An "IP-based" whitelist is pretty much doomed from the start. Many vendors use content delivery networks and that is too large and volatile to chase. We have had some success in captive portal environments with DNS manipulation, allowing only certain domains to resolve, and redirecting everything else to the portal. The list is still non-trivial, but manageable. So don't manage it at the router level, you will have better luck at the DNS layer. Jeff On 3/12/2012 8:51 PM, Randy Bush wrote:
i tend to two defenses
o if it is not an urgent update, i wait to hear from peers that it is safe.
o i generally do not accept pop-up updates. if one looks tasty, when possible i navigate directly to the site (yes, i know about dns spoofing) and download.