Whitelist of update servers
Is there a whitelist that applications have to talk to in order to update themselves?
Can you be a little more specific? Otherwise I think your answer would be.... "The Internet" -Hammer- "I was a normal American nerd" -Jack Herer On 3/12/2012 3:05 PM, Maverick wrote:
Is there a whitelist that applications have to talk to in order to update themselves?
Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendors site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist. On Mon, Mar 12, 2012 at 4:30 PM, Keegan Holley <keegan.holley@sungard.com> wrote:
2012/3/12 Maverick <myeaddress@gmail.com>
Is there a whitelist that applications have to talk to in order to update themselves?
sometimes
2012/3/12 Maverick <myeaddress@gmail.com>
Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendors site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist.
I stick with my original answer... sometimes. I'm not sure if this is different now, but I remember MS update being spoofed with bogus DNS entries because the process is died to that dns name. I think this is the most popular method combined with some sort of encryption and/or signing to verify the updates themselves. I'm sure there are applications that use a white list though. There are alot of shops that update via some kind of CDN, so the whitelist method is a bit combersome at scale and is not immune to spoofing or other attacks. The most secure thing is probably to protect the updates themselves.
I'm trying to determine if this is supposed to be an exercise in "How To Annoy Your Sysadmins" or "How To Do Network Security The Really, Really Wrong Way" or some combination of the two.... - Pete On 12-03-12 04:34 PM, Maverick wrote:
Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendors site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist.
On Mon, Mar 12, 2012 at 4:30 PM, Keegan Holley <keegan.holley@sungard.com> wrote:
2012/3/12 Maverick<myeaddress@gmail.com>
Is there a whitelist that applications have to talk to in order to update themselves?
sometimes
On Mon, Mar 12, 2012 at 4:40 PM, Peter Kristolaitis <alter3d@alter3d.ca> wrote:
On 12-03-12 04:34 PM, Maverick wrote:
Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendors site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist.
I'm trying to determine if this is supposed to be an exercise in "How To Annoy Your Sysadmins" or "How To Do Network Security The Really, Really Wrong Way" or some combination of the two....
Pete, There are scenarios in which it is completely reasonable to provide white listed Web access instead of general Internet access. Consider: PCs in a prison with access to legal library and off-site education web sites. It would be helpful if they could also access automatic updates so they don't get malware but God help the sysadmin if one of the prisoners figures out how to get to child porn. That having been said, this is almost certainly the wrong mailing list to ask. It just isn't the kind of work we do here. Regards, Bill Herrin -- William D. Herrin ................ herrin@dirtside.com bill@herrin.us 3005 Crane Dr. ...................... Web: <http://bill.herrin.us/> Falls Church, VA 22042-3004
On 12-03-12 04:53 PM, William Herrin wrote:
On Mon, Mar 12, 2012 at 4:40 PM, Peter Kristolaitis<alter3d@alter3d.ca> wrote:
On 12-03-12 04:34 PM, Maverick wrote:
Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendors site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist. I'm trying to determine if this is supposed to be an exercise in "How To Annoy Your Sysadmins" or "How To Do Network Security The Really, Really Wrong Way" or some combination of the two.... Pete,
There are scenarios in which it is completely reasonable to provide white listed Web access instead of general Internet access. Consider: PCs in a prison with access to legal library and off-site education web sites. It would be helpful if they could also access automatic updates so they don't get malware but God help the sysadmin if one of the prisoners figures out how to get to child porn.
That having been said, this is almost certainly the wrong mailing list to ask. It just isn't the kind of work we do here.
Regards, Bill Herrin
In my experience, if you're dealing with a locked down environment like that, one or both of the following will be true: - The users won't have sufficient privileges on the workstation to apply updates anyways - Software updates and configuration changes are managed centrally I agree that there are situations where whitelisted Web access might be suitable, but I expect the number of situations where you'd want whitelisted Web access AND ad-hoc software updates AND users to have local admin access on their workstations would be... very low. - Pete
On Mon, Mar 12, 2012 at 4:40 PM, Peter Kristolaitis<alter3d@alter3d.ca> wrote:
On 12-03-12 04:34 PM, Maverick wrote:
Like list of sites that operating systems or applications installed on your machines go to update themselves. One way could be to go on each vendors site and look at their update servers like microsoft.update.com but it would be good if there is a list of such servers for all OS and applications so that it could be used as a whitelist. I'm trying to determine if this is supposed to be an exercise in "How To Annoy Your Sysadmins" or "How To Do Network Security The Really, Really Wrong Way" or some combination of the two.... Pete,
There are scenarios in which it is completely reasonable to provide white listed Web access instead of general Internet access. Consider: PCs in a prison with access to legal library and off-site education web sites. It would be helpful if they could also access automatic updates so they don't get malware but God help the sysadmin if one of the prisoners figures out how to get to child porn. But there are ways of doing that, such as Windows Software Update Services, and a little bit of policy enforcement from a centralised
On 03/12/2012 10:53 AM, William Herrin wrote: place. That gives you a centralised, controlled place to push updates out from without risking the machines going off to the internet to get them themselves (and an opportunity to try limited roll-out just in case.) For that matter if it's necessary to be talking about blacklisting/whitelisting sites under such conditions as PCs in a prison you're really better off just paying for something like a Websense to take care of it. Paul
i tend to two defenses o if it is not an urgent update, i wait to hear from peers that it is safe. o i generally do not accept pop-up updates. if one looks tasty, when possible i navigate directly to the site (yes, i know about dns spoofing) and download. randy
An "IP-based" whitelist is pretty much doomed from the start. Many vendors use content delivery networks and that is too large and volatile to chase. We have had some success in captive portal environments with DNS manipulation, allowing only certain domains to resolve, and redirecting everything else to the portal. The list is still non-trivial, but manageable. So don't manage it at the router level, you will have better luck at the DNS layer. Jeff On 3/12/2012 8:51 PM, Randy Bush wrote:
i tend to two defenses
o if it is not an urgent update, i wait to hear from peers that it is safe.
o i generally do not accept pop-up updates. if one looks tasty, when possible i navigate directly to the site (yes, i know about dns spoofing) and download.
participants (9)
-
-Hammer-
-
goemon@anime.net
-
Jeff Kell
-
Keegan Holley
-
Maverick
-
Paul Graydon
-
Peter Kristolaitis
-
Randy Bush
-
William Herrin