[151154] in North American Network Operators' Group
Re: Whitelist of update servers
daemon@ATHENA.MIT.EDU (Paul Graydon)
Mon Mar 12 17:04:32 2012
Date: Mon, 12 Mar 2012 11:03:22 -1000
From: Paul Graydon <paul@paulgraydon.co.uk>
To: nanog@nanog.org
In-Reply-To: <CAP-guGWDbYJEiAAjH6BCSqtEity-V+3Ez2hqY=qwcLGgJL4cBQ@mail.gmail.com>
On 03/12/2012 10:53 AM, William Herrin wrote:
> On Mon, Mar 12, 2012 at 4:40 PM, Peter Kristolaitis<alter3d@alter3d.ca> wrote:
>> On 12-03-12 04:34 PM, Maverick wrote:
>>> Like list of sites that operating systems or applications installed on
>>> your machines go to update themselves. One way could be to go on each
>>> vendors site and look at their update servers like
>>> microsoft.update.com but it would be good if there is a list of such
>>> servers for all OS and applications so that it could be used as a
>>> whitelist.
>> I'm trying to determine if this is supposed to be an exercise in
>> "How To Annoy Your Sysadmins"
>> or
>> "How To Do Network Security The Really, Really Wrong Way"
>> or some combination of the two....
> Pete,
>
> There are scenarios in which it is completely reasonable to provide
> white listed Web access instead of general Internet access. Consider:
> PCs in a prison with access to legal library and off-site education
> web sites. It would be helpful if they could also access automatic
> updates so they don't get malware but God help the sysadmin if one of
> the prisoners figures out how to get to child porn.
But there are ways of doing that, such as Windows Software Update
Services and a little bit of policy enforcement from a centralised
place. That gives you a centralised, controlled place to push updates
out from, without risking the machines going off to the internet to get
them themselves (and an opportunity to try a limited roll-out, just in case).
For that matter, if it's necessary to be talking about
blacklisting/whitelisting sites under such conditions as PCs in a prison,
you're really better off just paying for something like a Websense to
take care of it.
Paul
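The "WSUS plus a bit of central policy" approach Paul describes, as an added example that is not part of the thread and not any poster's code: the Windows Update policy keys that pin a domain client to an internal WSUS server, put it in a pilot target group for a limited roll-out, and block fallback to Microsoft's public update endpoints. The server URL (http://wsus.example.local:8530) and the group name ("Pilot") are assumptions for illustration; the same values are normally delivered by Group Policy rather than set by hand.

```powershell
# Added example, not from the NANOG thread. Pins a Windows client to an internal
# WSUS server by policy so it never fetches updates from the public internet.
# Assumptions (hypothetical): the WSUS server answers at http://wsus.example.local:8530
# and a computer group named "Pilot" exists on it for staged roll-outs.
# Run elevated on the client, or set the equivalent GPO under
# Computer Configuration > Administrative Templates > Windows Components > Windows Update.

$WsusUrl    = 'http://wsus.example.local:8530'   # assumed internal WSUS address
$PilotGroup = 'Pilot'                            # assumed WSUS target group name

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = Join-Path $WuKey 'AU'

foreach ($k in $WuKey, $AuKey) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# Where the agent fetches updates and reports status: the internal server only.
Set-ItemProperty -Path $WuKey -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $WuKey -Name WUStatusServer -Value $WsusUrl -Type String

# Client-side targeting: this machine lands in the pilot group on the WSUS server,
# so approvals can be tested on a few boxes before the rest of the fleet sees them.
Set-ItemProperty -Path $WuKey -Name TargetGroupEnabled -Value 1           -Type DWord
Set-ItemProperty -Path $WuKey -Name TargetGroup        -Value $PilotGroup -Type String

# Refuse to fall back to Microsoft's public update locations
# (policy exists on Windows 8.1 / Server 2012 R2 and later).
Set-ItemProperty -Path $WuKey -Name DoNotConnectToWindowsUpdateInternetLocations -Value 1 -Type DWord

# Automatic Updates: use the WSUS server, auto-download and install on schedule.
Set-ItemProperty -Path $AuKey -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $AuKey -Name AUOptions    -Value 4 -Type DWord

# Verify what the agent will actually use before trusting the configuration.
$cfg = Get-ItemProperty -Path $WuKey
$au  = Get-ItemProperty -Path $AuKey
if ($au.UseWUServer -ne 1 -or $cfg.WUServer -ne $WsusUrl) {
    throw "Client is not pinned to $WsusUrl"
}
"WSUS: $($cfg.WUServer)  group: $($cfg.TargetGroup)  internet fallback blocked: $($cfg.DoNotConnectToWindowsUpdateInternetLocations -eq 1)"

# Re-register with the new server and kick off a detection cycle.
wuauclt.exe /resetauthorization /detectnow
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

With clients pinned this way, the only host that needs outbound access to Microsoft's update servers is the WSUS server itself, which is a far shorter and more stable allow-list than one entry per vendor per client.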