ITworld: Keep bad guys off your network by finding out where they live

The time is ripe to get started using location-based services in your enterprise. No matter that you have Foursquare check in fatigue: this is a different aspect, and something that is useful and worth the time and has direct business benefit. More businesses are using location services such as geofencing, or the ability to set particular geographic limits around a group of IP addresses or GPS coordinates, to focus their marketing efforts and better secure their networks. Using location services can help you do your job better and cut your company’s overhead without spending a lot of additional capital.


There are a lot of great case studies of the benefits of geofencing: Applebee’s and Outback Steakhouse restaurant chains are using it to more closely target their advertising messages and have seen an increase in customers. Shopping malls are producing display ads that eerily mimic those found in “Minority Report” that recognize you as you walk by. And many network administrators are finding that location services keeps the bad guys out of their networks, at least for the moment.


The vendors of typical IT products such as firewalls and intrusion detection appliances in most cases already include location services in their products. They make use of one of the third-party geofencing service providers to build in this feature into their products. You should take some time to understand the concept and make it an important part of your arsenal.


Why? Several reasons. First, geofencing can help you better understand who is coming to visit your corporate website and help you improve your content to match particular audiences, or customize your pages to particular locations. It can also be used to identify your potential threats or particular network traffic patterns that would otherwise be lost in a sea of terse log entries. They can produce powerful visualizations that can be used to illustrate top network bottlenecks, or where you need to add bandwidth to deal with network slowdowns. Geolocation services can help you track down the origin of email spam of particularly egregious offenders. And they are a helpful way to isolate particular customers or see which locations need additional marketing or sales resources too.


The technology does have one drawback, however: the location accuracy isn’t perfect, although the geolocation databases have improved over the past few years to be able to more closely map IP addresses to particular ZIP codes or specific locations. And in some situations, you will be overwhelmed with data whether you display it on a map or review it in a log file. Nevertheless, they do provide a good first cut at seeing what is going on in a number of situations.


Perhaps no better illustration of the power of geofencing and data visualization is that of crime mapping. When you see a crime map, it is abundantly clear what is going in your neighborhood: where are the break-ins and assaults, how close are they to your particular home, and other information. If you had the list of crimes in a tabular form it would take you a lot longer to understand what is going on.

The crime maps have spawned an entire new collection of civic hacking activities called crowdmapping where communities have taken public data and produced a series of powerful visualizations such as locations of street closures, public amenities, and emergency shelters.


But how can you track down crimes (or at least questionable activities) committed on your own network? Let’s first look at your website traffic. There are several public geolocation services, such as Geobytes and IP2Location, that can be added to Web servers to translate the IP addresses in your server logs into actionable location information. They make use of various domain registration information, reverse DNS lookups, and some intelligence about the particular Internet service provider that routes traffic to those addresses. Both services have documented APIs that can be used to work programmatically with a number of different Web languages, including Perl, Ruby and Php.


This is a good start, but what about something that you already are using, such as your network firewalls? Many of them, including Cisco’s ASA, Checkpoint Software and Palo Alto Networks, have integrated geofencing services. When you set up their firewall rules, you can exclude or monitor traffic based on the country of origin. This can be helpful if you examine your firewall logs and see unexpected and unwanted traffic, such as exploits, coming from these countries. For example, let’s say you are prohibited by law from doing business in certain export-controlled countries such as Cuba or North Korea. Wouldn’t you like to know if your staff is handling support requests from Cubans? This could be a good indication that your products are entering those countries through grey markets. That is where some geofencing work could be handy. Set up a firewall rule to report on these activities and you can easily find out.


Some of the firewall vendors have taken this a step further. They have integrated the geofencing with their own reputation management systems so they can tie in their protection and identify particular domains that are known to send malware or to be able to locate where lots of exploits originate. Here is an example using the McAfee Firewall and its reputation management service. You can select particular countries to deny or allow traffic, using a simple series of menus. McAfee comes with some preset groups, such as countries with US export controls.

With another security product, you can actually visualize one of your network attacks as the packets move across the planet from router to router and country to country. This is a feature found in Solera Networks DeepSee intrusion protection system, and they can take packet capture files from their system. When you bring up Google Earth, you see the routes moving back and forth. You can identify unusual traffic patterns and flag suspicious traffic from specific locations and then export them as Google Earth KML files.


In addition to the analytical value, this feature also can be impressive if you need to play the KML visualization for your management and show them how global the threats to your network might be. But network security isn’t the only collection of products that takes advantage of geofencing. Many of the dozens of social media network monitoring tools also come with this feature, which again can be used for visualizing trends in your Tweets or being able to watch for particular customer Facebook interactions paired with individual retail locations, for example. Again, these tools integrate the geofencing feature and allow you to use location as another filter to examine the collection of social media posts, just as you would use keyword searches or time of day filters in these products.


Many of the social media monitoring tools have this feature, including Expion, Simply Measured, Visible Technologies and Ubervu, just to name a few. Tracx takes this a step further. They have this neat heat map showing you the geolocation of the posts that you are analyzing, and how they are concentrated in particular areas. Again, this is useful for spotting trends or to track down particular groups of your customers that may have had a superior or inferior experience at one of your retail locations.

As you can see, it is time to take another look at geolocation services. Location is a lot more than a bunch of Foursquare check ins. It can be handy in a number of circumstances and help you be more effective at doing your job.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.