You read this correctly: amputate that source IP at your firewall's network connections and you dramatically increase your odds of surviving a cyberattack, at a fraction of the cost of a zero-trust framework. As a professional IT person with 30+ years of experience, I would definitely invest in amputating TCP/IP connections before I would spend any time on zero-trust frameworks, and here's why.
Zero-Trust or Not Zero-Trust, that is the question
Zero-Trust is a conscientious approach that authenticates and validates every access to every service on a network. The problem with this approach is that it still allows non-authorized people to poke and jiggle the doorknobs of exposed services and potentially find flaws or zero-day vulnerabilities to exploit. Also, implementing a zero-trust approach on your network requires a deep understanding of every system running on it, and each system will need a semi-custom configuration to achieve zero-trust compliance. This can be costly and cumbersome.
Amputate the IP
Amputating IP is a surgical analogy: it means cutting off TCP/IP connections from selected users around the world. It's simple, quick and effective, and it only hurts the patient… uhh, I mean the hackers. You see, when you expose an IP address to the internet with a couple of listening services (e.g. web servers, SSH remote access, employee VPN, etc.), you are allowing an unlimited number of attempts by hackers worldwide to take a shot at breaching your network assets.
So, how do you amputate network addresses so they can no longer poke at your public network services? You simply don't allow certain IP addresses to reach your network devices. Here's how this is done.
Fortinet, among many other firewall vendors, began offering access to a database of address objects with their yearly subscription. Since IP addresses are allocated to various internet connection providers around the world, each IP address is geo-located according to its region, provider and/or country. If, for example, you want to block the entire country of France from accessing your public services, you create a policy, add all the IP addresses of France to that policy, and set the action to "Block". Simple, right? Well, it wasn't so simple not long ago: you had to research all the network subnets allocated to a specific country, build each network object manually in your firewall, group all of those entries into one object group called, for example, "France", and then apply the blocking policy. Fortunately, firewall manufacturers decided to fold this heavy lifting into their subscription service to add value to their offering.
Today, you can easily pick countries from a list and build a few simple policies to block them. In fact, you can block virtually the whole world from poking at your exposed services, and that's how a properly managed network should be run.
In my opinion, there are several countries that should have ALL of their internet IP addresses blocked from the rest of the world. These countries are rogues and want to exploit and steal assets from richer countries. That is what cybercrime is all about!
Proxies and VPNs
So what if a country is blocked? They will find a way to bypass your policies by using a proxy or VPN service somewhere else, changing their source IP and gaining access to your exposed services. Yes, that is a possibility, but you just made it harder for them to do their work. If Fortinet were to research VPN/proxy providers and add them to their database list, it would make it even harder for hackers to find a route to your network. If hackers are busy looking for non-blocked proxies or VPN services somewhere in the world, they aren't busy trying to breach your network. That's the whole idea behind the IP amputation concept: making it difficult for hackers to attempt access makes them focus their efforts somewhere else.
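To make the geo-blocking mechanism from the previous sections concrete, and to show the proxy/VPN gap just described, here is a small added example in Python (this is not Fortinet's code or database; every prefix below is a constructed placeholder from documentation ranges, and the "anonymizer" feed is a hypothetical list of the kind the post wishes vendors would ship). It does what the firewall subscription does for you: maps a source IP to a country by longest-prefix match, then applies either a block-list or an allow-list of countries, and optionally a known-proxy list. It also scores a handful of constructed log lines so you can see how much of the noise such a policy would drop.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Constructed geo-IP table: country code -> CIDR prefixes.
# These are documentation ranges (RFC 5737), not real allocations.
GEO_DB = {
    "FR": ["203.0.113.0/24", "198.51.100.0/25"],
    "US": ["192.0.2.0/24", "198.51.100.128/25"],
}

# Hypothetical anonymizer (VPN/proxy exit) feed, also constructed.
PROXY_DB = ["192.0.2.64/26"]


def build_table(geo_db):
    """Flatten the country map into (network, cc) pairs, longest prefix first,
    so the first hit during a linear scan is the most specific match."""
    table = [(ipaddress.ip_network(p), cc)
             for cc, prefixes in geo_db.items() for p in prefixes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


TABLE = build_table(GEO_DB)
PROXY_NETS = [ipaddress.ip_network(p) for p in PROXY_DB]


def lookup_country(ip: str) -> Optional[str]:
    """Return the country code for ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in TABLE:
        if addr in net:
            return cc
    return None


def is_known_proxy(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_NETS)


def decide(ip: str,
           blocked=frozenset({"FR"}),
           allowed=None,
           block_proxies: bool = False) -> Tuple[str, str]:
    """Emulate a geo policy. With `allowed` set, only listed countries get in
    (the 'block most of the world' stance); otherwise `blocked` is a deny list.
    Returns (action, reason)."""
    cc = lookup_country(ip)
    label = f"geo:{cc or 'unknown'}"
    # Check the anonymizer feed first so a proxy inside an allowed country
    # does not slip past an allow-list.
    if block_proxies and is_known_proxy(ip):
        return ("deny", "anonymizer")
    if allowed is not None:
        return ("accept", label) if cc in allowed else ("deny", label)
    if cc in blocked:
        return ("deny", label)
    return ("accept", label)


# Constructed firewall-style log lines (src= is the only field we parse).
SAMPLE_LOG = """\
date=2024-01-01 src=203.0.113.5 dst=192.0.2.10 dport=22 action=accept
date=2024-01-01 src=198.51.100.10 dst=192.0.2.10 dport=443 action=accept
date=2024-01-01 src=198.51.100.200 dst=192.0.2.10 dport=443 action=accept
date=2024-01-01 src=192.0.2.70 dst=192.0.2.10 dport=22 action=accept
date=2024-01-01 src=10.0.0.1 dst=192.0.2.10 dport=22 action=accept
"""


def score_log(text: str, **policy) -> dict:
    """Count how many logged sources a given geo policy would accept/deny."""
    counts = {"accept": 0, "deny": 0}
    for line in text.splitlines():
        m = re.search(r"\bsrc=(\S+)", line)
        if m:
            action, _ = decide(m.group(1), **policy)
            counts[action] += 1
    return counts


if __name__ == "__main__":
    print(decide("203.0.113.5"))                                   # French source, deny-listed
    print(decide("192.0.2.70", allowed={"US"}, block_proxies=True))  # US proxy exit, blocked anyway
    print(score_log(SAMPLE_LOG, allowed={"US"}, block_proxies=True))
```

The linear scan is fine for a demonstration; a real firewall uses a radix tree, but the ordering rule (most specific prefix wins) is the same. Note the last log line: an address absent from the geo table is "unknown", and under an allow-list it is denied, which is the behaviour you want when the vendor feed lags behind a new allocation.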
Hardening before Zero-Trust
Firewalls such as FortiGates from Fortinet offer these services as address objects with their yearly subscription. You can easily build walls of security around your network with half a dozen policies or so. These policies are low maintenance and update themselves regularly. With the objects, you can limit what can be reached from inside your network (e.g. Outlook, Azure, AWS, etc.) and limit which external networks can reach your services (e.g. VPNs, portals, etc.). This method will dramatically strengthen your security posture, and once it is in place you can focus on implementing a Zero-Trust architecture around your most valuable assets.
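The "half a dozen policies" idea above is really a short, ordered, first-match rule set with an implicit deny at the end. The following added example (my own illustration, not FortiGate configuration or code) models that: named address objects, including geo and SaaS objects of the kind a subscription feed would populate, an inbound set that only admits VPN and HTTPS from trusted countries, and an outbound set that only lets internal hosts reach named SaaS destinations and a resolver. All prefixes are constructed documentation ranges, and the object names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Address objects (constructed). In practice "geo-*" and "saas-*" would come
# from the vendor feed; "internal", "vpn-gw" and "web" are your own objects.
OBJECTS = {
    "geo-US": ["192.0.2.0/24"],
    "geo-CA": ["198.51.100.128/25"],
    "geo-FR": ["203.0.113.0/24"],
    "internal": ["10.0.0.0/8"],
    "vpn-gw": ["192.0.2.10/32"],
    "web": ["192.0.2.20/32"],
    "saas-mail": ["198.51.100.0/26"],
    "resolver": ["198.51.100.64/32"],
}
GROUPS = {"trusted-geo": ["geo-US", "geo-CA"]}


def resolve(name: str):
    """Expand an object or group name (or 'all') into ip_network objects."""
    if name == "all":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in GROUPS:
        return [n for member in GROUPS[name] for n in resolve(member)]
    return [ipaddress.ip_network(p) for p in OBJECTS[name]]


def matches(name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in resolve(name))


@dataclass
class Policy:
    name: str
    srcintf: str
    dstintf: str
    srcaddr: str
    dstaddr: str
    service: Set[Tuple[str, int]] = field(default_factory=set)  # empty = ALL
    action: str = "accept"


# Ordered rule base: first match wins, nothing matching is denied.
POLICIES = [
    Policy("in-vpn", "wan1", "lan", "trusted-geo", "vpn-gw",
           {("udp", 500), ("udp", 4500)}),
    Policy("in-web", "wan1", "dmz", "trusted-geo", "web", {("tcp", 443)}),
    Policy("out-mail", "lan", "wan1", "internal", "saas-mail", {("tcp", 443)}),
    Policy("out-dns", "lan", "wan1", "internal", "resolver", {("udp", 53)}),
]


def evaluate(srcintf: str, dstintf: str, src: str, dst: str,
             proto: str, port: int) -> Tuple[str, Optional[str]]:
    """Return (action, policy name); (deny, None) is the implicit deny."""
    for p in POLICIES:
        if (p.srcintf == srcintf and p.dstintf == dstintf
                and matches(p.srcaddr, src) and matches(p.dstaddr, dst)
                and (not p.service or (proto, port) in p.service)):
            return (p.action, p.name)
    return ("deny", None)


if __name__ == "__main__":
    # Canadian source reaching the VPN gateway: allowed by in-vpn.
    print(evaluate("wan1", "lan", "198.51.100.200", "192.0.2.10", "udp", 500))
    # French source, same destination: no rule matches, implicit deny.
    print(evaluate("wan1", "lan", "203.0.113.7", "192.0.2.10", "udp", 500))
    # Internal host to an arbitrary internet address on 443: implicit deny.
    print(evaluate("lan", "wan1", "10.1.2.3", "203.0.113.50", "tcp", 443))
```

The point to take from running it is the shape of the rule base rather than any particular prefix: a short ordered list, each rule naming interfaces, address objects and a service, and an implicit deny doing most of the work. Swapping a country in or out is a change to `GROUPS`, not to the rules.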
I have often wondered why countries being hacked do not deliberately block the countries that are hacking them. Simple question, but a very difficult answer. The internet is supposed to be democratic, which means it can't discriminate against countries that have some legitimate reasons to access the internet, even if the majority of their internet access is aimed at breaching the security of other countries.
This video explains how and why rogue countries still have access to the internet. I have worked long enough around internet service providers to understand that a democratic world network isn't such a good idea. Don't wait for your local law enforcement or government to protect your business assets; start protecting yourself using IP amputation.