An Information Security Community
Maybe you already have read the news: the local authority of the state of Niedersachsen in Germany seems to have blocked various anonymizing services such as Tor from accessing the state's websites.
The state office for statistics and communications technology stated that they have blacklisted several anonymizing services for security reasons, to better protect their infrastructure from the cyber threat.
Of course there is already an outrage going on in the internet and privacy community.
But let's think about that for a moment. Why is blocking anonymizing services a good or bad idea?
I must admit that I too sometimes think about how to minimize attack surface of systems that are exposed to the internet.
Depending on the service I want to protect the following things spring to mind:
1.) Block/allow depending on regional registry / geo-ip information
Why should I allow the whole world to connect to my extranet vpn-server when my partners only need to connect from within the country. I could at least limit it to RIPE addresses.
2.) Block/allow depending on local time.
Why should I allow people to connect to a system that is only needed during business hours?
If I don't have the staff to monitor the service and corresponding infrastructure 24/7 but I have one that is able to cover normal business hours, that could actually make sense, as long as my customers only need the service during normal business hours.
Unfortunately today most things on the internet are there for exactly one reason: people don't want to be limited to a physical location or to certain business hours. This is one of the most important advantages of the internet, that you can have exactly this independence and freedom.
3.) If you want to use my service it is totally acceptable that I want to know who I am dealing with, isn't it?
Or would you let random people enter your house that are totally unknown to you and are not willing to tell who they are?
So far, so good. But if you want to put these ideas to praxis, you quickly realize that they are just not the right answer to the problem of protecting your systems - at least in most instances.
1.) We are using the internet because it is the internet. Blocking based on geo-ip will only give you a false sense of security and not protect you if you are vulnerable. If someone wants to attack you, he would just use an ip-address which isn't blocked. You could reduce the number of IDS alerts caused by the usual "internet-attacks background noise" for a while though. When we were thinking about geo-ip based filtering, we quickly realized that there are too many cases in which we would deny legitimate access. Even if those were only corner cases the resulting management overhead would have just been disproportionate and inefficient. It's far more effective and efficient to concentrate on hardening and monitoring.
2.) We are using the internet because it is the internet. 24/7/365. This is what people want and expect from the internet. So time based filtering is not an option for most internet services.
3.) Filtering anonymizers. Well, if you really need to know the identity of your customer, users or guest, there are other means to achieve that, e.g. requiring registration of a login-account for certain services.
Ip-addresses change. And as we all know at least since M.J. Ranum's article on the Six Dumbest Ideas in Computer Security, enumerating badness a.k.a blacklisting is the second dumbest idea of computer security.
But blocking access to normal websites? I mean, c'mon!
But there is another angle to it, if you are a local state government. I this case, blocking anonymizing services is just not acceptable. Citizens have a right to inform themselves about what the government does and how they do it. It is each persons chartered right to do that without having to fear repression or influence or surveillance. For this reason it is just not okay to block anonymizing services.
Apart from that, it ist just pointless. There are a million things that are more effective and more efficient. And when you have implemented only the most effective of these and come back to the thought of blocking anonymizing services, you will realize that you just don't need to do that anymore.