Restrict access to US ip addresses only

Hi all, I have a firewall in the USA used for remote access by a small group of sales people. These users roam all over the USA and access this firewall from different locations, hotels/local dial up ISP numbers, hot spots etc. Is there an access list which I can apply to my firewall which will restrict access to the firewall to IP addresses sourced from the USA only? It would be too much to hope that this is a contiguous block of address but how unwieldy is it? As always your help is appreciated. Regards, FWS

Reply to
firewallstarter

This item was discussed at length in the html group a month or two ago. The consensus there was

1 - There is no single range for the US, or any other country. Blocks are assigned as needed, somewhat at random. I would suspect that there would be several hundred, perhaps thousand, list segments in which you would find US service providers. 2- Some companies operate internationally, so for example an access site in Canada may have a 'US' listed source. 3 - You can get around this using proxy servers, so you can appear to be anywhere that there is an open proxy.

There are other forms of security which will work much better. Consider implementing security in the server applications that they would be accessing.

Stuart

Reply to
Stuart Miller

"Stuart Miller" wrote in message news:mU52i.183846$6m4.133894@pd7urf1no...

Wanna add something, most of the shit originates in the US. I know some people won't like this statement but the truth ain't nice.

arja

Reply to
arja

Stuart, thanks for the info. Apologies if I have repeated a question which was already discussed. My search of the groups didn't bear fruit so I decided to post the question. It appears that it's not a runner if the ip addresses are so disparate. Thanks again, FWS

Reply to
firewallstarter

Simple answer - no. Country data in the registration information refers to the location where the company/individual making the registration is located. It has NO connection with where the hosts might be physically located. Example - the company I work for is registered in New York, yet a traceroute to my computer disappears into a black hole with the last location being a router near San Francisco. But I'm located near Phoenix (350 miles/600 KM East of Los Angeles), and because we're a large company with facilities in forty countries, the next subnet above the one my computer uses is in France. This is not unusual.

There _are_ lists available that suggest that they list address (ranges) by region or country. There is/was a windoze toy tool called "Visual Traceroute" that entertained the feeble-minded droolers by displaying a map that purported to show the path packets were taking from their location to the "remote" host. A lot of the data is guesses, and a lot is simply wrong.

One month ago, the five Regional Internet Registries (AfriNIC, APNIC, ARIN, LACNIC and RIPE) had 79862 assignments or allocations (the latter being available for sub-assignment to customers) world wide. The US was designated as the country of registry for 33087 of those, and the other 46775 were scattered over 209 other "countries". Note that this is just for IPv4, and ignores 1760 similar assignment and allocations for IPv6. Both IPv4 and IPv6 are assigned with only the vaguest form of order. For example, 129.x.y.z addresses are _registered_ in the following countries:

[compton ~]$ zgrep -h ' 129\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort | uniq -c | column
  5 AU   1 DK   3 JP 172 US
  4 CA  42 EU   1 KR   1 VE
[compton ~]$

(many of those are universities) while 192.x.y.z is even worse:

[compton ~]$ zgrep -h ' 192\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 | sort | uniq -c | column
   1 AT    4 CN    1 GH   16 MX    3 SE
 429 AU    1 CR    2 GT   80 MY   49 SG
   1 BE    5 DE   13 HK    1 MZ   16 TH
   3 BF    1 DK    4 ID    2 NI    1 TN
   1 BM    1 DZ    4 IL    1 NL   85 TW
   1 BN   29 EC    4 IN   93 NZ 7995 US
   1 BO    1 EG    2 IT    1 PE    1 UY
  38 BR 2530 EU  531 JP    1 PF    1 VE
 912 CA    3 FI   24 KR    1 PG  201 ZA
   2 CH    6 FR    1 LK   14 PH
   8 CL    2 GA    1 MO   10 PR
[compton ~]$

Wondering what country "EU" is? Why that's the European Union of course. To confuse things further, there are also blocks listed as "AP" which means multiple countries in the Asia Pacific region (Afghanistan to Pitcairn Island more or less, excluding the former Soviet Union). The other codes are directly from the ISO-3166 standard.

What about blocking by "country code" in the hostname? This definitely will NOT work, for a number of reasons - such as the fact that there are a large number of network administrators who don't feel the rules regarding rDNS (PTR records, or IP-to-hostname) apply to them, or are so brain-dead they can not know or ask how to configure their DNS servers to provide this data, or because (anti-US phobias to the contrary) domains ending in .com, .net, .edu (and most others) are not restricted to 'US only'.

Your best bet is strong authentication and encryption methods - probably not very easy to implement given that you are talking about sales-monkeys. I'm sure you can already hear them whining that a four letter password is too difficult to remember. Good Luck.

Old guy

Reply to
Moe Trin
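As an added example (not code from any poster in this thread), here is a small parser for the RIR delegated-stats format that the zgrep commands above are grepping, turning one country's records into the CIDR prefixes a firewall allow list would need and counting how many countries share one /8. The sample records are constructed for illustration; the assumed file layout is the pipe-separated `registry|cc|type|start|value|date|status` format the RIRs publish, where an IPv4 `value` is an address count rather than a prefix length.

```python
import ipaddress
from collections import Counter

# Constructed sample in the RIR "delegated" stats layout; the blocks and dates
# are invented (192.0.2.0/24 and 2001:db8::/32 are documentation ranges).
SAMPLE_STATS = """\
2|arin|20070601|5|19840101|20070531|-0400
arin|*|ipv4|*|4|summary
arin|US|ipv4|129.22.0.0|65536|19880101|assigned
arin|CA|ipv4|129.97.0.0|65536|19890301|assigned
arin|US|ipv4|192.0.2.0|256|19930101|assigned
apnic|AU|ipv4|192.9.0.0|768|19950101|allocated
ripencc|EU|ipv4|192.16.0.0|1024|19960101|allocated
arin|US|ipv6|2001:db8::|32|20010101|allocated
"""

def parse_delegations(text):
    """Yield (country_code, ip_network) for every IPv4/IPv6 record, skipping
    comments, the version line and the per-registry summary lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 7 or f[1] == "*" or f[2] not in ("ipv4", "ipv6"):
            continue
        cc, family, start, value = f[1], f[2], f[3], int(f[4])
        if family == "ipv6":
            # IPv6 records carry a prefix length directly.
            yield cc, ipaddress.ip_network(f"{start}/{value}")
            continue
        # IPv4 records carry an address count, which is not always a power of
        # two, so one record may need several prefixes (768 -> a /23 + a /24).
        first = ipaddress.IPv4Address(start)
        last = first + (value - 1)
        for net in ipaddress.summarize_address_range(first, last):
            yield cc, net

def allow_list(text, cc):
    """CIDR strings a firewall could permit for one registered country code."""
    return [str(n) for c, n in parse_delegations(text) if c == cc]

def countries_in_first_octet(text, octet):
    """Per-country prefix counts inside one /8, like the uniq -c output above."""
    return Counter(c for c, n in parse_delegations(text)
                   if n.version == 4 and n.network_address.packed[0] == octet)
```

Even this toy input shows the thread's point: the US list is three disjoint prefixes across two address families, and 192/8 already mixes three countries plus "EU".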

...good post... very good....

Reply to
RedForeman

| 2- Some companies operate internationally, so for example an access site in
| Canada may have a 'US' listed source.

Some DHCP pools span countries. An IP used one day in one country may be used in another country another day.

Reply to
phil-news-nospam

| Wanna add something, most of the shit originates in the US.
| I know some people won't like this statement but the truth ain't
| nice.

It's probably true. US is usually edging out China for being the biggest source of spam. China may eventually win because it is growing while the US has become stagnant. But growth does not mean all the users will be running a safe OS.

Reply to
phil-news-nospam

| What about blocking by "country code" in the hostname? This definitely
| will NOT work, for a number of reasons - such as the fact that there are
| a large number of network administrators who don't feel the rules
| regarding rDNS (PTR records, or IP-to-hostname) apply to them, or are so
| brain-dead they can not know or ask how to configure their DNS servers
| to provide this data, or because (anti-US phobias to the contrary)
| domains ending in .com, .net, .edu (and most others) are not restricted
| to 'US only'.

OTOH, blocking by lack of rDNS will definitely isolate you a bit more from the most brain-dead administrator/managers. But that's not something easy to do at the IP layer.

| Your best bet is strong authentication and encryption methods - probably
| not very easy to implement given that you are talking about sales-monkeys.
| I'm sure you can already hear them whining that a four letter password is
| too difficult to remember. Good Luck.

Especially combined with a knock-knock protocol to open the doors or just don't respond at all if initial authentication fails.

Sales monkeys should have their computers installed and configured by geeks. Those that screw them up afterwards need to take them back and have them reinstalled and configured all over again, with a fresh new empty contacts list :-)

Reply to
phil-news-nospam

Cite, or example?

Old guy

Reply to
Moe Trin

_Allowing_ by IP range is often a lot simpler. Given that the five RIRs currently have 81642 IP blocks assigned/allocated, totalling some 2.509e9 IPv4 addresses in 210 countries (plus a mere 1863 enormous blocks of IPv6 - 1780 allocations and 83 direct assignments - in 111 countries), you really do have to think your access control scheme through carefully.

Given brane-ded sales-monkeys, you've probably automated that if you are going to avoid a lot of whining. Of course, they'll still wind up putting passwords, usernames, hostnames and port numbers on sticky-notes (which they will lose/misplace anyway)

be shot along with the f*cking IDIOT that gave them privileged access to be able to do this. Contrary to the whining of the average user, you do not need 'administrator' or 'root' access. PERIOD. Fix your installs, or get the job you are qualified for at McBurger-in-a-box.

Actually, we routinely wipe and reinstall ANY box that's been off premises that re-enters the building. We don't have outside sales monkeys here, and we RARELY allow hardware to go walkies, so it's a bit less traumatic.

First two times only. Third time, the computer goes out with a replacement sales-monkey.

Old guy

Reply to
Moe Trin

I am in Canada. When I log in to Yahoo from one computer it recognizes me as Canadian, from another it thinks I am Australian. Netscape and AOL dialup are also good examples of 'international' IP numbers.

Stuart

Reply to
Stuart Miller

Not knowing what address you are talking about, I can't say. While Oz and Canada have IP addresses spread all over (this shows the first octet):

[compton ~]$ zgrep -h CA A* | cut -d' ' -f2 | cut -d'.' -f1 | sort -un | column
 24  67  75 132 140 154 161 170 207
 41  68  76 134 141 155 162 192 208
 47  69  99 135 142 156 163 198 209
 63  70 128 136 144 157 164 199 216
 64  71 129 137 146 158 165 204
 65  72 130 138 148 159 167 205
 66  74 131 139 149 160 168 206
[compton ~]$ ^CA^AU
zgrep -h AU A* | cut -d' ' -f2 | cut -d'.' -f1 | sort -un | column
 58 121 130 139 148 156 163 170 211
 59 122 131 140 149 157 164 192 216
 60 123 132 141 150 158 165 198 218
 61 124 134 143 151 159 166 202 219
 64 125 136 144 152 160 167 203 220
116 128 137 146 153 161 168 204 221
117 129 138 147 155 162 169 210
[compton ~]$

and both share areas in the former "Class B" and "Class C" space (and one lone block in 64/8 for Oz), none overlap, and it's ONLY in 192/8 and 198/8 that there are even a few assignments that are adjacent.

Yes, and there are others, and about the only time I can think of them handing out the same address in two countries is when you are talking about situations like the PoP at Detroit, Michigan or Windsor, Ontario or similar cross-border situations. I think that's uncommon enough, and we block both Netscape and AOL anyway.

Old guy

Reply to
Moe Trin

The "44.x.y.z" range is international (although not much connected :-(

Already mentioned was AOL, but Compuserve users were (are?) another example.

Yours, Holger ( dg3lp.ampr.org :-)

Reply to
Holger Petersen

Hi,

Holger Petersen wrote:

Got another one: Roadwarriors using 00800 to dial in to their home VPNs.

Cheers, Jens

Reply to
Jens Hoffmann

Re-read Phil's statement above - "An IP used one day in one country may be used in another country another day". While 44.0.0.0/8 (and others) may be located in many countries, I don't believe that the _same_ address (such as XX.22.11.88) is going to be handed out to different countries (excepting a cross-border PoP such as the previously cited Detroit, Michigan, USA / Windsor, Ontario, Canada or similar). DHCP is supposed to be on a "local" segment, although RFC1542 allows for BOOTP Relay Agents, but I've never seen anything like a DHCP server located in one country serving DHCP clients in another, and assigning addresses such that XX.22.11.88 is a host in Germany today, and may be a completely different host in Japan tomorrow. That was what I am inquiring about.

My company is another - as are a number of larger industrial entities such as Ford, HP, or EADS. However, within those entities, the subnet addresses are pretty well fixed - such that 198.18.200.3 (netmask 255.255.252.0) is in the Berlin Office's subnet, while 198.18.204.22 is the web server for the cafeteria in the Tokyo facility. Subnets (and hosts within those subnets) don't move much. We've got seven /22 subnets in the facility I work in, which are scattered through a "large" network assignment. The subnet above the one I'm on (in Arizona, USA) is located in France, while the subnet below is in New York. Not how I'd lay out the networks (as the routers have to know about all, rather than a classless situation such as "this /20" here versus "that /19" in $FOO, or "the other /21" in $BAR and so on) but it's been working for over twenty years. Until you get IPv6 running, the routing issues of dynamic hosts are just too much of a hassle. (Personally, they are even with IPv6, but that's another issue entirely.)

Old guy

Reply to
Moe Trin
