R3

Strengthening Your Security Perimeter: The Power of Geofencing in Conditional Access Policies

In our ongoing series about implementing robust conditional access policies, we will be exploring various tactics to enhance your organization’s security posture. Each of these tactics will add another layer to your cyber defenses and make your network more secure.  

Before diving into today’s focus on geofencing, it’s worth noting that conditional access policies serve as your digital organization’s security guards, making real-time decisions about who can access what resources and under what conditions. These conditions are built around scenarios describing how a bad actor might attempt a breach. Today, we will assume that the bad actors are located in a foreign country/location. 

Overall, a comprehensive conditional access strategy typically incorporates multiple policy types working in concert. Some other key policies you might consider implementing include: 

  • Authentication-based policies that require Multi-Factor Authentication (MFA) for specific applications or user groups 
  • Device compliance policies ensuring only managed and compliant devices can access corporate resources 
  • Risk-based policies that adapt security requirements based on sign-in risk levels 
  • Application-based policies restricting access to specific cloud apps 
  • Session control policies limiting download and sharing capabilities 
  • Network location policies governing access from trusted networks 
  • Time-based policies restricting access during specific hours 
  • User and group-based policies targeting specific segments of your workforce 
  • Platform-based policies controlling access from different operating systems 
  • Data sensitivity policies protecting classified information 

Today, we’re focusing on one of the most powerful yet often overlooked security measures: geofencing. Recent events have highlighted why this geographic-based access control is crucial in today’s global threat landscape. 

The Real Cost of Geographic Blind Spots: A Cautionary Tale 

Consider this very possible hypothetical incident: A non-profit organization faced a severe security breach when an employee fell victim to a sophisticated phishing attack. The aftermath? Their email account was compromised, and unauthorized external emails were sent en masse from their mailbox. As the cybersecurity team investigated, the malicious login was traced to an IP address in Nigeria – thousands of miles away from any legitimate business operations. 

The most frustrating aspect? This entire incident could have been prevented with a properly configured geofencing policy. 

Understanding Geofencing in Conditional Access 

Simply put, geofencing creates a virtual perimeter around your network based on geographic locations. By implementing location-based access controls, you can block connection attempts from countries where your organization doesn’t operate, significantly reducing your attack surface. 

Implementation Strategies 

Several platforms offer robust geofencing capabilities (these are by no means the only solutions that provide geofencing): 

  1. Microsoft Azure AD Conditional Access
  2. Cisco Meraki
  3. Nerdio Management Portal

Each solution allows you to create granular policies that align with your security requirements while maintaining business functionality. Talk to a member of R3 to learn more about these features. 

Accommodating Remote Workers and International Travel 

One common concern about geofencing is its impact on legitimate international travel. Here’s a practical framework for managing this scenario: 

  1. Create a dedicated “Travelers Group” in your identity management system 
  2. Implement a policy that blocks sign-ins from restricted countries unless the user belongs to the Travelers Group 
  3. Establish a process where employees submit travel requests through your ticketing system 
  4. Have your Security Operations Center (SOC) add travelers to the group for the duration of their trip 
  5. Automatically remove users from the Travelers Group when their travel period ends 
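The five steps above form a small policy state machine. The following Python model is an added example, not code from R3 or from any of the platforms listed earlier: it stands in for the directory group with an in-memory object, treats travel windows as inclusive dates, and shows that a sign-in from a restricted country is blocked both before and after the approved window, not only after step 5 has run.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed example list of countries the baseline policy blocks
# (ISO 3166-1 alpha-2 codes); substitute your own documented list.
RESTRICTED_COUNTRIES = {"NG", "RU", "KP"}

@dataclass
class TravelWindow:
    """An approved travel request (step 3); start/end are inclusive ISO dates."""
    user: str
    start: str
    end: str

    def covers(self, day):
        return date.fromisoformat(self.start) <= day <= date.fromisoformat(self.end)

@dataclass
class TravelersGroup:
    """In-memory stand-in for the directory group the SOC maintains (steps 1 and 4)."""
    members: dict = field(default_factory=dict)   # user -> TravelWindow

    def add(self, window):
        self.members[window.user] = window

    def expire(self, today):
        """Step 5: remove users whose approved trip has ended; returns who was removed."""
        today = date.fromisoformat(today)
        removed = [u for u, w in self.members.items() if today > date.fromisoformat(w.end)]
        for u in removed:
            del self.members[u]
        return removed

    def is_active(self, user, today):
        w = self.members.get(user)
        return w is not None and w.covers(date.fromisoformat(today))

def evaluate_sign_in(user, country, today, group):
    """Step 2: block sign-ins from restricted countries unless the user is an
    active member of the Travelers Group. Returns (decision, reason)."""
    if country not in RESTRICTED_COUNTRIES:
        return ("allow", "country not restricted")
    if group.is_active(user, today):
        return ("allow", "approved traveler")
    return ("block", f"sign-in from restricted country {country}")
```

Running `expire()` on a schedule (a daily job or an access review) is what keeps the exception from quietly becoming permanent.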

Best Practices for Geofencing Implementation 

  1. Start with a baseline policy blocking high-risk countries 
  2. Document all countries where your organization legitimately operates 
  3. Maintain an up-to-date inventory of excluded regions 
  4. Implement robust logging and monitoring 
  5. Regularly review and adjust policies based on business needs 
  6. Create clear procedures for handling exceptions 

Strategies for Bypassing Geofencing 

It’s important to understand the vulnerabilities of each conditional access strategy. The main ways users might try to bypass geofencing include: 

VPNs and Proxies 

VPNs work by creating an encrypted tunnel between the user and the VPN server, so traffic appears to originate from the VPN server’s location rather than the user’s. Users can therefore use VPNs or proxy servers to mask their true location. If your geofencing only blocks specific countries but allows the countries where VPN servers are located, this creates a bypass. 

Protection measures: 

  • Block access from known VPN and proxy IP ranges 
  • Use Azure AD or similar platforms to detect and block VPN/proxy connections 
  • Implement policies that require managed devices, which prevent unauthorized VPN usage 
  • Consider blocking all connections except from approved corporate VPN solutions 
  • Maintain updated lists of known VPN/proxy IP ranges in your blocking rules 
  • Look for connection metadata that indicates VPN usage:  
      • Multiple logins from different countries in short timeframes 
      • Known VPN port usage (1194, 443, 500, 4500; note that 443 is also ordinary HTTPS, so on its own it is not a reliable indicator) 
      • Suspicious TLS/SSL certificate patterns 
  • Implement Azure AD’s “Block access when using VPN” condition 
  • Use endpoint management tools to prevent unauthorized VPN client installation 
  • Consider allowing only approved corporate VPN solutions through Mobile Device Management (MDM) policies 

Types of problematic VPN services:  

  • Commercial VPNs (NordVPN, ExpressVPN, etc.) 
  • Self-hosted VPNs on cloud services 
  • Browser-based VPNs (Opera VPN, browser proxies) 
  • TOR network connections 

IP Spoofing 

More sophisticated attackers might attempt to spoof their IP address. This is harder to accomplish but still possible. Attackers modify packet headers to show false source IP addresses. Common techniques include:  

  • TCP/IP stack manipulation 
  • Man-in-the-middle attacks 
  • BGP hijacking (more sophisticated) 
  • Source routing manipulation 

Protection measures: 

  • Implement additional authentication factors beyond just location 
  • Use tools that can detect IP spoofing attempts 
  • Monitor for suspicious login patterns 
  • Implement ingress filtering (RFC 2827) 
  • Use reverse-path forwarding checks 
  • Monitor for impossible travel scenarios 
  • Deploy IDS/IPS systems configured to detect spoofing patterns 
  • Implement strict SPF, DKIM, and DMARC for email systems 
  • Use TCP sequence number randomization 
  • Deploy anti-spoofing rules on firewalls 

DNS Manipulation 

Attackers might try to manipulate DNS settings to bypass location checks. This is particularly relevant for systems that use DNS-based geolocation. Methods attackers use:  

  • DNS cache poisoning 
  • Rogue DNS servers 
  • DNS tunneling 
  • Local DNS resolver manipulation 
  • DNS rebinding attacks 

Protection measures: 

  • Enforce DNS settings through group policy 
  • Use secure DNS protocols 
  • Monitor for unauthorized DNS changes 
  • Implement DNSSEC 
  • Use DNS over HTTPS (DoH) or DNS over TLS (DoT) 
  • Lock down DNS settings via Group Policy 
  • Monitor for:  
      • Unusual DNS query patterns 
      • High volumes of DNS requests 
      • Requests to suspicious domains 
      • DNS requests to non-standard ports 
  • Deploy DNS filtering solutions (like Cisco Umbrella) 

Comprehensive Protection Framework 

Network Level: 

  • Implement Zero Trust Network Access (ZTNA) 
  • Deploy Next-Generation Firewalls (NGFW) with geolocation capabilities 
  • Use Network Access Control (NAC) solutions 
  • Enable NetFlow monitoring for traffic analysis 

Identity Level: 

  • Require device certificates for authentication 
  • Implement conditional access policies beyond location:  
      • Device health checks 
      • User risk levels 
      • Application sensitivity 
      • Time-based access controls 
  • Use adaptive MFA that considers location context 

Monitoring & Detection: 

  • Set up SIEM rules for:  
      • Rapid geography changes 
      • Off-hours access 
      • Multiple failed login attempts 
      • Unusual device characteristics 
  • Deploy User and Entity Behavior Analytics (UEBA) 
  • Implement continuous authentication monitoring 
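“Rapid geography changes” here, “impossible travel” under IP spoofing, and “multiple logins from different countries in short timeframes” under VPNs are the same detection. The Python below is an added example, not code from R3 or from any SIEM product: it runs that check over constructed sign-in records (time, user, country, and the latitude/longitude the IP geolocated to, all made up for illustration), computes the great-circle distance between consecutive sign-ins per user, and alerts when the implied speed exceeds a threshold. Two sign-ins at the same instant from different places are treated as infinite speed rather than dividing by zero.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in records: ISO-8601 time, user, country, lat, lon.
# Coordinates are the geolocated city for the source IP; none of this is real log data.
SAMPLE_SIGNINS = """\
2025-01-15T08:00:00Z,alice,US,40.7128,-74.0060
2025-01-15T10:00:00Z,alice,NG,6.5244,3.3792
2025-01-15T09:00:00Z,bob,US,40.7128,-74.0060
2025-01-15T17:00:00Z,bob,GB,51.5074,-0.1278
2025-01-15T11:00:00Z,carol,DE,52.5200,13.4050
2025-01-15T11:30:00Z,carol,DE,52.5200,13.4050
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(a))

def parse_signins(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, country, lat, lon = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, country, float(lat), float(lon)))
    return events

def detect_impossible_travel(text, max_speed_kmh=900.0):
    """Flag consecutive sign-ins by the same user whose implied travel speed exceeds
    max_speed_kmh (the default is roughly airliner cruising speed). Returns alerts."""
    by_user = defaultdict(list)
    for ev in parse_signins(text):
        by_user[ev[1]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort()                       # chronological order per user
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            # Same-instant sign-ins from two different places: infinite speed
            speed = km / hours if hours > 0 else (math.inf if km > 0 else 0.0)
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev[2], "to": cur[2],
                               "km": round(km), "hours": hours, "speed_kmh": round(speed)})
    return alerts
```

On the sample data only alice trips the rule (New York to Lagos in two hours); bob’s New York to London in eight hours stays under the threshold, which is the kind of legitimate travel a Travelers Group exception should cover.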

Conclusion 

Geographic-based access control represents a crucial layer in your security strategy. While no single security measure is foolproof, combining geofencing with other conditional access policies creates a robust defense against unauthorized access attempts. 

Remember: in cybersecurity, prevention is always less costly than remediation. The non-profit organization in our example learned this lesson the hard way – don’t let your organization be next. 

Stay tuned for our next installment in this series, where we’ll explore risk-based conditional access policies and their role in adaptive security frameworks. 
