this post was submitted on 07 Jul 2023
9 points (90.9% liked)

Sysadmin

7716 readers
1 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
[email protected]
[email protected]
[email protected]
[email protected]

founded 1 year ago
MODERATORS
 

We're installing a new app on a secure network. The vendor has requested we allow access to gstatic.com. That seems overly broad to me and unsafe. Thoughts?

top 6 comments
sorted by: hot top controversial new old
[–] [email protected] 6 points 1 year ago

Depends on how secure your seecure network is, but generally speaking I wouldn't allow it. As you said, it's way to broad and gives away control of what is loading and what comes on your network.

[–] [email protected] 6 points 1 year ago

Based on this quick article, https://softwarekeep.com/help-center/what-is-gstatic-com#:~:text=Gstatic%20is%20a%20special%20website,%2C%20pictures%2C%20and%20style%20sheets. It feels like just allowing all of gstatic is a bit of a security nightmare. I'd push back and have them identify the parts of gstatic they actually need for their website to work and allow those.

Alternatively, if this application needs a cdn but is only intended for local hosting in the secure network, perhaps a locally hosted cdn could be a good idea.

Without knowing the security in place it's hard to do much beyond give general maybe this or that.

[–] SheeEttin 3 points 1 year ago

It depends entirely on your own risk analysis. We can't make this decision for you without knowing the details (and if you want to give details, let me know where I should submit the consulting invoice).

[–] sylver_dragon 1 points 1 year ago

It comes down to the risk appetite of the business. You mention a "secure" network, but you already have internet access. So, it seems that some access to resources on the internet is already an accepted risk. Beyond the possibility that a random attacker might leverage the gstatic CDN to attack your network, do you have any other specific threats which make you hesitant to whitelist it? Are those threats large enough that the business would consider them to great a risk to that network? Do you have other mitigating controls in place? Would something like traffic inspection or endpoint protection be a sufficient mitigating control? Can the systems with the offending app be firewalled off from the rest of the network? Could the specific assets needed by cached internally and requests for gstatic redirected? What other compensating controls can be put in place to mitigate the risk?

All that said, have you brought the issued to your management and gotten their input on the risk? In the end, it's a business decision and should be decided on by the business leaders. If they want to take the risk of allowing that network to access gstatic, that's on them.