Whitelist of update servers

• Previous message (by thread): Whitelist of update servers
• Next message (by thread): Whitelist of update servers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

An "IP-based" whitelist is pretty much doomed  from the start.  Many
vendors use content delivery networks and that is too large and volatile
to chase.

We have had some success in captive portal environments with DNS
manipulation, allowing only certain domains to resolve, and redirecting
everything else to the portal.  The list is still non-trivial, but
manageable.

So don't manage it at the router level, you will have better luck at the
DNS layer.

Jeff

On 3/12/2012 8:51 PM, Randy Bush wrote:
> i tend to two defenses
>
>   o if it is not an urgent update, i wait to hear from peers that
>     it is safe.
>
>   o i generally do not accept pop-up updates.  if one looks tasty,
>     when possible i navigate directly to the site (yes, i know about
>     dns spoofing) and download.

• Previous message (by thread): Whitelist of update servers
• Next message (by thread): Whitelist of update servers
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]