If your business operates exclusively in the United States, there is no legitimate reason for a connection originating from China, Russia, North Korea, or Iran to reach your network. None. And yet, for most organizations, those connections arrive continuously — scanning ports, probing login pages, testing application endpoints, and looking for anything left open. Most are automated. Most go unnoticed. And some succeed.
Geographic-based access control — commonly called geo-blocking or geo-filtering — is one of the highest-value, lowest-complexity controls a network team can implement. If you are not doing it, you are accepting unnecessary risk. This post explains the threat, how to implement geographic restrictions effectively, and — critically — why country of origin is only part of the story.
The Threat Landscape Is Not Evenly Distributed
Nation-state cyber programs represent some of the most persistent and sophisticated threats facing U.S. organizations today. The primary state-sponsored actors consistently identified by U.S. intelligence and cybersecurity agencies include:
- China (PRC): The FBI and CISA have jointly attributed sustained, large-scale intrusion campaigns to PRC-affiliated groups including Volt Typhoon and APT40, targeting critical infrastructure, defense contractors, telecommunications providers, and technology companies. The stated goals include long-term pre-positioning within U.S. networks and intellectual property theft.[1]
- Russia: Russian Intelligence Services — particularly the GRU and SVR — have conducted extensive operations against U.S. government, energy, and financial targets. The 2020 SolarWinds supply chain compromise, attributed to SVR-affiliated group APT29 (Cozy Bear), affected thousands of organizations including U.S. federal agencies.[2]
- North Korea (DPRK): North Korean actors, particularly Lazarus Group, are responsible for a significant volume of financially motivated intrusions — cryptocurrency theft, ransomware operations, and financial institution targeting — as well as espionage against defense and aerospace organizations.[3]
- Iran: Iranian threat actors have targeted U.S. critical infrastructure, government entities, and private sector organizations, with particular focus on energy, financial services, and organizations involved in Middle East policy.[4]
Microsoft's 2023 Digital Defense Report documented that Russia, China, Iran, and North Korea together accounted for the overwhelming majority of the nation-state attack activity it observed against U.S. organizations.[5]
Against this backdrop, the question is not whether traffic from these countries poses elevated risk. It does. The question is why so many organizations are still accepting it without restriction.
The Case for Geographic Access Control
Geo-blocking operates on a simple principle: if you do not have business partners, customers, or employees in a given country, traffic originating from that country has no legitimate purpose on your network. Restricting it does not eliminate your attack surface — but it eliminates a meaningful and documented source of threat with minimal operational impact.
Think of it as triage. You cannot inspect everything. Every connection your firewall must evaluate consumes resources and creates potential exposure. Dropping traffic from countries you do not operate in before it ever reaches your inspection engine reduces noise, reduces load, and removes a class of attackers from your threat picture entirely — the ones who operate directly from infrastructure in their home country and have not bothered to route through anything else.
For many small and mid-size organizations, a properly configured geo-filter will eliminate the majority of inbound scan and brute-force traffic immediately. The impact is measurable within hours of implementation.
How to Implement Geographic Access Control
Geographic filtering is supported natively by most enterprise-grade security platforms and can be implemented at multiple layers of your infrastructure.
Next-Generation Firewalls
If your organization has an NGFW — Palo Alto Networks, Fortinet FortiGate, Cisco Firepower, or Check Point — geographic filtering is typically built in, and the underlying GeoIP data is maintained through the vendor's threat intelligence subscription.
On Palo Alto Networks firewalls, countries are available as built-in region objects that can be used directly as the source or destination of a security policy; custom IP ranges can also be referenced as External Dynamic Lists. A policy denying traffic from a defined set of countries can be placed at the top of the security rule base and applied inbound on the internet-facing zone. The GeoIP database is updated automatically as part of the content update subscription.
On Fortinet FortiGate, geographic filtering is implemented through Address Objects of type "Geography." You create a deny policy referencing these objects applied to the WAN interface, and FortiGuard maintains the underlying IP-to-country mappings automatically.
On pfSense and OPNsense, the pfBlockerNG package provides robust geographic filtering using GeoIP data from MaxMind. The package allows you to define continent and country-level block lists applied at the firewall level, and the MaxMind GeoLite2 database is freely available for non-commercial use with registration.[6]
Cloud and Edge Filtering
If your organization uses cloud services or has internet-facing applications hosted in AWS, Azure, or Google Cloud, geographic filtering should also be applied at that layer:
- AWS WAF supports geographic match conditions natively. Rules can block or allow traffic by country code and can be applied to CloudFront distributions, Application Load Balancers, and API Gateway endpoints.
- Cloudflare provides country-level blocking through firewall rules on all paid plans. This is particularly effective for organizations using Cloudflare as a reverse proxy, as it filters at the edge before traffic reaches your infrastructure at all.
- Azure Front Door and Application Gateway both support geo-filtering policies that can restrict access by country code.
What to Block — and What to Think About First
The practical approach for most U.S.-based organizations that operate domestically:
- Build a list of every country where you have legitimate employees, customers, vendors, or partners.
- For all other countries, implement a default-deny inbound policy at the perimeter firewall.
- For countries where you have any doubt, monitor before blocking — review logs for a week and confirm that existing traffic from those countries is either legitimate or scan/probe noise.
- Document exceptions and review them quarterly. Business relationships change, and your geo-filter should reflect your current operational footprint.
Pay particular attention to outbound geo-filtering as well. Connections from your internal network to known-hostile countries should be treated with elevated suspicion and, where possible, restricted or at minimum heavily logged. Command-and-control beacons often reach back to infrastructure in high-risk countries — blocking outbound connections to those countries adds another detection and prevention layer.
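As an added illustration of the monitor-before-blocking step and the outbound review above (example code written for this post, not a vendor tool), the script below triages a constructed sample of firewall log lines: countries on the business allowlist are allowed, countries that only produced port-probing are proposed for the deny list, anything in between is held for review, and outbound sessions to non-business countries are listed for investigation. The log format, the allowlist and the probing threshold are assumptions.

```python
from collections import defaultdict

# Constructed perimeter-firewall log sample (not from any real device or vendor format):
# timestamp direction src_ip src_country dst_ip dst_country dst_port
SAMPLE_LOG = """\
2024-05-01T02:11:03 in 203.0.113.10 CN 198.51.100.5 US 22
2024-05-01T02:11:04 in 203.0.113.10 CN 198.51.100.5 US 23
2024-05-01T02:11:05 in 203.0.113.10 CN 198.51.100.5 US 3389
2024-05-01T02:11:06 in 203.0.113.10 CN 198.51.100.5 US 8080
2024-05-01T09:30:00 in 198.51.100.77 US 198.51.100.5 US 443
2024-05-01T10:02:10 in 192.0.2.40 DE 198.51.100.5 US 443
2024-05-01T10:05:12 in 192.0.2.41 DE 198.51.100.5 US 443
2024-05-01T11:15:00 in 192.0.2.41 DE 198.51.100.5 US 443
2024-05-01T13:00:00 out 10.0.0.15 US 203.0.113.200 RU 443
"""
# Assumption: the organization only has staff, customers, and vendors in these countries.
BUSINESS_COUNTRIES = {"US", "CA"}
SCAN_PORT_THRESHOLD = 3  # one source touching this many distinct ports is treated as probing

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, direction, src, src_cc, dst, dst_cc, port = line.split()
        rows.append({"ts": ts, "direction": direction, "src": src, "src_cc": src_cc,
                     "dst": dst, "dst_cc": dst_cc, "port": int(port)})
    return rows

def triage(rows, business=BUSINESS_COUNTRIES):
    # Returns ({inbound country: verdict}, [outbound sessions to non-business countries]).
    ports_by_src = defaultdict(set)   # src_ip -> distinct destination ports it touched
    srcs_by_cc = defaultdict(set)     # country -> distinct inbound source IPs
    for r in rows:
        if r["direction"] == "in":
            ports_by_src[r["src"]].add(r["port"])
            srcs_by_cc[r["src_cc"]].add(r["src"])
    verdicts = {}
    for cc, srcs in srcs_by_cc.items():
        if cc in business:
            verdicts[cc] = "allow"    # documented business relationship
        elif all(len(ports_by_src[s]) >= SCAN_PORT_THRESHOLD for s in srcs):
            verdicts[cc] = "block"    # nothing but port-probing seen: safe to deny
        else:
            verdicts[cc] = "review"   # real-looking sessions: confirm with the business first
    outbound = [(r["src"], r["dst"], r["dst_cc"]) for r in rows
                if r["direction"] == "out" and r["dst_cc"] not in business]
    return verdicts, outbound

if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

In the sample, Germany ends up in "review" because two sources only ever reached the HTTPS service, which is exactly the undocumented-vendor case the monitoring week is meant to surface.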
The Hard Truth: Country of Origin Is Not the Whole Story
Here is where many organizations make a critical mistake: they implement geo-blocking, see their inbound scan traffic drop dramatically, and conclude the problem is solved. It is not. Geo-blocking is a valuable control — but treating it as a trust boundary is one of the most dangerous assumptions in network security today.
The reason is straightforward: sophisticated threat actors do not exclusively operate from their home country's infrastructure. They have not for years.
Nation-State Actors Operate Inside the United States — Routinely
The major state-sponsored threat groups identified by CISA, NSA, and FBI specifically use U.S.-based infrastructure to conduct operations against U.S. targets. This is not an edge case. It is standard tradecraft.
They do this by:
- Renting U.S. cloud infrastructure. AWS EC2 instances, Azure virtual machines, Google Cloud compute resources, and DigitalOcean droplets can be provisioned in U.S. data centers using anonymous or stolen payment credentials. Traffic originating from these instances has a U.S. IP address and passes through major U.S. ASNs. It looks, to a geo-filter, exactly like domestic traffic — because technically it is.[7]
- Compromising U.S. edge devices. The Volt Typhoon campaign, publicly attributed to China's PLA and detailed in a 2024 joint advisory from CISA, NSA, and FBI, specifically used a network of compromised U.S. small office/home office (SOHO) routers to proxy their intrusion traffic. The connections reaching victim networks came from legitimate U.S. IP addresses — residential and small business ranges that would never be flagged by country-based filtering.[1]
- Using residential proxy networks. A thriving market of residential proxy services allows attackers to route traffic through real consumer IP addresses in any country, including the United States. Traffic routed through these networks originates from genuine U.S. residential addresses assigned to real ISPs. No geo-filter can distinguish this from a legitimate American user.
- Exploiting compromised domestic systems. Botnets composed of compromised U.S. computers — home routers, Windows workstations, servers — are used to stage and relay attacks. When the traffic arrives at your firewall, it comes from a U.S. IP address belonging to a compromised manufacturing company in Ohio or a small accounting firm in Texas. It passes your geo-filter without question.
The SolarWinds Orion compromise is perhaps the starkest illustration of this principle. The malicious update that gave Russian intelligence services access to thousands of organizations — including multiple U.S. federal agencies — was delivered through a trusted U.S. software company's legitimate update infrastructure. Every byte of that attack was U.S.-originated. No geo-filter would have touched it.[2]
Trusting U.S. Traffic Is Not a Security Posture
The implication is uncomfortable but important: a U.S. source IP address tells you the geographic origin of the network packet. It tells you nothing about the trustworthiness of the entity behind it. Treating domestic origin as implicit trust is a posture that sophisticated attackers specifically engineer around — and they are very good at it.
This does not mean geo-blocking is not worth doing. It absolutely is. Blocking countries you have no business relationship with eliminates a real and measurable category of threat — opportunistic attackers, automated scanning campaigns, and less sophisticated actors who operate directly from their home-country infrastructure. That is a meaningful reduction in noise and risk.
But it means that geo-blocking must be understood as one layer in a defense-in-depth model — not as a trust boundary. The controls that protect you from the threats that geo-filtering cannot see are different ones entirely.
What Protects You From Threats That Geo-Filtering Can't See
The security controls that address the gap — threats operating through trusted geographies — are behavioral and content-based rather than origin-based:
- Application-layer inspection (NGFW): A command-and-control beacon operating over HTTPS from a U.S.-based cloud server still has behavioral characteristics — specific domains, certificate attributes, traffic patterns — that application-aware inspection can identify. A port-based firewall cannot.
- DNS security: Many intrusion campaigns rely on DNS for C2 communication and exfiltration. DNS filtering against known malicious domains, newly registered domains, and domains with poor reputation scores catches traffic that bypasses geo-filters entirely.
- Threat intelligence feeds: IP reputation databases include known malicious IP addresses regardless of country of origin — cloud infrastructure known to be used for attacks, Tor exit nodes, VPN endpoints, and botnet C2 servers. These are orthogonal to geo-filtering and catch what geo-filtering misses.
- Zero Trust architecture: The principle of verifying every user, device, and connection — regardless of where it originates — is the architectural answer to the problem that geo-filtering exposes. A connection from a U.S. IP address that cannot authenticate, cannot pass device posture checks, and cannot demonstrate it belongs to a known user should be treated identically to a connection from any other untrusted source.
- Behavioral monitoring and anomaly detection: Traffic that matches known-good geographic and temporal patterns but suddenly communicates with new external destinations, transfers unusual data volumes, or accesses resources outside its normal scope should trigger alerts regardless of where the traffic appears to originate.
- Endpoint detection and response (EDR): The Volt Typhoon campaign specifically targeted SOHO routers because they are endpoints without meaningful detection capability. For systems you control, EDR provides the visibility layer that catches compromised hosts before they become attack proxies or pivot points.
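To show why the controls above are origin-agnostic, here is an added example (not from the original post) of the kind of check a behavioral monitoring layer applies: it flags an internal host that contacts the same external destination at suspiciously regular intervals, even though that destination is in the United States and an outbound geo-filter would pass it. The connection records, the destination address and the jitter threshold are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection records (not from a real network):
# (epoch_seconds, internal_src, external_dst, dst_country)
BEACON_DST = "198.51.100.200"   # assumption: a U.S.-hosted cloud VM used as a C2 relay
# Ten connections roughly every 60 s with a little jitter, mixed with ordinary browsing.
RECORDS = [(1_700_000_000 + 60 * i + (i % 3) - 1, "10.0.0.15", BEACON_DST, "US")
           for i in range(10)]
RECORDS += [
    (1_700_000_005, "10.0.0.15", "192.0.2.10", "US"),
    (1_700_000_190, "10.0.0.15", "192.0.2.11", "US"),
    (1_700_000_400, "10.0.0.15", "192.0.2.10", "US"),
    (1_700_000_033, "10.0.0.22", "192.0.2.10", "US"),
]
HIGH_RISK = {"CN", "RU", "KP", "IR"}  # the outbound block list from the post

def geo_filter_allows(country, high_risk=HIGH_RISK):
    # All a geo-filter can see is the country code of the destination.
    return country not in high_risk

def find_beacons(records, min_count=6, max_jitter=0.15):
    # Flag (src, dst) pairs whose inter-connection timing is too regular to be a person.
    times = defaultdict(list)
    for ts, src, dst, _ in records:
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_count:
            continue                      # too few samples to judge periodicity
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        jitter = pstdev(gaps) / mean(gaps)  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            beacons[pair] = round(mean(gaps), 1)   # value: mean interval in seconds
    return beacons

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(RECORDS).items():
        passed = geo_filter_allows(next(c for *_, d, c in RECORDS if d == dst))
        print(f"{src} -> {dst} every ~{interval}s (geo-filter allowed: {passed})")
```

The beacon to the U.S. destination is the only pair flagged; the irregular browsing sessions to the other hosts never reach the sample threshold, and the geo-filter answer for the flagged destination is "allowed".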
Putting It Together
Geographic access control is a high-value, low-effort control that belongs in every organization's security posture. If you are not restricting inbound traffic to countries where you have legitimate business relationships, implement that today. The reduction in attack surface is immediate and measurable.
But implement it understanding what it does and does not protect you against. It removes opportunistic, geography-dependent threats from your exposure. It does not remove sophisticated actors who have learned — long ago — to operate through your trusted geographies. Protecting against those requires application-layer visibility, behavioral detection, strong identity controls, and a security architecture that does not place trust in network location alone.
The organizations that get this right treat every connection as potentially adversarial until it proves otherwise — regardless of where it comes from. That is not paranoia. Given the current threat landscape, it is the only rational posture.
Warden Networks designs and implements geographic filtering policies as part of comprehensive firewall engagements. If you are unsure whether your current controls include geographic restrictions — or whether your inbound traffic is being inspected beyond Layer 3 — that gap is worth closing.
Sources
[1] CISA, NSA, FBI, and partner agencies. (2024). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Joint Cybersecurity Advisory AA24-038A. Cybersecurity and Infrastructure Security Agency. Retrieved from cisa.gov.
[2] CISA. (2021). Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (SolarWinds). Cybersecurity and Infrastructure Security Agency. Retrieved from cisa.gov.
[3] FBI, CISA, U.S. Department of the Treasury, and OFAC. (2023). North Korean State-Sponsored Cyber Actors Use Ransomware to Fund Espionage Activities. Joint Cybersecurity Advisory. Retrieved from cisa.gov.
[4] CISA and FBI. (2024). Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations. Joint Cybersecurity Advisory AA24-290A. Retrieved from cisa.gov.
[5] Microsoft. (2023). Microsoft Digital Defense Report 2023. Microsoft Corporation. Retrieved from microsoft.com/security.
[6] MaxMind, Inc. (2024). GeoLite2 Free Geolocation Data. MaxMind, Inc. Retrieved from maxmind.com. Note: Commercial use requires a paid GeoIP2 subscription.
[7] NSA and CISA. (2023). Cybersecurity Advisory: People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. National Security Agency / CISA Joint Advisory AA23-144A. Retrieved from nsa.gov.