This document summarizes Authentic8’s location policy controls, describes Authentic8 tools to verify locations, and discusses some of the challenges and difficulties with 3rd party IP geo-location services.
The concept of “trust, but verify” is an important security principle. If you have used Authentic8’s browser and egress location policy controls to restrict Silo and Toolbox sessions to specific geographic locations, then you (or your auditors) will want to verify that the execution environment location matches policy. However, third party geo-location of IP addresses is not perfect.
Authentic8 Silo & Toolbox Browser Location Settings
Authentic8’s Silo and Toolbox browsers support policy-based location restrictions. An administrator may set policies to restrict Silo sessions to a specific region.
Similarly, when provisioning Toolbox as a Silo app, the administrator may set the location of the Toolbox execution environment as well as the location of the Toolbox egress location. The Provisioning the Authentic8 Toolbox web app guide provides information on Toolbox configuration options, including renaming the app, specifying the browser & egress locations, and customizing the Message Bar.
Verifying Authentic8 Browser Location Settings
Once you’ve configured Silo or Toolbox with location restrictions, how can you be certain that the policy is being followed? This is where the “trust, but verify” principle comes into play. You could simply trust us; but, we understand if you want to verify for yourself.
Verify location using Authentic8’s Message Bar
One way to verify that the browser settings match the configured policy is to use the Message Bar feature. The Message Bar reports the IP addresses of the execution environment and of the egress proxy, and shows a country flag for each. The Message Bar is the simplest way to verify that the browser has been provisioned according to policy; the sections below describe independent checks you can run against those same IP addresses.
Verify location using a 3rd party IP geo-location service
There are a variety of Internet services that attempt to determine the geographic location of an IP address. For example, MaxMind and WhatIsMyIP are two popular IP geo-location services; they correlate IP addresses with locations using network path information, the address-block registration records held by the regional Internet registries (the same data whois returns), and public business information.
3rd party geo-location (in)accuracy
The 3rd party geo-location services are great when they work. Unfortunately, they are only as accurate as their information sources and the global nature of the Internet results in issues that make accurate geo-location of IP addresses difficult. As an example, the ISP Secured Servers, which has headquarters in Arizona, has registered IP addresses for Virginia machines using the company HQ mailing address. As a result, the geo-location services misattribute Secured Servers’ Virginia IP addresses as being in Arizona.
MaxMind provides a report on the per country accuracy of their dataset. For example, at the time this article was written, MaxMind reported ~83% accuracy for United States IP addresses. Similarly, WhatIsMyIP includes the following caveat on the IP lookup page:
No IP Lookup tool is 100% accurate due to many different factors. Some of those factors include where the owner of the IP has it registered, where the agency that controls the IP is located, proxies, cellular IPs, etc. If you are in the US and the controlling agency of the IP is located in Canada, chances are the IP address lookup results will show as Canada. Showing a Canadian IP while in the US is very common among Blackberry users on the Verizon network.
Feel free to use 3rd party services to verify your location policies; however, please be aware of the limitations of these services.
Verify location manually using traceroute and whois
The traceroute (tracert on Windows) and whois commands can be used to manually determine the location of the browser and egress proxy. From your Message Bar, copy the IP address upon which you wish to perform location verification.
On Linux or macOS, run traceroute in a terminal as traceroute <ip-address>, substituting the address copied from the Message Bar.
On Windows, the command is tracert <ip-address>.
The results show the network path between your computer and the Authentic8 browser or egress proxy you specified: one line per router hop, with the hop's address and its round-trip time. Hops that do not answer are printed as asterisks.
For each hop in the network path shown by traceroute, you can use the whois command (whois <hop-ip>) to show the network registry information: the organization that holds the address block, its registered country, and its mailing address.
These lookups are subject to the same caveats that apply to 3rd party services: the registry record reflects the registrant's address on file, which may be a corporate headquarters rather than the data center where the router sits, and private (RFC 1918) hops and non-responding hops return nothing useful. What the path does give you is corroboration. The last few hops before the endpoint normally belong to the hosting provider's network in the same region as the endpoint, so if their registry data places them where policy requires, the endpoint is very likely located properly. Round-trip times are a second sanity check: light in fiber covers roughly 100 km per millisecond of round trip, so a hop reported a few milliseconds from the previous one cannot be on another continent.
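The traceroute-and-whois procedure above, as an added example script (not part of the original article and not Authentic8 tooling). It assumes traceroute(8) and whois(1) are installed and that whois returns the usual ARIN- or RIPE-style "Key: value" records; the sample traceroute and whois output embedded in the script is constructed from RFC 5737 documentation addresses so the parsing functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not Authentic8 tooling): walk the traceroute path to an IP
# copied from the Message Bar and print the registry country / organization
# for every responding hop, as the manual procedure above describes.
# Assumptions: traceroute(8) and whois(1) are installed, and whois output is
# the "Key: value" shape used by ARIN, RIPE and the other registries.

# Pull one IP per hop, in order, from traceroute or Windows tracert output.
# Handles "N  host (a.b.c.d)", "N  a.b.c.d" (traceroute -n / tracert -d) and
# tracert's "  N  <1 ms ... a.b.c.d" lines; hops that time out ("* * *") yield nothing.
hop_ips() {
    awk '/^[ \t]*[0-9]+[ \t]/ {
        if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/))
            print substr($0, RSTART, RLENGTH)
    }'
}

# Reduce one whois answer to "COUNTRY | organization". Field names differ by
# registry (ARIN OrgName:, RIPE org-name:, both NetName:/netname:), so several
# are accepted; the first occurrence of each wins, and an org name is preferred
# over a net name. This is the registrant's address on file, not the router's
# physical location.
hop_registry() {
    awk '{
        key = tolower($0); sub(/:.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "country" && cc == "") cc = val
        else if ((key == "orgname" || key == "org-name") && org == "") org = val
        else if (key == "netname" && net == "") net = val
    }
    END {
        if (org == "") org = net
        printf "%s | %s\n", (cc == "" ? "??" : cc), (org == "" ? "unknown" : org)
    }'
}

# Live run: traceroute to the Message Bar IP, then whois each hop.
# Early hops are your own LAN and ISP; private (RFC 1918) addresses are
# reported but not looked up, since whois has nothing useful to say about them.
trace_with_registry() {
    target=$1
    command -v traceroute >/dev/null && command -v whois >/dev/null ||
        { echo "traceroute and whois are required" >&2; return 1; }
    traceroute -n -w 2 "$target" | hop_ips | while read -r ip; do
        case $ip in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
                printf '%-16s (private address, not looked up)\n' "$ip" ;;
            *)  printf '%-16s %s\n' "$ip" "$(whois "$ip" | hop_registry)" ;;
        esac
    done
}

# Constructed sample output (not captured from a real trace or registry) so the
# parsers can be exercised offline. Addresses are RFC 5737 documentation ranges.
SAMPLE_TRACE='traceroute to 203.0.113.25 (203.0.113.25), 30 hops max, 60 byte packets
 1  192.0.2.1  1.123 ms  0.987 ms  1.005 ms
 2  * * *
 3  gw.example.net (198.51.100.7)  9.801 ms  9.612 ms  9.544 ms
 4  203.0.113.25  20.412 ms  20.377 ms  20.390 ms'

SAMPLE_WHOIS_ARIN='NetRange:       203.0.113.0 - 203.0.113.255
NetName:        EXAMPLE-HOSTING
OrgName:        Example Hosting LLC
City:           Phoenix
StateProv:      AZ
Country:        US'

SAMPLE_WHOIS_RIPE='inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-GW
country:        GB
admin-c:        EX123-RIPE
status:         ASSIGNED PA'

if [ $# -gt 0 ]; then
    trace_with_registry "$1"          # e.g. ./verify-path.sh <ip-from-message-bar>
else
    echo "Hop IPs parsed from the constructed traceroute output:"
    printf '%s\n' "$SAMPLE_TRACE" | hop_ips
    echo "Registry summaries parsed from the constructed whois output:"
    printf '%s\n' "$SAMPLE_WHOIS_ARIN" | hop_registry
    printf '%s\n' "$SAMPLE_WHOIS_RIPE" | hop_registry
fi
```

Run it with the execution-environment or egress IP from the Message Bar as its only argument to see the registry country for each hop; with no argument it only exercises the parsers on the constructed samples. Read the country column with the caveat in the text above in mind: it is what the registrant filed, so a mismatch on one hop is a prompt to look at the surrounding hops and their round-trip times, not proof that policy was violated.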
Please contact Support if you have additional questions or concerns.