Educause Security Discussion mailing list archives
Re: Whitelisting chaos
From: Michael Young <Michael.Young () RIT EDU>
Date: Tue, 4 Sep 2018 13:17:49 +0000
Our policy is not to white list. White listing extends a trust to an IP address (range), account base and infrastructure which you have no control over, and opens your institution up to compromise at the other location being able to send spam and/or phishing to your users. We tell them that if they're using a reputable service and managing their email addresses appropriately they shouldn't have any issues. If there are issues, we'll take a look at them. For hosted business applications, we do group sources and apply different levels of controls but nothing is entirely white listed. When there are issues, my first question is can they provide a non-delivery report or error message that includes an error message that includes the generating server name. If not, the problem is on their end. I cannot remember a case where an external sending source was not blocked for a legitimate reason where we wouldn't want email from the source anyway, even if temporarily. We've have this policy for over a decade and it has not caused any issues that we couldn't work through. Michael Young Rochester Institute of Technology From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jason Todd Sent: Friday, August 31, 2018 1:17 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Whitelisting chaos I guess our secret is just documentation and review. Each request is tracked in our ticketing system. We review our configs periodically and having tickets associated with the exceptions and special rules allows us to follow-up with the requestor to see if the services requiring the change is still in use. Email whitelisting is kind of funny. We get requests asking us to whitelist entire marketing platform ranges a few times a year. I personally bring those to our email admin because I like to see the look on his face while he's reading the request. We don't get too many requests per year so we are fortunate in that regard. -Jason Jason Todd Network Security Officer Western University of Health Sciences From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Thomas Carter Sent: Friday, August 31, 2018 9:44 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] Whitelisting chaos Everyone everywhere wants everything they ever interact with whitelisted in the firewall or email filters (this may be a bit of hyperbole). How do you handle these requests? How do you keep up with them all, who requested them, etc? Do they have an expiration time or are they reviewed to see if they are still valid? What's your secret to minimizing the mess that this can easily become? Thomas Carter Network & Operations Manager / IT Austin College 900 North Grand Avenue Sherman, TX 75090 Phone: 903-813-2564 www.austincollege.edu<http://www.austincollege.edu/>
Current thread:
- Whitelisting chaos Thomas Carter (Aug 31)
- Re: Whitelisting chaos Jason Todd (Aug 31)
- Re: Whitelisting chaos Michael Young (Sep 04)
- Re: Whitelisting chaos Michael Schalip (Sep 04)
- Re: Whitelisting chaos Jason Todd (Aug 31)