Firewall that blocks connections by country?
19 years 7 months ago #8153
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Firewall that blocks connections by country?
Hmm, y'know, perhaps it might be worth your while to consider not using the firewall as a mechanism for access control...
The reason is simple... the basic concept of a firewall is that it either allows or doesn't allow. This means that you need to
a) Know *precisely* what you're allowing in, or *precisely* what you're denying
b) Have a security policy which decides this beforehand, as you cannot decide on the fly
The task you're attempting is very administratively intensive - not to mention I haven't a clue how these personal firewalls will react to huge rule sets... they were not designed for performance... this is especially true of the Windows XP SP2 firewall.
I suggest you add some authentication mechanism to the application you're using. Make it something that you can rely on... IP addresses are a bad way to authorize individuals, and geographic location is even worse.
A quote from 'Firewalls & Internet Security' comes to mind: if you have more than around 30 rules (even in a large enterprise) you're doing something too complicated.
Just imagine, each of those rules represents a policy decision... there are very few places where a firewall needs to implement 30 different business decisions.
Think outside the box.
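Added example, not part of sahirh's post or of any Firewall.cx code: a small Python script that puts the two approaches he contrasts side by side. One function authorizes a request purely from the source address and a guessed country; the other checks a credential the application itself verifies. The geo table, the addresses, the shared secret and the requests are all constructed for the demonstration, and the HMAC token is a minimal stand-in for a real login/session scheme (no expiry, no random session id). The point it shows is the one in the post: a country rule lets in anyone who shares the "right" address range and locks out a legitimate user who happens to connect from elsewhere, while application-level authentication gets both cases right.

```python
"""Source-IP / country authorization versus application authentication.

Added example, not from the original post. All data below is constructed:
the geo table is two made-up prefixes, the secret is a placeholder, and the
requests are hand-built to exercise each outcome.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed geo lookup table. A real country database is tens of thousands
# of prefixes and changes constantly, which is the administrative load (and
# the firewall rule-set size) the post warns about.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",   # "home" country
    ipaddress.ip_network("198.51.100.0/24"): "YY",  # some other country
}
ALLOWED_COUNTRIES = {"XX"}

# Placeholder application secret; a real deployment keeps this out of source.
APP_SECRET = b"constructed-demo-secret-do-not-reuse"


@dataclass(frozen=True)
class Request:
    src_ip: str   # address as seen by the application
    user: str     # claimed identity
    token: str    # credential presented by the client


def country_of(ip: str):
    """Return the country code for ip from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None


def allow_by_country(req: Request) -> bool:
    """The firewall-style decision: allow or deny from the address alone."""
    return country_of(req.src_ip) in ALLOWED_COUNTRIES


def issue_token(user: str) -> str:
    """Minimal credential: HMAC-SHA256 of the username under the app secret.
    Stands in for a real session token; it deliberately omits expiry/nonce."""
    return hmac.new(APP_SECRET, user.encode(), hashlib.sha256).hexdigest()


def allow_by_auth(req: Request) -> bool:
    """The application-level decision: does the presented token verify?
    compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(issue_token(req.user), req.token)


def decide(req: Request):
    """Return (country_rule_allows, authentication_allows) for one request."""
    return allow_by_country(req), allow_by_auth(req)


# Constructed requests covering the four combinations.
ALICE_TOKEN = issue_token("alice")
REQUESTS = {
    # legitimate user, from the allowed country: both mechanisms agree
    "alice_home": Request("203.0.113.5", "alice", ALICE_TOKEN),
    # same user travelling / behind a foreign NAT: geo rule wrongly denies
    "alice_abroad": Request("198.51.100.7", "alice", ALICE_TOKEN),
    # attacker in the allowed country claiming to be alice: geo rule wrongly allows
    "mallory_same_country": Request("203.0.113.9", "alice", "not-a-valid-token"),
    # attacker from an address the geo table does not know at all
    "mallory_unknown": Request("192.0.2.44", "alice", "not-a-valid-token"),
}

if __name__ == "__main__":
    for name, req in REQUESTS.items():
        geo_ok, auth_ok = decide(req)
        print(f"{name:22s} src={req.src_ip:14s} country_rule={geo_ok!s:5s} auth={auth_ok}")
```

Running the script prints one line per constructed request; the two mismatched rows (legitimate user denied, attacker allowed) are exactly the failure modes of treating a source address or its country as an identity.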