This is an overview of Authentic8’s location policy controls, the tools available to verify session locations, and some of the limitations of 3rd-party IP address geolocation services

As a Silo Administrator, you may be asked why platforms like Google or Bing report unexpected locations in search results. These services rely on proprietary geolocation methods that are not publicly documented and may change without notice. Because of this, Authentic8 does not have direct insights on their reporting behavior

The principle of “trust, but verify” is key to maintaining a strong security posture. If you’ve configured controls to restrict Silo for Safe Access or Silo for Research (Toolbox) sessions to specific geographic regions, it’s important to confirm that sessions are operating in accordance with policy. Just be aware that 3rd-party IP address geolocation is inherently imprecise and shouldn’t be solely relied upon for validation

Authentic8 Browser Location Settings

Silo for Safe Access and Silo for Research (Toolbox) browser environment support policy-based location restrictions.

A Silo Administrator can set the Silo Location policy via the Silo Admin Console > [Manage] Policies > Advanced

When provisioning a Silo for Research (Toolbox) shortcut, a Silo Administrator can set the location of the Toolbox execution environment, as well as the Toolbox egress location. Please refer to the following Support guideline for more information: https://support.authentic8.com/support/solutions/articles/16000026579-how-to-create-a-toolbox-launcher

Verifying Browser Location Settings

Once you’ve set up location policies in Silo for Safe Access or Silo for Research (Toolbox), how can you be sure they’re working as intended? That’s where the “trust, but verify” principle comes in. While you can trust that our controls are enforcing your policy, we also give you the tools to verify it for yourself

Silo for Research Egress Location Information

3rd-party IP address Geolocation

There are many online services that attempt to determine the geographic location of IP addresses. Popular examples include MaxMind and WhatIsMyIP, which use a combination of network path data, domain registration details, and public business records to map IP addresses to physical locations

3rd-party Geolocation Inaccuracy

3rd-party geolocation services can be useful—when they’re accurate. However, their reliability depends entirely on the quality of their data sources. The global and complex nature of the internet often introduces challenges that make precise IP geolocation difficult

For example, the ISP Secured Servers, headquartered in Arizona, has registered some Virginia-based IP addresses using its Arizona mailing address. As a result, geolocation services incorrectly identify those IPs as being located in Arizona instead of Virginia

MaxMind:


WhatIsMyIP:



MaxMind provides a report on the per-country accuracy of their dataset. For example, at the time this article was originally published, MaxMind reported ~83% accuracy for United States IP addresses

On the other hand, WhatIsMyIP includes the following caveat on their IP address lookup page:

"The results are sometimes a hit or miss in a search for an IP address location. A precise IP-to-location converter doesn't exist, and no IP geolocation database is 100% accurate. The results from an IP address search are a collection of data from several IP location databases. Each database reports differently. These variances in data lead to locational information that sometimes isn’t accurate. Your IP address location is what shows up on the IP lookup tool, but it may not be your true location."

For example, if you are in the US and the controlling agency of the IP address is located in Canada, chances are the IP address lookup results will show as Canada. A Canadian IP address record while in the US is very common among Verizon network subscribers

Feel free to use 3rd-party services to verify your location policies, however, please be aware of the limitations of those services

traceroute and whois

The traceroute (tracert on Windows) and whois commands can be used to manually determine the location of the browser and egress node. Copy and paste the Silo for Research IP address in which you wish to verify

• macOS and Linux traceroute [command]: traceroute 66.85.157.7

• Windows tracert [command]: tracert 66.85.157.7

The results will show the path from your local network and on the way to the Authentic8 endpoint:

For each hop in the network path shown in traceroute, you can also utilize the whois command to review the Network registry information

• whois [command]: whois 4.28.82.150

As shown in the example, these lookups are subject to the same limitations inherent to third-party services, as registrar information can often be incomplete or inaccurate, particularly regarding geographic data. By using these tools, you'll be able to validate whether the network path leading to the endpoint aligns with the expected location

Please contact Support for any additional questions