Monitoring and Blocking Network Access Based on Geographic Location using Forefront Threat Management Gateway (TMG) 2010

by Richard Hicks [Published on 18 June 2013 / Last Updated on 18 June 2013]

In this article I will demonstrate some methods that security engineers and Forefront TMG firewall administrators can use to identify, monitor, and block network communication based on the geographic location of the source or destination IP address.

Introduction

Two recently released information security reports shed important light on the threats to today’s corporate assets. According to the latest Microsoft Security Intelligence Report (SIR), malicious web sites are now the top threat to the enterprise, finally surpassing the insidious and difficult-to-eradicate Conficker. In addition, the recently released Verizon Business 2013 Data Breach Investigations Report (DBIR) indicates that a full 92% of data breaches included in the report were perpetrated by outsiders. Particularly troublesome is the fact that actors affiliated with China accounted for nearly one-fifth of all data breaches. The major motivating factor here appears to be the theft of intellectual property (IP), targeting primarily the manufacturing sector.

With this in mind, it’s an excellent idea to pay close attention to any traffic originating from or destined to IP addresses belonging to countries with a reputation for hosting phishing sites or malicious software. In addition, attempts to access published web sites or services from locations in which you have no customers or remote employees should be highly scrutinized. In some cases, depending on business requirements, it might even be necessary to completely block IP address ranges to increase the protection level for TMG-protected clients. In this month’s article I will demonstrate some methods that security engineers and Forefront TMG firewall administrators can use to identify, monitor, and block network communication based on the geographic location of the source or destination IP address.

IP Address to Geography Mapping

Creating access rules to identify and potentially block network access to specific geographies can be challenging. Although there are numerous databases and services from which this information can be extracted, manually creating Forefront TMG computer sets from the available data would be tedious and time consuming, not to mention error prone. There are some third-party utilities that integrate with Forefront TMG to provide IP address to geographic location mapping, but I’m going to demonstrate how to accomplish this using freely available tools. Thankfully, the work of building Forefront TMG computer sets for each country has already been done for us. You can download pre-built country-by-country computer sets for ISA Server and Forefront TMG by visiting the Hammer of God web site. These computer sets are available for use at the array level or the enterprise level.
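A computer set of this kind is just a list of from/to address ranges, and the summary below raises the question of whether the downloaded sets are still current. The following Python script is an added example (not part of the article or the Hammer of God sets) that collapses a country's CIDR allocations into the inclusive ranges a computer set holds, tests whether an address falls inside the set, and reports the ranges in a fresh allocation list that an older imported set no longer covers. All CIDR blocks are constructed documentation addresses, not real country allocations.

```python
import ipaddress

# Constructed allocation lists standing in for a downloaded country computer
# set (OLD_CN) and a fresh registry snapshot for the same country (NEW_CN).
OLD_CN = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/26"]
NEW_CN = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.64/26"]

def to_int_ranges(cidrs):
    """Collapse CIDR blocks into sorted, non-overlapping inclusive (first, last)
    integer ranges, merging adjacent blocks the way a computer set stores
    from/to address ranges rather than prefixes."""
    ranges = []
    for n in ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs):
        first, last = int(n.network_address), int(n.broadcast_address)
        if ranges and ranges[-1][1] + 1 == first:
            ranges[-1] = (ranges[-1][0], last)   # adjacent: extend previous range
        else:
            ranges.append((first, last))
    return ranges

def _dotted(ranges):
    return [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b))) for a, b in ranges]

def to_ranges(cidrs):
    """Same ranges rendered as dotted from/to pairs, as entered in a computer set."""
    return _dotted(to_int_ranges(cidrs))

def contains(cidrs, ip):
    """True if ip falls inside any range of the set, i.e. a rule using the set would match."""
    x = int(ipaddress.ip_address(ip))
    return any(a <= x <= b for a, b in to_int_ranges(cidrs))

def uncovered(new_cidrs, old_cidrs):
    """Ranges present in the fresh list but missing from the imported set:
    traffic to or from these addresses would silently miss the monitoring rule."""
    old = to_int_ranges(old_cidrs)
    gaps = []
    for a, b in to_int_ranges(new_cidrs):
        cur = a
        for oa, ob in old:
            if ob < cur or oa > b:
                continue                       # old range does not overlap what is left
            if oa > cur:
                gaps.append((cur, oa - 1))     # hole before this old range
            cur = max(cur, ob + 1)
            if cur > b:
                break
        if cur <= b:
            gaps.append((cur, b))              # tail not covered by any old range
    return _dotted(gaps)
```

Running `uncovered(NEW_CN, OLD_CN)` on the constructed data reports the two ranges the stale set lacks; an empty result from the reverse comparison confirms the old set has no entries the fresh list dropped.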


Importing Country Specific Computer Sets

Once you’ve downloaded and extracted the country-by-country computer sets, select the country or countries you wish to monitor or block and import them into TMG. This can be accomplished by opening the Forefront TMG management console, highlighting the Firewall Policy node in the navigation tree, then selecting the Toolbox tab. Right-click on Computer Sets and choose Import All.

Figure 1

After the import wizard starts, click Next and select the computer set for the country you wish to monitor and/or block.


Figure 2

Leave the option to Import server-specific information unchecked and click Next. Review the settings and click Finish to complete the import, then save and apply the configuration. Once complete, the new computer set will appear in the list of computer sets in the toolbox.


Figure 3

Note: Some of the larger computer sets, like China, take quite a bit of time to load, so don’t be alarmed. In fact, on the rather underpowered lab test machine I used for this demonstration it took several minutes to display the computer set after double-clicking it. Be patient!

Configuring Outbound Access Monitoring

Once we’ve successfully imported the desired computer sets we can proceed with creating an access rule to monitor traffic originating from or destined to these countries. Create an access rule allowing HTTP and HTTPS from the Internal network to the corresponding country specific computer set. Where you place this access rule is extremely important! If you have implemented URL filtering, as I have done here, placing this access rule ahead of the Blocked Web Destinations rule will allow any traffic destined for this country to bypass our URL filtering policy, because the first matching rule decides. Clearly that’s not a good idea! Be sure to place this monitoring rule immediately before the access rule that would normally allow these requests, and after any URL filtering rules, as shown here.

Figure 4

Once this access rule is in place, any traffic allowed by URL filtering policy and destined for an IP address associated with a network block assigned to China will match and be logged accordingly.

Configuring Inbound Access Monitoring

If you are using Forefront TMG to publish web sites or services, it would be an excellent idea to also monitor them for access from specific geographies. In this example I’ve configured Forefront TMG to publish a web site and an FTP server.

Figure 5

To monitor access to our published services from specific geographies it will be necessary to create a similar web publishing rule that applies only to traffic originating from the specific country you wish to monitor. The easiest way to accomplish this is to copy the existing web publishing rule and paste it immediately ahead of the existing rule. Double-click the duplicate rule and change the name, then select the From tab, remove the Anywhere group and add the country specific computer sets you wish to monitor. Note: I’ve included a computer set called ThorSet_Test that includes the IP address of my test workstation for demonstration purposes.

Figure 6

Once complete, the rule set will look like this.

Figure 7

The order of the rules is critical. Since the monitoring rule is more specific, it should be placed immediately preceding the web publishing rule allowing access from anywhere; if it were placed after, the broader rule would match first and the monitoring rule would never be hit. If and when a request is made from an IP address included in a country specific computer set you are monitoring, it will match the monitoring rule first and be easily identifiable in the access logs. It’s important to understand that this technique works only for published web services. Published non-web services, such as the FTP server in this example, can only be published once because it is not possible to bind more than one server publishing rule to a single TCP port.
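Both ordering points above (the outbound monitoring rule placed after URL filtering, and the inbound monitoring rule placed before the publish-from-anywhere rule) come down to first-match evaluation. The Python model below is an added example, not code from the article or from Forefront TMG; it reduces the article's rule sets to From/To address matching plus a category check for the URL-filtering rule, and the address blocks, rule names and the "Malicious" category are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address blocks standing in for the Hammer of God China computer
# set, the Internal network and a published web server (none are real allocations).
CHINA_SET = [ipaddress.ip_network("203.0.113.0/24")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ANYWHERE = [ipaddress.ip_network("0.0.0.0/0")]
WEB_SERVER = [ipaddress.ip_network("192.0.2.10/32")]

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src: list            # networks/computer sets on the rule's From tab
    dst: list            # networks/computer sets on the rule's To tab
    blocked_categories: frozenset = frozenset()  # set only on the URL-filtering rule

def in_set(ip, nets):
    return any(ip in n for n in nets)

def evaluate(policy, src, dst, category="Business"):
    """Return (rule name, action) of the first matching rule, as a first-match policy engine does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if not (in_set(src, rule.src) and in_set(dst, rule.dst)):
            continue
        # The URL-filtering deny rule matches only requests in a blocked category.
        if rule.blocked_categories and category not in rule.blocked_categories:
            continue
        return rule.name, rule.action
    return "Default rule", "deny"

# Outbound rules from the article's scenario.
BLOCKED_WEB = Rule("Blocked Web Destinations", "deny", INTERNAL, ANYWHERE, frozenset({"Malicious"}))
MONITOR_CHINA = Rule("Monitor China", "allow", INTERNAL, CHINA_SET)
ALLOW_WEB = Rule("Allow Web Access", "allow", INTERNAL, ANYWHERE)
OUTBOUND_WRONG = [MONITOR_CHINA, BLOCKED_WEB, ALLOW_WEB]  # monitor rule ahead of URL filtering
OUTBOUND_RIGHT = [BLOCKED_WEB, MONITOR_CHINA, ALLOW_WEB]  # URL filtering first, then monitor

# Inbound: the copied publishing rule limited to the country set must precede the original.
PUBLISH_MONITOR = Rule("Monitor China - Web Publishing", "allow", CHINA_SET, WEB_SERVER)
PUBLISH_ANY = Rule("Web Publishing", "allow", ANYWHERE, WEB_SERVER)
INBOUND_RIGHT = [PUBLISH_MONITOR, PUBLISH_ANY]
INBOUND_WRONG = [PUBLISH_ANY, PUBLISH_MONITOR]            # monitor rule is shadowed and never logs

if __name__ == "__main__":
    print(evaluate(OUTBOUND_WRONG, "10.1.1.5", "203.0.113.10", "Malicious"))  # URL filter bypassed
    print(evaluate(OUTBOUND_RIGHT, "10.1.1.5", "203.0.113.10", "Malicious"))  # blocked as intended
    print(evaluate(INBOUND_WRONG, "203.0.113.10", "192.0.2.10"))             # monitor never fires
```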

Access Monitoring

Once the monitoring rules are in place we can use the native Forefront TMG logging and reporting tools to identify any request being made to monitored geographies. To view traffic in real time, highlight the Logs & Reports node in the navigation tree and choose the Logging tab in the center pane. In the Tasks pane click Edit Filter, then in the Filter by drop-down box select Rule, for Condition select Equals, and for Value select the monitoring access rule configured previously. Click Add To List to include this criterion when filtering data.

Figure 8

Once complete, click Start Query to begin observing traffic matching this monitoring rule.

Figure 9

Repeat this procedure for the published web site monitoring rule. Highlight the rule in the filtering criteria and select the IIS monitoring rule. Don’t forget to click Update to update the filtering criteria with this new information.

Figure 10

Click Start Query to begin monitoring again.

Figure 11

Convert Monitoring to Blocking

Once you are confident that no legitimate network traffic should originate from or be destined to a monitored network block, you can easily configure the monitoring access or web publishing rule to deny instead of allow, further strengthening your company’s security posture. The advantage of this method is that access from the monitored network, although now being blocked, is still logged separately and is easier to identify in the access logs. For outbound access rules, modify the monitoring rule by double-clicking it, selecting the Action tab, and then changing the action from Allow to Deny.

Figure 12

Alternatively, you can delete the monitoring access or web publishing rule and simply add the country specific computer sets to the Exceptions list on the To tab.

Figure 13

For published servers, your only option is to add the country specific computer sets to the Exceptions list on the From tab.

Figure 14

Summary

Ultimately the decision to block network communication based on geography depends entirely upon your specific requirements. Certainly there is enough information available today to make it plainly evident that a high percentage of attacks originate from certain specific geographies, so monitoring communication originating from or destined to these regions is an excellent idea. The method I’ve outlined here takes the low-buck approach, and although cost effective (free!), there is some question as to whether these country specific computer sets are being actively maintained, so they may not be 100% accurate. Although the solution I’ve presented here might be “good enough” in many cases, if you’re interested in something better I’d suggest investigating some of the commercial third-party products that provide this capability.

See Also

Implementing Windows Server 2012 DirectAccess behind Forefront TMG (Part 1)
Understanding TMG Logging (Part 2)
Understanding TMG Logging (Part 3)

The Author — Richard Hicks Richard Hicks (MCP, MCSE, MCTS, and MCITP Enterprise Administrator) is a network and information security expert specializing in Microsoft technologies.
