0

I have to set up internet controls for our school's study hall/testing center. The idea is that computers on that network should only be able to access the school's web portal and the learning platform that the school uses during class hours, but allow full access outside of class hours. Students may use their own device/laptop or a school-issued one. I'm using an EdgeRouter X currently, though we're willing to invest in higher-grade equipment/software.

I figured that the easiest thing to do would be to set up a whitelist of allowed IP addresses and use time-based ACLs to apply the whitelist and block all other traffic during the specific times. As I started trying to test that solution, I gathered the required IP addresses that I'd need to whitelist using Chrome's IPvFoo extension (pictured below), but realized that webpages are pulling from many more sources and IP addresses than I originally thought. I could just add all the IP addresses that I can find listed in the IPvFoo output, but I'm wondering how many of the addresses might be dynamic, so if one of the IP addresses changes, I'll end up "breaking" the webpage.

I've tried URL-based whitelisting, but that doesn't seem to work with HTTPS. So, is it practical to use an IP-based whitelist?

[Two screenshots of the IPvFoo output]

Frank
  • Obviously, an IP whitelist gets complicated ***in this use case***. I'm not sure if you can expand this to all whitelists. – schroeder Sep 28 '21 at 15:02
  • Are you in control of the sites the students are supposed to access during class (e.g. an internal webserver as opposed to some SaaS)? –  Sep 28 '21 at 15:07
  • @MechMK1 We do have a webserver, but just did an IP lookup on the learning platform and see that it's hosted at an Amazon web service. – Frank Sep 28 '21 at 15:53
  • @MechMK1 I'm thinking I should be looking into OpenDNS or a proxy server. – Frank Sep 28 '21 at 16:14

1 Answer

2

In the vast majority of cases, no. Lots of sites will use CDNs and other mechanisms that mean they may have multiple IP addresses, so whitelisting them all will be impractical.

You may also have multiple sites hosted on the same IP address - so if you whitelist that IP then you allow access to all of them (which may not be intended).

Finally, there is no guarantee that IP addresses will remain the same - so if you whitelist based on them then at some point they will change and your system will break.

Gh0stFish
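The three failure modes from the answer above, worked through as an added example that is not part of the original post. The hostnames, addresses and the two resolution snapshots are constructed (reserved example domains and documentation IP ranges), and the function names are hypothetical.

```python
# Constructed data: hostname -> addresses it resolved to on two different days.
SNAPSHOT_MON = {
    "portal.school.example": {"192.0.2.10"},
    "lms.vendor.example": {"198.51.100.20", "198.51.100.21"},
    "cdn.vendor.example": {"203.0.113.5", "203.0.113.6"},
    "games.unrelated.example": {"203.0.113.5"},  # tenant on the same CDN edge
}
SNAPSHOT_FRI = {
    "portal.school.example": {"192.0.2.10"},
    "lms.vendor.example": {"198.51.100.21", "198.51.100.99"},
    "cdn.vendor.example": {"203.0.113.6", "203.0.113.7"},
    "games.unrelated.example": {"203.0.113.6"},
}
# Hosts the policy is meant to permit during class hours (assumed list).
ALLOWED_HOSTS = {"portal.school.example", "lms.vendor.example",
                 "cdn.vendor.example"}


def build_allowlist(snapshot, hosts):
    """IP allowlist = every address the permitted hosts resolved to."""
    return set().union(*(snapshot[h] for h in hosts))


def broken_hosts(allowlist, later_snapshot, hosts):
    """Permitted hosts that now resolve to addresses the allowlist lacks.

    Clients handed one of these addresses are blocked, so the site
    fails intermittently until the allowlist is rebuilt.
    """
    missing = {h: later_snapshot[h] - allowlist for h in hosts}
    return {h: sorted(ips) for h, ips in missing.items() if ips}


def unintended_hosts(allowlist, snapshot, hosts):
    """Hosts outside the policy that are reachable via a shared address."""
    shared = {h: ips & allowlist for h, ips in snapshot.items()
              if h not in hosts}
    return {h: sorted(ips) for h, ips in shared.items() if ips}


if __name__ == "__main__":
    acl = build_allowlist(SNAPSHOT_MON, ALLOWED_HOSTS)
    print("allowlist size:", len(acl))
    print("broken by Friday:", broken_hosts(acl, SNAPSHOT_FRI, ALLOWED_HOSTS))
    print("unintended access:", unintended_hosts(acl, SNAPSHOT_MON, ALLOWED_HOSTS))
```

Three permitted hostnames already need five allowlist entries, two of them break within the week, and an unrelated site is reachable the whole time.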