Re: Whitelisting chaos

[Jason Todd <jtodd () WESTERNU EDU>]

I guess our secret is just documentation and review.

Each request is tracked in our ticketing system. We review our configs periodically and having tickets associated with 
the exceptions and special rules allows us to follow-up with the requestor to see if the services requiring the change 
is still in use.

Email whitelisting is kind of funny. We get requests asking us to whitelist entire marketing platform ranges a few 
times a year. I personally bring those to our email admin because I like to see the look on his face while he's reading 
the request. We don't get too many requests per year so we are fortunate in that regard.


-Jason

Jason Todd
Network Security Officer
Western University of Health Sciences

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Thomas Carter
Sent: Friday, August 31, 2018 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Whitelisting chaos

Everyone everywhere wants everything they ever interact with whitelisted in the firewall or email filters (this may be 
a bit of hyperbole).  How do you handle these requests? How do you keep up with them all, who requested them, etc? Do 
they have an expiration time or are they reviewed to see if they are still valid?

What's your secret to minimizing the mess that this can easily become?
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>