SRX Services Gateway
Contributor
OKCubsFan
Posts: 12
Registered: 08-19-2008

Block all traffic from countries outside the US?

As a network admin for a local government agency, there is really no reason for us to be receiving any traffic from China, Russia, Brazil, etc. In light of all the common problems every organization has with viruses, spam, and hackers originating from these countries, what drawback would there be to creating a firewall filter on our ingress interface to discard all traffic originating from these countries? Or would it be more efficient to create a filter to allow all traffic from the US and then discard the rest? Is this sort of approach becoming more common now? What kind of performance impact could I possibly see on our SRX650 with a filter like this? Any feedback on this would be greatly appreciated. Thanks.
Recognized Expert
Dominik
Posts: 392
Registered: 01-05-2008

Re: Block all traffic from countries outside the US?

Hi,

imho you have to deal with the databases of ARIN, RIPE, APNIC, etc. You can bulk download these databases and compile a prefix list indexed by AS. Every AS is registered to a specific country and can be used as a drop or allow criterion. If you receive a full BGP feed, you could filter directly on the AS; otherwise you have to go over the associated prefixes through the route object.

Drawbacks of that method are ISPs with a multinational presence like AOL, and that you have to update the list on a regular basis.

Regards,
Dominik
JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
Contributor
OKCubsFan
Posts: 12
Registered: 08-19-2008

Re: Block all traffic from countries outside the US?

Thanks for that idea. The problem we have is that we use our state government as our primary ISP, so we have no control over our ISP in that sense. We do have our own class C IP range that we manage, and it routes through the state as well.

Recognized Expert
Dominik
Posts: 392
Registered: 01-05-2008

Re: Block all traffic from countries outside the US?

But you could compile a prefix list based on the RIR databases and apply a firewall filter (aka ACL) with action discard, provided that the associated AS is not in the US. Then apply this ACL on the ingress interface pointing to your upstream ISP. It just means a parsing job to periodically download the DBs and parse them, build the prefix list and update your config.
JNCIE et al.

--
The Axiom of Choice is obviously true, the well-ordering principle obviously false, and who can tell about Zorn's lemma?
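One way to automate the periodic parse-and-build step Dominik describes, as an added example that is not from the thread: it reads the RIR delegated-stats format (registry|cc|type|start|value|date|status), which already carries a country code per allocation, so it matches on country directly instead of walking AS route objects, and emits Junos set-commands for a prefix-list plus an ingress filter that counts and discards matching sources. The sample records are constructed, and the prefix-list and filter names are placeholders.

```python
"""Build a Junos prefix-list of non-US IPv4 allocations from RIR delegated-stats data."""
import ipaddress
from typing import Iterable, List

# Constructed sample in the RIR delegated-stats format:
# registry|cc|type|start|value|date|status   (value = number of addresses for ipv4)
SAMPLE_DELEGATED = """\
2|apnic|20130101|6|19830613|20121231|+1000
apnic|*|ipv4|*|3|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.2.0|512|20110414|allocated
apnic|AU|ipv4|1.0.0.0|256|20110811|assigned
arin|US|ipv4|8.8.8.0|256|19920101|allocated
ripencc|RU|ipv4|5.8.0.0|1024|20100601|allocated
ripencc|RU|ipv6|2a00:1450::|32|20080101|allocated
lacnic|BR|ipv4|200.0.0.0|768|20050301|allocated
"""

def non_domestic_prefixes(lines: Iterable[str], home_cc: str = "US") -> List[str]:
    """Return collapsed CIDR prefixes for every IPv4 allocation not registered to home_cc.

    The 'value' field is an address count, not a prefix length, and need not be a
    power of two, so each range is summarized into the minimal set of CIDR blocks.
    """
    nets = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Skip the version header, the per-registry summary rows and non-IPv4 records.
        if len(fields) < 7 or fields[2] != "ipv4":
            continue
        cc, start, count = fields[1].upper(), fields[3], int(fields[4])
        if cc == home_cc:
            continue
        first = ipaddress.IPv4Address(start)
        nets.extend(ipaddress.summarize_address_range(first, first + (count - 1)))
    # Adjacent blocks are merged so the prefix-list stays as short as possible.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def junos_filter_config(prefixes: List[str], filter_name: str = "drop-non-us",
                        list_name: str = "non-us-v4") -> str:
    """Render set-commands: a prefix-list and an inet filter that counts and discards
    matching source addresses, then accepts everything else (names are placeholders)."""
    out = [f"set policy-options prefix-list {list_name} {p}" for p in prefixes]
    term = f"set firewall family inet filter {filter_name} term"
    out += [f"{term} block from source-prefix-list {list_name}",
            f"{term} block then count {list_name}-drops",
            f"{term} block then discard",
            f"{term} allow-rest then accept"]
    return "\n".join(out)
```

The generated filter still has to be applied with `set interfaces <ifd> unit <n> family inet filter input drop-non-us` on the upstream-facing interface, and re-running the script against a fresh delegated-stats download is the periodic update Dominik mentions.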
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.