Attackers operating from large blocks of network address space have recently used zero-day exploits to steal financial data. In one case, the exploit was crafted to transmit an individual's financial information to a country with a poor record of tracking and prosecuting Internet criminals.
I won't name the country, but these networks sit beyond the law enforcement reach of most civilized nations. How do you keep attackers on such networks from mounting the same attack against your organization's network?
You can regain control of your network by answering a few questions about the purpose of your organization's network:
- Do we have a global business?
- Is our business local or regional?
- Do our internal users need access to every network on the planet?
Answering these questions lets you greatly limit your company's exposure to attackers operating beyond the reach of law enforcement in your country. If your business is local or regional, the address space that genuinely needs to reach your network, and that your users need to reach, is the address space of your own area of the world; everything else can be treated as hostile by default.
Do your research
The Internet is a big place, but one organization sits at the top of address allocation: the Internet Assigned Numbers Authority (IANA). IANA delegates blocks of public IP address space to the Regional Internet Registries (RIRs), which in turn allocate and assign smaller blocks to ISPs and organizations in their regions.
At the time this was written there were four RIRs; a fifth, AFRINIC, has since taken over the African address space that was previously split between ARIN and RIPE NCC:
- Asia Pacific Network Information Centre (APNIC) for Asia and the Pacific region
- American Registry for Internet Numbers (ARIN) for North America and parts of the Caribbean (and, historically, sub-equatorial Africa)
- Latin American and Caribbean Internet Addresses Registry (LACNIC) for Latin America and parts of the Caribbean
- RIPE Network Coordination Centre (RIPE NCC) for Europe, the Middle East, and Central Asia (and, historically, African countries above the equator)
- African Network Information Centre (AFRINIC) for Africa
Each RIR publishes its allocations: a whois service for individual lookups, and a complete statistics file (named delegated-<rir>-extended-latest on each RIR's FTP/HTTP server) that lists every allocated and assigned block together with the country code it was registered to. With a little detective work at each registry you can determine which IP address blocks belong to each country or region, and regenerate that list whenever you need it, since allocations change.
Combining this information with your answers to the questions about the purpose of your organization's network, you can begin to diminish your vulnerability to hostile networks and concentrate on serving your organization's target communities.
Limit network exposure
Let's look at an example. If a business network serves only the European community, then you could permit only the address blocks RIPE NCC lists as allocated or assigned and block every other IP address at the network boundary. The ranges reproduced below are illustrative only; allocations change, so generate the real list from RIPE NCC's published data rather than copying it from an article:
126.96.36.199 - 188.8.131.52
184.108.40.206 - 220.127.116.11
18.104.22.168 - 22.214.171.124
Apply this block or access list to both inbound and outbound traffic: inbound, so that hostile networks cannot reach your exposed services, and outbound, so that a compromised internal host cannot ship data to them. Integrate the strategy with any existing blocks or filters for services you already have in place rather than running it as a separate, conflicting rule set. Two caveats apply. First, registry-based filtering is coarse: an attacker can operate from a compromised host or proxy inside your region, so this reduces exposure but does not replace patching and monitoring. Second, an outbound default-deny will also cut off legitimate services hosted outside the region (DNS resolvers, software updates, mail relays, content delivery networks), so carve out explicit exceptions for them before enforcing the rule. With those in mind, this simple strategy defines the business area of your network and reduces your organization's exposure to hostile attacks.
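The research step (reading an RIR's published allocation data) and the enforcement step (turning it into a boundary filter) described above, as an added example that is not code from the original article. It assumes the delegated-<rir>-extended-latest file format every RIR publishes (registry|cc|type|start|value|date|status|...) and renders an nftables rule set with an allow-list applied inbound and outbound. The sample records below are constructed from documentation address ranges, not real RIPE NCC allocations, so the script runs offline; the function and table names are my own.

```python
"""Build a regional allow-list from an RIR delegated statistics file.

Added example, not the article's own code. The delegated-extended format is
pipe-separated: registry|cc|type|start|value|date|status|opaque-id. For ipv4
records 'value' is a host count (not always a power of two, so one record can
span several CIDR blocks); for ipv6 records it is a prefix length.
"""
import ipaddress
from typing import Iterable, List, Optional, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample records (documentation prefixes, not real allocations).
# The NL and FR counts are deliberately chosen so that one record maps to two
# CIDR blocks, which is common in real files.
SAMPLE_DELEGATED = """\
2|ripencc|20230101|5|19830705|20221231|+0100
ripencc|*|ipv4|*|3|summary
ripencc|DE|ipv4|192.0.2.0|256|20000101|allocated|abc123
ripencc|NL|ipv4|198.51.100.0|768|20010101|assigned|def456
ripencc|FR|ipv4|203.0.113.0|512|20020101|allocated|ghi789
ripencc|GB|ipv6|2001:db8::|32|20030101|allocated|jkl012
ripencc|DE|asn|64496|1|20040101|allocated|mno345
"""


def parse_delegated(text: str, countries: Optional[Set[str]] = None) -> List[Network]:
    """Return the IPv4/IPv6 networks in a delegated file, in file order.

    Only 'allocated' and 'assigned' records count; version and summary lines,
    ASN records and (if `countries` is given) other country codes are skipped.
    """
    nets: List[Network] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:           # version header or summary line
            continue
        _registry, cc, kind, start, value, _date, status = fields[:7]
        if kind not in ("ipv4", "ipv6") or status not in ("allocated", "assigned"):
            continue
        if countries and cc not in countries:
            continue
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1   # value is a host count
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.IPv6Network(f"{start}/{value}"))  # value is a prefix length
    return nets


def allow_list(nets: Iterable[Network]) -> List[Network]:
    """Merge adjacent/overlapping blocks so the firewall set stays small."""
    nets = list(nets)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_allowed(addr: str, nets: Iterable[Network]) -> bool:
    """Check a single source/destination address against the allow-list."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def render_nftables(nets: Iterable[Network]) -> str:
    """Render a default-deny nftables table that permits only allow-listed
    sources inbound and allow-listed destinations outbound."""
    nets = list(nets)
    v4 = ", ".join(str(n) for n in nets if n.version == 4) or "0.0.0.0/32"
    v6 = ", ".join(str(n) for n in nets if n.version == 6) or "::1/128"
    return "\n".join([
        "table inet region_filter {",
        f"  set allowed_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set allowed_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ip saddr @allowed_v4 accept",
        "    ip6 saddr @allowed_v6 accept",
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        "    # add explicit exceptions here for out-of-region DNS, updates, mail",
        "    ip daddr @allowed_v4 accept",
        "    ip6 daddr @allowed_v6 accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(render_nftables(allow_list(parse_delegated(SAMPLE_DELEGATED))))
```

Feed a real file (for example the one RIPE NCC publishes) to `parse_delegated`, write the output to a file, and load it with `nft -f`. Because allocations change, run this from a scheduled job rather than committing a static list; and because the output chain defaults to drop, add the out-of-region exceptions noted in the comment before enabling it on a production border.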