CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi Folks,

First post on this forum, but I have turned to you guys for help in the past.

Does anyone else have a requirement to block DFAIT (Department of Foreign Affairs and International Trade) restricted countries from downloading software from your company that includes encryption modules? We have been told that we must block access from ~200 CIDR blocks that fall within these restricted countries; failure to comply could mean a stop shipment of product.

DFAIT recommends that we do a DNS reverse lookup on the addresses coming in and, if they match the restricted list, drop the connection. However, my company would prefer that they be redirected to a site providing the blocked user with our company contact details.

I have told them I could outright block these addresses from accessing our FTP servers, but that would require that I manually enter ~200 CIDR blocks as network objects and add them to a drop rule. I really do not believe that this should be the job of our Checkpoint NGX firewall; it really is the job of the web application layer. However, I have been asked how to accomplish this task with our Checkpoint firewall. Ideally we would prefer to allow access to all other components of our web infrastructure, but should they try to access a site that has software with encryption, they would be redirected to a page that provides them with our company contact information.

I can think of a number of ways this whole thing can be circumvented, i.e. get your buddy in a non-restricted country to download for you, ssh to a system that does not fall within the ranges, etc. etc. etc. However, with that said, should we not comply it could mean a stop shipment of product.

Anyone else have this requirement? And if so, how are you managing it?

Thanks,
Ugirl
I think you can do this with the FTP Security Server. A rule like this should do it.

Code:
```
Source     Destination   Service         Action   Comment
!Net_200   My.DMZ.ftp    ftp->download   Accept   'restricted download'
```

I agree with you that this is better handled at the application; maybe you can restrict the access directly at the ftp/http server. Another suggestion, if the software is not *free*, is to change the download process (only approved downloads) ...
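The application-layer alternative the reply suggests (and the original poster prefers) can be sketched as a small source-address gate in front of the download handler. The following is an added example written for this thread; it is not code from CPUG, Check Point, or the poster's environment. The CIDR blocks, client addresses, URL paths and the contact-page location are all constructed placeholders, not the real DFAIT list. It matches the client IP against the restricted networks with the standard library's `ipaddress` module instead of relying on reverse DNS, gates only the encryption-bearing download paths so the rest of the site stays reachable, and fails closed (redirects) when the client address cannot be parsed.

```python
"""Application-layer CIDR gate for an export-restricted download area.

Added example, not from the CPUG thread or any Check Point product.
All ranges, paths and addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the restricted CIDR list (documentation/test
# ranges only; the real list would be loaded from a maintained file).
RESTRICTED_CIDRS = [
    "198.51.100.0/24",      # TEST-NET-2 (placeholder)
    "203.0.113.0/25",       # first half of TEST-NET-3 (placeholder)
    "2001:db8:ffff::/48",   # IPv6 documentation prefix (placeholder)
]

# Assumed location of the "please contact us" page the poster described.
CONTACT_PAGE = "/export-restricted-contact.html"

# Assumed URL prefixes that hold software with encryption modules; everything
# else on the site is served normally.
GATED_PREFIXES = ("/downloads/crypto/",)


def load_restricted(cidrs):
    """Parse the CIDR strings once at startup.

    strict=True makes a typo such as 198.51.100.7/24 raise immediately
    rather than silently widening or narrowing the block.
    """
    return [ip_network(c, strict=True) for c in cidrs]


def is_restricted(client_ip, nets):
    """True if client_ip lies inside any restricted block (v4 or v6)."""
    addr = ip_address(client_ip)
    return any(addr in n for n in nets if n.version == addr.version)


def decide(client_ip, path, nets):
    """Return ("allow", path) or ("redirect", CONTACT_PAGE).

    client_ip must be the real TCP peer address (or the address supplied by
    a proxy you control); never trust a client-supplied header for this.
    """
    # Ungated parts of the site are always served.
    if not any(path.startswith(p) for p in GATED_PREFIXES):
        return ("allow", path)
    try:
        blocked = is_restricted(client_ip, nets)
    except ValueError:
        # Unparseable address: fail closed on the gated paths.
        blocked = True
    if blocked:
        return ("redirect", CONTACT_PAGE)
    return ("allow", path)


NETS = load_restricted(RESTRICTED_CIDRS)

if __name__ == "__main__":
    # Constructed sample requests: (client address, requested path).
    sample = [
        ("198.51.100.7", "/downloads/crypto/product.zip"),
        ("198.51.100.7", "/docs/index.html"),
        ("192.0.2.1", "/downloads/crypto/product.zip"),
        ("2001:db8:ffff::1", "/downloads/crypto/product.zip"),
    ]
    for ip, path in sample:
        print(ip, path, "->", decide(ip, path, NETS))
```

The gate runs before the file is served, so a restricted client asking for the gated path gets the contact page while its request for documentation is served as usual. Keep the CIDR file under change control and reload it on update; with ~200 entries a linear scan per request is cheap, and a prefix trie is only worth it at much larger list sizes.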
Quote:

And the reverse DNS lookup is silly, too. Top Level Domains only tangentially map to countries. What if they just grab a .com domain name and put in a fake address? You're being asked to perform security theater. But you probably already know this.