Am I paranoid, or are corporate firewalls censoring entire countries? [closed]

security networking firewall

Recently, in the last year or so, I have noticed that it seems more and more difficult to reach certain kinds of sites, especially those in non-favored nations like Iran or Russia.

For example, just now I tried to reach the web site of the Russian Ministry of Defense (http://eng.mil.ru/en/index.htm), a site that I have legitimate business-related reasons for visiting, and it timed out. I tried the same site via a European proxy and had no problem connecting. I then tried a tracert and this was the result:

enter image description here

My interpretation of this is that the IP is being blocked by the company firewall. I asked our IT department what is the IP blocking policy for the network and was told that the policy is not determined by our company, but by the firewall service provider and that it is "secret and proprietary" to the provider and that they (meaning IT) had no control over that policy.

What is the story here? Are firewall product vendors just blanket blocking entire countries?

Just for giggles I decided to try different countries to see what would happen:

Finland       ok
Poland        ok
Russia        blocked
Ukraine       blocked
Estonia       blocked
Turkey        blocked
Saudi Arabia  blocked
Afghanistan   ok
Iraq          blocked
Georgia       ok
Armenia       blocked
Uzbekistan    ok

Alright, so I can visit web sites in Uzbekistan and Georgia, but not those in Armenia or the Ukraine? Who is making up this logic?


I've seen a variety of vendors doing content filtering based on country of origin. China and Russia are usually the ones with filtering turned on by default, or at least have some kind of alerting set up. This is because those are often sources of malware attacks. I don't buy line that your IT department has no control over it. Any vendor worth its salt would let you modify the default settings on its products.


This is likely not done at the level of the IDS/IPS, but rather at the firewall level (Via IP list blocking, sort of less effective) or the routing level with a method known as selective blackholing (Strongly effective and blocks the route from even coming through to your router at all).

The rationale behind this is unclear - probably because the countries you listed are often sources of attacks, though really not more than the US, and determined attackers would just go ahead and circumvent anyways in that case... Could be that if you're working in a large enough organization that -they're paranoid- somehow themselves about threats from IPs originating from there. Either way it's kind of a stopgap security measure for many intents and purposes, and you have nothing to be noid about yourself. Tunnel or proxy out!


It's perfectly possible to use IP geo-location to block IP address ranges associated with certain countries. There's a lot of debate about how effective it is and I certainly wouldn't suggest blindly turning it on to anyone, but it's up to a business to determine for itself whether or not it has legitimate business with companies originating from a particular area and therefore what the risks are of blocking address ranges associated with that area are vs. the risks of not blocking those addresses.

While geo-blocking won't stop determined attackers, it does increase the complexity of attacking your network from this location (and keep in mind this might mean botnet members from that location) and this might also reduce the amount of "background noise" from casual attackers & script kiddies, making it easier to see the more determined attacks.

enter image description here This example is from a Sonicwall Knowledge Base article on how to set these kinds of filters up.

In any case, if you have a business need to connect to a business in a blocked country, I don't suggest trying to sneak around the firewall as suggested in other answers, but rather to make this a management issue: talk to your manager, get them to speak to the IT department manager and make it clear that there's a business requirement to allow such access. It's highly unlikely that there's no way to configure these kinds of blocks, and on the off-chance that there is some kind of security incident and your attempts to work around blocks that are part of the corporate IT policy are detected, you're highly likely to be left holding the blame for the security breach.

Related

Why is VIM starting in replace mode?
Rule "Restart computer" failed when installing SQL Server 2008
How much swap is a given Mac application using?
Starting Ubuntu without the GUI
Do you have to install DOS 6.22 before installing Windows 3.0?
SSH Basics on Vagrant VMs
Equivalent of bash's Ctrl-r in PowerShell
I've disabled both my keyboard and mouse drivers, any way to enable them back via bmr?
Xcode 8 - Missing Files warnings
reStructuredText tool support
Jackson databind enum case insensitive
How to exclude certain messages by TAG name using Android adb logcat?