Firewall Geo Protection

Hi All

I enabled Geo Protection on our CheckPoint firewalls a few days ago. I blocked the whole of Russia and China, both in and outbound.

Ran a report for my boss yesterday showing roughly 5000 attempts being blocked per day. He has asked me to find out what this means: is that a high number, normal, low?

Most of the traffic appears to be port scanning or trying to access services that we know don't exist. Only 1/5 of the traffic is HTTP/HTTPS bound. Last year we were DDoS'd by China for about a week. Yes, it takes a year in the NHS to get protection against things like this :p

Anyway, any help is appreciated. More so, if anyone has any links to security sites that detail what I am asking, even better. I have to be evidence based when replying to my boss and I don't think "but someone on OCUK said x" is going to stand much ground, however if it is my only source of reference then he will have to accept it :D
 
Do you have SmartEvent/SmartReporter? The UI there is really good for this type of correlation. What models are you running and are you on 77.10+?

If you're a fairly big organisation or you have some clear public-facing services then they are clearly trying their luck.

- GP
 
Yes, I am using SmartReporter to generate the reports, that is where I got the figure of 5000 attempts per day from. I just don't know what that means in terms of being high, "normal" or low in terms of being "attacked" (using the word attacked as we have no legitimate reason for traffic from these countries as well as the obvious port scanning etc).

Being public facing and a largish organisation within the NHS, and the powers that be being incredibly risk averse, they want to know what each little figure means instead of just saying "well, the CheckPoint is doing exactly what you asked of it, does it really matter if it's 5 or 50k attempts per day?".

The next step in this process is to sign up to a protection service like CloudFlare but that tender has been going on for 12 months already...
 
Hard to say really, which isn't very helpful to you. We'll get thousands of protection events per day on various parts of our platform so I wouldn't say it's anything out of the ordinary. Sequential port scans are pretty common.

- GP
 
Depends what the traffic flow is like. On a very busy customer that is about normal, especially for an internet-facing firewall. You should see how many scanning attempts my home firewall drops.

I would be very careful blocking on geolocation; we did this a while back and it was so inaccurate we had to remove it. One reason is organisations buying IPv4 space from other countries; Plusnet did this and I sometimes get US search engines etc. Another problem was users using proxies/VPNs etc.

If it were me, a good firewall lockdown and using the latest IPS/IDS software does a good job at fending off attacks. We have just rolled out new 5545x's with Sourcefire and they do a great job at reporting and mitigating attacks.
 
What sort of stuff are you making available to the Internet?

Provided you've taken all reasonable precautions like having the target servers on a DMZ as opposed to your LAN and are having penetration testing done regularly I'd say the firewalls are doing what they were purchased for.

I'm going to assume you're already using your N3 connection for traffic between yourselves and other NHS organisations, and if not you certainly should be...
 
> I'm going to assume you're already using your N3 connection for traffic between yourselves and other NHS organisations, and if not you certainly should be...

I was under the impression there was near-no choice on this? I do a fair amount of work for health-care providers and any time the shops/clinics are set up it's over N3.

- GP
 
> I was under the impression there was near-no choice on this? I do a fair amount of work for health-care providers and any time the shops/clinics are set up it's over N3.
>
> - GP

Everything like that 'should' be done over N3; that's not to say that it necessarily is.
We're pretty strict on the security front, but we never assume everyone else involved is. Handily illustrated by it being not uncommon for the NHS Mail relay to be blacklisted by Hotmail and the like :p
 
> What sort of stuff are you making available to the Internet?
>
> Provided you've taken all reasonable precautions like having the target servers on a DMZ as opposed to your LAN and are having penetration testing done regularly I'd say the firewalls are doing what they were purchased for.
>
> I'm going to assume you're already using your N3 connection for traffic between yourselves and other NHS organisations, and if not you certainly should be...

Yes, all traffic that should be pushed over the N3 is; however, we cater to Flexible Workers who need to access services via non-trust networks, so we have to expose over the internet. We host other services exposed to Azure, 3rd party clients etc., so not everything can be N3 bound. The usual security practices are in place for these servers (DMZ).

Enabling the Geo Protection is above my paygrade. They tell me to do it, I do it. However, I also have to deal with the fall out. It's a lose-lose for me :mad:
 
Did you not enable it for alert-only first? Generally anything that is IPS should be monitor-only for a few weeks before allowing it to function as a full IPS solution, so you can see what it's flagging.

- GP
 
> Did you not enable it for alert-only first? Generally anything that is IPS should be monitor-only for a few weeks before allowing it to function as a full IPS solution, so you can see what it's flagging.
>
> - GP

Sure, that would have probably been the better option. One that I will keep in mind for future deployments. Thanks!
 
If you have the information in a usable format, it might be worth cross-referencing how many of those 5000 'attacks' would have been allowed through the firewall to a server if Geo Protection wasn't on.
If they would have got blocked anyway, then geolocation hasn't done anything for you that the firewall wouldn't have dealt with anyway.

If you can get that scary-sounding 5,000 number down, along with some assurances to your boss that failed login attempts are being monitored, account lockout rules are in place, etc., you might make your life a little easier.
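As an added illustration of the cross-referencing suggested in the post above (example code written for this thread, not from Check Point, SmartReporter or the original poster): it takes a constructed, simplified drop log and a hypothetical "normal" rulebase, and counts how many Geo Protection drops the ordinary rules would have dropped anyway versus how many only the geo rule stopped. The log format, addresses and rulebase are all made up for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (not real Check Point output), one event per line:
# src,src_country,dst,dst_port,action,rule
SAMPLE_LOG = """\
198.51.100.7,RU,203.0.113.10,443,drop,GeoProtection
198.51.100.7,RU,203.0.113.10,22,drop,GeoProtection
198.51.100.9,CN,203.0.113.10,80,drop,GeoProtection
198.51.100.9,CN,203.0.113.11,3389,drop,GeoProtection
198.51.100.9,CN,203.0.113.11,445,drop,GeoProtection
198.51.100.21,RU,203.0.113.12,1433,drop,GeoProtection
198.51.100.21,RU,203.0.113.10,443,drop,GeoProtection
192.0.2.5,GB,203.0.113.10,443,accept,WebDMZ
"""

# Hypothetical "normal" rulebase: what the border firewall accepts inbound
# with Geo Protection switched off (DMZ web tier, HTTP/HTTPS only).
ALLOW_RULES = [(ip_network("203.0.113.0/28"), {80, 443})]

def parse_log(text):
    """Turn the constructed CSV lines into dicts with an int port."""
    keys = ("src", "country", "dst", "port", "action", "rule")
    events = []
    for line in filter(None, text.splitlines()):
        ev = dict(zip(keys, line.split(",")))
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events

def allowed_without_geo(ev):
    """Would the ordinary rulebase have accepted this connection?"""
    dst = ip_address(ev["dst"])
    return any(dst in net and ev["port"] in ports for net, ports in ALLOW_RULES)

def triage(events):
    """Split Geo Protection drops into 'dropped anyway' and 'only geo stopped it'."""
    geo = [e for e in events if e["rule"] == "GeoProtection" and e["action"] == "drop"]
    reached = [e for e in geo if allowed_without_geo(e)]
    return {
        "geo_drops": len(geo),
        "dropped_anyway": len(geo) - len(reached),
        "stopped_only_by_geo": len(reached),
        "by_country": dict(Counter(e["country"] for e in geo)),
        "reached_ports": dict(Counter(e["port"] for e in reached)),
    }

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

On the sample data only the three HTTP/HTTPS hits to the DMZ web server count as "stopped only by geo"; the other four scans would have been dropped by the ordinary rulebase regardless.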
 
> If you have the information in a usable format, it might be worth cross-referencing how many of those 5000 'attacks' would have been allowed through the firewall to a server if Geo Protection wasn't on.
> If they would have got blocked anyway, then geolocation hasn't done anything for you that the firewall wouldn't have dealt with anyway.
>
> If you can get that scary-sounding 5,000 number down, along with some assurances to your boss that failed login attempts are being monitored, account lockout rules are in place, etc., you might make your life a little easier.

Good ideas, thanks. The CheckPoint is the border device and behind that sits a Netscaler which only allows HTTP/HTTPS traffic, so any scans on other ports will be blocked by the CheckPoint and if not, the Netscaler would not pass on the traffic anyway.

My bosses know this but they still want all these additional layers put in place. I will try to approach it in the way you have suggested and see what comes of it.
 