2007-12-12
BarryStiefel
Administrator
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 571
Re: DFAIT restricted countries

Quote:
Originally Posted by ugirl
Hi Folks

First post on this forum, but I have turned to you guys for help in the past.

Does anyone else have a requirement to block DFAIT (Department Foreign Affairs and International Trade) restricted countries from downloading software from your company that includes encryption modules?

We have been told that we must block access to ~200 CIDR blocks that fall within these restricted countries; failure to comply could mean a stop-shipment of product.

DFAIT recommends that we do a DNS reverse lookup on the addresses coming in and if they match the restricted list drop the connection. However, my company would prefer that they be redirected to a site providing the blocked user with our company contact details.

I have told them I could outright block these addresses from accessing our FTP servers, but that would require that I manually enter ~200 CIDR blocks as network objects and add them to a drop rule. I really do not believe that this should be the job of our Checkpoint NGX firewall; it really is the job of the web application layer. However, I have been asked how to accomplish this task with our Checkpoint firewall.

Ideally we would prefer to allow access to all other components of our Web infrastructure, but should they try to access a site that has software with encryption, they would be redirected to a page that provides them with our company contact information.

I can think of a number of ways this whole thing can be circumvented, i.e., get your buddy in a non-restricted country to download for you, ssh to a system that does not fall within the ranges, etc. However, with that said, should we not comply, it could mean a stop-shipment of product.

Does anyone else have this requirement? And if so, how are you managing it?

Thanks
Ugirl
But IP addresses don't map neatly to countries, and it's really easy to change your IP address anyway. Anyone who lives in a country with blocked CIDR networks already knows how to use Tor or any one of thousands of free web proxies to make it appear they're coming from somewhere else. They saw this coming long ago. This battle is lost before you start.

And the reverse DNS lookup is silly, too. Top-level domains only tangentially map to countries. What if they just grab a .com domain name and put in a fake address?

You're being asked to perform security theater.

But you probably already know this.
__________________
Barry J. Stiefel ("Stee-ful")
CCSA/CCSE/CCSE+/CCSI
President, CPUG
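For readers who end up having to implement the "block at the application layer, redirect to a contact page" variant ugirl describes rather than the firewall drop rule, the following is an added example and not code from either poster. It matches the connecting address against a pre-merged CIDR list and only intervenes on the download path that carries the encryption modules, leaving the rest of the site open. The prefixes, the path prefix `/downloads/crypto/` and the contact URL are constructed stand-ins (the post names ~200 DFAIT blocks but lists none), and it does nothing about the proxy and Tor circumvention Barry points out, which no address check can.

```python
"""Application-layer geo-restriction check for an encryption-software download path.

Added example, not code from the original post. The CIDR list, the path prefix
and the contact URL are constructed stand-ins, not the DFAIT list.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample prefixes from the RFC 5737 / RFC 3849 documentation
# ranges. Two of them are adjacent on purpose to show the merge step.
RESTRICTED_CIDRS = [
    "192.0.2.0/25",
    "192.0.2.128/25",    # adjacent to the line above; merges into 192.0.2.0/24
    "198.51.100.0/24",
    "203.0.113.0/25",    # only the lower half of TEST-NET-3 is restricted
    "2001:db8:1::/48",
]
# Hypothetical location of the crypto-bearing downloads on the site.
RESTRICTED_PATH_PREFIX = "/downloads/crypto/"
# Hypothetical contact page to send blocked users to instead of dropping them.
CONTACT_URL = "https://www.example.com/export-contact"


class RestrictedNetworks:
    """A list of restricted prefixes, merged and split by IP version."""

    def __init__(self, cidrs: Iterable[str]) -> None:
        # strict=True rejects entries whose host bits are set (a typo in a
        # hand-maintained 200-line list) instead of silently widening them.
        nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
        # collapse_addresses merges adjacent and overlapping prefixes, so a
        # raw list of ~200 entries usually shrinks; it refuses mixed
        # versions, hence the split.
        self.v4: List[ipaddress.IPv4Network] = list(
            ipaddress.collapse_addresses(n for n in nets if n.version == 4))
        self.v6: List[ipaddress.IPv6Network] = list(
            ipaddress.collapse_addresses(n for n in nets if n.version == 6))

    def lookup(self, addr: str) -> Optional[str]:
        """Return the matching prefix (as text) for addr, or None.

        Raises ValueError if addr is not an IP address at all.
        """
        ip = ipaddress.ip_address(addr)
        for net in (self.v4 if ip.version == 4 else self.v6):
            if ip in net:
                return str(net)
        return None


def decide(restricted: RestrictedNetworks, client_ip: str, path: str) -> Tuple[str, Optional[str]]:
    """Return ("allow", None) or ("redirect", CONTACT_URL) for one request.

    client_ip must be the TCP peer address the server itself saw, not a
    client-supplied header such as X-Forwarded-For, unless a trusted reverse
    proxy in front of the application is the one setting that header.
    """
    if not path.startswith(RESTRICTED_PATH_PREFIX):
        return ("allow", None)          # the rest of the site stays open
    try:
        hit = restricted.lookup(client_ip)
    except ValueError:
        # An unparseable peer address on the restricted path: fail closed,
        # and send the user to the contact page rather than a bare error.
        return ("redirect", CONTACT_URL)
    if hit is not None:
        return ("redirect", CONTACT_URL)
    return ("allow", None)


if __name__ == "__main__":
    rn = RestrictedNetworks(RESTRICTED_CIDRS)
    print("merged IPv4 prefixes:", [str(n) for n in rn.v4])
    for ip, path in [("192.0.2.10", "/downloads/crypto/app.tgz"),
                     ("192.0.2.10", "/docs/index.html"),
                     ("203.0.113.200", "/downloads/crypto/app.tgz"),
                     ("2001:db8:1::5", "/downloads/crypto/app.tgz")]:
        print(ip, path, "->", decide(rn, ip, path))
```

The merge step is the part worth keeping even if the check ends up on the firewall after all: feeding the collapsed list to the rulebase instead of the raw one cuts the number of network objects and removes the overlapping entries that make such lists hard to audit later.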