Security of National Infrastructure
toasty at dragondata.com
Fri Dec 29 22:52:27 UTC 2006
On Dec 29, 2006, at 4:19 PM, The Shadow wrote:
> Why is it that every company out there allows connections through
> firewalls to their web and mail infrastructure from countries they
> don't even do business in. Shouldn't it be our default to only
> allow US-based IP addresses and then allow others as needed? The only case I
> think of would be traveling folks that need to VPN or something, which
> could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
> seem to be in the wild west, but no-one has the b@lls to be brave and
> block the unnecessary access.
I can't quite tell if this is a troll or a legit question. Had I not
just gone through this same debate with someone else who was serious
about it, I would have assumed the former. :)
1) There is no 100% accurate list of what country the assignee of an
IP address is in. In our own experience, the best geotargeting
databases are less than 90% accurate at the country level.
2) Even if you were able to list, 100% accurately, the country of
origin of each allocation, that still doesn't mean you can determine
where the system itself is. Out of one /16 allocation it's not
uncommon to see chunks of it deployed in several countries.
Multinational companies may forward all of their outgoing mail through one
or two large servers in a different country than the sender/recipient.
3) Even if you can get around #1 and #2, nothing stops the "bad guys"
from connecting to a host in your country and forwarding whatever
attack they want from there.
4) Even if you can get around #1, #2 and #3, legitimate accesses from
people in your country may go through servers in another country.
(Non-US users using Gmail for example)
5) Even if you're positive that the above 4 don't matter, you're
talking about a HUGE number of firewall entries. In our current
geotargeting database, collapsing all known US allocations into
CIDR blocks as large as possible while still leaving out uncertain/unknown
blocks, that still ends up with around 1,800,000 firewall rules to
allow only known US IP addresses. Working off a blacklist isn't much
better. If you don't like Canadians, you're adding 80,000 rules. If
you want to keep the Chinese out, that's 155,000 rules. If it's
British hackers you're concerned about, you've got 308,705 distinct IP
blocks to ban.
6) Allocations change constantly; how are you keeping this list updated?
7) What about open proxies, botnets, or other nasties inside the
8) The first time your CEO loses an email from his daughter while
she's on vacation to Singapore, you're going to have to remove all of
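An added example (editor's code, not part of the thread) illustrating points 2 and 5 with Python's standard `ipaddress` module: collapsing one country's prefixes into the fewest CIDR rules, then seeing how a single chunk of a /16 that is deployed in another country, or that the database is unsure about, stops the /16 from collapsing into one rule. The feed, its `confidence` field and the prefixes are constructed placeholders (private and documentation address space), not real allocations or real geo-IP data.

```python
import ipaddress

# Constructed sample feed (NOT real data): (prefix, country, confidence) triples of the
# kind a geo-IP database might export. The confidence field is an assumption for this
# example; prefixes are private/documentation space used purely as placeholders.
SAMPLE_FEED = [
    ("10.20.0.0/17",     "US", 0.99),
    ("10.20.128.0/18",   "US", 0.98),
    ("10.20.192.0/19",   "US", 0.97),
    ("10.20.224.0/20",   "DE", 0.95),  # chunk of the same /16 deployed abroad (point 2)
    ("10.20.240.0/20",   "US", 0.60),  # low confidence: the database is not sure
    ("198.51.100.0/25",  "US", 0.99),
    ("198.51.100.128/25", "US", 0.99), # adjacent to the /25 above: these two do merge
    ("203.0.113.0/24",   "CA", 0.99),
]


def allow_rules(feed, country, min_confidence=0.9):
    """Fewest CIDR rules that allow `country`, dropping entries below `min_confidence`.

    This is the "collapse into the largest CIDR blocks possible while leaving out
    uncertain blocks" step from point 5. Adjacent equal-sized blocks merge; a block
    that belongs to another country or is left out as uncertain breaks the merge.
    """
    nets = [ipaddress.ip_network(prefix)
            for prefix, cc, conf in feed
            if cc == country and conf >= min_confidence]
    return sorted(ipaddress.collapse_addresses(nets))


def carve_out(parent, exclusions):
    """CIDR rules needed to allow `parent` minus `exclusions`.

    Shows why a single foreign or uncertain sub-block is expensive: a /16 with one
    /29 carved out needs 13 rules (one per prefix length 17..29) instead of one.
    """
    remaining = [ipaddress.ip_network(parent)]
    for ex in map(ipaddress.ip_network, exclusions):
        nxt = []
        for net in remaining:
            if net.subnet_of(ex):          # swallowed entirely (covers net == ex)
                continue
            if ex.subnet_of(net):          # split net around the excluded block
                nxt.extend(net.address_exclude(ex))
            else:                          # disjoint: keep as is
                nxt.append(net)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    for cc in ("US", "DE", "CA"):
        rules = allow_rules(SAMPLE_FEED, cc)
        print(f"{cc}: {len(rules)} rule(s): {[str(r) for r in rules]}")
    # The whole /16 would be one rule; carving out the DE /20 and the uncertain /20
    # leaves three, matching the US rules above for that /16.
    split = carve_out("10.20.0.0/16", ["10.20.224.0/20", "10.20.240.0/20"])
    print(f"/16 minus two /20s: {len(split)} rule(s)")
    print(f"/16 minus one /29: {len(carve_out('10.20.0.0/16', ['10.20.0.0/29']))} rule(s)")
```

Scaling the same effect over a whole registry's worth of allocations is where the rule counts quoted above come from: every block the database is unsure about, and every sub-block deployed elsewhere, is a hole that prevents aggregation around it.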