Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Braden_Bersik
Participant

Restrict VPN access by GEO location

I've been tasked with restricting access to our VPN by source country. I've been given a list of "approved countries" to allow, all others are to be denied access. We are currently restricting inbound/outbound Internet access by country (separate gateways from our VPN gateways), which I fully understand and support (especially the outbound!).

Conceptually

What are the benefits or value of restricting access to VPN gateways by source country?

Is the security gain worth the effort when it is fairly easy to circumvent?

Is anyone else doing / trying to do this?

 

Technically

We are currently using the Mobile Access Portal (ssl vpn) for third party access, and Remote Access (client-based) for employee remote access.

Gateways are running R80.40 JHF 91

I've implemented an access control layer with explicit rules using updatable GEO objects. This layer is the first layer of 3, so that it is processed first. However, implied rules take precedent. So in conjunction with the policy, I've implemented configuration based on 2 sk's:

SK105740 - HTTP and HTTPS requests to external interfaces create implied rule 0 accepts in SmartView Tracker (c... - This allows policy to control access to the Mobile Access Portal (clientless). This works brilliantly. We have successfully restricted access based on our "approved countries" list.

SK62692 - Ports used on Security Gateway for SecureClient and Endpoint Security VPN (checkpoint.com) - This was provided to us by TAC and handles the Remote Access configuration. The idea is to disable the "Accept Remote Access control connections" under Global Properties --> Firewall. This SHOULD disable the implied rules and allow explicit rules in policy take over. After implementing this, implied rules are still allowing all connections.

I've updated the TAC case and waiting for further guidance. However, I'm interested in everyone's input, suggestions, recommendations, etc. Especially if you've implemented this in your environment and can share insight on how you have it working.

I'm also very curious about anyone's thoughts around the "conceptual" questions above.

 

Much obliged,

Braden

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

I haven't heard of anyone implementing this for remote access.
The fact disabling the relevant implied rules option isn't working will definitely require some assistance from R&D (possibly a bug).

_Val_
Admin
Admin

Personally, I do not see a point of applying GEO restrictions to RAS VPN. Proper user/endpoint auth should be much more effective when filtering unwanted connections.