How to block non-U.S. IP ranges

[Icepick]

I'm tasked with configuring my company's firewall. Our business model is such that there should be nobody accessing our website from outside of the U.S. To lock down the firewall as much as possible I'd like to configure it to block all IP address ranges that originate from outside of North America. Is there a way to find out what these are so that I can create a policy that would implicitly deny traffic originating from outside North America?

 

[cpals]

http://www.countryipblocks.net/ ?

 

[Emulex]

you sure that is wise? We have alot of US based customers that route everything back to the motherland including email?

 

[Railgun]

Perhaps start here...

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

...and block non -ARIN assigned/managed numbers (anything assigned to RIPE, APNIC, etc)

The likes of netflix, hulu and others do similar things to block non-us users from seeing content. Perhaps you can get in touch with a technical contact there.

 

[Icepick]

I revisited this a couple of weeks ago and found this list:
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml

This is exactly what I had in mind. Now I'll place an "allow source ANY to <web VIP> on TCP80/443" and place a policy to deny all of the non-North America IP addresses above it.

 

[Emulex]

why don't you just load a reputation list into the IPS? heck most IPS vendors sell/give you a rep list since it's quite easy to have rogue usa ip's too. too dynamic.

 

[Icepick]

why don't you just load a reputation list into the IPS? heck most IPS vendors sell/give you a rep list since it's quite easy to have rogue usa ip's too. too dynamic.

I'm putting a pair of IPS's in front of the firewalls and they'll be managed by the vendor. I don't have much experience with those. I'll have to look up the reputation list - never heard of it.