DFAIT restricted countries

Hi Folks,

First post on this forum, but I have turned to you guys for help in the past.

Does anyone else have a requirement to block DFAIT (Department of Foreign Affairs and International Trade) restricted countries from downloading software from your company that includes encryption modules? We have been told that we must block access to ~200 CIDR blocks that fall within these restricted countries; failure to comply could mean a stop shipment of product.

DFAIT recommends that we do a DNS reverse lookup on the addresses coming in and, if they match the restricted list, drop the connection. However, my company would prefer that they be redirected to a site providing the blocked user with our company contact details.

I have told them I could outright block these addresses from accessing our FTP servers, but that would require that I manually enter ~200 CIDR blocks as network objects and add them to a drop rule. I really do not believe that this should be the job of our Checkpoint NGX firewall; it really is the job of the web application layer. However, I have been asked how to accomplish this task with our Checkpoint firewall. Ideally we would prefer to allow access to all other components of our web infrastructure, but should they try to access a site that has software with encryption, they should be redirected to a page that provides them with our company contact information.

I can think of a number of ways this whole thing can be circumvented, i.e. get your buddy in a non-restricted country to download for you, ssh to a system that does not fall within the ranges, etc. However, with that said, should we not comply it could mean a stop shipment of product.

Anyone else have this requirement, and if so, how are you managing it?

Thanks,
Ugirl
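An added example, not from the poster and not Checkpoint code, of the two pieces the post circles around: (a) an application-layer check that matches the connecting IP against the restricted CIDR list and returns a redirect decision only for the encryption-bearing download paths, so the rest of the web infrastructure stays open, and (b) collapsing adjacent or overlapping blocks so that fewer network objects have to be keyed into a firewall rule base by hand. The CIDR blocks, the site paths and the contact URL below are constructed placeholders (hypothetical), not the real DFAIT list; the check is keyed on the source IP rather than a reverse DNS lookup because PTR records are under the remote party's control and are often missing.

```python
import ipaddress

# Constructed sample list standing in for the ~200 restricted CIDR blocks the
# post mentions (hypothetical documentation ranges, not the real DFAIT list).
RESTRICTED_CIDRS = [
    "198.51.100.0/24",
    "203.0.113.0/25",
    "2001:db8:abcd::/48",
]

# Hypothetical site paths that carry encryption-bearing downloads; every
# other path on the site is left alone.
CONTROLLED_PREFIXES = ("/downloads/crypto/", "/ftp/secure/")
CONTACT_PAGE = "/export-control/contact"  # hypothetical redirect target


def build_networks(cidrs):
    """Parse CIDR strings once at startup. A malformed entry raises here,
    so a typo in the list cannot silently leave a range unmatched."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


RESTRICTED_NETS = build_networks(RESTRICTED_CIDRS)


def is_restricted(client_ip, nets=RESTRICTED_NETS):
    """True if client_ip falls inside any restricted block (IPv4 or IPv6).

    An unparsable address is treated as restricted (fail closed): a
    compliance control should not be bypassable with a garbled address.
    Use the socket peer address here, not a client-supplied header such as
    X-Forwarded-For, unless a trusted proxy in front of you sets it.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    return any(addr in net for net in nets)


def decide(client_ip, path):
    """Application-layer decision for one request.

    Returns ("redirect", CONTACT_PAGE) when a restricted source asks for
    controlled content, and ("allow", None) for everything else, so the
    contact page itself and the rest of the site remain reachable.
    """
    if path.startswith(CONTROLLED_PREFIXES) and is_restricted(client_ip):
        return ("redirect", CONTACT_PAGE)
    return ("allow", None)


def collapse_cidrs(cidrs):
    """Merge adjacent and overlapping blocks (per address family) so the
    list that has to be entered as firewall network objects is as short
    as it can be. Returns the collapsed blocks as strings, sorted."""
    nets = build_networks(cidrs)
    collapsed = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        collapsed.extend(str(n) for n in ipaddress.collapse_addresses(family))
    return collapsed


if __name__ == "__main__":
    # Constructed requests to show both outcomes.
    for ip, path in [("198.51.100.7", "/downloads/crypto/tool.zip"),
                     ("198.51.100.7", "/about"),
                     ("192.0.2.1", "/downloads/crypto/tool.zip")]:
        print(ip, path, "->", decide(ip, path))
    print(collapse_cidrs(["198.51.100.0/25", "198.51.100.128/25",
                          "203.0.113.0/25", "203.0.113.0/24"]))
```

The decision function is meant to sit in the download site's request handling (or a reverse proxy's access hook); the firewall then only needs the collapsed list if you still want a network-layer backstop.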