Re: Whitelist of update servers

[Peter Kristolaitis <alter3d () alter3d ca>]

On 12-03-12 04:53 PM, William Herrin wrote:
> On Mon, Mar 12, 2012 at 4:40 PM, Peter Kristolaitis<alter3d () alter3d ca>  wrote:
> > On 12-03-12 04:34 PM, Maverick wrote:
> > > Like list of sites that operating systems or applications installed on
> > > your machines go to update themselves. One way could be to go on each
> > > vendors site and look at their update servers like
> > > microsoft.update.com but it would be good if there is a list of such
> > > servers for all OS and applications so that it could be used as a
> > > whitelist.
> > I'm trying to determine if this is supposed to be an exercise in
> >     "How To Annoy Your Sysadmins"
> > or
> >     "How To Do Network Security The Really, Really Wrong Way"
> > or some combination of the two....
> Pete,
>
> There are scenarios in which it is completely reasonable to provide
> white listed Web access instead of general Internet access. Consider:
> PCs in a prison with access to legal library and off-site education
> web sites. It would be helpful if they could also access automatic
> updates so they don't get malware but God help the sysadmin if one of
> the prisoners figures out how to get to child porn.
>
> That having been said, this is almost certainly the wrong mailing list
> to ask. It just isn't the kind of work we do here.
>
> Regards,
> Bill Herrin
In my experience, if you're dealing with a locked down environment like 
that, one or both of the following will be true:
    - The users won't have sufficient privileges on the workstation to 
apply updates anyways
    - Software updates and configuration changes are managed centrally

I agree that there are situations where whitelisted Web access might be 
suitable, but I expect the number of situations where you'd want 
whitelisted Web access AND ad-hoc software updates AND users to have 
local admin access on their workstations would be... very low.

- Pete