11

We have a customer with a very locked-down network. Any outbound connections require whitelisting of the port and IP address.

However, we are running our system behind an Amazon Elastic Load Balancer (ELB). That means that the IP address of the ELB can change and it is beyond our control.

Is it possible to whitelist a domain name rather than a particular IP address?

I realize this will depend on the customer's IT infrastructure. They are a Windows-only shop, so if there are specific approaches we could take in the Microsoft world, that'd be good. If there are router-specific setups for Cisco, etc., that would also be of interest (in case the customer uses that setup).

Do you have any other suggestions as to how to address this problem?

Use of whitelisting of IP addresses appears to be very brittle... though opening up a particular domain name opens you up to DNS poisoning attacks.

Peter K.
  • This may not directly answer your question, but it might be helpful. Amazon keeps a [frequently-updated list of their public IP addresses](https://forums.aws.amazon.com/ann.jspa?annID=1701). – Adi Apr 02 '13 at 15:27
  • @Adnan : Thanks! Good information to have, but I doubt they'll let us whitelist that lot of addresses. – Peter K. Apr 02 '13 at 15:39
  • Well, ELB's address range is inside the EC2 address range. If you want to allow outbound traffic to go there, you'll **have** to whitelist them. There's no way around it. Even if you found some reliable way to whitelist the domain names, you'll be effectively doing the same. – Adi Apr 02 '13 at 15:50
  • [Some Cisco devices seem to allow whitelisting of a domain name, without specifying the IP address.](http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.3/user/guide/fwbotnet.html#wp115122) Whitelisting based on Amazon's DNS info is more likely to get through our customer's IT rules. – Peter K. Apr 02 '13 at 16:12
  • @PeterK. - It is however less secure as DNS records can be easily spoofed to return any arbitrary domain name through rDNS lookup. Should be used together with a FCrDNS (Forward-check reverse DNS lookup), and only tagged as whitelisted if this request IP matches FCrDNS. Problem with the latter is, that it introduces an additional _handshake lag_ and might not be feasible to implement because of it. If the device is capable of caching these FCrDNS lookups as well, then yes it could work, but the Cisco document you link to only mentions rDNS lookup caching. – TildalWave Apr 05 '13 at 14:53
  • @TildalWave: Thanks for the input! Agreed that it's susceptible to spoofing the DNS. – Peter K. Apr 05 '13 at 16:41
  • 1
    Did you research on the possibility of using Websense ? I remember reading somewhere that websense can do this.So the firewall will redirect all http requests to the websense server which will accept or deny based on the url – aRun Apr 29 '13 at 09:25
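The comment thread above contrasts a device that whitelists a domain name by reverse-DNS lookup alone with one that also forward-confirms the name (FCrDNS). The script below is an added example, not code from the question, its comments, or the Cisco document, showing both decisions side by side. The resolver functions are injected so it runs offline against constructed DNS data; the hostnames and addresses (RFC 5737 documentation ranges) are made up for the example, and a real deployment would wrap socket.gethostbyaddr for the reverse lookup and socket.getaddrinfo for the forward one.

```python
"""Domain-name whitelisting by reverse DNS: naive rDNS vs. forward-confirmed (FCrDNS).

Added example, not code from the question, its comments, or the Cisco document.
Resolvers are injected so the script runs offline against constructed data.
"""
from typing import Callable, Dict, List, Set, Tuple

ForwardLookup = Callable[[str], List[str]]  # hostname -> IPv4 addresses
ReverseLookup = Callable[[str], List[str]]  # IPv4 address -> PTR names


def naive_rdns_allowed(ip: str, whitelist: Set[str], reverse: ReverseLookup) -> bool:
    """Allow if any PTR name of the destination is on the whitelist.
    This trusts the PTR record, which whoever controls the IP's reverse zone sets."""
    return any(name in whitelist for name in reverse(ip))


def fcrdns_allowed(ip: str, whitelist: Set[str],
                   forward: ForwardLookup, reverse: ReverseLookup) -> bool:
    """Allow only if a whitelisted PTR name also resolves forward back to the
    same address (forward-confirmed reverse DNS)."""
    for name in reverse(ip):
        if name in whitelist and ip in forward(name):
            return True
    return False


def classify(ips: List[str], whitelist: Set[str],
             forward: ForwardLookup, reverse: ReverseLookup) -> Dict[str, Tuple[bool, bool]]:
    """Return {ip: (rdns_only_decision, fcrdns_decision)} for each destination seen."""
    return {ip: (naive_rdns_allowed(ip, whitelist, reverse),
                 fcrdns_allowed(ip, whitelist, forward, reverse)) for ip in ips}


# Constructed DNS data using RFC 5737 documentation addresses (not real records).
FORWARD = {
    "elb.example.com": ["203.0.113.10", "203.0.113.11"],  # the load balancer's current nodes
    "attacker.example.net": ["192.0.2.99"],
}
REVERSE = {
    "203.0.113.10": ["elb.example.com"],  # honest PTR, forward-confirmed
    "203.0.113.11": [],                   # node with no PTR published at all
    "192.0.2.99": ["elb.example.com"],    # spoofed PTR pointing at the whitelisted name
}
WHITELIST = {"elb.example.com"}


def demo_forward(name: str) -> List[str]:
    return FORWARD.get(name, [])


def demo_reverse(ip: str) -> List[str]:
    return REVERSE.get(ip, [])


def run_demo() -> Dict[str, Tuple[bool, bool]]:
    """Evaluate three observed destinations under both policies."""
    return classify(["203.0.113.10", "203.0.113.11", "192.0.2.99"],
                    WHITELIST, demo_forward, demo_reverse)


if __name__ == "__main__":
    for ip, (rdns_only, fcrdns) in run_demo().items():
        print(f"{ip:15} rDNS-only={rdns_only!s:5} FCrDNS={fcrdns}")
```

The spoofed PTR on 192.0.2.99 passes the rDNS-only policy and fails FCrDNS, which is the point the comment makes; the node with no PTR (203.0.113.11) is blocked under both, which is the brittleness the question worries about, since the operator of the IP space, not the customer, decides whether a PTR exists. Each decision costs one or two extra lookups per new destination, so a device doing this needs to cache both the reverse and the forward results, not just the reverse ones.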

1 Answer

7

If the customer is as security aware as the question implies then they will understand that the only reliable way to perform the task would be to whitelist traffic to the IP address range for Amazon ELB service.

If the worry is that this would allow other websites using the same service external access then a proxy server or secondary firewall would be required to ensure that the traffic to these IPs was only for the website(s) allowed.

It is a little hard to be more specific without a greater knowledge of your customer's layout.

However, in one of the services I support, it would be done by using a Bluecoat proxy to control access to the external website.

It would also be preferable to only allow authorised clients using AD controls; the traffic is then sent to the firewall via a VIP address on the Bluecoat's external interface that is only for traffic for this service.

The firewall can then limit the access to the IP destination range from the source VIP only.

Any proxy server should be able to do this, and if your customer isn't using one then a second firewall could be used with SNAT to do the same thing. The first firewall allows access to the website then forwards the traffic to the second firewall on a SNAT; the SNAT is used as the source address for a source/destination match to the external IP address range.

This would avoid the issue of DNS poisoning as any response would still have to match the allowed IP address range on the firewall.

Gawainuk