Re: Whitelisting chaos

[Michael Young <Michael.Young () RIT EDU>]

Our policy is not to white list.

White listing extends a trust to an IP address (range), account base and infrastructure which you have no control over, 
and opens your institution up to compromise at the other location being able to send spam and/or phishing to your users.

We tell them that if they're using a reputable service and managing their email addresses appropriately they shouldn't 
have any issues. If there are issues, we'll take a look at them.

For hosted business applications, we do group sources and apply different levels of controls but nothing is entirely 
white listed. When there are issues, my first question is can they provide a non-delivery report or error message that 
includes an error message that includes the generating server name. If not, the problem is on their end.

I cannot remember a case where an external sending source was not blocked for a legitimate reason where we wouldn't 
want email from the source anyway, even if temporarily.
We've have this policy for over a decade and it has not caused any issues that we couldn't work through.

Michael Young
Rochester Institute of Technology

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jason Todd
Sent: Friday, August 31, 2018 1:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whitelisting chaos

I guess our secret is just documentation and review.

Each request is tracked in our ticketing system. We review our configs periodically and having tickets associated with 
the exceptions and special rules allows us to follow-up with the requestor to see if the services requiring the change 
is still in use.

Email whitelisting is kind of funny. We get requests asking us to whitelist entire marketing platform ranges a few 
times a year. I personally bring those to our email admin because I like to see the look on his face while he's reading 
the request. We don't get too many requests per year so we are fortunate in that regard.


-Jason

Jason Todd
Network Security Officer
Western University of Health Sciences

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Thomas Carter
Sent: Friday, August 31, 2018 9:44 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Whitelisting chaos

Everyone everywhere wants everything they ever interact with whitelisted in the firewall or email filters (this may be 
a bit of hyperbole).  How do you handle these requests? How do you keep up with them all, who requested them, etc? Do 
they have an expiration time or are they reviewed to see if they are still valid?

What's your secret to minimizing the mess that this can easily become?
Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
www.austincollege.edu<http://www.austincollege.edu/>