What are your thoughts on whether CDNs should be whitelisted on a FW? There is a certain web application that has various other site dependencies, [amazonaws.com](https://amazonaws.com) and [cloudfront.net](https://cloudfront.net) for example. The concern is that whitelisting the CDN domain entirely will make the network vulnerable to all that is hosted/cached on the CDNs and not just the specific content the web app depends on. Can’t seem to find a definitive answer.


1 Comment

  • avrins

    November 9, 2021

    Yes it’s a risk. But security must be balanced with usability.

    Presuming that you are going to go full block by default. If you whitelist common CDNs, you still also need to whitelist the domains themselves. So you will still have some protection, as unless the domain and the CDN are both whitelisted, the website will be blocked with all content.

    CDNs also hopefully are doing their part to scan their own content.

    And the usability problem is that most edge devices that do filtering are only filtering the domain and won’t allow you to only allow specific subdomains and CDNs. And many CDNs have revolving domains for high availability. So you’ll have to whitelist some CDNs for functionality on many major websites.

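An added example, not part of the original thread: one way to measure what a whole-domain CDN allowlist entry actually lets through, by grouping proxy-log hosts under the entry that permitted them and flagging hosts the application is not known to depend on. The log format, the hostnames and the expected-dependency set are constructed assumptions.

```python
from collections import defaultdict

# Constructed allowlist: the app's own domain plus whole CDN domains.
SUFFIX_ALLOWLIST = ["app.example.com", "cloudfront.net", "amazonaws.com"]

# Constructed: hosts the web application is documented to load content from.
EXPECTED_HOSTS = {"app.example.com", "d111111abcdef8.cloudfront.net",
                  "app-assets.s3.amazonaws.com"}

# Constructed proxy log, one "<client-ip> <requested-host>" pair per line.
SAMPLE_LOG = """\
10.0.0.5 app.example.com
10.0.0.5 d111111abcdef8.cloudfront.net
10.0.0.7 D111111ABCDEF8.cloudfront.net.
10.0.0.5 app-assets.s3.amazonaws.com
10.0.0.9 d222222zzzzzz9.cloudfront.net
10.0.0.9 files.unrelated.example
"""

def normalize(host):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return host.lower().rstrip(".")

def matching_entry(host, allowlist):
    """Return the allowlist entry that permits host, or None (default deny)."""
    host = normalize(host)
    for entry in allowlist:
        # Match on a label boundary so "notcloudfront.net" is not accepted.
        if host == entry or host.endswith("." + entry):
            return entry
    return None

def audit(log_text, allowlist, expected_hosts):
    """Return (permitted hosts per entry, blocked hosts, permitted-but-unexpected hosts)."""
    permitted, blocked, unexpected = defaultdict(set), set(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        host = normalize(parts[1])
        entry = matching_entry(host, allowlist)
        if entry is None:
            blocked.add(host)
            continue
        permitted[entry].add(host)
        if host not in expected_hosts:
            unexpected.add(host)  # passed the filter only because of the broad entry
    return dict(permitted), blocked, unexpected

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SUFFIX_ALLOWLIST, EXPECTED_HOSTS))
```

The hosts collected under each entry are the candidates for exact-hostname rules where the filtering device supports them; the unexpected set is what the broad entry admits beyond the application's own content.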