Forum Discussion
Anwar Mahmood
May 14, 2024 · Brass Contributor
Network Protection - block country
how can I use Network Protection to block connections to entire countries? In Entra ID conditional access, I can block access from countries that might be hostile to a tenant have no expected aut...
DylanInfosec
May 17, 2024 · Iron Contributor
If you were to attempt this with Network Protection, you’d need a way to continuously track IPs with a geo-location of Redland.
Network Protection does not allow CIDR-notated addresses, so you would need to enter every IP address possible individually via a script, and there is a limit to MDE indicators for a total of 15,000 indicators. Furthermore, Network Protection does not support blocking TLDs, or at least not explicitly that I’m aware of. You’d likely need to subscribe to a service such as GeoIP2 or a similar service.
Another, perhaps more viable, option that may also require some elbow grease is deploying an always-on VPN agent to all org-owned devices and blocking traffic to countries that way.
Again, I believe efforts could be spent more wisely elsewhere, such as email filtering, user training and awareness, and basic security hygiene and hardening for endpoints.
- Dylan
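The sizing problem Dylan describes, as an added example that is not part of this thread: the script expands a small, constructed stand-in for a "Redland" geo-IP feed (RFC 5737 and RFC 6598 test ranges, not a real country's allocations) into the single-IP indicators Network Protection would need and checks the total against the 15,000-indicator limit mentioned above.

```python
import ipaddress

MDE_INDICATOR_LIMIT = 15_000  # indicator cap as stated in the thread

# Constructed sample standing in for a geo-IP feed for "Redland".
# These are documentation/test ranges, not any real country's allocations.
SAMPLE_REDLAND_CIDRS = [
    "192.0.2.0/24",
    "198.51.100.0/24",
    "203.0.113.0/24",
    "100.64.0.0/16",
]


def collapse(cidrs):
    """Parse the blocks and merge overlapping or adjacent ones so no address is counted twice."""
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs)
    return list(ipaddress.collapse_addresses(nets))


def indicator_count(cidrs):
    """Single-IP indicators required, since Network Protection takes one address per indicator."""
    return sum(net.num_addresses for net in collapse(cidrs))


def fits_in_limit(cidrs, limit=MDE_INDICATOR_LIMIT):
    """True only if every address in the feed can be loaded as its own indicator."""
    return indicator_count(cidrs) <= limit


def expand_for_import(cidrs, limit=MDE_INDICATOR_LIMIT):
    """Expand into individual addresses, refusing to produce a list that cannot fit the cap."""
    count = indicator_count(cidrs)
    if count > limit:
        raise ValueError(f"{count} addresses exceed the {limit}-indicator limit")
    return [str(ip) for net in collapse(cidrs) for ip in net]


if __name__ == "__main__":
    needed = indicator_count(SAMPLE_REDLAND_CIDRS)
    print(f"{needed} single-IP indicators needed; limit is {MDE_INDICATOR_LIMIT}")
    print("fits:", fits_in_limit(SAMPLE_REDLAND_CIDRS))  # a single /16 already blows the budget
```

Three /24s plus one /16 already require 66,304 indicators, more than four times the cap, before any real country allocation is considered.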
Anwar Mahmood
May 17, 2024 · Brass Contributor
Thanks.
Conditional Access policy takes care of IPv4 addresses; I simply specify 'Redland', then set a conditional access policy to block access from Redland.
In the same way that Entra ID already takes care of what 'Redland' means in IP address terms, I would expect Network Protection to use the same source | logic | data store.
This network protection rule would be in addition to "email filtering, user training and awareness, basic security hygiene and hardening for endpoints." - even with all of them in place, attackers can succeed.