topic Re: RedHat (+Akamai) IP ranges in General Topics

RedHat (+Akamai) IP ranges

mserrano_uned — Wed, 24 Aug 2016 09:36:34 GMT

Would it be possible to add a miner for the Red Hat Subscription Manager (RHSM)?

They do advice to use domains name as filter rather than IP addresess [1] (mainly because they use Akamai's CDN), but we prefer to have that kind of traffic under control. There is a public CIDR list [2], but as you need an account in the RedHat portal, they provide a JSON file [3] that could be downloaded without logging in.

[1] https://access.redhat.com/solutions/65300

[2] https://access.redhat.com/articles/1525183

[3] https://access.redhat.com/sites/default/files/attachments/cdn-ranges-2015-07-14.zip

Thanks in advance.

Re: RedHat (+Akamai) IP ranges

NasirBilal-Mars — Wed, 24 Aug 2016 17:38:36 GMT

That's an interesting idea. It seems like CDN IP ranges on their own would be a little too ambiguous though right? How much other content is hosted on the same IPs...seems like URL's would be a must.

What are your thoughts?

Re: RedHat (+Akamai) IP ranges

lmori — Mon, 29 Aug 2016 08:39:44 GMT

Hi Nasir,

you are right, but even the URLs would whitelist akamai CDN URLs:

*.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]

If this is the only way, I would suggest to create a policy as strict as possible using specific source fields and App-ID.

Re: RedHat (+Akamai) IP ranges

mserrano_uned — Mon, 29 Aug 2016 09:19:10 GMT

Sorry for the delay, we were giving it a thought and doing some tests using the list provided by RedHat but we didn't have much success. We found ourselves accessing IPs that weren't in the list. We'll open a case with RedHat support to see if the list isn't updated.

Nevertheless, regarding the original question, the way we have set the policy up now it's allowing only specifics types of traffic (yum, ssl and web-browsing), so the fact that those IPs host any other content shouldn't be a concern, that's way we thought the IP range might work for us, and thus the miner request. Before that we tried creating an URL filter, but it didn't work, we assumed it was because being SSL traffic you only could see the header and that probably use IPs instead of URLs or something along the line.

Thanks for the response.

Re: RedHat (+Akamai) IP ranges

mserrano_uned — Wed, 07 Sep 2016 10:42:37 GMT

Well, in RedHat they insisted in giving access to every akamai server

*.akamaiedge.net and *.akamaitechnologies.com

both with port 443. Problem is that this is way to open for us (because using SSL you don't really know whats going on there).

At the end we found two ways to narrow down the access. Setting up the up2date so it doesn't use the Akamai CDN or specifing one DNS record (a redhat one) that resolves always the same IP thanks to the geolocalization and when Akamai changes it, the PaloAlto firewall will update the new IP minutes later.

Thanks for the response (I didn't want to be offtopic so I didn't explain myself too much, if anyone wants more detailed information just let me know).

Re: RedHat (+Akamai) IP ranges

lmori — Thu, 08 Sep 2016 21:45:43 GMT

@mserrano_uned thanks for the update !