter by drop down box select Rule, for Condition select Equals, and for Value select the monitoring access rule configured previously. Click Add To List to include this criteria when filtering data.
Once complete, click Start Query to begin observing traffic matching this monitoring rule.
Repeat this procedure for published web site monitoring rule. Highlight the rule in the filtering criteria and select the IIS monitoring rule. Don’t forget to click Update to update the filtering criteria with this new information.
Click Start Query to begin monitoring again.
Convert Monitoring to Blocking
Once you are confident that no legitimate network traffic should originate from or be destined to a monitored network block, you can easily configure the monitoring access or web publishing rule to deny instead of allow to further strengthen your company’s secure posture. The advantage to this method is that access from the monitored network, although now being blocked, is still logged separately and is easier to identify in the access logs. For outbound access rules, modify the monitoring rule by double-clicking it, selecting the Action tab, and then change the action from Allow to Deny.
Alternatively you can delete the monitoring access or web publishing rule and simply add the country specific computer sets to the Exceptions list on the To tab.
For published servers, your only option is to add the country specific computer sets to the Exceptions list on the From tab.
Ultimately the decision to block network communication based on geography depends entirely upon your specific requirements. Certainly there is enough information available today that makes it plainly evident that a high percentage of attacks originate from certain specific geographies, so monitoring communication originating from or destined to these regions is an excellent idea. The method I’ve outlined here takes the low-buck approach, and although cost effective (free!), there is some question as to whether these country specific computer sets are being actively maintained so they may not be 100% accurate. Although the solution I’ve presented here might be “good enough” in many cases, if you’re interested in something better I’d suggest investigating some of the commercial third-party products that provide this capability.