The average PC user does not need access to the entire Internet. The more they have access to, the more potential sources of security issues there are. Consider that many high profile crime syndicates operate out of the APNIC region: what if the average user could just turn off that entire address space from his computer with a click of the mouse? Imagine being able to open up a window and just select the Regional Internet Registry zones that you have a need to access from the selections below:
In an “advanced mode” you could choose to drill down farther and pick other locales within the zones. For example, perhaps you need access to only Japan, Australia and India but want to limit exposure to hosts in China and other APNIC countries. Lazy users could just subscribe to “recommended” settings for their region based on the level of security desired.
Why bother?
There are several very good reasons why this approach can contribute to making end users more secure and, more importantly, make life more difficult for internet criminals and the countries that harbor them. This idea actually came to me as a result of writing an article about the RSA hack that resulted in a re-issue of all of their SecurID products. I learned that the host the Poison Ivy malware had contacted was a known source in other attacks.
Why was RSA allowing traffic to communicate with a known malicious host?
The host in the RSA hack was located in APNIC, again a zone that the average user does not need access to and probably would not even miss. In this example the attack would have failed, and if the criminal was determined they would have to find another way, creating more risk for them (of detection) and forcing them to work harder at it, potentially becoming discouraged and finding something more lucrative to do with their time (with a little luck, something legal). As to the governments that allow these sites to function within their borders, they will drive themselves into further isolation. There are few nations in the world that would not be bothered by significant volumes of users bypassing sites in their country.
Corporate and Government Applications
This technology could quite easily be adapted to corporate use, centrally managed, and could even include a dynamic black list of emerging dangerous addresses. Say, for example, that a particularly nasty virus was spreading through the internet; most malicious apps have to phone home somewhere (to get instructions, etc.). Push that address out to the blacklist for millions of users and, even for the users who do get infected, the command and control channel is effectively cut off instantly.
What would happen when you try to access a site in the blocked zone?
We know malicious programs attempting to access blocked sites would fail, but what about when you attempt to access something you know to be legitimate? In these cases the connection would fail if it was within the blocked zone. A screen could easily be added to the web browser (“this site falls within your blocked zone”) with, conceivably, the option to add it to the safe list.
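As an added illustration (not the author's code), the following Python sketch evaluates a destination address against the policy described above: the zones the user selected, the user's safe list, and a centrally pushed dynamic blocklist. The zone prefixes are constructed stand-ins from the RFC 5737 documentation ranges, not real RIR delegations; a real deployment would load the RIR delegated-statistics files instead.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in zones (RFC 5737 documentation prefixes). These are NOT
# real RIR delegations; a real tool would load the RIRs' delegated-stats files.
ZONES = {
    "ARIN-like":  [ipaddress.ip_network("192.0.2.0/24")],
    "RIPE-like":  [ipaddress.ip_network("198.51.100.0/24")],
    "APNIC-like": [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass
class Policy:
    allowed_zones: set                                  # zones the user selected
    safe_list: set = field(default_factory=set)         # hosts the user approved
    dynamic_blocklist: set = field(default_factory=set)  # pushed C2 addresses

    def zone_of(self, ip):
        for name, nets in ZONES.items():
            if any(ip in net for net in nets):
                return name
        return None

    def decide(self, addr):
        """Return (verdict, reason) for a destination address."""
        ip = ipaddress.ip_address(addr)
        # 1. A pushed blocklist entry wins over everything, including the
        #    safe list: a host known to be phoning home stays cut off.
        if ip in self.dynamic_blocklist:
            return ("block", "dynamic blocklist")
        # 2. The user's explicit safe list overrides zone blocking.
        if ip in self.safe_list:
            return ("allow", "safe list")
        # 3. Otherwise only the selected zones are reachable (default deny).
        zone = self.zone_of(ip)
        if zone is None:
            return ("block", "unknown zone")
        if zone in self.allowed_zones:
            return ("allow", zone)
        return ("block", f"zone {zone} not selected")


def demo_policy():
    """A home user who selected one zone, approved one host and received
    one blocklist push (all values constructed for this example)."""
    return Policy(
        allowed_zones={"ARIN-like"},
        safe_list={ipaddress.ip_address("203.0.113.7")},
        dynamic_blocklist={ipaddress.ip_address("192.0.2.99")},
    )
```

The ordering in `decide` is the design decision the post leaves open: here a blocklist push beats a user's safe-list entry, so a compromised machine cannot whitelist its own command and control host.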
It’s not perfect, so how can we make it better?
I realize this solution is not perfect, but I think the idea is a solid one. It introduces some new leverage to the information security problem. OK, infosec pros, what would you do to make this an even better solution?