Posted by Flash Gordon on March 24, 2008, 3:51 pm
Will wrote, On 23/03/08 17:53:
>> Am Sun, 23 Mar 2008 00:33:12 -0700 schrieb Will:
>>
>>> I'm having some problems with firewall authorizations for Windows Update
>>> access in a DMZ. In general, I have had good luck getting access to
>>> Windows Update when you authorize passage of HTTP, HTTPS, and FTP to these
>>> networks:
>>>
>>> 131.107.0.0 / 16
>>> 207.46.0.0 / 16
>>> 64.4.0.0 / 18
>>> 65.52.0.0 / 14
>>>
>>> In addition, I normally authorize these URLs for both http: and https:
>>>
>>> *.microsoft.com
>>> windowsupdate.microsoft.com
>>> *.windowsupdate.microsoft.com
>>> download.windowsupdate.com
>>>
>>> The problem I am having is that occasionally the DNS name
>>> "download.windowsupdate.com" resolves to some IPs on a huge network from the
>> Why don't you use a proxy?
>
> We use NAT on the firewall for all outgoing connections, and a proxy isn't
> going to improve much on that. The thing we are trying to prevent is the
> ability to reach unauthorized IPs by any means. If Windows Update has
> download.windowsupdate.com resolving to half the Internet, you end up having
> to open up through the firewall outgoing connections to a lot of hosts that
> could be used to control a compromised host or to further the compromise.
Set up rules so that only the proxy can access anything on ports 80 and
443; then the proxy can be set to only allow access to specific URLs.
Then the only way they can access anything the proxy does not allow is
by poisoning your DNS or accessing through some other port you have left
open on the firewall.
--
Flash Gordon
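As an added example (not from the thread, and not anyone's production config), the Python below models the two layers Flash Gordon describes: a firewall rule that lets only the proxy host open outbound TCP 80/443, and a proxy-side check that admits only the hostnames Will listed. The proxy address 10.0.0.5 is assumed, and the request lines in the usage are constructed. For HTTPS the proxy sees only the CONNECT target, so the check is on host:port, not on the URL.

```python
"""Model of a layered egress policy for Windows Update (constructed example).

Layer 1: firewall -- only the proxy's IP may reach TCP 80/443 outbound.
Layer 2: proxy    -- only requests whose parsed hostname matches the
                     allowlist quoted in the thread are forwarded.
"""
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

PROXY_IP = ipaddress.ip_address("10.0.0.5")   # assumed DMZ proxy address
WEB_PORTS = {80, 443}

# Hostname patterns from the thread (glob syntax, matched case-insensitively).
ALLOWED_HOSTS = [
    "*.microsoft.com",
    "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "download.windowsupdate.com",
]


def firewall_allows(src_ip, dst_port):
    """Egress rule: TCP 80/443 only from the proxy; everything else dropped."""
    if dst_port not in WEB_PORTS:
        return False
    return ipaddress.ip_address(src_ip) == PROXY_IP


def host_allowed(host):
    """Match the whole hostname against the allowlist, never a substring."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pat) for pat in ALLOWED_HOSTS)


def proxy_allows(request_line):
    """Decide one proxy request line.

    Handles absolute-form requests ('GET http://host/path HTTP/1.1') and
    tunnels ('CONNECT host:443 HTTP/1.1'), where only host:port is visible.
    The decision keys on the parsed hostname, so userinfo tricks such as
    http://www.microsoft.com@evil.example/ are rejected.
    """
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    method, target, _version = parts

    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        return sep == ":" and port == "443" and host_allowed(host)

    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        return False                      # no ftp:, no relative requests
    port = url.port or (443 if url.scheme == "https" else 80)
    return port in WEB_PORTS and host_allowed(url.hostname)


if __name__ == "__main__":
    # Constructed sample traffic to exercise both layers.
    print(firewall_allows("10.0.0.5", 443))                 # proxy -> allowed
    print(firewall_allows("10.0.0.20", 443))                # DMZ host -> denied
    print(proxy_allows("GET http://download.windowsupdate.com/x.cab HTTP/1.1"))
    print(proxy_allows("CONNECT update.microsoft.com:443 HTTP/1.1"))
    print(proxy_allows("GET http://www.microsoft.com@evil.example/ HTTP/1.1"))
```

Note that the proxy layer decides on the name, not on the address it later resolves to; that is exactly why the remaining exposure Flash Gordon names is DNS poisoning (or another open port), not the size of the update CDN's address space.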