Apple and the 23.0.0.0/8 block

jarradyuhas
Contributor

We have a JSS in the DMZ, but our DMZ is extremely locked down. I had the 17.0.0.0/8 address block opened up for ports 80 and 443, but we still can't do App lookups in the JSS. After doing some checking in the firewall logs, there are requests to addresses in the 23.0.0.0/8 block, and looking at our bandwidth use logs for our networks to *.apple.com, there are hundreds of hostnames that reference back to the 23.0.0.0/8 block. Has anyone else seen this or heard feedback from Apple regarding it?

4 REPLIES

guidotti
Contributor II

23.0.0.0/8 is owned by Akamai, and I believe Apple uses it for its push notification range in addition to 17.0.0.0/8...

franton
Valued Contributor III

Yes, that's one of Akamai's many, many CDNs around the world. You'll hit a different one depending on geographic location, and sometimes ones purely at random.

For reference, look at @bradtchapman's JNUC 2017 talk on APNS.

bradtchapman
Valued Contributor II

Thanks @franton!

This is one of those times where you need to tell your network / firewall admin that whitelisting by IP address is sooooo 1990s. In my talk I mentioned “next generation firewalls” that can deny or allow apps by their traffic signature.

I’d suggest asking the team in charge of the firewall whether they will accept a request to whitelist DOMAINS rather than address ranges. If they say they can’t, point out that a lot of cloud based apps use CDNs and Global Traffic Management (GTM) to shuffle through a huge range of ever-changing IP addresses. If they still can’t do this, appeal directly to the CIO (or through your director/VP) and inform them that you are alarmed because the network stack appears to be incapable of supporting modern security practices, and the institution is at risk of attacks due to outdated infrastructure.

IP addresses and ports do NOT tell the whole picture. A health care organization such as yours should care about being able to accurately monitor traffic going in and out of the network.
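The two observations above (the original poster seeing *.apple.com hostnames land in 23.0.0.0/8, and the point that an allowlist of address ranges cannot keep up with CDN-fronted hostnames) can be checked with a small audit script. The following is an added example, not code from the thread or from any participant or product it mentions: it takes a set of hostnames with the addresses they resolved to, summarizes which /8 blocks those addresses fall in, and reports every address that a given CIDR allowlist would not cover. The hostnames and addresses in `SAMPLE_RESOLUTIONS` are constructed placeholders, not real DNS answers; the `live_resolve` helper is an assumption about how you would gather real data and is only run when the script is executed directly.

```python
import ipaddress
import socket
from typing import Dict, List

# Constructed sample data: hostnames and the addresses they resolved to at one
# moment in time. Placeholders only; real answers change per location and time.
SAMPLE_RESOLUTIONS: Dict[str, List[str]] = {
    "example-push.apple.com": ["17.253.0.1"],
    "example-cdn.apple.com": ["23.45.67.89", "23.45.67.90"],
    "example-store.apple.com": ["17.171.0.10", "23.200.1.5"],
}


def build_allowlist(cidrs: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings (e.g. '17.0.0.0/8') into network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ip: str, allowlist: List[ipaddress.IPv4Network]) -> bool:
    """True if the address falls inside any allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def summarize_blocks(resolutions: Dict[str, List[str]], prefix: int = 8) -> Dict[str, int]:
    """Count how many resolved addresses land in each /prefix block.

    This reproduces the kind of check the original poster did by hand on the
    bandwidth logs: which large blocks do *.apple.com names actually map to?
    """
    counts: Dict[str, int] = {}
    for addrs in resolutions.values():
        for a in addrs:
            block = str(ipaddress.ip_network(f"{a}/{prefix}", strict=False))
            counts[block] = counts.get(block, 0) + 1
    return counts


def audit_allowlist(resolutions: Dict[str, List[str]], cidrs: List[str]) -> Dict[str, List[str]]:
    """Return {hostname: [addresses the CIDR allowlist would block]}.

    An empty result means every observed address is covered; a non-empty one
    shows exactly which hostnames an IP-based rule would silently break.
    """
    allowlist = build_allowlist(cidrs)
    gaps: Dict[str, List[str]] = {}
    for host, addrs in resolutions.items():
        blocked = [a for a in addrs if not is_allowed(a, allowlist)]
        if blocked:
            gaps[host] = blocked
    return gaps


def live_resolve(hostnames: List[str]) -> Dict[str, List[str]]:
    """Assumed helper: resolve hostnames now, so the audit runs on current data.

    Resolution is a snapshot; CDN answers vary by resolver location and time,
    which is exactly why an address-range allowlist drifts out of date.
    """
    result: Dict[str, List[str]] = {}
    for host in hostnames:
        try:
            infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
            result[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            result[host] = []
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print("blocks seen:", summarize_blocks(SAMPLE_RESOLUTIONS))
    print("gaps with 17.0.0.0/8 only:", audit_allowlist(SAMPLE_RESOLUTIONS, ["17.0.0.0/8"]))
    print("gaps with both blocks:", audit_allowlist(SAMPLE_RESOLUTIONS, ["17.0.0.0/8", "23.0.0.0/8"]))
```

Running the audit repeatedly against live resolutions (replace `SAMPLE_RESOLUTIONS` with the output of `live_resolve`) gives the firewall team concrete evidence of how often the address set changes, which is the argument for allowlisting hostnames or application signatures rather than ranges.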

TreviñoL
Contributor

23.0.0.0/8 is owned by Akamai, and don't do SSL data decryption at the firewall when reaching anything at Apple.com or Akamai. You will find MDM profiles disappearing on your macOS devices.