Eric Rostetter put forth on 3/5/2010 2:20 PM:
> It can, in some cases, indeed. But not in all cases...
I think I was pretty clear in stating each sysadmin needs to evaluate what countries do/don't need to access his/her IMAP ports.
> I think you did a great service by pointing this out on the list, and that many will find this a useful tip. However, I'm not sure I agree with your opening statement that "It's good policy" since that statement is very broad, whereas policies are so site/application specific...
Security policy needs to be very broad, does it not? It's good policy to preemptively block service access from netblocks in those parts of the world that a sysop deems will never need legitimate access to systems under his supervision. Is it not?
The key here, Eric, is the identification and classification process. The U.S. government, large multinationals, and some higher ed institutions will probably identify the fact that they probably can't use a default deny policy for most systems because there are users in potentially every country. For many other organizations, of all sizes, they may never have a legit user in Bhutan, China, Paraguay, or Zaire needing to access their systems. In these orgs, it makes no sense not to ban such IP space. Good security must be proactive, not reactive. Be proactive everywhere you can.
Good security practice is broad by nature, and is applicable to all sites and applications.
-- Stan