Blocking foreign countries

mialbert
Level 1

We want to block foreign countries by IP blocks. I am wondering if anybody has blocked foreign countries this way. I went to http://www.find-ip-address.org/ip-country/ and noticed that China alone has 60 pages of IP blocks. I would be doing this in both ISRs and ASAs. Has anyone done such a thing with these?

6 Replies

Leo Laohoo
Hall of Fame

You're not the first I've seen to ask this question in the last three months.  Try this:

https://www.countryipblocks.net/country_selection.php

Marvin Rhoads
Hall of Fame

In addition to the method Leo suggests, you can also find this built in as a feature in most IPSs. They use a geolocation database lookup as part of the subscription service to keep the listing up to date. Such a feature adds to the value proposition of installing an IPS (if you haven't already).

Happy New Year Marvin.

Out of curiosity, do you think ISPs can do a country block for a client like, for example, you?

Happy New Year to you too, Leo.

I was referring to an Intrusion Prevention System (IPS) not an Internet Service Provider (ISP). I don't think Cisco's exposes this information directly but HP does with the TippingPoint products. Both vendors use the concept of reputation - Cisco via the Global Correlation database and HP with the Reputation Digital Vaccine feature. HP's Rep DV specifically includes origin country as a field in the database.

In any case, either of those vendors will advise you to focus more on observed behavior rather than country of origin. The hacker is as likely to be launching attacks from compromised systems thousands of miles from home as they are from their home base country.

Thanks Marvin.

We haven't gone down this road yet but this topic may pop up some time this year. 

mialbert
Level 1

Leo's method looks interesting, but my concern is the amount of extra inbound packet processing that the ISRs/ASAs will have to do with an ACL to block these countries. The devices I'd be doing this on would mostly be Gen2 ISRs (1900s), some 1800s and a 5510 ASA. Should this be a concern?
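The original question (turning a country's IP block list into ISR/ASA configuration) and the follow-up concern about ACL size both come down to the same thing: how many entries end up in the ACL. Geo-IP feeds routinely list overlapping and adjacent ranges, so collapsing them into the minimal set of covering prefixes before generating configuration is the first thing to do. The script below is an added example, not code from the thread or from Cisco; the block list in it is constructed for illustration (a real one would come from a feed such as the sites linked above), and the object-group and ACL names are placeholders.

```python
"""Collapse a country IP block list into the fewest prefixes and render
Cisco ASA and IOS ACL configuration from it.

Added example, not from the thread. SAMPLE_BLOCKS is constructed data in
the two shapes geo-IP feeds commonly emit: CIDR and "start - end" ranges.
"""
import ipaddress

# Constructed sample: deliberately overlapping and adjacent ranges so the
# effect of collapsing is visible (6 input entries -> 3 prefixes).
SAMPLE_BLOCKS = """
# comment lines and blanks are ignored
203.0.113.0/25
203.0.113.128/25
198.51.100.0/24
198.51.100.64/26
192.0.2.0 - 192.0.2.255
192.0.2.128/25
"""


def parse_blocks(text):
    """Return IPv4Network objects parsed from CIDR or 'start - end' lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "-" in line:
            # A start-end range may need several prefixes to cover it exactly.
            start, end = (p.strip() for p in line.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
        else:
            # strict=False tolerates feeds that list host bits (e.g. 10.1.1.1/24).
            nets.append(ipaddress.IPv4Network(line, strict=False))
    return nets


def collapse(nets):
    """Merge overlapping and adjacent prefixes into the minimal covering set.

    ipaddress.collapse_addresses removes prefixes contained in others and
    joins adjacent siblings into their parent, returning them sorted.
    """
    return list(ipaddress.collapse_addresses(nets))


def render_asa(nets, group_name="GEO_BLOCK", acl_name="outside_in"):
    """ASA syntax: one object-group plus a single deny ACE that references it.

    The existing permit rules of the interface ACL follow this deny ACE; they
    are intentionally not generated here.
    """
    lines = [f"object-group network {group_name}"]
    for net in nets:
        lines.append(f" network-object {net.network_address} {net.netmask}")
    lines.append(
        f"access-list {acl_name} extended deny ip object-group {group_name} any")
    return "\n".join(lines)


def render_ios(nets, acl_name="GEO_BLOCK"):
    """IOS syntax: a named extended ACL with one deny ACE per prefix (wildcard masks)."""
    lines = [f"ip access-list extended {acl_name}"]
    for net in nets:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" remark remaining permit entries go here")
    return "\n".join(lines)


def ace_counts(text):
    """Return (entries in the feed, prefixes after collapsing) for sizing the ACL."""
    parsed = parse_blocks(text)
    return len(parsed), len(collapse(parsed))


if __name__ == "__main__":
    before, after = ace_counts(SAMPLE_BLOCKS)
    print(f"feed entries: {before}, prefixes after collapse: {after}")
    print(render_asa(collapse(parse_blocks(SAMPLE_BLOCKS))))
    print(render_ios(collapse(parse_blocks(SAMPLE_BLOCKS))))
```

Run it against a real feed by replacing SAMPLE_BLOCKS with the file contents; the before/after counts tell you how many ACEs the device will actually carry. On the ASA, `show access-list` reports the expanded ACE count of an object-group ACL, which is the number that matters for the processing question raised above. Collapsing also only helps as much as the feed's fragmentation allows: a country allocated thousands of non-adjacent /24s stays thousands of entries, which is the point at which a subscription geolocation feature on an IPS, as Marvin notes, is the more maintainable route.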
