Network Protection - block country


How can I use Network Protection to block connections to entire countries?

In Entra ID conditional access, I can block access from countries that might

  • be hostile to a tenant
  • have no expected authentications

It makes sense, then, that Network Protection should control connections to entire countries, too; this would be an 'equivalent' function to that in Entra ID.

How can I do this?


Hi @Anwar Mahmood,

Looking around, the solution for this doesn’t lie in Network Protection, which is an extension of Web Protection to the OS. Rather, it’s recommended you attempt to do this via the Windows Firewall, which you can configure with whatever you’re using for Device Management.
Poking around there doesn’t seem to be a real direct, reliable or easy way to do what you’re asking for.


Personally, I would advise against it. Depending on your use-case and who this policy will affect, there’s no easy way to know where a website might be loading from, or even a specific piece of content on a web page. With everything up in the cloud hosted worldwide, it’s a risky move if not properly monitored and maintained. If possible (for example, on a restricted network) it might even be easier to take an allow-list approach: discover what you need to allow, configure the rules and deny everything else.


If this is for user systems this is going to be hard to maintain.


Again, not knowing your use-case, I’ve seen folks take this approach before and to me it’s a false sense of safety. TAs of all levels have a wide net to cast, with plenty of IPs in the countries you’re likely not going to be blocking.

You’re much better off focusing on hardening your systems and creating rules around the basics, such as locking specific protocols to specific subnets and preventing crosstalk, versus trying to block entire country IP space. For example: preventing SMB traffic from lateral connections and from entering or leaving the network.


Best,

Dylan
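As an added example (not code from the reply above, nor from Microsoft), here is what the Windows Firewall route looks like in PowerShell: the country's prefixes go straight into `-RemoteAddress`, which takes CIDR notation, so a whole list fits in one rule per direction. The prefixes are constructed documentation ranges standing in for "Redland", the rule names are invented, and the `Internet` address keyword used for the SMB rule is a built-in Windows Firewall address set; check it resolves as expected on your network profile before relying on it.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell session
# on Windows 8/Server 2012 or later (NetSecurity module). The prefixes below are
# constructed placeholders (RFC 5737 / RFC 3849 documentation ranges), not a real
# country allocation; a deployment would feed in a maintained country-to-prefix
# list and re-run this on every update.

$RedlandRanges = @(
    '203.0.113.0/24',      # constructed
    '198.51.100.0/24',     # constructed
    '2001:db8:feed::/48'   # constructed IPv6 prefix
)
$RuleGroup = 'Country block (Redland)'   # invented group name

# Windows Firewall takes CIDR prefixes directly in -RemoteAddress, so the whole
# list fits in two rules (one per direction) instead of one rule per host.
# Removing the group first makes the script idempotent for list updates.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$common = @{
    Group         = $RuleGroup
    Action        = 'Block'
    Profile       = 'Any'
    Enabled       = 'True'
    RemoteAddress = $RedlandRanges
}
New-NetFirewallRule -DisplayName 'Block outbound to Redland'  -Direction Outbound @common | Out-Null
New-NetFirewallRule -DisplayName 'Block inbound from Redland' -Direction Inbound  @common | Out-Null

# Verify what actually landed in the address filter, not just that the cmdlets ran.
Get-NetFirewallRule -Group $RuleGroup |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# The "basics" alternative from the reply: keep SMB off the Internet without
# blocking it to internal file servers. Block rules win over allow rules in
# Windows Firewall, so the scope has to sit in the block rule itself; the
# built-in 'Internet' keyword (addresses outside what NLA classifies as local
# or intranet) does that without an allow-list.
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' -Group 'SMB hygiene' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block | Out-Null
```

The same script can be wrapped as a platform script in your device-management tool; the part that needs ongoing work is the prefix list, not the rules, which is the maintenance cost the reply warns about.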

Thanks
I think the same rationale you would use to apply conditional access policy would apply to network protection.

imagine two countries, Blueland and Redland.

Blueland and Redland are at war.

Imagine Redland's head of state has instructed his Cyberwarfare Command to compromise Blueland's critical national infrastructure.

Blueland's government instructs citizens about this threat, and instructs its organisations to block access from Redland.

I work for Blueland Inc, based in Blueland. I apply a conditional access policy that blocks access from Redland.
Redland uses techniques such as e-mail bombing and phishing to compromise Blueland.

I apply MFA, EDR, etc., but a breach might still be possible (AitM, token theft, etc.).

My conditional access policy to block access from Redland is an additional layer of defense.

If Redland does breach defences, then they cannot access anything from Redland.

Both Redland and Blueland understand this is simplistic; Redland could simply compromise something in Blueland, then attack from within Blueland. Blueland Inc acknowledges this; still, blocking access from Redland remains a sensible precaution.

Equally, my organisation does not wish their devices to connect to anything in Redland; there is no legitimate need, and Redland may host AitM targets, such as https://loginn.microsoft.com, from Redland.

Both Redland and Blueland understand this is simplistic; Redland could simply compromise something in Blueland, then receive connections within Blueland. Blueland Inc acknowledges this; still, blocking access to Redland remains a sensible precaution.

At the end of the day, this is about controlling network traffic. Whether that is within Network Protection or Windows Defender Firewall with Advanced Security, the intent is to block traffic.

Network Protection might be the best method, though; the intent is that all endpoints managed by Blueland Inc apply the same policy - macOS devices, Android phones, etc. These non-Windows endpoints do not have Windows Defender Firewall with Advanced Security, of course.

So, how can I use Network Protection to block connections to entire countries?
If you were to attempt this with Network Protection, you’d need a way to continuously track IPs with a geo-location of Redland.
Network Protection does not allow CIDR-notated addresses, so you would need to enter every IP address possible individually via a script, and there is a limit to MDE indicators for a total of 15,000 indicators. Furthermore, Network Protection does not support blocking TLDs, or at least not explicitly that I’m aware of. You’d likely need to subscribe to a service such as GeoIP2 or similar.
Another, perhaps more viable option to you but may also require some elbow grease is deploying an always-on VPN agent to all org-owned devices and blocking traffic to countries that way.
Again, I believe efforts could be spent more wisely elsewhere such as email filtering, user training and awareness, basic security hygiene and hardening for endpoints.
- Dylan
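To make the indicator problem in the reply above concrete, here is an added example (not code from the thread or from Microsoft) that expands a prefix list host by host, as custom indicators require, and checks the result against the 15,000-indicator figure the reply quotes. The prefixes are constructed placeholders; the 500-per-call batch size, the import endpoint, the `Ti.ReadWrite.All` permission and the indicator body fields are stated as the author's understanding of the MDE import indicators API and should be confirmed against current documentation before use.

```powershell
# Added example, not code from the thread. Expands IPv4 prefixes into the
# one-address-per-indicator form MDE custom indicators need, stops at the
# tenant limit quoted in the reply, and shapes the survivors into import
# batches. Prefixes are constructed; API details are assumptions (see lead-in).

$IndicatorLimit  = 15000   # tenant-wide limit quoted in the reply
$ImportBatchSize = 500     # assumed per-call limit of the import API

function Get-IPv4HostCount {
    param([Parameter(Mandatory)][string]$Cidr)
    $prefix = [int]$Cidr.Split('/')[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    return [uint64]1 -shl (32 - $prefix)
}

function Expand-IPv4Cidr {
    # Emits every address in the prefix, network and broadcast included:
    # the product wants one indicator per host, so nothing is skipped.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip     = $Cidr.Split('/')[0]
    $octets = $ip.Split('.') | ForEach-Object { [uint64]$_ }
    if ($octets.Count -ne 4) { throw "Bad IPv4 address in '$Cidr'" }
    $size = Get-IPv4HostCount $Cidr
    $base = ($octets[0] -shl 24) -bor ($octets[1] -shl 16) -bor ($octets[2] -shl 8) -bor $octets[3]
    $net  = $base - ($base % $size)            # clear the host bits
    for ([uint64]$i = 0; $i -lt $size; $i++) {
        $n = $net + $i
        $a = ($n -shr 24) -band 255; $b = ($n -shr 16) -band 255
        $c = ($n -shr 8)  -band 255; $d = $n -band 255
        "$a.$b.$c.$d"
    }
}

function ConvertTo-IndicatorBatches {
    # Builds indicator objects until the next prefix would cross the limit,
    # then splits them into import-sized bodies.
    param([string[]]$Cidrs, [int]$Limit = $IndicatorLimit, [int]$BatchSize = $ImportBatchSize)
    $expires = (Get-Date).ToUniversalTime().AddDays(30).ToString('o')
    $all = New-Object System.Collections.Generic.List[object]
    foreach ($c in $Cidrs) {
        if (($all.Count + (Get-IPv4HostCount $c)) -gt $Limit) {
            Write-Warning "Stopping before $c : adding it would exceed $Limit indicators"
            break
        }
        foreach ($addr in Expand-IPv4Cidr $c) {
            $all.Add([pscustomobject]@{        # assumed body fields
                indicatorValue = $addr
                indicatorType  = 'IpAddress'
                action         = 'Block'
                severity       = 'Informational'
                title          = 'Redland country block'
                description    = "Derived from prefix $c"
                expirationTime = $expires
            })
        }
    }
    $arr = $all.ToArray()
    for ($s = 0; $s -lt $arr.Count; $s += $BatchSize) {
        $end = [Math]::Min($s + $BatchSize, $arr.Count) - 1
        @{ Indicators = @($arr[$s..$end]) }
    }
}

# Constructed stand-in for "Redland": two /24s plus a /18.
$RedlandRanges = @('203.0.113.0/24', '198.51.100.0/24', '100.64.0.0/18')

[uint64]$total = 0
foreach ($r in $RedlandRanges) { $total += Get-IPv4HostCount $r }
if ($total -gt $IndicatorLimit) {
    Write-Warning ("{0} prefixes expand to {1:N0} addresses; the tenant limit is {2:N0}." -f `
        $RedlandRanges.Count, $total, $IndicatorLimit)
}

$batches = @(ConvertTo-IndicatorBatches -Cidrs $RedlandRanges)
"{0} indicators in {1} import call(s) of up to {2}" -f `
    ($batches | ForEach-Object { $_.Indicators.Count } | Measure-Object -Sum).Sum, $batches.Count, $ImportBatchSize

# Submitting (assumed endpoint and permission; left commented so the script runs offline):
# foreach ($b in $batches) {
#     Invoke-RestMethod -Method Post -Uri 'https://api.securitycenter.microsoft.com/api/indicators/import' `
#         -Headers @{ Authorization = "Bearer $token" } -ContentType 'application/json' `
#         -Body ($b | ConvertTo-Json -Depth 4)
# }
```

With the constructed list, the /18 alone is larger than the whole indicator budget, so the batching function stops after the two /24s; a real country allocation is many orders of magnitude bigger, which is the point of the reply.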
Thanks
Conditional Access policy takes care of IPv4 addresses; I simply specify 'Redland', then set a conditional access policy to block access from Redland.

In the same way that Entra ID already takes care of what 'Redland' means in IP address terms, I would expect Network Protection to use the same source | logic | data store.

This network protection rule would be in addition to "email filtering, user training and awareness, basic security hygiene and hardening for endpoints." - even with all of them in place, attackers can succeed.
I appreciate Network Protection cannot do this right now; my point is, it *should* be able to.