RE: Country by Country ISA Computer Sets

["Thor (Hammer of God)" <thor () hammerofgod com>]

> Not at all, if you have the ability to integrate DNS lookups into
> your filtering process (coupled with a DNS cache running locally on
> the firewall, this should not be particularly demanding on your
> resources). This problem has already been solved by people wanting
> to weight scores for incoming E-mail from mailservers in different
> geographic regions. One of the more popular free geographic DNS
> lookup services is described at http://countries.nerd.dk/ (and
> Jacobsen makes updated versions of his DNS zone data available for
> download in case you want to host your own copy instead of relying
> on someone else's nameservers).

Sure - but that just adds more cycles to your firewall, and does nothing
for back end reporting.  These sets directly integrate that
functionality, both filtering and reporting, directly on the box, and is
far more efficient in my opinion... But, it's a great point and I'm glad
you shared that. 

> > Sure, if I wanted to block all of China I could block APNIC, but
> > that would block WAY more than I would want.
> [...]
>
> In my professional life, I see frequent requests of this nature from
> customers in western/English-speaking countries. My immediate
> response is, "you *are* aware that Australia and New Zealand are
> part of APNIC, right?"

Yep- which is why I said "but that would block WAY more than I want." ;)

t