How to handle CDNs?
-
Due to contractual requirements, we block outbound connections except to recognized destinations. We block most TLDs except .com, creating exception rules for a few software updates that use some oddball TLDs.
In the "good old days" (and a much more primitive firewall) we could simply allow Amazon, Google, Apple, Microsoft, and Adobe, blocking everything else until someone complained. CDNs changed all that.
The biggest issue with content delivery networks is that DNS lookups return varying IP addresses, presumably for load balancing purposes. Additionally, CDNs are continuously adding capacity and major corporations, e.g., Microsoft, are continuously adding new CDNs to support their telemetry, teams, skype, and software update processes.
Aliases don't work for this purpose, i.e., aliases don't work with wildcards, so *.akamaitechnologies.com is a non-starter. Worse is something like *.microsoft.com, because attempts to link to a specific Microsoft subnet frequently result in DNS replies that point to an address on a non-Microsoft domain (which is basically the purpose of CDNs), resulting in the connection response being rejected because the IP address isn't in an allowed range.
We are trying to maintain an ever growing ruleset of specific IP addresses we allow, sometimes being fortunate to be able to specify an entire block of IP addresses. This is, however, a clearly non-scalable solution!
We tried using some of the "emerging threat" rulesets, but, too often, they result in blocking an IP address that really isn't a threat.
I realize there's no perfect approach to dealing with CDNs, but I'd appreciate learning of any approaches that have proved even partially effective.
Thanks,
Rog
-
@rloeb said in How to handle CDNs?:
We block most TLDs except .com
So your saying you block all .org or .net for example? Really? What about say .gov..
I ran filtering for large global enterprise for a few years. And this just seems a bit over the top to me.. We used filtering rules for known bad domains, and categories.. Shopping, dating, etc.. But I don't see how blocking out major tlds seems effective to letting people actually hit sites they need for work.. I would think you would spend most of your time opening up exceptions..
Maybe you should address who set such a policy - to what is more realistic for a filtering policy vs trying to be the "internet" police.. I get it.. you don't want users surfing when they are suppose to be working, etc.. But there is also just unrealistic expectations from the powers that be.. It might be better policy to just try and stop the bad stuff, and not be so restrictive on normally what is normally highly paid and skilled salary people doing a bit of surfing - that quite often is actually work related. And when they get blocked from maybe hitting a not so major site for some thread in forum for example, it causes nothing but frustration and they waste more time dealing with that than if they could of just hit the site and in 30 seconds it either was what they were looking for or not, etc.
Most of the time spent was either submitting a good site to filtering company because it was in the wrong category, or not in a category. Or telling the users - sorry that is blocked by policy, etc. We finally got policy to be less restrictive, productivity went up, number of tickets went down.. And less complaints, users were happier - and guess what no major incidents with infections or the like.
Filtering should really be used to way to help protect the user from bad stuff - and sure keep the user from surfing porn, sports, shopping, etc. when they are suppose to be working.. But guess what many of those sorts of sites are in .com ;) While many valid work related stuff is on other tlds as well.
I wish I had an answer for you - but yeah CDN's are difficult to try and filter. You have to allow the bad with the good when all of it is hosted off the same IPs and domain names..
edit: I always thought it was funny looking over the reports. Really dude - you thought it was appropriate to surf dating sites while at work, or black midget porn ;) hehehe
I would look over the top hit sites/domains and filter on those.. Most of the time the sites were not listed in any category - so I would have to submit them to be in an appropriate category, etc. Yes you could manually block anything - but the internet is a LARGE place.. Its really just impossible for everything to be categories - especially correctly.. So manual intervention is required to keep the userbase happy and on target for what is appropriate.. So I do feel your pain..
And while pfsense can do many many things.. Its not always going to be the best tool for everything.. If what your after is content filtering at such scale - you might want to look into company that does just that for their bread and butter. Where they spend nothing but time on placing sites/domains/urls in the proper category for filtering. Which is really almost impossible for even a team to do locally at specific company level. These companies have many many customers feeding them huge amount of data that they place in categories, etc..
edit2: somewhat related - just to show you I understand your pain. We have a customer currently wanting to block specific countries. Which I understand, and they have contracts with their customers that say such wording where their network can not talk to IPs if in specific countries. (Not exactly sure who was involved in thinking such wording was even a doable thing) And while its quite easy to pull a list of such IPs and filter there. Its another thing from a responsibility and contracts point of view to take on that responsibility.. If I provide you such a list and its not 100% correct and you do contact a "blacklist" IP in country xyz.. Who is responsible - my company, your company.. etc.. So while I want to help this customer and just provide the list and filter on it - my higher ups are saying we can't do that, etc. So it comes down to the powers that be figuring it out - prob going to come down to that customer having to provide the list that we then filter on. So if there is any mistake in the filtering - its on them, etc.
Filtering can get complicated for sure.. Especially when you take global CDNs into consideration.. I wish I had a better answer, but such things don't always come down to click this button, filter this list, etc. sorry.
Maybe you could push back to them to provide this list you filter on.. So that any mistakes or issues in the filtering list is on them, and not you, etc.
-
No disagreement.
Unfortunately, we have a contract commitment that is apparently non-negotiable. It may be stupid and based on ignorance, but we are bound to it. (It's also very lucrative! Pay us enough and we will do conform to whatever lunacy you request, as long as it's not illegal.)
We do allow access to some .gov domains and .mil domains, but only for email, and a few .edu domains. I don't believe there are any .net or .org domains in the exception list. (We also have a totally separate network for "personal" use, and it's completely unfiltered.)
I finally found a list of all Akamai IP addresses, although I'm sure it's obsolete or soon will be. Of course, we have no way of knowing if Akamai is unknowingly hosting malicious content. but they seem to have processes to assure that they don't. I also have a list of Microsoft IP's, but that list doesn't include Azure. It is useful for blocking the telemetry though!
In the next contract negotiation I am going to insist that the client provide us with the list of OK addresses :-) I suspect that will make clear the idiocy of this policy.
Incidentally, it's my expectation that we will, eventually, end up with two Internets, one of which requires authentication (digital cert plus token) of both the connection and the user before allowing access. That the only effective way of stopping phishing attacks, money laundering, etc. because it makes everything traceable.
-- Rog