Page 1 of 2 (results 1 to 10 of 14)
  1. #1
     Jim.Alles (Untangle Ninja). Join Date: Jul 2008; Location: Central PA; Posts: 2,606

     Foreign Countries traffic


  2. #2
     jcoffin (Untangler). Join Date: Aug 2008; Location: Sunnyvale, CA; Posts: 9,210

     Attention: Support and help on the Untangle Forums is provided by
     volunteers and community members like yourself.
     If you need Untangle support please call or email support@untangle.com

  3. #3
     Untangle Ninja. Join Date: Feb 2016; Posts: 1,134

    Is the suggestion that there are countries without legitimate traffic?

    [Attached image: Network-Top_Server_Countries-17.11.2020-1211.png]

    Since I live in the United States, I'm stuck with those servers. I can account for most if not all of the traffic to France—Quad9. Of the remaining 5 countries, which have all legitimate servers? Which have no legitimate, acceptable servers? Which have both?

    Why do servers in China dominate all other countries here? Is that expected or unexpected? Is that tolerable or not?

    [rant]I don't know if it's even possible, but it sure would be nice if it was and if Untangle would focus some attention on refining our insights into the traffic we have rather than focusing almost exclusively on blunt instruments. The security questions of the future center on the traffic details, not just canned set-it-and-forget-it "security" solutions, in my opinion.[/rant]

  4. #4
     jcoffin (Untangler). Join Date: Aug 2008; Location: Sunnyvale, CA; Posts: 9,210

    Geo-IP filtering is not reliable. Most malware is spread by compromised sites. Also, IP addresses move between providers, so there are several known incorrect entries.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
     Untangle Ninja. Join Date: Feb 2016; Posts: 1,134

    I think that’s part of the point? What does the phrase “legitimate traffic to Ireland” mean if we don’t for a fact know that it’s traffic to Ireland at all?

  6. #6
     proactivens (Untangle Ninja). Join Date: Sep 2008; Location: Greensburg, Pa; Posts: 2,372

    From my perspective, geo-IP limiting eliminates some bot traffic, but it's otherwise useless. Real threats are just going to use a VPN service to get around the blocks. I've geo-limited several Office 365 tenants, and attackers just resorted to using VPNs to look like they were coming from California.
    www.nexgenappliances.com
    Toll Free: 866-794-8879
    UNTANGLE STAR PARTNER
    Follow us at spiceworks!

  7. #7
     Jim.Alles (Untangle Ninja). Join Date: Jul 2008; Location: Central PA; Posts: 2,606

    Quote Originally Posted by Sam Graf:
        I think that’s part of the point? What does the phrase “legitimate traffic to Ireland” mean if we don’t for a fact know that it’s traffic to Ireland at all?

    The phrase was meant to be the thread starter, in two ways. Using Ireland as a known destination, I can make a case that if you geo-fence your network to just the US, you will break the Internet.

    The other way is in what I did not say. That would include the big gray slice of pie in your chart.

    My geographic blocks at home are specifically RU, CN, IR, IQ, KP servers.
    Legitimate organizations are not likely to use a VPN to look like they are coming from those places. Those blocks will minimize the chance of my users stumbling on a less-than-desirable website, for whatever reason. I have had to write an exception rule exactly once, in order to get to the tightvnc.com website. It took a little while to realize that I had caused the problem for myself, but it was easily fixed.

    I also found that I needed to block a specific IP subnet in China because my Verizon-supplied Ellipsis tablet was phoning home to the factory. I found that using NGFW's reporting.

    The other direction is a completely different issue. I do not host web services from home. There are many layers to security inbound. NAT is a big one, but not foolproof. Another one is blocking clients that are NOT US, XL, XU in the firewall. I block a couple of specific IP addresses for the 'DNSChanger EK' threat.

    That kind of thing can help deflect bots and script kiddies, but I agree a targeted, advanced threat to me from those countries isn't likely to be blocked, as @proactivens stated.

    Another important bit of situational awareness (being a good Netizen) is to be cognizant that I am not inadvertently hosting a botnet.

    Even flagging traffic by geography can be valuable.
    Last edited by Jim.Alles; 11-19-2020 at 07:49 PM.

  8. #8
     Untangle Ninja. Join Date: Feb 2016; Posts: 1,134

    I don't disagree with you, but it seems like I am. In point of fact, I also use geoblocking. Not as a security solution in itself, but as one of the layers or bits.

    My comments really amount to a question, or rather, a bundle of questions, about IP-based security strategies. I mean, Intrusion Prevention also includes IP-driven signatures targeting bad actors. Is all this simple and straightforward—is it an asset or a waste of time?

    Another aspect is genuinely about the nature of legitimate traffic, and how we make that evaluation. For instance, I have a smartphone gimbal made by a non-US company. So far, so good. The smartphone app works fine despite the company's country being on my block list, with one exception: The company allows product users to upload examples of their work, and because the company's servers are (understandably) in its home country, I can't see those uploads from behind the block. Which is my loss. I can argue from the traffic reports that that app is engaging in legitimate traffic and nothing else.

    But my pie chart isn't reflecting traffic from that app. It's reflecting traffic from a very different sort of app supporting business with an American company. Is that traffic legitimate? How can I decide? Why does the app and the service it provides work fine from behind the block? Is that suspicious? And so on.

    That's really all I'm getting at. The whole thing seems nuanced to me. Maybe it really isn't.

  9. #9
     dwasserman (Untangle Ninja). Join Date: Jun 2008; Location: Argentina; Posts: 4,348

    In my case, I use geolocation as a complement to the services that I offer behind the Internet firewall. For example, if I have an active and published web server but it only makes sense for clients from my country to access it, then I make the rule in the firewall application. Is it 100% safe? Obviously not, but I am much calmer if sessions from the other side of the world, which do not even know the local language, are kept from accessing said website. It's just another layer of security in this infinite onion.
    The world is divided into 10 kinds of people, who know binary and those not

  10. #10
     Jim.Alles (Untangle Ninja). Join Date: Jul 2008; Location: Central PA; Posts: 2,606

    Quote Originally Posted by Sam Graf:
        But my pie chart ... [is] reflecting traffic from a very different sort of app supporting business with an American company. Is that traffic legitimate? How can I decide? Why does the app and the service it provides work fine from behind the block? Is that suspicious?

    Let me turn that into a hypothetical from my perspective, with the following presumptions.
    Not all American companies have our best interests in mind, from a security standpoint.
    I would prefer to "buy American", and avoid China entirely.
    (China has purchased a lot of interests in the US)

    • If flagging that traffic to [CN] provides those results, then I would block that traffic and see what breaks. Then I decide based on the tradeoffs.
    • If that traffic to [CN] is not blocked, then I would troubleshoot that rule; something is wrong. Most likely, the rule is out of order.
    • If the traffic is blocked, and the functionality of the device is broken, I would unplug it and destroy it, and find a suitable replacement.

    The terms 'legitimate' and 'suspicious' have to be determined by each user.

    But if it is an established company with a vetted app or device, and traffic appears that is not typical for that designed functionality - well things can be compromised, and that is how botnets are created.

    Then I would be suspicious that it is not legitimate.
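An added example, written for this thread and not code from Untangle or from any poster here, that models the two practical points raised above: Jim.Alles's setup in #7 (block RU/CN/IR/IQ/KP destinations, with a single exception rule written later for tightvnc.com, and flagging as a lighter alternative to blocking) and the troubleshooting tip in #10 that when a country block does not take effect "the rule is out of order". The prefix-to-country table (RFC 5737 documentation ranges given arbitrary country codes), the stand-in addresses, the rule names, and the assumption that a "flag" rule records a hit and lets evaluation continue are all constructed for the demo; a real GeoIP database is far larger and, as jcoffin notes in #4, contains stale entries.

```python
"""First-match geo-IP firewall rules: exception ordering and shadowed rules.

Added example, not Untangle's code. The prefix-to-country table, the
addresses and the flag-then-continue semantics are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed geo table: RFC 5737 documentation ranges labelled with arbitrary
# country codes so the demo runs offline. A real GeoIP database is much larger
# and, as the thread notes, not always right.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
}


def country_of(ip: str) -> str:
    """Linear lookup over the toy table; 'XU' stands in for 'unknown',
    echoing the XU pseudo-code mentioned in the thread."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "XU"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow", "block" or "flag"
    dst_countries: frozenset = frozenset()   # empty = any destination country
    dst_ips: frozenset = frozenset()         # empty = any destination address

    def matches(self, dst_ip: str) -> bool:
        if self.dst_ips and dst_ip not in self.dst_ips:
            return False
        if self.dst_countries and country_of(dst_ip) not in self.dst_countries:
            return False
        return True


@dataclass
class Verdict:
    action: str
    rule: str          # name of the terminating rule, or "default"
    flags: List[str]   # flag-only rules that matched on the way down


def evaluate(rules: List[Rule], dst_ip: str) -> Verdict:
    """Top-down, first terminating match wins. 'flag' rules are assumed
    non-terminal here: they record a hit and evaluation continues."""
    flags: List[str] = []
    for rule in rules:
        if not rule.matches(dst_ip):
            continue
        if rule.action == "flag":
            flags.append(rule.name)
            continue
        return Verdict(rule.action, rule.name, flags)
    return Verdict("allow", "default", flags)


def unreachable_rules(rules: List[Rule], probe_ips: List[str]) -> List[str]:
    """Rules that never fire for any probe address. An exception placed below
    the block it is meant to punch through shows up here."""
    fired = set()
    for ip in probe_ips:
        verdict = evaluate(rules, ip)
        fired.add(verdict.rule)
        fired.update(verdict.flags)
    return [r.name for r in rules if r.name not in fired]


BLOCKED = frozenset({"RU", "CN", "IR", "IQ", "KP"})   # the country list from post #7
TIGHTVNC_IP = "203.0.113.10"   # constructed stand-in address for the exception host
PROBES = [TIGHTVNC_IP, "203.0.113.99", "198.51.100.5"]


def correct_order() -> List[Rule]:
    """Exception above the block, flag above the block so flagged hits are logged."""
    return [
        Rule("allow tightvnc exception", "allow", dst_ips=frozenset({TIGHTVNC_IP})),
        Rule("flag RU/CN/IR/IQ/KP", "flag", dst_countries=BLOCKED),
        Rule("block RU/CN/IR/IQ/KP", "block", dst_countries=BLOCKED),
    ]


def wrong_order() -> List[Rule]:
    """Same rules with the block moved to the top: the exception is shadowed."""
    exception, flag, block = correct_order()
    return [block, exception, flag]


if __name__ == "__main__":
    for label, rules in (("correct", correct_order()), ("wrong", wrong_order())):
        for ip in PROBES:
            v = evaluate(rules, ip)
            print(f"{label:7} {ip:15} {country_of(ip)} -> {v.action} via {v.rule!r} flags={v.flags}")
        print(f"{label:7} unreachable: {unreachable_rules(rules, PROBES)}")
```

Running the script prints both orderings side by side: with the exception first, the tightvnc stand-in is allowed and other CN addresses are flagged and then blocked; with the block first, the exception and the flag rule never fire at all, which is what `unreachable_rules` reports and what the "rule is out of order" diagnosis in #10 amounts to.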
