https://www.tahoebiltmore.com/
http://www.wiresharktraining.com/
Anyone else experiencing this? What service does Sophos use to map IP addr to country?
I cannot say this is the case for you, but I had sites getting blocked by country blocking because they had a quick redirect in them. The site was US, but got redirected to an analytics site in South America for a second, so the country blocking kicked in and stopped it. I have actually changed some of my stance on country blocking in the last six months as well. I have From blocked everywhere, but for To I allow many countries because of this, or because Microsoft or AWS data centers are all around the world. I still block many 3rd world ones, and China and Russia, etc. etc. etc. Nothing personal; I just turned them on, watched the logs on and off for a day or two, and did not see any, so why not.
Respectfully,
Badrobot
In general, I don't recommend blocking "To" or "All." "From" is the place to start.
Cheers - Bob
BAlfson said: In general, I don't recommend blocking "To" or "All." "From" is the place to start.
As a 20+ year security guy, I one billion percent disagree with this statement. It violates the best-practice principle of least privilege and is a great way to permit remote command and control after a successful phishing attack. Practically speaking, unless you are doing business with another country, there is seldom a reason to permit inbound or outbound traffic from/to that country. I myself was surprised that the majority of usual web use never leaves the US.
'All' is the place to start, change to 'From' if necessary.
I do agree with the principle of least privilege, and I myself did start with blocking ALL for To and From, making exceptions along the way if I deemed it business necessary.
However, as I said above, my stance has changed somewhat. Before 6 months ago I just believed there was no reason for us to even have traffic outside the US unless we specifically had a customer need. But things, they are a-changing.
My issue is that Microsoft or AWS or other hosted analytics sites, etc. etc., keep using servers outside the US, causing applications not to update. I have tried to keep up on the IP CIDRs for some, like Microsoft, but I feel like it is never ending; sure, things like Windows Update work, but Office 365 seems to have issues. What really gets me is a business partner or customer who has their website hosted in the US, but the hosting company is using an analytics company located physically in the US that has its servers around the world; then the redirects fail to load the full page, or even the page at all.
A good example of this was last week. I was out for the day and someone had their Office 365 just break. There are a couple of people on site who have enough privileges to run an Office 365 repair; this got hung up, ran for around 3 hours and did nothing, and finally they gave up, restarted, and uninstalled all of it. They went to download Office 365 again and it just hung there. Eventually I just drove in and looked: here the installer was being country blocked by the firewall. There was no choice on where to get the installer from; we are a US-based company but Microsoft shot us across the globe. I should also note that I have made exceptions for this occurrence on 3 occasions now as well, and the IP range keeps changing.
Any hoot, I've got a few years of security experience myself, so I figured I would throw in my two cents lol.
Respectfully,
Badrobot
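The post above describes the ops side of outbound country blocking: the log fills with geoblock drops, some of which are a vendor's own infrastructure (the Office 365 installer case) and some of which are redirects to third-party analytics hosts. Below is an added example, not from the original thread or from Sophos, of how I triage those drops against a vendor's published CIDR list so that the exception can be maintained from the list instead of from a single IP that changes next month. The vendor names, prefixes and the key=value log format are all constructed for the example (the prefixes are documentation ranges, not real Microsoft or AWS space); in practice the ranges would come from the vendor's own feed, such as the Microsoft 365 endpoints web service or AWS's ip-ranges.json, and the log parser would be adapted to the firewall's real syntax.

```python
"""Triage outbound geoblock drops against a vendor CIDR list (added example).

Assumptions (not from the original page):
  - VENDOR_RANGES stands in for a vendor-published prefix list; values are
    constructed documentation ranges, not real Microsoft/AWS prefixes.
  - SAMPLE_LOG is a constructed, generic key=value firewall log, not any
    particular vendor's log format.
"""
import ipaddress
import re
from collections import defaultdict

# Hypothetical vendor feed: service name -> published CIDRs (constructed).
VENDOR_RANGES = {
    "vendor-a-updates": ["203.0.113.0/24", "2001:db8:1::/48"],
    "vendor-b-cdn": ["198.51.100.0/25"],
}

# Constructed sample log lines. One inbound drop and one allow are included
# so the filter has something to ignore.
SAMPLE_LOG = """\
2024-05-06T09:12:01Z action=drop reason=geoblock dir=out src=10.1.2.33 dst=203.0.113.45 dport=443 country=IE
2024-05-06T09:12:03Z action=drop reason=geoblock dir=out src=10.1.2.33 dst=198.51.100.200 dport=443 country=BR
2024-05-06T09:12:07Z action=drop reason=geoblock dir=out src=10.1.2.33 dst=198.51.100.9 dport=443 country=BR
2024-05-06T09:13:00Z action=allow dir=out src=10.1.2.33 dst=192.0.2.10 dport=443 country=US
2024-05-06T09:14:11Z action=drop reason=geoblock dir=in src=192.0.2.77 dst=10.1.2.5 dport=3389 country=RU
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def compile_ranges(ranges):
    """Parse the vendor CIDR strings once into network objects, keyed by service."""
    return {
        svc: [ipaddress.ip_network(c, strict=False) for c in cidrs]
        for svc, cidrs in ranges.items()
    }


def parse_log(text):
    """Turn key=value log lines into dicts; lines without dst/action are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(LINE_RE.findall(line))
        if "dst" in fields and "action" in fields:
            events.append(fields)
    return events


def match_service(ip, networks):
    """Return the service whose published range contains ip, or None.

    ipaddress handles the v4/v6 mismatch: a v4 address is never 'in' a v6 net.
    """
    addr = ipaddress.ip_address(ip)
    for svc, nets in networks.items():
        if any(addr in n for n in nets):
            return svc
    return None


def triage(log_text, ranges):
    """Split outbound geoblock drops into vendor-covered vs unexplained.

    Returns ({service: [dst, ...]}, [(dst, country), ...]).  Inbound drops and
    allows are ignored: the From policy is not what is being reviewed here.
    """
    networks = compile_ranges(ranges)
    covered = defaultdict(list)
    unexplained = []
    for ev in parse_log(log_text):
        if ev.get("action") != "drop" or ev.get("reason") != "geoblock":
            continue
        if ev.get("dir") != "out":
            continue
        svc = match_service(ev["dst"], networks)
        if svc:
            covered[svc].append(ev["dst"])
        else:
            unexplained.append((ev["dst"], ev.get("country")))
    return dict(covered), unexplained


if __name__ == "__main__":
    cov, unk = triage(SAMPLE_LOG, VENDOR_RANGES)
    for svc, dsts in cov.items():
        print(f"covered by {svc} (add/keep a CIDR exception for the feed): {dsts}")
    for dst, country in unk:
        print(f"unexplained outbound geoblock drop to {dst} ({country}); investigate")
```

The "covered" bucket is the Office 365 installer case: the destination sits in a range the vendor already publishes, so the exception should reference the feed and be refreshed from it rather than pinned to the one IP seen today. The "unexplained" bucket is where the redirect-to-analytics-host pattern from earlier in the thread shows up, and those are the ones worth looking at before widening the To policy.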