this post was submitted on 07 Jul 2023
Sysadmin
It comes down to the risk appetite of the business. You mention a "secure" network, but you already have internet access. So, it seems that some access to resources on the internet is already an accepted risk. Beyond the possibility that a random attacker might leverage the gstatic CDN to attack your network, do you have any other specific threats which make you hesitant to whitelist it? Are those threats large enough that the business would consider them too great a risk to that network? Do you have other mitigating controls in place? Would something like traffic inspection or endpoint protection be a sufficient mitigating control? Can the systems with the offending app be firewalled off from the rest of the network? Could the specific assets needed be cached internally and requests for gstatic redirected? What other compensating controls can be put in place to mitigate the risk?
All that said, have you brought the issue to your management and gotten their input on the risk? In the end, it's a business decision and should be decided on by the business leaders. If they want to take the risk of allowing that network to access gstatic, that's on them.