
Monitoring and Blocking Network Access Based on Geographic Location using Forefront Threat Management Gateway (TMG) 2010

Richard Hicks, posted on June 11, 2013


Two recently released information security reports shed important light on the threats to
today's corporate assets. According to the latest Microsoft Security Intelligence Report
(SIR), malicious web sites are now the top threat to the enterprise, finally surpassing the
insidious and difficult-to-eradicate Conficker worm. In addition, the recently released Verizon
Business 2013 Data Breach Investigations Report (DBIR) indicates that a full 92% of the
data breaches included in the report were perpetrated by outsiders. Particularly
troublesome is the fact that actors affiliated with China accounted for nearly one-fifth of all
data breaches. The major motivating factor here appears to be the theft of intellectual
property (IP), targeting primarily the manufacturing sector. With this in mind, it's an
excellent idea to pay close attention to any traffic originating from or destined to IP
addresses belonging to countries with a reputation for hosting phishing sites or malicious
software. In addition, attempts to access published web sites or services from locations in
which you have no customers or remote employees should be highly scrutinized. In some
cases, depending on business requirements, it might even be necessary to block those IP
address ranges completely to raise the protection level for TMG-protected clients. In this
month's article I will demonstrate some methods that security engineers and Forefront
TMG firewall administrators can use to identify, monitor, and block network
communication based on the geographic location of the source or destination IP address.

IP Address to Geography Mapping


Creating access rules to identify and potentially block network access to specific
geographies can be challenging. Although there are numerous databases and services from
which this information can be extracted, manually creating Forefront TMG computer sets
from that data would be tedious and time consuming, not to mention error prone.
There are some third-party utilities that integrate with Forefront TMG to provide IP
address to geographic location mapping, but I'm going to demonstrate how to accomplish
this using freely available tools. Thankfully, the work of building Forefront TMG
computer sets for each country has already been done for us. You can download pre-built
country-by-country computer sets for ISA Server and Forefront TMG from the
Hammer of God web site. These computer sets can be imported at the array
level or the enterprise level.
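If you would rather build a computer set yourself from a current CIDR list (for example because the pre-built sets are no longer maintained), the tedious part can be scripted. The following is an added example written for this article, not code from the original post or from Hammer of God. It uses the Forefront TMG COM administration object model (ProgID FPC.Root) as documented in the ISA/TMG SDK; the object and method names (GetContainingArray, RuleElements.ComputerSets, FPCAddressRanges.Add(Name, IP_From, IP_To), RemoveAll, Save) are from that SDK as I recall them and should be checked against your SDK version. The set name, the file path in the comment and the CIDR blocks (RFC 5737 documentation ranges) are constructed for illustration. It is written to run on Windows PowerShell 2.0, the version shipped with the Windows Server 2008 R2 hosts TMG runs on, so it avoids the newer -shl/-shr operators.

```powershell
# Added example: build a TMG computer set from a list of IPv4 CIDR blocks.
# Run in an elevated PowerShell session on a TMG array member.

function ConvertTo-DottedQuad {
    # Turn a 32-bit integer (held in int64 to avoid sign problems) into a.b.c.d.
    param([int64]$Value)
    $octets = @()
    foreach ($shift in 24, 16, 8, 0) {
        $octets += [int64][math]::Floor($Value / [math]::Pow(2, $shift)) % 256
    }
    return ($octets -join '.')
}

function ConvertTo-IPv4Range {
    # Convert "a.b.c.d/n" into the first and last address of the block, clearing
    # any host bits the source list left set (e.g. 203.0.113.200/26 -> .192-.255).
    param([Parameter(Mandatory=$true)][string]$Cidr)
    $address, $prefix = $Cidr.Trim().Split('/')
    $prefix = [int]$prefix
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }

    [int64]$value = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($address).GetAddressBytes()) {
        $value = ($value * 256) + $octet
    }
    [int64]$size  = [math]::Pow(2, 32 - $prefix)
    [int64]$first = $value - ($value % $size)   # network address
    [int64]$last  = $first + $size - 1          # broadcast / last address

    New-Object PSObject -Property @{
        Cidr  = $Cidr
        First = ConvertTo-DottedQuad $first
        Last  = ConvertTo-DottedQuad $last
    }
}

function New-TmgCountryComputerSet {
    # Create (or rebuild, if it already exists) a computer set holding one
    # address range per CIDR block, then commit the array configuration.
    param(
        [Parameter(Mandatory=$true)][string]$SetName,
        [Parameter(Mandatory=$true)][string[]]$Cidrs
    )
    $fpc   = New-Object -ComObject FPC.Root        # TMG administration root object (SDK)
    $array = $fpc.GetContainingArray()            # array this server belongs to (SDK)
    $sets  = $array.RuleElements.ComputerSets     # FPCComputerSets collection (SDK)

    $set = $null
    try {
        # Reusing the existing object keeps any rules that reference the set intact.
        $set = $sets.Item($SetName)
        $set.AddressRanges.RemoveAll()
    } catch {
        $set = $sets.Add($SetName)
    }
    $set.Description = 'Generated {0:u} from {1} CIDR blocks' -f (Get-Date), $Cidrs.Count

    foreach ($cidr in ($Cidrs | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+/\d+$' })) {
        $range = ConvertTo-IPv4Range $cidr
        # FPCAddressRanges.Add(Name, IP_From, IP_To) per the TMG SDK
        [void]$set.AddressRanges.Add($cidr, $range.First, $range.Last)
    }
    $sets.Save()   # persists to the configuration store; TMG applies the change
    return $set
}

# Constructed sample input (RFC 5737 documentation blocks stand in for a country's
# allocations). Real use: $cidrs = Get-Content 'C:\geo\CN.txt'  (one CIDR per line).
$sampleCidrs = @('192.0.2.0/24', '198.51.100.0/25', '203.0.113.200/26')
$set = New-TmgCountryComputerSet -SetName 'Geo_Sample' -Cidrs $sampleCidrs
'{0}: {1} address ranges' -f $set.Name, $set.AddressRanges.Count
```

Address ranges are used rather than subnets so that a CIDR list with unaligned entries still imports correctly; the conversion normalizes each block to its first and last address before calling Add. Because Save() commits directly to the array configuration, test the script against a lab array first.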
Importing Country Specific Computer Sets
Once you've downloaded and extracted the country-by-country computer sets, select the
country or countries you wish to monitor or block and import them into TMG. Open
the Forefront TMG management console, highlight the Firewall Policy node in the
navigation tree, then select the Toolbox tab. Right-click Computer Sets and
choose Import All.

Figure 1
After the import wizard starts, click Next and select the computer set for the country you
wish to monitor and/or block.

Figure 2
Leave the option to Import server-specific information unchecked and click Next.
Review the settings and click Finish to complete the import, then save and apply the
configuration. Once complete, the new computer set will appear in the list of computer
sets in the toolbox.
Figure 3
Note:
Some of the larger computer sets, like China, take quite a bit of time to load, so don't be
alarmed. In fact, on the rather underpowered lab test machine I used for this
demonstration it took several minutes to display the computer set after double-clicking it.
Be patient!
Configuring Outbound Access Monitoring
Once we've successfully imported the desired computer sets we can proceed with
creating an access rule to monitor traffic originating from or destined to these countries.
Create an access rule allowing HTTP and HTTPS from the Internal network to the
corresponding country-specific computer set. Where you place this access rule is
extremely important! TMG evaluates firewall policy in order and applies the first matching
rule, so if you have implemented URL filtering, as I have done here, placing this access
rule ahead of the Blocked Web Destinations rule will allow any traffic destined for this
country to bypass the URL filtering policy. Clearly that's not a good idea! Be sure to place
this monitoring rule immediately before the access rule that would normally allow these
requests, and after any URL filtering rules, as shown here.
Figure 4
Once this access rule is in place, any traffic allowed by the URL filtering policy and destined
for an IP address within a network block assigned to China will match the monitoring rule
and be logged against it.
Configuring Inbound Access Monitoring
If you are using Forefront TMG to publish web sites or services, it would be an excellent
idea to also monitor them for access from specific geographies. In this example I've
configured Forefront TMG to publish a web site and an FTP server.

Figure 5
To monitor access to our published services from specific geographies it is
necessary to create a similar web publishing rule that applies only to traffic originating
from the specific country you wish to monitor. The easiest way to accomplish this is to
copy the existing web publishing rule and paste it immediately ahead of the existing rule.
Double-click the duplicate rule and change its name, then select the From tab,
remove Anywhere and add the country-specific computer sets you wish to
monitor.
Note:
I've included a computer set called ThorSet_Test that includes the IP address of my test
workstation for demonstration purposes.
Figure 6
Once complete the rule set will look like this.

Figure 7
The order of the rules is critical. Since the monitoring rule is more specific, it should be
placed immediately before the web publishing rule allowing access from anywhere. If
and when a request is made from an IP address included in a country-specific computer
set you are monitoring, it will match the monitoring rule first and be easily identifiable in the
access logs. It's important to understand that this technique works only for published web
services. Published non-web services, such as the FTP server in this example, can only be
published once, because it is not possible to bind more than one server publishing rule to the
same TCP port on a single listening IP address.
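Both the outbound section above and this one depend on the monitoring rule sitting in exactly the right position: after the URL-filtering deny rule and before the general allow rule, because TMG applies the first matching rule. The following added example, not code from the original article, audits that placement from a script using the same TMG COM object model (FPC.Root; ArrayPolicy.PolicyRules; FPCPolicyRule.Order, .Action, .Enabled, per the TMG SDK as I recall it). The three rule names are assumptions matching this article's lab and should be replaced with your own; it targets Windows PowerShell 2.0.

```powershell
# Added example: list the array's firewall policy in processing order and verify
# that a country monitoring rule is ordered after the URL-filtering rule and
# before the rule that normally allows the traffic.

function Get-TmgPolicyOrder {
    # One object per rule, in the order TMG evaluates them.
    $fpc   = New-Object -ComObject FPC.Root        # TMG administration root object (SDK)
    $array = $fpc.GetContainingArray()
    foreach ($rule in $array.ArrayPolicy.PolicyRules) {
        # FPCPolicyRule.Action: 0 = Allow, 1 = Deny (SDK); Order is the 1-based position.
        $action = if ($rule.Action -eq 0) { 'Allow' } else { 'Deny' }
        New-Object PSObject -Property @{
            Order   = $rule.Order
            Name    = $rule.Name
            Action  = $action
            Enabled = $rule.Enabled
        }
    }
}

function Test-TmgRulePlacement {
    # Returns $true when $MonitorRule sits strictly between $MustFollow and $MustPrecede.
    param(
        [string]$MonitorRule = 'Monitor China Web Access',   # assumed name
        [string]$MustFollow  = 'Blocked Web Destinations',   # assumed URL-filtering deny rule
        [string]$MustPrecede = 'Allow Web Access'            # assumed general allow rule
    )
    $position = @{}
    foreach ($r in Get-TmgPolicyOrder) { $position[$r.Name] = $r.Order }

    foreach ($name in @($MonitorRule, $MustFollow, $MustPrecede)) {
        if (-not $position.ContainsKey($name)) { throw "Rule '$name' not found in firewall policy" }
    }

    $ok = ($position[$MustFollow] -lt $position[$MonitorRule]) -and
          ($position[$MonitorRule] -lt $position[$MustPrecede])
    if ($ok) {
        Write-Host ("OK: '{0}' is #{1}, after '{2}' (#{3}) and before '{4}' (#{5})" -f
            $MonitorRule, $position[$MonitorRule], $MustFollow, $position[$MustFollow],
            $MustPrecede, $position[$MustPrecede])
    } else {
        Write-Warning ("'{0}' is #{1}; it must be after '{2}' (#{3}) and before '{4}' (#{5}), " +
            "otherwise it either never matches or bypasses URL filtering" -f
            $MonitorRule, $position[$MonitorRule], $MustFollow, $position[$MustFollow],
            $MustPrecede, $position[$MustPrecede])
    }
    return $ok
}

# Show the whole policy as TMG will evaluate it, then run the placement check.
Get-TmgPolicyOrder | Sort-Object Order | Format-Table Order, Name, Action, Enabled -AutoSize
Test-TmgRulePlacement
```

The same check applies to the inbound case: pass the country-specific web publishing rule as -MonitorRule and the publishing rule that allows access from anywhere as -MustPrecede (with -MustFollow set to any rule you require to come first). Running it after every policy change catches the silent failure where a later drag-and-drop leaves the monitoring rule below the general allow rule, where it never matches.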
Access Monitoring
Once the monitoring rules are in place we can use the native Forefront TMG logging and
reporting tools to identify any request being made to monitored geographies. To view
traffic in real time, highlight the Logs & Reports node in the navigation tree and choose
the Logging tab in the center pane. In the Tasks pane click Edit Filter, then in the Filter
by drop-down box select Rule, for Condition select Equals, and for Value select the
monitoring access rule configured previously. Click Add To List to include this criterion
when filtering data.

Figure 8
Once complete, click Start Query to begin observing traffic matching this monitoring
rule.

Figure 9
Repeat this procedure for the published web site monitoring rule. Highlight the rule in the
filtering criteria and select the IIS monitoring rule. Don't forget to click Update to apply
the new value to the filter.

Figure 10
Click Start Query to begin monitoring again.

Figure 11
Convert Monitoring to Blocking
Once you are confident that no legitimate network traffic should originate from or be
destined to a monitored network block, you can easily configure the monitoring access or
web publishing rule to deny instead of allow to further strengthen your company's security
posture. The advantage of this method is that access from the monitored network,
although now being blocked, is still logged separately and is easy to identify in the
access logs. For outbound access rules, modify the monitoring rule by double-clicking it,
selecting the Action tab, and changing the action from Allow to Deny.

Figure 12
Alternatively, you can delete the monitoring access or web publishing rule and simply add
the country-specific computer sets to the Exceptions list on the To tab of the rule that
normally allows the traffic. Requests from those ranges will then fall through to the default
deny rule, so they are no longer logged under a dedicated rule name.
Figure 13
For published servers, your only option is to add the country-specific computer sets to
the Exceptions list on the From tab of the server publishing rule.
Figure 14
Summary
Ultimately the decision to block network communication based on geography depends
entirely upon your specific requirements. Certainly there is enough information available
today to make it plainly evident that a high percentage of attacks originate from certain
specific geographies, so monitoring communication originating from or destined to these
regions is an excellent idea. The method I've outlined here takes the low-buck approach,
and although cost effective (free!), there is some question as to whether these country-
specific computer sets are being actively maintained, so they may not be 100% accurate.
Although the solution I've presented here might be good enough in many cases, if
you're interested in something better I'd suggest investigating some of the commercial
third-party products that provide this capability.
