Security of National Infrastructure

Kevin Day toasty at
Fri Dec 29 22:52:27 UTC 2006

On Dec 29, 2006, at 4:19 PM, The Shadow wrote:

> Question:
> Why is it that every company out there allows connections through  
> their
> firewalls to their web and mail infrastructure from countries that  
> they
> don't even do business in. Shouldn't it be our default to only  
> allow US
> based IP addresses and then allow others as needed? The only case I  
> can
> think of would be traveling folks that need to VPN or something, which
> could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
> seem to be in the wild west, but no-one has the b at lls to be braven and
> block the unnecessary access.

I can't quite tell if this is a troll or legit question. Had I not  
just gone through this same debate with someone else who was serious  
about it, I would have assumed the former. :)

1) There is no 100% accurate list of what country the assignee of an  
IP address is. Through our own experiences, the best geotargeting  
databases are less than 90% accurate at the country level.

2) Even if you were able to 100% accurately list what the country of  
origin each allocation is, that still doesn't mean you can determine  
where the system is itself. Out of one /16 allocation it's not  
uncommon to see chunks of it deployed in several countries.  
Multinational countries may forward all of their outgoing mail to one  
or two large servers in a different country than the sender/recipient  
is in.

3) Even if you can get around #1 and #2, nothing stops the "bad guys"  
from connecting to a host in your country and forwarding whatever  
attack they want from there.

4) Even if you can get around #1, #2 and #3, legitimate accesses from  
people in your country may go through servers in another country.  
(Non-US users using Gmail for example)

5) Even if you're positive that the above 4 don't matter, you're  
talking about a HUGE number of firewall entries. In our current  
geotargeting database, collapsing all known US allocations into as  
big CIDR blocks as possible while still leaving out uncertain/unknown  
blocks, that still ends up with around 1,800,000 firewall rules to  
allow only known US IP addresses. Working off a blacklist isn't much  
better. If you don't like Canadians, you're adding 80,000 rules. If  
you want to keep the Chinese out, that's 155,000 rules. If it's  
British hackers you're concerned about, you've got 308705 distinct IP  
blocks to ban.

6) Allocations change constantly, how are you keeping this list updated?

7) What about open proxies, botnets, or other nasties inside the  
"good" countries?

8) The first time your CEO loses an email from his daughter while  
she's on vacation to Singapore, you're going to have to remove all of  

More information about the NANOG mailing list