Am I paranoid, or are corporate firewalls censoring entire countries? [closed]
Recently, in the last year or so, I have noticed that it seems more and more difficult to reach certain kinds of sites, especially those in non-favored nations like Iran or Russia.
For example, just now I tried to reach the web site of the Russian Ministry of Defense (http://eng.mil.ru/en/index.htm), a site that I have legitimate business-related reasons for visiting, and it timed out. I tried the same site via a European proxy and had no problem connecting. I then tried a tracert and this was the result:
My interpretation of this is that the IP is being blocked by the company firewall. I asked our IT department what is the IP blocking policy for the network and was told that the policy is not determined by our company, but by the firewall service provider and that it is "secret and proprietary" to the provider and that they (meaning IT) had no control over that policy.
What is the story here? Are firewall product vendors just blanket blocking entire countries?
Just for giggles I decided to try different countries to see what would happen:
Finland ok
Poland ok
Russia blocked
Ukraine blocked
Estonia blocked
Turkey blocked
Saudi Arabia blocked
Afghanistan ok
Iraq blocked
Georgia ok
Armenia blocked
Uzbekistan ok
Alright, so I can visit web sites in Uzbekistan and Georgia, but not those in Armenia or the Ukraine? Who is making up this logic?
I've seen a variety of vendors doing content filtering based on country of origin. China and Russia are usually the ones with filtering turned on by default, or at least have some kind of alerting set up. This is because those are often sources of malware attacks. I don't buy the line that your IT department has no control over it. Any vendor worth its salt would let you modify the default settings on its products.
This is likely not done at the level of the IDS/IPS, but rather at the firewall level (Via IP list blocking, sort of less effective) or the routing level with a method known as selective blackholing (Strongly effective and blocks the route from even coming through to your router at all).
The rationale behind this is unclear - probably because the countries you listed are often sources of attacks, though really not more than the US, and determined attackers would just go ahead and circumvent anyways in that case... Could be that if you're working in a large enough organization that they're paranoid somehow themselves about threats from IPs originating from there. Either way it's kind of a stopgap security measure for many intents and purposes, and you have nothing to be noid about yourself. Tunnel or proxy out!
It's perfectly possible to use IP geo-location to block IP address ranges associated with certain countries. There's a lot of debate about how effective it is and I certainly wouldn't suggest blindly turning it on to anyone, but it's up to a business to determine for itself whether or not it has legitimate business with companies originating from a particular area and therefore what the risks of blocking address ranges associated with that area are vs. the risks of not blocking those addresses.
While geo-blocking won't stop determined attackers, it does increase the complexity of attacking your network from this location (and keep in mind this might mean botnet members from that location) and this might also reduce the amount of "background noise" from casual attackers & script kiddies, making it easier to see the more determined attacks.
This example is from a Sonicwall Knowledge Base article on how to set these kinds of filters up.
In any case, if you have a business need to connect to a business in a blocked country, I don't suggest trying to sneak around the firewall as suggested in other answers, but rather to make this a management issue: talk to your manager, get them to speak to the IT department manager and make it clear that there's a business requirement to allow such access. It's highly unlikely that there's no way to configure these kinds of blocks, and on the off-chance that there is some kind of security incident and your attempts to work around blocks that are part of the corporate IT policy are detected, you're highly likely to be left holding the blame for the security breach.
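The two answers above describe geo-IP blocking as an IP-list policy on the firewall plus the recommendation to handle legitimate business destinations as explicit exceptions rather than by working around the block. The following is an added example (not code from either answerer, nor from the SonicWall article they mention) showing how such a policy can be modelled: a longest-prefix geo-IP lookup over a table, a country block list, and a business-exception allowlist that is checked before the country rule so that a documented need like the questioner's can be granted without turning the whole country off. The address ranges come from the RFC 5737 / RFC 3849 documentation blocks and the country codes mapped to them are constructed for illustration only; a real deployment would load the vendor's geo-IP database instead.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed geo-IP table. The prefixes are the documentation/test ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32), and the
# country codes attached to them are made up for this example.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "UA"),
    (ipaddress.ip_network("203.0.113.0/24"), "FI"),
    (ipaddress.ip_network("2001:db8::/32"), "AM"),
]


@dataclass
class GeoPolicy:
    """Country-level block list plus explicit per-host/per-network exceptions."""
    blocked_countries: set
    # Networks (or /32 hosts) that a business owner has approved; these win
    # over the country rule so one partner site does not require unblocking
    # an entire country.
    business_exceptions: set = field(default_factory=set)


def lookup_country(ip_str, table=GEOIP_TABLE):
    """Return the country code of the most specific matching prefix, or None."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, cc in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def decide(ip_str, policy, table=GEOIP_TABLE):
    """Return (verdict, reason) for a destination address under the policy."""
    ip = ipaddress.ip_address(ip_str)
    # 1. Approved business destinations are allowed regardless of country.
    for allowed in policy.business_exceptions:
        if ip.version == allowed.version and ip in allowed:
            return ("allow", f"business exception {allowed}")
    # 2. Otherwise fall back to the country rule.
    cc = lookup_country(ip_str, table)
    if cc is None:
        return ("allow", "no geo data for address")
    if cc in policy.blocked_countries:
        return ("block", f"country {cc} is on the block list")
    return ("allow", f"country {cc} is not blocked")


def apply_policy(destinations, policy, table=GEOIP_TABLE):
    """Evaluate a batch of destinations; returns {ip: (verdict, reason)}."""
    return {dest: decide(dest, policy, table) for dest in destinations}


if __name__ == "__main__":
    policy = GeoPolicy(
        blocked_countries={"RU", "UA", "AM"},
        # Hypothetical approved partner host inside an otherwise blocked range.
        business_exceptions={ipaddress.ip_network("192.0.2.10/32")},
    )
    sample = ["192.0.2.10", "192.0.2.11", "198.51.100.7",
              "203.0.113.5", "2001:db8::1", "10.0.0.1"]
    for dest, (verdict, reason) in apply_policy(sample, policy).items():
        print(f"{dest:16} {verdict:5} {reason}")
```

Checking the exception before the geo lookup is the point: the block list stays in place for the rest of the country, and the one approved destination is recorded in policy where an auditor or incident responder can see why the traffic was permitted.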