GeoIP Use Cases for Network Traffic Analysis
Using GeoIP for Network Traffic Analysis & Security Monitoring
GeoIP refers to the method of locating a network device’s geographic location by using that device’s IP address. This can be very useful for identifying where your data is going or for spotting suspicious activity on your network.
For many Network Administrators, Wireshark continues to be the tool of choice when it comes to troubleshooting network issues. I use it all the time myself and it is excellent for diagnosing issues associated with a single client or host. You can also integrate GeoIP databases with Wireshark so you can see countries associated with IP packets.
However, Wireshark struggles when it comes to monitoring traffic flowing through a switch, especially at the network core. You will end up with too much data and it can be hard to spot problems.
This is where our LANGuardian product fits in, as you can use it to monitor network traffic on your network. You simply need to deploy it as a physical or virtual appliance, setup a SPAN or mirror port and you are good to go! I am using a beta version of LANGuardian with GeoIP features in my home lab and I am using it for some interesting use cases.
GeoIP Use Case #1: Where is my data going?
I use a lot of cloud services for both personal and work tasks. If we upload something to Google drive or synchronize something with Dropbox, do we care about where our data goes? For most people, the answer to that is no, but if you are dealing with sensitive data, then you may want to check this out.
Thankfully most cloud service providers encrypt all sessions now, but that makes things difficult for network monitoring tools. However, if you use a product like LANGuardian which can extract metadata from network packets then you can get an understanding as to what is happening. In the example below, we can see encrypted connections from my network to Google drive addresses which are registered in the US.
GeoIP Use Case #2: What servers are users\devices connecting to outside my network?
Watch out for any connections to servers in countries where you would not expect. For example, on my network I noticed a lot of traffic associated with a server in The Netherlands. Drilling down on this revealed the traffic was associated with connections over UDP 443 which is typical of private VPN connections.
GeoIP Use Case #3: Check for suspicious inbound activity
Most networks will have a very strict policy on what traffic is allowed inbound into a network. What I mean by inbound is where the connection is established by a client or server outside the networks perimeter. Typically this will be limited to services like email. A review of the activity within my lab showed some activity associated with UDP connections. Further analysis revealed this to be BitTorrent activity – the high server port number is also an indicator of BitTorrent activity.
GeoIP Use Case #4: When investigating IDS\security events, what are the associated countries?
When you are investigating a security issue you need to have as much data as possible. What devices were targeted, where did the activity come from, what applications were used, was any data copied etc. In this next image, we can see that an IDS event has triggered due to BitTorrent activity and the client in question has made connections to other clients in many different countries.
If you are interested in testing a beta version of our GeoIP integration, please email us at: firstname.lastname@example.org