On Wed, 21 Feb 2007 08:52:20 MST, Andrew Willy said:
> I have a web application that only our employees need access to.  Because
> these employees should never access the application from outside the US, it
> makes sense to me to only permit networks from the US.
> Is there any reason not to go ahead with this filtering?

Take it a step further.  Turn off access to the web application from outside
*entirely*.  Then *enable* access from only those address ranges that actually
have employees in them.  I've done that for several systems for SSH - I only
allow access from our 2 campus /16s, and then I added iptables rules to allow
the /16 that my DSL was always in, and the /16 that my boss's cablemodem
was in, and so on.  Amazing how rare those systems get hit by SSH brute
forcers. :)

This will work for even amazingly large setups - you *should* know up front
what IP address ranges all your branch offices have.  Then the only problem
is keeping track of what /16s the 9 guys in the Chicago office land in when
they work from home.  And there's a solution for that too...

If I was doing it today, I'd probably be even more fascist, and only allow
ssh from on campus and make the people involved fire up a VPN connection
so they appear to be inside our /16.

Unless you're a *really* big company with enough employees that statistically,
you have people in large parts of *every* state, you probably don't care
about 95% of the *US* address space any more than you care about China or
Zimbabwe.  And keep in mind that there is *NO*, (as in zip, zero, zilch, nada,
goose-egg) evidence that US computers are significantly more secure than
those in other countries.  People complain about attacks from China, but
I see an *awful* lot of attacks from countries called comcast.net. ;)
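
As an added example (not code from the original post or its author), here is the default-deny-then-allowlist SSH policy described above expressed as a POSIX shell script driving iptables; the chain name SSH_ALLOW, the IPT/SSH_PORT variables and the address ranges (RFC 5737 documentation blocks standing in for the campus and ISP /16s) are assumptions to replace with your own.

```shell
#!/bin/sh
# Default-deny SSH, then allow only known address ranges (campus /16s plus the
# ISP ranges remote staff land in).  Added example; not the original post's code.
# Ranges below are constructed placeholders from RFC 5737 documentation space.
set -eu

IPT="${IPT:-iptables}"        # IPT=echo prints the rules instead of applying them
SSH_PORT="${SSH_PORT:-22}"
ALLOWED_RANGES="198.51.100.0/24 203.0.113.0/24 192.0.2.0/24"   # constructed

# Reject anything that is not dotted-quad/prefix-length, so a typo in the list
# fails here instead of quietly opening or closing the wrong range.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; len="${1#*/}"
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=0; oldifs="$IFS"; IFS=.
    for o in $ip; do
        case "$o" in ''|*[!0-9]*) IFS="$oldifs"; return 1 ;; esac
        [ "$o" -le 255 ] || { IFS="$oldifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$oldifs"
    [ "$n" -eq 4 ]
}

# Build a dedicated chain and hook it in front of the SSH port.
ssh_allowlist() {
    for r in $ALLOWED_RANGES; do
        valid_cidr "$r" || { echo "bad range: $r" >&2; return 1; }
    done
    $IPT -N SSH_ALLOW 2>/dev/null || $IPT -F SSH_ALLOW   # create or empty the chain
    $IPT -A SSH_ALLOW -i lo -j ACCEPT                     # local host stays reachable
    for r in $ALLOWED_RANGES; do
        $IPT -A SSH_ALLOW -s "$r" -j ACCEPT
    done
    # Everything else: log a sample of the denials, then drop silently.
    $IPT -A SSH_ALLOW -m limit --limit 5/min -j LOG --log-prefix "SSH-DENY "
    $IPT -A SSH_ALLOW -j DROP
    # -C checks for an existing jump so re-running does not add duplicates;
    # -I puts it ahead of any older, more permissive INPUT rules.
    $IPT -C INPUT -p tcp --dport "$SSH_PORT" -j SSH_ALLOW 2>/dev/null ||
        $IPT -I INPUT -p tcp --dport "$SSH_PORT" -j SSH_ALLOW
}

if [ "${1:-}" = apply ]; then ssh_allowlist; fi
```

Run it with `IPT=echo sh script.sh apply` first to review the rules, and apply from a console session rather than over SSH so a mistake in the list cannot lock you out.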
