2012
Newcomer II

Effectiveness of adding IPs pertaining to banned countries to edge routers

Hello All,


How effective is the addition of the IP list pertaining to banned countries to the block list? Often the IP-blocks change. Any recommendations on the update frequency? Also has anyone noticed performance impact on the routers if the list is long?


Thanks in advance.

5 Replies
CISOScott
Community Champion

I can only speak from my experience. I find it is a short-term solution. The attackers that attack us, once we block their country, compromise a computer in our country and then begin/continue their attack from there. However there still is validity to it, just watch to see if the attack point changes.

Caute_cautim
Community Champion

I agree. Government alerts provide watch lists and recommendations from various domains to put in place. But really it is a short-term solution; as @CISOScott states, the attackers can easily change their IP addresses or switch to another part of their network to redirect the original attack.

"Advantage: Not enough information to speculate. It can provide relief for a temporary attack and help to make the attacker lose interest.

Disadvantage: If the address isn't tied to the person you are trying to block, they may well be able to disconnect from their ISP, reconnect, and hit you from a different IP address. As the IP address blocks gradually shift around for efficiency reasons or as companies disappear and are formed or simply switch providers, you may no longer be blocking the individual you want to block and are instead blocking one or more other parties. Large numbers of rules for blocking IP addresses slow down the webserver or network connection depending on where you block. "


However if the attack is automated, they may give you a temporary relief, and then come at you from another angle.


Regards


Caute_Cautim

Shannon
Community Champion

@2012, further to what's already been stated here by @Caute_cautim & @CISOScott, let's compile the info...

Pros:

  1. An additional layer of defense, assuming you have other protection systems in your IT infrastructure.
  2. Compliance with requirements of regulatory authorities --- if you fail to block an IP when intimated by them, there may be repercussions.
  3. A means to manually counter threats that your other systems aren't aware of: say you discover that there's a particular malicious IP address, but your automated system doesn't know of it.

Cons:

  1. A short-term solution, given that threat sources are continually changing, and there's a huge number of public IP addresses out there.
  2. A potential impact on the performance of the router, as well as all of its service dependencies.
  3. A potential impact if any blocked IPs turn from malevolent to benevolent, and your business has a need to use them for its services.

Suggestions:

  1. Rather than block public IPs on an edge router, do this on an edge firewall, since the latter is a dedicated solution.
  2. Depending on your organization's need for availability / redundancy, set up the edge devices in clusters to avoid an impact if they are 'overwhelmed.'
  3. Secure your infrastructure with multiple layers of defense --- such as an IPS and an APT protection solution --- so that if your edge device misses something, it can be caught by another system before any damage is done.
  4. Properly maintain the block lists in accordance with the requirements of regulatory sources and your organization's business.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
2012
Newcomer II

Thank you all for your responses. Really appreciate your time.


Regards.


denbesten
Community Champion

As others point out, maintenance is the big issue.  There are organizations that maintain and publish lists of malicious addresses. If your device supports automated import of such a list, I recommend going that route instead of trying to stay on top of it yourself.


Our Palo Alto firewalls and Zscaler proxies both have vendor-maintained lists, which auto-update throughout the day. Overall, I feel such lists help. We have had little bad impact, and our SIEM has alerted us quite a few times regarding PCs that were prevented from going to a known bad site.

The one bad time was when Office 365 ended up on the list.  The good news coming out of it is that by the time we called the vendor, they were already working on a fix because many others had also called them.
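Added example, not from this thread or any of the posters above: a small Python script that does the two maintenance steps the replies converge on, namely keeping the rule count down (the OP's performance question, Shannon's suggestion 4 about maintaining the lists) and checking a freshly fetched feed against the ranges the business must keep reachable before it is pushed (the Office 365 situation denbesten describes). The feed and the allowlist are constructed from RFC 5737/3849 documentation prefixes, not a real country allocation or vendor range, and the ACL syntax in `render_acl` is illustrative rather than taken from any particular platform's manual. It uses only the standard library `ipaddress` module (Python 3.7+ for `subnet_of`).

```python
import ipaddress


# Constructed sample feed, shaped like a published per-country block list.
# Documentation prefixes only; not a real country allocation.
SAMPLE_BLOCKLIST = """\
# country XX, fetched 2024-01-01 (feeds commonly carry comments and blanks)
203.0.113.0/25
203.0.113.128/25      # adjacent to the previous line: merges into a /24
198.51.100.0/24
198.51.100.64/26      # already covered by the /24 above: redundant
192.0.2.0/24
2001:db8:1::/48
2001:db8:1:abcd::/64  # already covered by the /48 above: redundant
"""

# Constructed allowlist: ranges the business must keep reachable even if a
# feed includes them (placeholder; use ranges you have verified yourself).
SAMPLE_ALLOWLIST = """\
198.51.100.0/27
"""


def parse_prefixes(text):
    """Parse a feed into ip_network objects, ignoring comments and blank lines.
    strict=False tolerates host bits set in the feed (e.g. 192.0.2.1/24)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def aggregate(nets):
    """Merge adjacent and nested prefixes to minimise the rule count.
    collapse_addresses() refuses mixed address families, so split first."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def find_conflicts(block_nets, allow_nets):
    """Return (allowed, blocking) pairs where a block rule would cut off an
    allowlisted range. Run this before every feed push so a SaaS range that
    lands on the list is caught before it reaches production."""
    return [(a, b) for a in allow_nets for b in block_nets
            if a.version == b.version and a.overlaps(b)]


def carve_out(block_nets, allow_nets):
    """Remove allowlisted space from the block rules. With CIDR prefixes any
    overlap is containment, so each case is either drop or address_exclude()."""
    rules = []
    for b in block_nets:
        pieces = [b]
        for a in allow_nets:
            if a.version != b.version:
                continue
            nxt = []
            for p in pieces:
                if p.subnet_of(a):        # whole block rule is allowlisted: drop it
                    continue
                if a.subnet_of(p):        # allowlist punches a hole: split around it
                    nxt.extend(p.address_exclude(a))
                else:
                    nxt.append(p)
            pieces = nxt
        rules.extend(pieces)
    return rules


def build_ruleset(block_text, allow_text):
    """Feed text in; deployable prefixes and a conflict report out."""
    block = aggregate(parse_prefixes(block_text))
    allow = aggregate(parse_prefixes(allow_text))
    return carve_out(block, allow), find_conflicts(block, allow)


def is_blocked(ip, rules):
    """Linear containment test, the same cost model a long router ACL pays
    per packet, which is why aggregate() matters."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == r.version and addr in r for r in rules)


def render_acl(rules):
    """Render IPv4 rules as Cisco-style ACL entries (wildcard mask = hostmask).
    Illustrative syntax; check it against your platform before pasting."""
    return [f"deny ip {r.network_address} {r.hostmask} any"
            for r in rules if r.version == 4]


if __name__ == "__main__":
    rules, conflicts = build_ruleset(SAMPLE_BLOCKLIST, SAMPLE_ALLOWLIST)
    print(f"{len(parse_prefixes(SAMPLE_BLOCKLIST))} feed lines -> {len(rules)} rules")
    for allowed, blocking in conflicts:
        print(f"WARNING: feed entry {blocking} overlaps allowlisted {allowed}")
    print("\n".join(render_acl(rules)))
```

Two things worth noticing when running it: the seven feed lines collapse to four prefixes, but carving the allowlisted /27 out of the /24 splits that one rule into three, so every exception you add costs rules on the device, and for feeds that change several times a day it is the conflict report, not the rule count, that should gate the automated push.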