Thread: Security of National Infrastructure

Security of National Infrastructure
user name
2006-12-29 22:52:27

On Dec 29, 2006, at 4:19 PM, The Shadow wrote:

> Question:
> Why is it that every company out there allows connections through their
> firewalls to their web and mail infrastructure from countries that they
> don't even do business in. Shouldn't it be our default to only allow US
> based IP addresses and then allow others as needed? The only case I can
> think of would be traveling folks that need to VPN or something, which
> could be permitted in the Firewall, but WHY WIDE OPEN ACCESS? We still
> seem to be in the wild west, but no-one has the balls to be brave and
> block the unnecessary access.


I can't quite tell if this is a troll or legit question. Had I not just gone through this same debate with someone else who was serious about it, I would have assumed the former.


1) There is no 100% accurate list of what country the assignee of an IP address is. Through our own experiences, the best geotargeting databases are less than 90% accurate at the country level.

2) Even if you were able to 100% accurately list what the country of origin of each allocation is, that still doesn't mean you can determine where the system itself is. Out of one /16 allocation it's not uncommon to see chunks of it deployed in several countries.

Multinational countries may forward all of their outgoing mail to one or two large servers in a different country than the sender/recipient is in.

3) Even if you can get around #1 and #2, nothing stops the "bad guys" from connecting to a host in your country and forwarding whatever attack they want from there.

4) Even if you can get around #1, #2 and #3, legitimate accesses from people in your country may go through servers in another country. (Non-US users using Gmail, for example.)

5) Even if you're positive that the above 4 don't matter, you're talking about a HUGE number of firewall entries. In our current geotargeting database, collapsing all known US allocations into as big CIDR blocks as possible while still leaving out uncertain/unknown blocks, that still ends up with around 1,800,000 firewall rules to allow only known US IP addresses. Working off a blacklist isn't much better. If you don't like Canadians, you're adding 80,000 rules. If you want to keep the Chinese out, that's 155,000 rules. If it's British hackers you're concerned about, you've got 308,705 distinct IP blocks to ban.

6) Allocations change constantly; how are you keeping this list updated?

7) What about open proxies, botnets, or other nasties inside the "good" countries?

8) The first time your CEO loses an email from his daughter while she's on vacation to Singapore, you're going to have to remove all of this.
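As an added illustration of point 5 in the post above (this is example code, not part of the thread; the allocation records are constructed sample data, not a real geolocation database), here is how carving uncertain or unknown sub-blocks out of a country allowlist multiplies the number of firewall rules, even after collapsing into the largest possible CIDR blocks:

```python
# Added example, not from the list post. Shows why "collapse into the biggest
# CIDR blocks possible while leaving out uncertain/unknown blocks" produces
# far more rules than the raw number of allocations suggests.
import ipaddress

# Constructed sample records: (prefix, country, confidence that country is right).
# These are documentation/shared-address ranges, not real assignments.
SAMPLE_ALLOCATIONS = [
    ("203.0.113.0/24", "US", 0.99),
    ("198.51.100.0/24", "US", 0.95),
    ("198.51.100.0/25", "US", 0.55),   # sub-block, country only weakly confirmed
    ("192.0.2.0/24", "CA", 0.97),
    ("100.64.0.0/16", "US", 0.98),
    ("100.64.5.0/24", "??", 0.40),     # sub-block reassigned, country unknown
]


def allowlist_prefixes(records, country, min_confidence, carve_holes=True):
    """Collapsed list of prefixes confidently assigned to `country`.

    With carve_holes=True, every sub-block that is NOT confidently `country`
    (other country, unknown, or low confidence) is cut out of the allowlist,
    which splits large blocks into many smaller ones."""
    confident = lambda c, conf: c == country and conf >= min_confidence
    wanted = [ipaddress.ip_network(p) for p, c, conf in records if confident(c, conf)]
    holes = [ipaddress.ip_network(p) for p, c, conf in records if not confident(c, conf)]
    result = []
    for net in wanted:
        pieces = [net]
        if carve_holes:
            for hole in holes:
                next_pieces = []
                for piece in pieces:
                    if hole.subnet_of(piece) and hole != piece:
                        next_pieces.extend(piece.address_exclude(hole))  # split around the hole
                    elif piece.subnet_of(hole):
                        continue  # entirely inside an uncertain block: drop it
                    else:
                        next_pieces.append(piece)
                pieces = next_pieces
        result.extend(pieces)
    return sorted(ipaddress.collapse_addresses(result))


def rule_count(records, country, min_confidence, carve_holes=True):
    """Number of firewall rules the allowlist would need."""
    return len(allowlist_prefixes(records, country, min_confidence, carve_holes))


def is_allowed(prefixes, ip):
    """Would a packet from `ip` pass an allowlist built from `prefixes`?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)
```

Three confident US allocations collapse to 3 rules if the uncertain sub-blocks are ignored, but to 10 once a single unknown /24 is carved out of the /16 (a /16 minus one /24 alone becomes 8 blocks).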
