nanog mailing list archives
Re: Whitelist of update servers
From: Jeff Kell <jeff-kell () utc edu>
Date: Mon, 12 Mar 2012 22:10:42 -0400
An "IP-based" whitelist is pretty much doomed from the start. Many vendors use content delivery networks and that is too large and volatile to chase.

We have had some success in captive portal environments with DNS manipulation, allowing only certain domains to resolve, and redirecting everything else to the portal. The list is still non-trivial, but manageable.

So don't manage it at the router level, you will have better luck at the DNS layer.

Jeff

On 3/12/2012 8:51 PM, Randy Bush wrote:
> i tend to two defenses
> o if it is not an urgent update, i wait to hear from peers that it is safe.
> o i generally do not accept pop-up updates. if one looks tasty, when possible i navigate directly to the site (yes, i know about dns spoofing) and download.
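The DNS-layer allowlist Jeff describes, worked through as an added example (this is not code from the thread or from any poster): names on the list, and their subdomains, are forwarded to an upstream resolver, everything else is answered with the captive-portal address. The domain names, the upstream resolver 198.51.100.53 and the portal address 192.0.2.1 are assumptions chosen for illustration. The matching is done label by label rather than with a string suffix test, since `endswith("windowsupdate.com")` would also admit `evilwindowsupdate.com`; the last function renders the same policy as dnsmasq `server=` / `address=` directives.

```python
"""Domain-level allowlist for a captive-portal resolver.

Added illustration, not code from the NANOG thread. Domain names, the
upstream resolver and the portal IP are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

PORTAL_IP = "192.0.2.1"        # assumed captive-portal address (TEST-NET-1)
UPSTREAM = "198.51.100.53"     # assumed upstream resolver the portal trusts

# Assumed allowlist of update domains. Each entry also covers its subdomains,
# which is what keeps CDN-hosted update hosts manageable without chasing
# their (large, changing) IP ranges.
ALLOWED_DOMAINS = (
    "windowsupdate.com",
    "update.microsoft.com",
    "swcdn.apple.com",
    "archive.ubuntu.com",
)


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lower-case labels, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def is_allowed(qname: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """True if qname equals an allowed domain or is a subdomain of one.

    Label-wise comparison: a plain str.endswith() check would also accept
    'evilwindowsupdate.com', a classic allowlist bypass.
    """
    q = _labels(qname)
    for dom in allowed:
        d = _labels(dom)
        if d and len(q) >= len(d) and q[-len(d):] == d:
            return True
    return False


@dataclass(frozen=True)
class Decision:
    qname: str
    forward_to: str | None   # upstream resolver when allowed, else None
    answer: str | None       # portal IP when captured, else None


def resolve_policy(qname: str) -> Decision:
    """Decide what the portal resolver does with one client query."""
    if is_allowed(qname):
        return Decision(qname, UPSTREAM, None)
    return Decision(qname, None, PORTAL_IP)


def dnsmasq_config(allowed: Iterable[str] = ALLOWED_DOMAINS,
                   upstream: str = UPSTREAM,
                   portal_ip: str = PORTAL_IP) -> str:
    """Render the same policy as dnsmasq directives.

    'server=/dom/ip' forwards dom and its subdomains to ip; 'address=/#/ip'
    answers every other name with the portal address. dnsmasq applies the
    most specific matching directive, so the allowlist lines take priority.
    """
    lines = [f"server=/{d.lower().rstrip('.')}/{upstream}" for d in allowed]
    lines.append(f"address=/#/{portal_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for name in ("download.windowsupdate.com.", "evilwindowsupdate.com",
                 "www.example.net"):
        print(name, resolve_policy(name))
    print(dnsmasq_config())
```

The list still has to be curated by hand, as Jeff notes: an allowed name that CNAMEs into a CDN still resolves for the client (the resolver follows the CNAME upstream), so you allow the names clients ask for, not the CDN hostnames behind them.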