Build a wall around your country

Reduce your public visibility and stay off the hackers’ radar.

Constructing a wall around your country has been a controversial theme in recent years, but in the times we live in, this concept applied to IT adds great value from a cyber security perspective. The internet, by its nature, is an interconnected global network, allowing a single person on a device in one part of the world to connect to a resource thousands of kilometers away in milliseconds.

This is generally seen as a good thing, especially considering e-commerce needs and the globalisation of business drivers. However, it also exposes our IT infrastructure to every single person and location in the world.

Here is a question for you. Why would you want to give absolute global access to your login portal, the form where your employees enter their network credentials and gain access to all of your internal apps and corporate data, when you know your employees only reside in a single country, or continent?

I can hear various answers: “Work is not a place”, “Emergency access whilst on vacation”, “Work from home in another country”. There are many good reasons for this. But can you dial the security up for these sorts of use cases, whilst still allowing some level of access? Or do you just slam the door and block everything outside of your jurisdiction?

If you have Citrix ADC in front of your apps, then the answer is yes: you can block outright, or simply dial up security. You just need a few lines of configuration. Here are some use cases:

  • Allow only traffic from your home country to access your Citrix ICA Proxy, Citrix VPN, or public facing Web App load balanced or published through Citrix ADC, everything else gets dropped.
  • Allow only connections from an allow-list of countries to access your Citrix ICA Proxy, Citrix VPN, or public facing Web App which is load balanced or published through Citrix ADC, everything else gets dropped.
  • Create a deny list of countries you do NOT want to have any access to your systems, and drop all traffic from these countries.
  • Do all of the above, and drop traffic coming from any public cloud. ( Why would your employee be accessing your resources from a public cloud? )

With St. Patrick’s Day being tomorrow (this blog being published on March 16th), I thought I’d keep it Irish. Let’s say I want to allow connections to my apps only from the island of Ireland, and drop everything else. I just need two (yes, two!) lines of configuration:

add responder policy Drop_non_IE "CLIENT.IP.SRC.MATCHES_LOCATION(\".IE....\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\".GB.\'Northern Ireland\'...*\").NOT" DROP
bind vpn vserver Corp_Gateway -policy Drop_non_IE -priority 100

If we want to allow more than one country, we can tidy things up with some pattern sets. Note that the action is DROP. This means we silently drop the request, with no response to the sender; they are left hanging, which is what we want. If we reset the connection instead, they will know that they have been blocked. One caveat: a responder policy is evaluated once a request arrives, so the TCP handshake (and, on an SSL vserver, the TLS handshake) has already completed. A port scan will still see the listener; what the scanner does not get is any application-layer response to fingerprint.

In this example, I’ve bound the policy to the VPN vserver, but if you want to block ALL non-Ireland access, the policy can be bound globally. If you want information about the IP addresses that are being blocked, you can create an audit message action and reference it from the responder policy with its -logAction parameter:

add audit messageaction Dropped_IP_Info INFORMATIONAL "\"The following IP was detected and dropped: \"+CLIENT.IP.SRC+\" as the Geo IP database located it here: \"+CLIENT.IP.SRC.LOCATION"

This will log the relevant information on the appliance (and to Citrix ADM if you have it configured, which I cannot recommend enough).

The location database shipped on the appliance, while accurate, may not have the latest information, especially if you are on an older release. You can update it with a free database, or a more accurate paid one if you like. Information on where to download the database and how to convert those files into the appliance’s location file format is here:
https://docs.citrix.com/en-us/citrix-adc/current-release/global-server-load-balancing/configuring-static-proximity/add-a-location-file-create-static-proximity-db.html

I mentioned earlier that we can also block cloud users. This can be achieved using IP reputation, or simply by using Bot Management; both are only available in Premium edition. You can add this expression to the policy rule (with the OR operator: ||) to also drop connections coming from cloud providers:

CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(CLOUD_PROVIDERS)

However, that is only one of 13 potential bad-actor categories. Using the following will drop all of them:

CLIENT.IP.SRC.IPREP_IS_MALICIOUS

This will drop not only a nefarious individual, but also the botnets, spammers and scanners running automated IP sweeps to categorise your online presence and detect what you are running: they get no application response, so your login portal draws a blank in their inventories, which can only be a good thing. So, as they say in Star Trek, “Shields up” for your company resources, using Citrix ADC IP Location, IP Reputation and Responder.
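To make the geo allow-list above and the IP reputation expressions concrete, here is an added Python model of what the combined rule decides for a handful of client addresses. This is my example, not configuration from the post or from Citrix, and it does not talk to an appliance. It parses a constructed location table in the 8-column layout the Citrix location-file documentation describes (start IP, end IP, continent, country, region, city, ISP, organisation), resolves a client IP to a six-field location string, applies MATCHES_LOCATION-style patterns (treating an empty field or * as a wildcard is my reading of the .IE.... pattern, not a verified ADC rule), and then ORs in a constructed reputation feed standing in for IPREP_THREAT_CATEGORY / IPREP_IS_MALICIOUS. All addresses, locations and categories are made up.

```python
import bisect
import ipaddress

# Constructed location data in the 8-column layout Citrix documents for
# static-proximity location files (start IP, end IP, continent, country,
# region, city, ISP, organisation; "*" = unknown). Not real geolocation data.
LOCATION_DB = """\
203.0.113.0,203.0.113.127,Europe,IE,Dublin,Dublin,ExampleISP,ExampleOrg
203.0.113.128,203.0.113.255,Europe,GB,Northern Ireland,Belfast,ExampleISP,*
198.51.100.0,198.51.100.255,Europe,GB,England,London,ExampleISP,*
192.0.2.0,192.0.2.255,North America,US,Virginia,Ashburn,ExampleCloud,*
"""

# Constructed stand-in for the IP reputation feed: threat categories per prefix.
IPREP = {
    ipaddress.ip_network("192.0.2.0/24"): {"CLOUD_PROVIDERS"},
    ipaddress.ip_network("203.0.113.64/26"): {"SCANNERS", "BOTNETS"},
}

# The allow-list from the responder policy in the post, with CLI escaping
# removed: Republic of Ireland, or the Northern Ireland region of GB.
ALLOW_PATTERNS = (".IE....", ".GB.'Northern Ireland'...*")


def load_location_db(text):
    """Parse CSV rows into (start_int, end_int, location) tuples sorted by start."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, end, *fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"expected 6 location fields: {line!r}")
        rows.append((int(ipaddress.ip_address(start)),
                     int(ipaddress.ip_address(end)),
                     ".".join(fields)))
    rows.sort()
    return rows


def locate(db, ip):
    """Return 'continent.country.region.city.isp.org' for ip, or None if unknown."""
    addr = int(ipaddress.ip_address(ip))
    starts = [row[0] for row in db]
    i = bisect.bisect_right(starts, addr) - 1
    if i >= 0 and db[i][0] <= addr <= db[i][1]:
        return db[i][2]
    return None


def matches_location(location, pattern):
    """MATCHES_LOCATION-style comparison over six dot-separated fields.

    Assumption about the ADC's rules: an empty field or '*' in the pattern is
    a wildcard, other fields compare case-insensitively, and quotes around a
    field (as in the CLI example) are ignored. Short patterns are padded with
    wildcards.
    """
    loc_fields = location.split(".")
    pat_fields = pattern.split(".")
    pat_fields += ["*"] * (6 - len(pat_fields))
    if len(loc_fields) != 6 or len(pat_fields) != 6:
        raise ValueError("location strings and patterns have at most six fields")
    for have, want in zip(loc_fields, pat_fields):
        want = want.strip("'\"")
        if want in ("", "*"):
            continue
        if have.casefold() != want.casefold():
            return False
    return True


def threat_categories(ip, feed=IPREP):
    """Categories the reputation feed assigns to ip (empty set = not malicious)."""
    addr = ipaddress.ip_address(ip)
    cats = set()
    for net, categories in feed.items():
        if addr in net:
            cats |= categories
    return cats


def audit_line(ip, location):
    """Same shape as the audit message action in the post."""
    return (f"The following IP was detected and dropped: {ip} "
            f"as the Geo IP database located it here: {location or 'unknown'}")


def evaluate(ip, db, allow=ALLOW_PATTERNS, feed=IPREP, drop_categories=None):
    """DROP if no allow pattern matches the client's location, OR the client is
    in a blocked reputation category. drop_categories=None drops on any category
    (IPREP_IS_MALICIOUS); pass {"CLOUD_PROVIDERS"} to model IPREP_THREAT_CATEGORY.
    """
    location = locate(db, ip)
    # Fail closed in this model: an IP the database cannot place matches nothing.
    geo_ok = location is not None and any(matches_location(location, p) for p in allow)
    cats = threat_categories(ip, feed)
    blocked = cats if drop_categories is None else cats & set(drop_categories)
    if not geo_ok:
        return "DROP", audit_line(ip, location)
    if blocked:
        return "DROP", f"{ip} dropped: IP reputation categories {sorted(blocked)}"
    return "ALLOW", f"{ip} allowed from {location}"


if __name__ == "__main__":
    db = load_location_db(LOCATION_DB)
    for client in ("203.0.113.10", "203.0.113.200", "203.0.113.70",
                   "198.51.100.10", "192.0.2.5", "8.8.8.8"):
        decision, detail = evaluate(client, db)
        print(f"{decision:5} {detail}")
```

Two behaviours stand out that the policy lines alone do not make obvious. In this model an address the location database cannot place matches no allow pattern, so the NOT-ed expression fires and the client is dropped; whether your appliance does the same for an address missing from its database is worth testing before you bind the policy globally. And a client inside an allowed country is still dropped when the reputation feed flags it, which is exactly the effect of OR-ing the IPREP expression onto the geo rule.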

If you want to still allow this traffic but dial up the security, you can use the above expressions in your Endpoint Analysis and SmartAccess policy expressions. In this way you can still allow access to resources, but perhaps not permit certain Citrix published apps to be launched or accessed, or turn off clipboard, printing and client drive mapping for those sessions.
