North American Network Operators Group


Re: Security of National Infrastructure

  • From: Kevin Day
  • Date: Fri Dec 29 18:02:00 2006

On Dec 29, 2006, at 4:19 PM, The Shadow wrote:

Why is it that every company out there allows connections through their
firewalls to their web and mail infrastructure from countries that they
don't even do business in. Shouldn't it be our default to only allow US
based IP addresses and then allow others as needed? The only case I can
think of would be traveling folks that need to VPN or something, which
could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
seem to be in the wild west, but no-one has the b@lls to be brave and
block the unnecessary access.

I can't quite tell if this is a troll or legit question. Had I not just gone through this same debate with someone else who was serious about it, I would have assumed the former. :)

1) There is no 100% accurate list of what country the assignee of an IP address is. Through our own experiences, the best geotargeting databases are less than 90% accurate at the country level.

2) Even if you were able to 100% accurately list what the country of origin of each allocation is, that still doesn't mean you can determine where the system itself is. Out of one /16 allocation it's not uncommon to see chunks of it deployed in several countries. Multinational companies may forward all of their outgoing mail to one or two large servers in a different country than the sender/recipient is in.

3) Even if you can get around #1 and #2, nothing stops the "bad guys" from connecting to a host in your country and forwarding whatever attack they want from there.

4) Even if you can get around #1, #2 and #3, legitimate accesses from people in your country may go through servers in another country. (Non-US users using Gmail for example)

5) Even if you're positive that the above 4 don't matter, you're talking about a HUGE number of firewall entries. In our current geotargeting database, collapsing all known US allocations into CIDR blocks as big as possible while still leaving out uncertain/unknown blocks, that still ends up with around 1,800,000 firewall rules to allow only known US IP addresses. Working off a blacklist isn't much better. If you don't like Canadians, you're adding 80,000 rules. If you want to keep the Chinese out, that's 155,000 rules. If it's British hackers you're concerned about, you've got 308,705 distinct IP blocks to ban.

6) Allocations change constantly; how are you keeping this list updated?

7) What about open proxies, botnets, or other nasties inside the "good" countries?

8) The first time your CEO loses an email from his daughter while she's on vacation in Singapore, you're going to have to remove all of this.
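Point 5 in concrete terms, as an added example that is not part of the thread: a constructed allocation table (not real registry data) is collapsed into the fewest CIDR allow rules with Python's ipaddress module, showing how a single block of uncertain origin prevents aggregation, and how folding it in instead shrinks the rule set at the cost of admitting addresses whose country is unknown.

```python
import ipaddress

# Constructed sample allocations with a geolocation label; not real registry
# data. "??" marks a block whose country the database cannot decide.
ALLOCATIONS = [
    ("192.0.2.0/25", "US"),
    ("192.0.2.128/25", "US"),
    ("198.51.100.0/24", "US"),
    ("198.51.101.0/24", "US"),
    ("203.0.113.0/26", "US"),
    ("203.0.113.64/26", "??"),   # uncertain block in the middle of a would-be /24
    ("203.0.113.128/25", "US"),
    ("198.18.0.0/16", "CA"),
]


def allow_rules(allocations, country, include_uncertain=False):
    """Return the minimal list of CIDR rules permitting every block labelled
    `country`. With include_uncertain=True the "??" blocks are folded in too,
    which lets neighbouring blocks merge but admits traffic of unknown origin."""
    wanted = {country, "??"} if include_uncertain else {country}
    nets = [ipaddress.ip_network(cidr) for cidr, cc in allocations if cc in wanted]
    # collapse_addresses merges adjacent/overlapping networks into supernets
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covered(rules, address):
    """True if `address` matches any allow rule, i.e. would pass the filter."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(r) for r in rules)


if __name__ == "__main__":
    strict = allow_rules(ALLOCATIONS, "US")
    loose = allow_rules(ALLOCATIONS, "US", include_uncertain=True)
    print(len(strict), "rules excluding uncertain blocks:", strict)
    print(len(loose), "rules including uncertain blocks:", loose)
    # An address inside the uncertain /26 is only admitted by the loose set.
    print("203.0.113.70 allowed (strict):", covered(strict, "203.0.113.70"))
    print("203.0.113.70 allowed (loose): ", covered(loose, "203.0.113.70"))
```

The same trade-off scales with the real table: every uncertain or foreign block sitting between two "US" blocks is one more rule, which is how a country-level allow list ends up in the millions of entries.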