Restrict access to US ip addresses only

on 14.05.2007 20:28:05 by firewallstarter

Hi all,
I have a firewall in the USA used for remote access by a small
group of sales people. These users roam all over the USA and access
this firewall from different locations, hotels/local dial up ISP
numbers, hot spots etc. Is there an access list which I can apply to
my firewall which will restrict access to the firewall to IP addresses
sourced from the USA only? It would be too much to hope that this is
a contiguous block of address but how unwieldy is it?
As always your help is appreciated.
Regards,
FWS

Re: Restrict access to US ip addresses only

on 15.05.2007 01:02:42 by Stuart Miller

wrote in message
news:1179167285.893314.247330@o5g2000hsb.googlegroups.com...
> Hi all,
> I have a firewall in the USA used for remote access by a small
> group of sales people. These users roam all over the USA and access
> this firewall from different locations, hotels/local dial up ISP
> numbers, hot spots etc. Is there an access list which I can apply to
> my firewall which will restrict access to the firewall to IP addresses
> sourced from the USA only? It would be too much to hope that this is
> a contiguous block of address but how unwieldy is it?
> As always your help is appreciated.
> Regards,
> FWS

This item was discussed at length in the html group a month or two ago. The
consensus there was
1 - There is no single range for the US, or any other country. Blocks are
assigned as needed, somewhat at random.
I would suspect that there would be several hundred, perhaps thousand, list
segments in which you would find US service providers.
2- Some companies operate internationally, so for example an access site in
Canada may have a 'US' listed source.
3 - You can get around this using proxy servers, so you can appear to be
anywhere that there is an open proxy.

There are other forms of security which will work much better. Consider
implementing security in the server applications that they would be
accessing.

Stuart
>

Re: Restrict access to US ip addresses only

on 15.05.2007 01:26:13 by arja

"Stuart Miller" wrote in message
news:mU52i.183846$6m4.133894@pd7urf1no...
>
> wrote in message
> news:1179167285.893314.247330@o5g2000hsb.googlegroups.com...
>> Hi all,
>> I have a firewall in the USA used for remote access by a
>> small
>> group of sales people. These users roam all over the USA and
>> access
>> this firewall from different locations, hotels/local dial up
>> ISP
>> numbers, hot spots etc. Is there an access list which I can
>> apply to
>> my firewall which will restrict access to the firewall to IP
>> addresses
>> sourced from the USA only? It would be too much to hope that
>> this is
>> a contiguous block of address but how unwieldy is it?
>> As always your help is appreciated.
>> Regards,
>> FWS
>
> This item was discussed at length in the html group a month or
> two ago. The consensus there was
> 1 - There is no single range for the US, or any other country.
> Blocks are
> assigned as needed, somewhat at random.
> I would suspect that there would be several hundred, perhaps
> thousand, list segments in which you would find US service
> providers.
> 2- Some companies operate internationally, so for example an
> access site in Canada may have a 'US' listed source.
> 3 - You can get around this using proxy servers, so you can
> appear to be anywhere that there is an open proxy.
>
> There are other forms of security which will work much better.
> Consider implementing security in the server applications that
> they would be accessing.

Wanna add something, most of the shit originates in the US.
I know some people won't like this statement but the truth aint
nice.

arja

Re: Restrict access to US ip addresses only

on 15.05.2007 11:53:01 by firewallstarter

Stuart,
thanks for the info. Apologies if I have repeated a question which
was already discussed. My search of the groups didn't bear fruit so I
decided to post the question. It appears that it's not a runner if
the ip addresses are so disparate.
Thanks again,
FWS


On May 15, 12:02 am, "Stuart Miller" wrote:
> wrote in message
>
> news:1179167285.893314.247330@o5g2000hsb.googlegroups.com...
>
> > Hi all,
> > I have a firewall in the USA used for remote access by a small
> > group of sales people. These users roam all over the USA and access
> > this firewall from different locations, hotels/local dial up ISP
> > numbers, hot spots etc. Is there an access list which I can apply to
> > my firewall which will restrict access to the firewall to IP addresses
> > sourced from the USA only? It would be too much to hope that this is
> > a contiguous block of address but how unwieldy is it?
> > As always your help is appreciated.
> > Regards,
> > FWS
>
> This item was discussed at length in the html group a month or two ago. The
> consensus there was
> 1 - There is no single range for the US, or any other country. Blocks are
> assigned as needed, somewhat at random.
> I would suspect that there would be several hundred, perhaps thousand, list
> segments in which you would find US service providers.
> 2- Some companies operate internationally, so for example an access site in
> Canada may have a 'US' listed source.
> 3 - You can get around this using proxy servers, so you can appear to be
> anywhere that there is an open proxy.
>
> There are other forms of security which will work much better. Consider
> implementing security in the server applications that they would be
> accessing.
>
> Stuart
>
>
>

Re: Restrict access to US ip addresses only

on 15.05.2007 21:54:09 by ibuprofin

On 14 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1179167285.893314.247330@o5g2000hsb.googlegroups.com>,
firewallstarter@hotmail.com wrote:

>Is there an access list which I can apply to my firewall which will
>restrict access to the firewall to IP addresses sourced from the USA
>only?

Simple answer - no. Country data in the registration information refers
to the location where the company/individual making the registration is
located. It has NO connection with where the hosts might be physically
located. Example - the company I work for is registered in New York,
yet a traceroute to my computer disappears into a black hole with the
last location being a router near San Francisco. But I'm located near
Phoenix (350 miles/600 KM East of Los Angeles), and because we're a
large company with facilities in forty countries, the next subnet above
the one my computer uses is in France. This is not unusual.

There _are_ lists available that suggest that they list address (ranges)
by region or country. There is/was a windoze toy tool called "Visual
Traceroute" that entertained the feeble-minded droolers by displaying
a map that purported to show the path packets were taking from their
location to the "remote" host. A lot of the data is guesses, and a lot
is simply wrong.

>It would be too much to hope that this is a contiguous block of address
>but how unwieldy is it?

One month ago, the five Regional Internet Registries (AfriNIC, APNIC,
ARIN, LACNIC and RIPE) had 79862 assignments or allocations (the latter
being available for sub-assignment to customers) world wide. The US
was designated as the country of registry for 33087 of those, and the
other 46775 were scattered over 209 other "countries". Note that this
is just for IPv4, and ignores 1760 similar assignments and allocations
for IPv6. Both IPv4 and IPv6 are assigned with only the vaguest form of
order. For example, 129.x.y.z addresses are _registered_ in the following
countries:

[compton ~]$ zgrep -h ' 129\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 |
sort | uniq -c | column
5 AU 1 DK 3 JP 172 US
4 CA 42 EU 1 KR 1 VE
[compton ~]$

(many of those are universities) while 192.x.y.z is even worse:

[compton ~]$ zgrep -h ' 192\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 |
sort | uniq -c | column
1 AT 4 CN 1 GH 16 MX 3 SE
429 AU 1 CR 2 GT 80 MY 49 SG
1 BE 5 DE 13 HK 1 MZ 16 TH
3 BF 1 DK 4 ID 2 NI 1 TN
1 BM 1 DZ 4 IL 1 NL 85 TW
1 BN 29 EC 4 IN 93 NZ 7995 US
1 BO 1 EG 2 IT 1 PE 1 UY
38 BR 2530 EU 531 JP 1 PF 1 VE
912 CA 3 FI 24 KR 1 PG 201 ZA
2 CH 6 FR 1 LK 14 PH
8 CL 2 GA 1 MO 10 PR
[compton ~]$

Wondering what country "EU" is? Why that's the European Union of course.
To confuse things further, there are also blocks listed as "AP" which
means multiple countries in the Asia Pacific region (Afghanistan to
Pitcairn Island more or less, excluding the former Soviet Union). The
other codes are directly from the ISO-3166 standard.

What about blocking by "country code" in the hostname? This definitely
will NOT work, for a number of reasons - such as the fact that there are
a large number of network administrators who don't feel the rules
regarding rDNS (PTR records, or IP-to-hostname) apply to them, or are so
brain-dead they can not know or ask how to configure their DNS servers
to provide this data, or because (anti-US phobias to the contrary)
domains ending in .com, .net, .edu (and most others) are not restricted
to 'US only'.

>As always your help is appreciated.

Your best bet is strong authentication and encryption methods - probably
not very easy to implement given that you are talking about sales-monkeys.
I'm sure you can already hear them whining that a four letter password is
too difficult to remember. Good Luck.

Old guy

Re: Restrict access to US ip addresses only

on 16.05.2007 14:31:04 by RedForeman

On May 15, 3:54 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On 14 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
> <1179167285.893314.247...@o5g2000hsb.googlegroups.com>,
>
> firewallstar...@hotmail.com wrote:
> >Is there an access list which I can apply to my firewall which will
> >restrict access to the firewall to IP addresses sourced from the USA
> >only?
>
> Simple answer - no. Country data in the registration information refers
> to the location where the company/individual making the registration is
> located. It has NO connection with where the hosts might be physically
> located. Example - the company I work for is registered in New York,
> yet a traceroute to my computer disappears into a black hole with the
> last location being a router near San Francisco. But I'm located near
> Phoenix (350 miles/600 KM East of Los Angeles), and because we're a
> large company with facilities in forty countries, the next subnet above
> the one my computer uses is in France. This is not unusual.
>
> There _are_ lists available that suggest that they list address (ranges)
> by region or country. There is/was a windoze toy tool called "Visual
> Traceroute" that entertained the feeble-minded droolers by displaying
> a map that purported to show the path packets were taking from their
> location to the "remote" host. A lot of the data is guesses, and a lot
> is simply wrong.
>
> >It would be too much to hope that this is a contiguous block of address
> >but how unwieldy is it?
>
> One month ago, the five Regional Internet Registries (AfriNIC, APNIC,
> ARIN, LACNIC and RIPE) had 79862 assignments or allocations (the latter
> being available for sub-assignment to customers) world wide. The US
> was designated as the country of registry for 33087 of those, and the
> other 46775 were scattered over 209 other "countries". Note that this
> is just for IPv4, and ignores 1760 similar assignments and allocations
> for IPv6. Both IPv4 and IPv6 are assigned with only the vaguest form of
> order. For example, 129.x.y.z addresses are _registered_ in the following
> countries:
>
> [compton ~]$ zgrep -h ' 129\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 |
> sort | uniq -c | column
> 5 AU 1 DK 3 JP 172 US
> 4 CA 42 EU 1 KR 1 VE
> [compton ~]$
>
> (many of those are universities) while 192.x.y.z is even worse:
>
> [compton ~]$ zgrep -h ' 192\.' IP.ADDR/stats/[ALR]* | cut -d' ' -f1 |
> sort | uniq -c | column
> 1 AT 4 CN 1 GH 16 MX 3 SE
> 429 AU 1 CR 2 GT 80 MY 49 SG
> 1 BE 5 DE 13 HK 1 MZ 16 TH
> 3 BF 1 DK 4 ID 2 NI 1 TN
> 1 BM 1 DZ 4 IL 1 NL 85 TW
> 1 BN 29 EC 4 IN 93 NZ 7995 US
> 1 BO 1 EG 2 IT 1 PE 1 UY
> 38 BR 2530 EU 531 JP 1 PF 1 VE
> 912 CA 3 FI 24 KR 1 PG 201 ZA
> 2 CH 6 FR 1 LK 14 PH
> 8 CL 2 GA 1 MO 10 PR
> [compton ~]$
>
> Wondering what country "EU" is? Why that's the European Union of course.
> To confuse things further, there are also blocks listed as "AP" which
> means multiple countries in the Asia Pacific region (Afghanistan to
> Pitcairn Island more or less, excluding the former Soviet Union). The
> other codes are directly from the ISO-3166 standard.
>
> What about blocking by "country code" in the hostname? This definitely
> will NOT work, for a number of reasons - such as the fact that there are
> a large number of network administrators who don't feel the rules
> regarding rDNS (PTR records, or IP-to-hostname) apply to them, or are so
> brain-dead they can not know or ask how to configure their DNS servers
> to provide this data, or because (anti-US phobias to the contrary)
> domains ending in .com, .net, .edu (and most others) are not restricted
> to 'US only'.
>
> >As always your help is appreciated.
>
> Your best bet is strong authentication and encryption methods - probably
> not very easy to implement given that you are talking about sales-monkeys.
> I'm sure you can already hear them whining that a four letter password is
> too difficult to remember. Good Luck.
>
> Old guy

....good post... very good....

Re: Restrict access to US ip addresses only

on 27.07.2007 18:38:00 by phil-news-nospam

On Mon, 14 May 2007 23:02:42 GMT Stuart Miller wrote:

| 2- Some companies operate internationally, so for example an access site in
| Canada may have a 'US' listed source.

Some DHCP pools span countries. An IP used one day in one country may be
used in another country another day.

--
|---------------------------------------/------------------- ---------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-07-27-1137@ipal.net |
|------------------------------------/---------------------- ---------------|

Re: Restrict access to US ip addresses only

on 27.07.2007 18:40:01 by phil-news-nospam

On Tue, 15 May 2007 01:26:13 +0200 arja wrote:

| Wanna add something, most of the shit originates in the US.
| I know some people won't like this statement but the truth aint
| nice.

It's probably true. US is usually edging out China for being the biggest
source of spam. China may eventually win because it is growing while the
US has become stagnant. But growth does not mean all the users will be
running a safe OS.

--
|---------------------------------------/------------------- ---------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-07-27-1138@ipal.net |
|------------------------------------/---------------------- ---------------|

Re: Restrict access to US ip addresses only

on 27.07.2007 18:45:06 by phil-news-nospam

On Tue, 15 May 2007 14:54:09 -0500 Moe Trin wrote:

| What about blocking by "country code" in the hostname? This definitely
| will NOT work, for a number of reasons - such as the fact that there are
| a large number of network administrators who don't feel the rules
| regarding rDNS (PTR records, or IP-to-hostname) apply to them, or are so
| brain-dead they can not know or ask how to configure their DNS servers
| to provide this data, or because (anti-US phobias to the contrary)
| domains ending in .com, .net, .edu (and most others) are not restricted
| to 'US only'.

OTOH, blocking by lack of rDNS will definitely isolate you a bit more from
the most brain-dead administrator/managers. But that's not something easy
to do at the IP layer.

| Your best bet is strong authentication and encryption methods - probably
| not very easy to implement given that you are talking about sales-monkeys.
| I'm sure you can already hear them whining that a four letter password is
| too difficult to remember. Good Luck.

Especially combined with a knock-knock protocol to open the doors or just
don't respond at all if initial authentication fails.

Sales monkeys should have their computers installed and configured by geeks.
Those that screw them up afterwards need to take them back and have them
reinstalled and configured all over again, with a fresh new empty contacts
list :-)

--
|---------------------------------------/------------------- ---------------|
| Phil Howard KA9WGN (ka9wgn.ham.org) / Do not send to the address below |
| first name lower case at ipal.net / spamtrap-2007-07-27-1141@ipal.net |
|------------------------------------/---------------------- ---------------|

Re: Restrict access to US ip addresses only

on 28.07.2007 21:14:14 by ibuprofin

On 27 Jul 2007, in the Usenet newsgroup comp.security.firewalls, in article
, phil-news-nospam@ipal.net wrote:

>On Mon, 14 May 2007 23:02:42 GMT Stuart Miller wrote:
>
>| 2- Some companies operate internationally, so for example an access site
>| in Canada may have a 'US' listed source.
>
>Some DHCP pools span countries. An IP used one day in one country may be
>used in another country another day.

Cite, or example?

Old guy

Re: Restrict access to US ip addresses only

on 28.07.2007 21:15:15 by ibuprofin

On 27 Jul 2007, in the Usenet newsgroup comp.security.firewalls, in article
, phil-news-nospam@ipal.net wrote:

>On Tue, 15 May 2007 14:54:09 -0500 Moe Trin
> wrote:
>
>| What about blocking by "country code" in the hostname? This definitely
>| will NOT work, for a number of reasons - such as the fact that there are
>| a large number of network administrators who don't feel the rules
>| regarding rDNS (PTR records, or IP-to-hostname) apply to them, or are so
>| brain-dead they can not know or ask how to configure their DNS servers
>| to provide this data

>OTOH, blocking by lack of rDNS will definitely isolate you a bit more from
>the most brain-dead administrator/managers. But that's not something easy
>to do at the IP layer.

_Allowing_ by IP range is often a lot simpler. Given that the five RIRs
currently have 81642 IP blocks assigned/allocated, totalling some 2.509e9
IPv4 addresses in 210 countries (plus a mere 1863 enormous blocks of IPv6
- 1780 allocations and 83 direct assignments - in 111 countries), you
really do have to think your access control scheme through carefully.

>| Your best bet is strong authentication and encryption methods - probably
>| not very easy to implement given that you are talking about sales-monkeys.
>| I'm sure you can already hear them whining that a four letter password is
>| too difficult to remember. Good Luck.
>
>Especially combined with a knock-knock protocol to open the doors or just
>don't respond at all if initial authentication fails.

Given brane-ded sales-monkeys, you've probably automated that if you are
going to avoid a lot of whining. Of course, they'll still wind up putting
passwords, usernames, hostnames and port numbers on sticky-notes (which
they will lose/misplace anyway)

>Sales monkeys should have their computers installed and configured by
>geeks. Those that screw them up afterwards need to

be shot along with the f*cking IDIOT that gave them privileged access to
be able to do this. Contrary to the whining of the average user, you do
not need 'administrator' or 'root' access. PERIOD. Fix your installs, or
get the job you are qualified for at McBurger-in-a-box.

>take them back and have them reinstalled and configured all over again,

Actually, we routinely wipe and reinstall ANY box that's been off
premises that re-enters the building. We don't have outside sales
monkeys here, and we RARELY allow hardware to go walkies, so it's a bit
less traumatic.

>with a fresh new empty contacts

First two times only. Third time, the computer goes out with a
replacement sales-monkey.

Old guy

Re: Restrict access to US ip addresses only

on 28.07.2007 22:19:32 by Stuart Miller

"Moe Trin" wrote in message
news:slrnfan5c4.jq4.ibuprofin@compton.phx.az.us...
> On 27 Jul 2007, in the Usenet newsgroup comp.security.firewalls, in
> article
> , phil-news-nospam@ipal.net wrote:
>
>>On Mon, 14 May 2007 23:02:42 GMT Stuart Miller
>>wrote:
>>
>>| 2- Some companies operate internationally, so for example an access site
>>| in Canada may have a 'US' listed source.
>>
>>Some DHCP pools span countries. An IP used one day in one country may be
>>used in another country another day.
>
> Cite, or example?
>
> Old guy

I am in Canada. When I log in to Yahoo from one computer it recognizes
me as Canadian, from another it thinks I am Australian.
Netscape and AOL dialup are also good examples of 'international' IP
numbers.

Stuart

Re: Restrict access to US ip addresses only

on 30.07.2007 00:07:48 by ibuprofin

On Sat, 28 Jul 2007, in the Usenet newsgroup comp.security.firewalls, in
article , Stuart Miller wrote:

>"Moe Trin" wrote

>> phil-news-nospam@ipal.net wrote:

>>>Some DHCP pools span countries. An IP used one day in one country may be
>>>used in another country another day.
>>
>> Cite, or example?

>I am in Canada. When I log in to Yahoo from from one computer it
>recognizes me as Canadian, from another it thinks I am Australian.

Not knowing what address you are talking about, I can't say. While
Oz and Canada have IP addresses spread all over (this shows the first
octet):

[compton ~]$ zgrep -h CA A* | cut -d' ' -f2 | cut -d'.' -f1 | sort -un |
column
24 67 75 132 140 154 161 170 207
41 68 76 134 141 155 162 192 208
47 69 99 135 142 156 163 198 209
63 70 128 136 144 157 164 199 216
64 71 129 137 146 158 165 204
65 72 130 138 148 159 167 205
66 74 131 139 149 160 168 206
[compton ~]$ ^CA^AU
zgrep -h AU A* | cut -d' ' -f2 | cut -d'.' -f1 | sort -un | column
58 121 130 139 148 156 163 170 211
59 122 131 140 149 157 164 192 216
60 123 132 141 150 158 165 198 218
61 124 134 143 151 159 166 202 219
64 125 136 144 152 160 167 203 220
116 128 137 146 153 161 168 204 221
117 129 138 147 155 162 169 210
[compton ~]$

and both share areas in the former "Class B" and "Class C" space (and
one lone block in 64/8 for Oz), none overlap, and it's ONLY in 192/8 and
198/8 that there are even a few assignments that are adjacent.

>Netscape and AOL dialup are also good examples of 'international' IP
>numbers.

Yes, and there are others, and about the only time I can think of them
handing out the same address in two countries is when you are talking
about situations like the PoP at Detroit, Michigan or Windsor, Ontario
or similar cross/border situations. I think that's uncommon enough, and
we block both Netscape and AOL anyway.

Old guy
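Moe's zgrep pipelines (the per-country counts inside 129/8 and 192/8 earlier in the thread, and the CA/AU first-octet listing just above) run against his own preprocessed copies of the registry statistics. As an added example that is not any poster's code, the script below does the same analysis over the public RIR delegated-stats format (assumed here to be registry|cc|type|start|value|date|status, pipe-delimited, with '*' summary lines) on constructed sample records, and also shows how many prefixes a "US only" allow-list would actually need.

```python
"""Parse RIR delegated-stats records and measure how fragmented a
per-country IPv4 allow-list is.  Added example, not code from the thread;
assumes the delegated-* file format (registry|cc|type|start|value|date|status)
and uses constructed sample records instead of a real download."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in delegated-stats format; values are illustrative only.
SAMPLE = """\
2|arin|20070714|10|19840101|20070713|-0400
arin|*|ipv4|*|10|summary
arin|US|ipv4|129.0.0.0|65536|19840101|assigned
arin|US|ipv4|129.1.0.0|65536|19840101|assigned
arin|CA|ipv4|129.2.0.0|65536|19850301|assigned
ripencc|EU|ipv4|129.3.0.0|65536|19900101|assigned
apnic|AU|ipv4|129.4.0.0|65536|19910101|assigned
arin|US|ipv4|129.5.0.0|65536|19860101|assigned
arin|US|ipv4|192.0.32.0|8192|20040101|allocated
apnic|JP|ipv4|192.16.0.0|1024|19950101|assigned
arin|CA|ipv4|192.16.4.0|1024|19950101|assigned
arin|US|ipv4|192.16.8.0|512|19950101|assigned
"""


def parse_delegated(text):
    """Yield (cc, first_octet, network) for each ipv4 record.
    The version header, '*' summary lines and non-ipv4 records are skipped.
    'value' is an address count and need not be a power of two, so a record
    may expand to several CIDR prefixes."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 5 or f[1] == "*" or f[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(f[3])
        last = start + (int(f[4]) - 1)
        for net in ipaddress.summarize_address_range(start, last):
            yield f[1], int(f[3].split(".")[0]), net


def blocks_by_country(text, first_octet):
    """Prefix count per country code inside one /8: the equivalent of the
    zgrep | cut | sort | uniq -c pipeline in the thread."""
    c = Counter()
    for cc, octet, _net in parse_delegated(text):
        if octet == first_octet:
            c[cc] += 1
    return dict(c)


def first_octets_by_country(text):
    """Sorted list of first octets in which each country holds any block."""
    d = defaultdict(set)
    for cc, octet, _net in parse_delegated(text):
        d[cc].add(octet)
    return {cc: sorted(v) for cc, v in d.items()}


def allow_list(text, cc):
    """CIDR prefixes registered to `cc`, merged where adjacent.  The length
    of this list is the number of firewall rules a country filter needs."""
    nets = [n for c, _o, n in parse_delegated(text) if c == cc]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def country_of(text, ip):
    """Registry country for an address, or None if it is not delegated in the
    data.  Note this is the registrant's country, not the host's location."""
    addr = ipaddress.IPv4Address(ip)
    for cc, _o, net in parse_delegated(text):
        if addr in net:
            return cc
    return None


if __name__ == "__main__":
    print("129/8 by country:", blocks_by_country(SAMPLE, 129))
    print("first octets:", first_octets_by_country(SAMPLE))
    print("US allow-list:", allow_list(SAMPLE, "US"))
    print("129.2.5.6 ->", country_of(SAMPLE, "129.2.5.6"))
```

Even on this tiny sample the US entries inside 129/8 are interleaved with CA, EU and AU blocks, so the allow-list cannot be a single range; on the real files it runs to thousands of prefixes.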

Re: Restrict access to US ip addresses only

on 03.08.2007 23:13:27 by Holger Petersen

ibuprofin@painkiller.example.tld (Moe Trin) writes:

>>Some DHCP pools span countries. An IP used one day in one country may be
>>used in another country another day.

>Cite, or example?

The " 44.x.y.z " - Range is international (although not much connected :-(

Already mentioned was AOL, but Compuserve-Users were (are?) another
example.

Yours, Holger ( dg3lp.ampr.org :-)

Re: Restrict access to US ip addresses only

on 03.08.2007 23:41:43 by Jens Hoffmann

Hi,

Holger Petersen wrote:
> Already mentioned was AOL, but Compuserve-Users were (are?) another
> example.

Got another one: Roadwarriors using 00800 to dial in to their home VPNs.

Cheers,
Jens

Re: Restrict access to US ip addresses only

on 04.08.2007 23:04:22 by ibuprofin

On Fri, 3 Aug 2007, in the Usenet newsgroup comp.security.firewalls, in article
, Holger Petersen wrote:

>ibuprofin@painkiller.example.tld (Moe Trin) writes:
>
>>> Some DHCP pools span countries. An IP used one day in one country
>>> may be used in another country another day.
>
>>Cite, or example?
>
>The " 44.x.y.z " - Range is international (although not much connected :-(

Re-read Phil's statement above - "An IP used one day in one country may
be used in another country another day". While 44.0.0.0/8 (and others)
may be located in many countries, I don't believe that the _same_ address
(such as XX.22.11.88) is going to be handed out to different countries
(excepting a cross-border PoP such as the previously cited Detroit,
Michigan, USA / Windsor, Ontario, Canada or similar). DHCP is supposed
to be on a "local" segment, although RFC1542 allows for BOOTP Relay Agents,
but I've never seen anything like a DHCP server located in one country
serving DHCP clients in another, and assigning addresses such that
XX.22.11.88 is a host in Germany today, and may be a completely different
host in Japan tomorrow. That was what I am inquiring about.

>Already mentioned was AOL, but Compuserve-Users were (are?) another
>example.

My company is another - as are a number of larger industrial entities
such as Ford, HP, or EADS. However, within those entities, the subnet
addresses are pretty well fixed - such that 198.18.200.3 (netmask
255.255.252.0) is in the Berlin Office's subnet, while 198.18.204.22 is
the web server for the cafeteria in the Tokyo facility. Subnets (and
hosts within those subnets) don't move much. We've got seven /22 subnets
in the facility I work in, which are scattered through a "large" network
assignment. The subnet above the one I'm on (in Arizona, USA) is located
in France, while the subnet below is in New York. Not how I'd lay out
the networks (as the routers have to know about all, rather than a
classless situation such as "this /20" here versus "that /19" in $FOO, or
"the other /21" in $BAR and so on) but it's been working for over twenty
years. Until you get IPv6 running, the routing issues of dynamic hosts
are just too much of a hassle. (Personally, they are even with IPv6, but
that's another issue entirely.)

Old guy