
Intrusion Detection FAQ: What is Geolocation and How Does it Apply to Network Detection?

Algis Kibirkstis
November 2009

Two-factor authentication mechanisms have commonly combined "something you know", such as a password or passphrase, with a second element to increase authentication reliability: either "something you have" (such as an access card or token), or "something you are" (such as biometrics). A supplementary factor has lately been added to this listing to further enrich authentication capabilities: "somewhere you are", otherwise known as geolocation. Harnessing this capability in multi-factor authentication, organizations can restrict remote access to employees living in proximity to the workplace; and with travel schedule information, they can even introduce special access rules to support road warrior connectivity.

Local adaptations of geolocation can be implemented to support two-factor authentication through a token already common in corporate environments: the user access card. Through radio-frequency identification (RFID) or similar technologies, workstations can be configured so that they only allow a user to perform password-based authentication if the workstation's radio sensor can detect the proximity of the user's assigned access card. This model can be further extended: systems could be set up to accept authentication requests only if the user entered the employer's building through ID card access sensors located at a specific employee entrance; a workstation radio sensor losing the signal from an employee's ID card could trigger a screen lock on the workstation (which would happen when the user walked away from their desk). Challenges to the geolocation model, such as how to handle users who forget to card out of a data center before leaving on a business trip overseas, will be important obstacles for early adopters to overcome through policies, help desks, escalations and other standard mechanisms generally in place today.

Geolocation is a term used in information systems security circles for inferring the geographical location of a subject (a system or a person) from available information. This location capability is commonly performed by isolating a host system's IP address from a packet header, identifying the owner of the IP address range associated with the target system, discovering the owner's mailing address, and drilling down further, with the objective of pinpointing the physical location of the target IP address. This aspect of "drilling down" is critical, for although the owner of an IP address range may be located in one part of the world, basic routing capabilities can make any of the individual IP addresses in that range reachable from virtually anywhere. An organization's network administrator, armed with a current network diagram and perhaps a few network discovery tools, would be instrumental in helping locate a node of interest in their network.

From an IDS and IPS perspective, the ability to restrict or block traffic based on geolocation can greatly simplify a security administrator's job: in the event that a network attack originates from a particular country, packets originating from IP addresses physically located in that country could be summarily dropped for a period of time, all while continuing to accept traffic from "friendlier" areas. Similarly, organizations that only do business in certain parts of the world could configure their perimeter to always drop traffic coming from areas outside of their zones of interest, thereby limiting their potential risk.
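The two preceding paragraphs describe a lookup (IP address to owner range to country) followed by a perimeter policy (allowed zones plus a temporary block on a country seen attacking). The following Python is an added example written for this FAQ entry, not code from the original page or from any vendor product. It assumes a small, constructed range-to-country table built from documentation address blocks (no real geolocation database is used), constructed firewall-style log lines, and hypothetical function and class names (`lookup_country`, `GeoPolicy`, `evaluate_log`). The lookup uses longest-prefix match so that a more specific sub-range overrides its parent, which is the "drilling down" step the text warns about.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed range-to-country table (placeholder data, not a real geolocation
# database). A deployment would load a vendor database in its place.
GEO_TABLE = [
    ("192.0.2.0/24", "US"),       # TEST-NET-1, labelled "US" for this example only
    ("198.51.100.0/24", "CA"),    # TEST-NET-2, labelled "CA"
    ("203.0.113.0/24", "XX"),     # TEST-NET-3, fictitious country "XX"
    ("203.0.113.128/25", "YY"),   # more specific sub-range, fictitious country "YY"
]
NETWORKS = [(ipaddress.ip_network(cidr), cc) for cidr, cc in GEO_TABLE]


def lookup_country(ip):
    """Return the country code for ip by longest-prefix match, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


class GeoPolicy:
    """Perimeter policy: accept only allowed zones, with time-limited country blocks."""

    def __init__(self, allowed_zones, unknown_action="drop"):
        self.allowed = set(allowed_zones)
        self.temp_blocks = {}            # country code -> block expiry time
        self.unknown_action = unknown_action   # what to do when no range matches

    def block_country(self, cc, hours, now):
        """Drop everything from cc for the given number of hours."""
        self.temp_blocks[cc] = now + timedelta(hours=hours)

    def decide(self, ip, now):
        """Return (action, country) for a source address at time now."""
        cc = lookup_country(ip)
        if cc is None:
            return self.unknown_action, cc
        expiry = self.temp_blocks.get(cc)
        if expiry is not None:
            if now < expiry:
                return "drop", cc
            del self.temp_blocks[cc]     # block window has elapsed, fall through
        return ("accept" if cc in self.allowed else "drop"), cc


def evaluate_log(lines, policy, now):
    """Apply the policy to constructed 'ts src=.. dst=.. proto=..' log lines."""
    results = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        action, cc = policy.decide(fields["src"], now)
        results.append((fields["src"], cc, action))
    return results


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2009-11-01T10:00:00 src=192.0.2.10 dst=10.0.0.5 proto=tcp",
    "2009-11-01T10:00:01 src=198.51.100.7 dst=10.0.0.5 proto=tcp",
    "2009-11-01T10:00:02 src=203.0.113.9 dst=10.0.0.5 proto=tcp",
    "2009-11-01T10:00:03 src=203.0.113.200 dst=10.0.0.5 proto=tcp",
    "2009-11-01T10:00:04 src=100.64.0.1 dst=10.0.0.5 proto=tcp",
]
NOW = datetime(2009, 11, 1, 10, 0, 0)


def build_policy():
    """Business zones US, CA and YY; YY is temporarily blocked after an attack."""
    policy = GeoPolicy(allowed_zones={"US", "CA", "YY"})
    policy.block_country("YY", hours=24, now=NOW)
    return policy


def demo():
    return evaluate_log(SAMPLE_LOG, build_policy(), NOW)


def decision_after_expiry():
    """Show that the YY block lifts once its window has passed (25 hours later)."""
    return build_policy().decide("203.0.113.200", NOW + timedelta(hours=25))


if __name__ == "__main__":
    for src, cc, action in demo():
        print(f"{src:16} {cc or '??':3} {action}")
```

Note that the unmatched address falls to the policy's `unknown_action`, which defaults to drop: an organization restricting itself to known zones should treat "no match" as outside those zones rather than silently accepting it.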

