In a scenario where your SMB or enterprise gets constantly bombarded (portscans, brute force, spam, etc.) by Russia, China, Brazil, et al., and where you don’t do business in these countries, where’s the best place to block them?
Here are a few options (add as necessary):
- Border router ACL
- Firewall ACL
- Separate, dedicated appliance
- Network IPS
- Border router routing (blackholing)
This is also assuming you can’t do a simple, tight whitelist ACL on the firewall–which would make the solution pretty easy–and instead have to specifically blacklist because there are a large number of legitimate foreign IP blocks.
Related: Do you guys blacklist at a granular level (hundreds or thousands of networks), or do you do only the few primary /8’s?
What are your thoughts on the best method?