Forum Discussion
Network Protection - block country
how can I use Network Protection to block connections to entire countries?
In Entra ID conditional access, I can block access from countries that might
- be hostile to a tenant
- have no expected authentications
it makes sense, then, that Network Protection should control connections to entire countries, too; this would be an 'equivalent' function to that in Entra ID.
How can I do this?
- DylanInfosecBrass Contributor
Hi Anwar Mahmood,
looking around the solution for this doesn’t lie in Network Protection which is an extension of Web Protection to the OS. Rather, it’s recommended you attempt to do this via the Windows Firewall which you can configure with whatever you’re using for Device Management.
Poking around there doesn’t seem to be a real direct, reliable or easy way to do what you’re asking for. Personally, I would advise against it. Depending on your use-case and who this policy will affect, there’s no easy way to know where a website might be loading from or even a specific piece of content on a web page. With everything up in the cloud hosted worldwide, it’s a risky move if not properly monitored and maintained. If possible (for example, on a restricted network) it might even be easier to take an allow list approach. Discover what you need to allow, configure the rules and deny everything else.
If this is for user systems this is going to be hard to maintain. Again, not knowing your use-case, I’ve seen folks take this approach before and to me it’s a false sense of safety. TAs of all levels have a wide net to cast with plenty of IPs in the countries you’re likely not going to be blocking.
You’re much better off focusing on hardening your systems and creating rules around the basics such as locking specific protocols to specific subnets and preventing crosstalk vs trying to block entire country IP space. For example: preventing SMB traffic from lateral connections and entering or leaving the network.
Best,
Dylan
- Anwar MahmoodBrass Contributor
thanks
I think the same rationale you would use to apply conditional access policy would apply to network protection.
imagine two countries, Blueland and Redland.
Blueland and Redland are at war.
Imagine Redland's head of state has instructed his Cyberwarfare Command to compromise Blueland's critical national infrastructure.
Blueland's government instructs citizens about this threat, and instructs its organisations to block access from Redland.
I work for Blueland Inc, based in Blueland. I apply a conditional access policy that blocks access from Redland.
Redland uses techniques such as e-mail bombing and phishing to compromise Blueland.
I apply MFA, EDR, etc, but a breach might still be possible (AitM, token theft, etc).
My conditional access policy to block access from Redland is an additional layer of defense.
If Redland does breach defences, then they cannot access anything from Redland.
Both Redland and Blueland understand this is simplistic; Redland could simply compromise something in Blueland, then attack from within Blueland. Blueland Inc acknowledges this; still, blocking access from Redland remains a sensible precaution.
Equally, my organisation does not wish their devices to connect to anything in Redland; there is no legitimate need, and Redland may host AitM targets, such as https://loginn.microsoft.com, from Redland.
Both Redland and Blueland understand this is simplistic; Redland could simply compromise something in Blueland, then receive connections within Blueland. Blueland Inc acknowledges this; still, blocking access to Redland remains a sensible precaution.
At the end of the day, this is about controlling network traffic. Whether that is within Network Protection or Windows Defender Firewall with Advanced Security, the intent is to block traffic.
Network Protection might be the best method, though; the intent is that all endpoints managed by Blueland Inc apply the same policy - macOS devices, Android phones, etc. These non-Windows endpoints do not have Windows Defender Firewall with Advanced Security, of course.
So, how can I use Network Protection to block connections to entire countries?
- DylanInfosecBrass Contributor
If you were to attempt this with Network Protection, you’d need a way to continuously track IPs with a geo-location of Redland.
Network Protection does not allow CIDR notated addresses so you would need to enter every IP address possible individually via a script and there is a limit to MDE indicators for a total of 15,000 indicators. Furthermore, Network Protection does not support blocking TLDs, or at least not explicitly that I’m aware of. You’d likely need to subscribe to a service such as GeoIP2 or similar service.
Another option, perhaps more viable for you but one that may also require some elbow grease, is deploying an always-on VPN agent to all org-owned devices and blocking traffic to countries that way.
Again, I believe efforts could be spent more wisely elsewhere such as email filtering, user training and awareness, basic security hygiene and hardening for endpoints.
- Dylan
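To put numbers on Dylan's point that Network Protection indicators take single IPs rather than CIDR ranges and are capped at 15,000 in total, here is an added feasibility check (example code, not from the thread or from Microsoft). The prefixes are constructed documentation/test ranges standing in for "Redland", and the 15,000 figure is taken from the post above.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Total custom network indicator ceiling quoted in the thread above.
MDE_INDICATOR_LIMIT = 15_000

# Constructed sample: documentation/test prefixes standing in for a country's
# allocations. A real country list would run to thousands of prefixes.
SAMPLE_COUNTRY_PREFIXES = [
    "198.51.100.0/24",   # 256 addresses
    "203.0.113.0/24",    # 256 addresses
    "192.0.2.0/25",      # 128 addresses
    "100.64.0.0/18",     # 16,384 addresses: alone exceeds the whole budget
]


def indicators_needed(prefixes: Iterable[str]) -> int:
    """How many single-IP indicators a CIDR list expands to (one per address)."""
    return sum(ipaddress.ip_network(p, strict=False).num_addresses for p in prefixes)


def plan_indicators(prefixes: Iterable[str], limit: int = MDE_INDICATOR_LIMIT,
                    already_used: int = 0) -> Tuple[List[str], List[str], int]:
    """Greedily pack the smallest prefixes into the remaining indicator budget.

    Returns (prefixes that fit, prefixes that had to be dropped, total needed).
    Anything in the dropped list is country address space that stays unblocked.
    """
    nets = sorted((ipaddress.ip_network(p, strict=False) for p in prefixes),
                  key=lambda n: n.num_addresses)
    budget = limit - already_used
    fitted, dropped = [], []
    for net in nets:
        if net.num_addresses <= budget:
            fitted.append(str(net))
            budget -= net.num_addresses
        else:
            dropped.append(str(net))
    return fitted, dropped, indicators_needed(prefixes)


def individual_indicators(prefixes: Iterable[str]) -> List[str]:
    """The literal per-address list a script would have to push, one indicator each."""
    return [str(addr) for p in prefixes
            for addr in ipaddress.ip_network(p, strict=False)]


if __name__ == "__main__":
    fit, drop, total = plan_indicators(SAMPLE_COUNTRY_PREFIXES)
    print(f"{total} indicators needed against a limit of {MDE_INDICATOR_LIMIT}")
    print("fits:", fit)
    print("dropped (remains reachable):", drop)
```

Even this four-prefix toy list needs 17,024 indicators, so one /18 is already dropped and the "blocked country" has a hole in it before any other indicator is added.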