000013413 - GeoIP MaxMind database update and changes

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013413
Applies To: A new GeoIP database update is available every month for those customers who have purchased this service.
Issue: GeoIP MaxMind database update and changes.
Resolution

Depending on an individual customer's contract with RSA, you may be supplied with a sample GeoIP file at the time of installation, or you may have purchased the monthly update service described below.

RSA provides geographic IP location information with your initial build. If included in your contract, RSA will provide an updated data file around the middle of each month through your RSA Central reporting account.

By looking up the GeoIP data for the source IP of an incoming request, we can determine the Country, State, City, ISP and approximate Latitude and Longitude of the computer making the request.
Some of these values can then be used in Policies (for example, DENY all requests originating in Nigeria) and also factor into the overall risk score.
In particular, since most retail ISPs allocate IP addresses dynamically, we can't assume that a home user will maintain the same IP address indefinitely, so when their IP address changes we can assess the probability that the same computer was reassigned a different IP address by comparing the old and new GeoIP data.
Not updating the GeoIP data file regularly can cause some users to have a higher risk score and some a lower risk score. For example, a newly assigned IP address not in the GeoIP data will generate a higher risk score than it would if the GeoIP database had been updated. Conversely, if an IP address is reassigned to a new location, the new GeoIP data might result in a higher risk score.
A new GeoIP data file is available from RSA every month; however, it's up to each individual customer to decide how frequently they want to take the latest file. Since the data is derived from updates that individual ISPs provide to the various registries, the frequency varies depending on the volume and timing of those updates.
The typical types of changes that occur are:
    o Blocks of IP addresses are reassigned from one ISP to another.
    o New blocks of IP addresses are allocated that previously didn't exist.
    o ISPs clean up their data or may reassign IP locations within their service area.
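
To see which of these change types a new monthly file contains before deploying it, the old and new snapshots can be compared block by block. The following Python is an added example, not RSA or MaxMind code; the CSV layout (`cidr`, `isp`, `country`, `city`), the sample rows and the extra `resized` and `removed` categories are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample snapshots (documentation address ranges). The column
# layout is an assumption, not the format of the RSA-supplied GeoIP file.
OLD_SNAPSHOT = """cidr,isp,country,city
192.0.2.0/24,ExampleNet,US,Boston
198.51.100.0/24,ExampleNet,US,Chicago
203.0.113.0/25,SampleTel,GB,London
"""
NEW_SNAPSHOT = """cidr,isp,country,city
192.0.2.0/24,OtherISP,US,Boston
198.51.100.0/24,ExampleNet,US,Denver
203.0.113.0/25,SampleTel,GB,London
203.0.113.128/25,SampleTel,GB,Leeds
"""


def load(text):
    """Index a snapshot by parsed CIDR block; a malformed block raises ValueError."""
    return {ipaddress.ip_network(r["cidr"].strip()): r
            for r in csv.DictReader(io.StringIO(text))}


def classify_changes(old_text, new_text):
    """Return sorted (cidr, change_type) pairs for blocks that differ."""
    old, new = load(old_text), load(new_text)
    changes = []
    for net, row in new.items():
        prev = old.get(net)
        if prev is None:
            # No exact match: a new allocation unless it overlaps old space,
            # in which case an existing block was split or merged.
            overlap = any(net.version == o.version and net.overlaps(o) for o in old)
            changes.append((str(net), "resized" if overlap else "new_block"))
        elif prev["isp"] != row["isp"]:
            changes.append((str(net), "isp_reassigned"))
        elif (prev["country"], prev["city"]) != (row["country"], row["city"]):
            changes.append((str(net), "location_changed"))
    # Old blocks whose exact CIDR no longer appears in the new file.
    for net in old.keys() - new.keys():
        changes.append((str(net), "removed"))
    return sorted(changes)


if __name__ == "__main__":
    for cidr, kind in classify_changes(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(f"{kind:17} {cidr}")
```

A large count of `isp_reassigned` or `location_changed` blocks in one update is a signal to expect risk scores to shift for users in those ranges once the file is loaded.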
 
An automatic notification email is sent to the customer and the engineers once the new GeoIP database is ready. RSA provides the updated GeoIP files through the customer's reporting account, and they can be picked up by any of the supported mechanisms for downloading reports, such as rsync over SSH, SFTP, or HTTPS.

Legacy Article ID: a42258
