Forum Discussion
Anwar Mahmood
May 14, 2024, Brass Contributor
Network Protection - block country
how can I use Network Protection to block connections to entire countries? In Entra ID conditional access, I can block access from countries that might be hostile to a tenant have no expected aut...
Anwar Mahmood
May 17, 2024, Brass Contributor
thanks
I think the same rationale you would use to apply conditional access policy would apply to network protection.
imagine two countries, Blueland and Redland.
Blueland and Redland are at war.
Imagine Redland's head of state has instructed his Cyberwarfare Command to compromise Blueland's critical national infrastructure.
Blueland's government instructs citizens about this threat, and instructs its organisations to block access from Redland.
I work for Blueland Inc, based in Blueland. I apply a conditional access policy that blocks access from Redland.
Redland uses techniques such as e-mail bombing and phishing to compromise Blueland.
I apply MFA, EDR, etc, but a breach might still be possible (AitM, token theft, etc).
My conditional access policy to block access from Redland is an additional layer of defense.
If Redland does breach defences, then they cannot access anything from Redland.
Both Redland and Blueland understand this is simplistic; Redland could simply compromise something in Blueland, then attack from within Blueland. Blueland Inc acknowledges this; still, blocking access from Redland remains a sensible precaution.
Equally, my organisation does not wish its devices to connect to anything in Redland; there is no legitimate need, and Redland may host AitM targets, such as https://loginn.microsoft.com, from Redland.
Both Redland and Blueland understand this is simplistic; Redland could simply compromise something in Blueland, then receive connections within Blueland. Blueland Inc acknowledges this; still, blocking access to Redland remains a sensible precaution.
At the end of the day, this is about controlling network traffic. Whether that is within Network Protection or Windows Defender Firewall with Advanced Security, the intent is to block traffic.
Network Protection might be the best method, though; the intent is that all endpoints managed by Blueland Inc apply the same policy - macOS devices, Android phones, etc. These non-Windows endpoints do not have Windows Defender Firewall with Advanced Security, of course.
So, how can I use Network Protection to block connections to entire countries?
DylanInfosec
May 17, 2024, Iron Contributor
If you were to attempt this with Network Protection, you’d need a way to continuously track IPs with a geo-location of Redland.
Network Protection does not allow CIDR-notated addresses, so you would need to enter every possible IP address individually via a script, and there is a limit to MDE indicators for a total of 15,000 indicators. Furthermore, Network Protection does not support blocking TLDs, or at least not explicitly that I'm aware of. You'd likely need to subscribe to a service such as GeoIP2 or a similar service.
Another, perhaps more viable option to you but may also require some elbow grease is deploying an always-on VPN agent to all org-owned devices and blocking traffic to countries that way.
Again, I believe efforts could be spent more wisely elsewhere such as email filtering, user training and awareness, basic security hygiene and hardening for endpoints.
- Dylan
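To make the sizing problem in the reply above concrete, here is an added example (not code from the thread or from Microsoft): it takes a constructed, fictional GeoIP feed of prefixes attributed to "Redland", merges overlapping prefixes, expands them into the one-address-per-indicator form that Network Protection requires because CIDR is not accepted, and checks the total against the 15,000-indicator limit quoted in the reply. The prefix list, the `INDICATOR_LIMIT` constant and the field names in `indicator_payload()` (modelled on the shape of the MDE Submit or Update Indicator API body as I recall it) are assumptions to verify against current documentation before use.

```python
import ipaddress
from typing import Iterable

# Per-tenant indicator limit as quoted in DylanInfosec's reply (assumption: unchanged).
INDICATOR_LIMIT = 15_000

# Constructed sample feed (fictional): prefixes a GeoIP provider might attribute
# to "Redland". Documentation / shared address ranges are used so nothing is routable.
REDLAND_PREFIXES = [
    "203.0.113.0/24",   # 256 addresses
    "198.51.100.0/25",  # 128 addresses
    "192.0.2.0/26",     #  64 addresses
    "203.0.113.0/26",   # overlaps the /24 above; must not be double counted
]


def collapse(prefixes: Iterable[str]) -> list:
    """Parse CIDRs and merge overlapping or adjacent prefixes (feeds often overlap).
    collapse_addresses() refuses mixed versions, so v4 and v6 are merged separately."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def count_addresses(prefixes: Iterable[str]) -> int:
    """Number of individual indicators the feed needs, since CIDR indicators are not supported."""
    return sum(n.num_addresses for n in collapse(prefixes))


def expand_prefixes(prefixes: Iterable[str], limit: int = INDICATOR_LIMIT) -> list:
    """Expand to one address per indicator, refusing to exceed the tenant limit."""
    nets = collapse(prefixes)
    total = sum(n.num_addresses for n in nets)
    if total > limit:
        raise ValueError(f"{total} addresses exceed the {limit}-indicator limit")
    return [str(addr) for n in nets for addr in n]


def indicator_payload(ip: str, title: str = "Geo-block: Redland") -> dict:
    """One indicator body. Field names are an assumption modelled on the MDE
    Submit or Update Indicator API; check them against current docs."""
    return {
        "indicatorValue": ip,
        "indicatorType": "IpAddress",
        "action": "Block",
        "severity": "Informational",
        "title": title,
        "description": "Added example: country-level block, one indicator per address",
        "generateAlert": False,
    }


def plan_block(prefixes: Iterable[str], limit: int = INDICATOR_LIMIT) -> dict:
    """Summarise whether the feed fits the limit and, if so, build the indicator bodies."""
    total = count_addresses(prefixes)
    fits = total <= limit
    payloads = [indicator_payload(ip) for ip in expand_prefixes(prefixes, limit)] if fits else []
    return {"addresses": total, "limit": limit, "fits": fits, "payloads": payloads}


if __name__ == "__main__":
    plan = plan_block(REDLAND_PREFIXES)
    print(f"{plan['addresses']} addresses, fits={plan['fits']}")
    # A single /18 already pushes the feed over the limit; a real country's
    # allocation is many orders of magnitude larger than that.
    big = plan_block(REDLAND_PREFIXES + ["100.64.0.0/18"])
    print(f"{big['addresses']} addresses, fits={big['fits']}")
```

Run it with no arguments to see the two summaries. The point it makes is the one in the reply: four small fictional prefixes already need 448 indicators, adding one /18 takes the total to 16,832 and past the limit, and a real country is far beyond that, so the per-address indicator approach does not scale however the feed is scripted.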
- Anwar Mahmood, May 17, 2024, Brass Contributor
I appreciate Network Protection cannot do this right now; my point is, it *should* be able to.
- Anwar Mahmood, May 17, 2024, Brass Contributor
thanks
Conditional Access policy takes care of IPv4 addresses; I simply specify 'Redland', then set a conditional access policy to block access from Redland.
In the same way that Entra ID already takes care of what 'Redland' means in IP address terms, I would expect Network Protection to use the same source | logic | data store.
This network protection rule would be in addition to "email filtering, user training and awareness, basic security hygiene and hardening for endpoints." - even with all of them in place, attackers can succeed.