We have a JSS in the DMZ, but our DMZ is extremely locked down. I had the 188.8.131.52/8 address block opened up for ports 80 and 443, but we still can't do App lookups in the JSS. After doing some checking in the firewall logs, there are requests to addresses in the 184.108.40.206/8 block, and looking at our bandwidth use logs for our networks to *.apple.com, there are hundreds of hostnames that reference back to the 220.127.116.11/8 block... Has anyone else seen this or heard feedback from Apple regarding it?
Thanks @franton !
This is one of those times where you need to tell your network / firewall admin that whitelisting by IP address is sooooo 1990s. In my talk I mentioned “next generation firewalls” that can deny or allow apps by their traffic signature.
I’d suggest asking the team in charge of the firewall whether they will accept a request to whitelist DOMAINS rather than address ranges. If they say they can’t, point out that a lot of cloud-based apps use CDNs and Global Traffic Management (GTM) to shuffle through a huge range of ever-changing IP addresses. If they still can’t do this, appeal directly to the CIO (or through your director/VP) and inform them that you are alarmed because the network stack appears to be incapable of supporting modern security practices, and the institution is at risk of attacks due to outdated infrastructure.
IP addresses and ports do NOT tell the whole picture. A health care organization such as yours should care about being able to accurately monitor traffic going in and out of the network.