GeoDB - Accuracy and expectations

Ella Bella
Level 1

So I have a customer that gets hit a fair bit with intrusion attempts etc. They only require external terminal server connections for say country "x".

I have created a firepower control policy which blocks (with reset) all traffic originating externally with an internal destination on port 3389 from all countries except country "x". - I created a geolocation object called "Geo_Restofworld" and selected all continents and countries except country "x".

So the policy only has one rule, which blocks "Geo_Restofworld" traffic to port 3389. The default action is Trust all traffic.

The rule appears to work really, really well. It does indeed block a LOT of traffic from outside of country "x"; however, there is a single IP that was allowed and logged, which, if I do a lookup on the IP address, I notice is definitely from country "y", which is included in my "Geo_Restofworld" object.

So, is the Firepower GeoIP database not to be 100% trusted? I checked and I have the latest version installed (automatic updates). Is there any way to modify or update the current GeoIP database?

1 Reply

Oliver Kaiser
Level 7

You will not achieve 100% accuracy using GeoIP. According to MaxMind (a widely used GeoIP service provider), an accuracy of 99.8% at country level is to be expected. GeoIP updates are released every week for Firepower (~5-7 days), so a window for false positives/negatives is definitely possible.

There is no way to manually edit the GeoIP database, but you could create a custom blacklist which you can automatically download every 30 minutes from a web server to your FMC and attach to your access control policy.

As with every security mechanism, nothing will ever protect you 100%. Stack various security mechanisms to achieve an acceptable protection rate; false positives and false negatives are to be expected.
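An added example, not from this thread or from Cisco: a small Python script that scans constructed connection-event rows for sessions that were allowed to port 3389 from outside the permitted country (the symptom described in the question) and renders the offending sources as a plain one-address-per-line text list, the shape a custom Security Intelligence list served from a web server takes. The CSV columns, country codes and addresses are constructed for the example and are not FMC's export format.

```python
import csv
import io
import ipaddress

# Constructed sample export of connection events (not real FMC output).
# Columns: src_ip, src_country (GeoIP lookup result), dst_port, action.
SAMPLE_EVENTS = """src_ip,src_country,dst_port,action
203.0.113.10,X,3389,Block
198.51.100.7,Y,3389,Allow
198.51.100.7,Y,3389,Allow
192.0.2.44,X,3389,Allow
203.0.113.99,Z,443,Allow
"""

ALLOWED_COUNTRY = "X"   # the only country permitted to reach the terminal server
RDP_PORT = 3389


def find_geoip_misses(csv_text, allowed_country=ALLOWED_COUNTRY, port=RDP_PORT):
    """Return {src_ip: hit_count} for connections that were allowed to the RDP
    port although the lookup places the source outside the allowed country.
    These are the sessions the geolocation rule should have reset."""
    misses = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["dst_port"]) != port or row["action"] != "Allow":
            continue
        if row["src_country"].upper() == allowed_country.upper():
            continue  # allowed country: expected to pass
        misses[row["src_ip"]] = misses.get(row["src_ip"], 0) + 1
    return misses


def build_feed(misses):
    """Render the offending sources as a text list, one address per line,
    sorted numerically, so it can be published for the FMC to fetch on its
    periodic schedule. Malformed entries raise ValueError instead of being
    written into the feed."""
    addresses = sorted(misses, key=lambda s: ipaddress.ip_address(s))
    return "\n".join(addresses) + "\n" if addresses else ""


if __name__ == "__main__":
    hits = find_geoip_misses(SAMPLE_EVENTS)
    print(hits)              # {'198.51.100.7': 2}
    print(build_feed(hits), end="")
```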
