Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users
Course Of The Month
11 days, 7 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
AVG Updates on DMZ
Posted on 2013-01-01
The environment: Retail locations (PCI-DSS applicable) Point of Sale registers running Windows XP OS segmented onto a DMZ. Each register runs a Kaseya agent with End Point Security (AVG antivirus). Each location has a SonicWall TZ 215 appliance.I am having issues updating the AVG installs on the registers. My DMZ rules allow HTTP access to predestinated websites only (2 commerce processing sites and AVG). I quickly discovered the initial AVG update site was inadequate, so I created an AVGUpdateSites network address object and then grouped various update sites (other network address objects) that the log files were showing AVG was trying to access.
I'm up to 15 different update sites now and have some fourth level domain transport companies (e.g. akamaitechnogies.com, nlayer.net, etc...) that seem to change daily. I need to allow access for all of these AVG update sites and block everything else.
I'm looking for ideas of how to better skin this cat. Still haven't spoken to anyone at AVG that even knew they were using these dynamic sites. Attached is a pic of the sites I've currently identified. It shows a few different attempts at the 3rd and 4th level domain attempts - none work.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
3
2- +1
11 Comments
Active 2 days ago
Take a look at these two links. They pertain to the free version, but may help.
http://free.avg.com/faq.num-2416#faq_2416
http://free.avg.com/faq.num-2419#faq_2419
http://free.avg.com/faq.num-2416#faq_2416
http://free.avg.com/faq.num-2419#faq_2419
Thanks, but no. I guess I'm really looking for how I can allow for akamai's and nlayer's dyamic third and fourth level domain name changes. SonicWall doesn't support wildcards at that level - won't resolve.
Active 2 days ago
This link contains a list of what is supposed to be "all" the sites you need to permit a connection to. Have you permitted all of these?
http://free.avg.com/us-en/faq.num-2446#faq_2446
http://free.avg.com/us-en/faq.num-2446#faq_2446
Active today
Just to add on, looks like different AVG version (below are the commercial versions) may have different list to be put into exception for Sonicwall to allow
2013 - http://www.avg.com/ww-en/faq.num-5229
2011 - http://www.avg.com/ww-en/faq.num-3487
2013 - http://www.avg.com/ww-en/faq.num-5229
2011 - http://www.avg.com/ww-en/faq.num-3487
Active today
For the Akamai you have do do each level with a star.
*.akamai.com
*.something.akamai.com
*.5.something.akamai.com
The * will do anything except a subdomain.
*.akamai.com
*.something.akamai.com
*.5.something.akamai.com
The * will do anything except a subdomain.
Thanks for the responses, but the objects have to be IP host addresses, IP range, IP network or a resolvable FQDN, which rules out the wildcards. When you ping the URL's listed on the referenced pages, you end up with a list of IP addresses that represent less than 30% of the total addresses and ranges I've discovered through firewall logs today. Everything I force an update to the AVG agents I get new sites being blocked. I account fo rthose sites, update again, and get new blocks. There has to be a inclusive list somewhere.
Any other ideas? Thanks!
Any other ideas? Thanks!
Active today
See this http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Q_23957383.html
just curious as I saw some sonicwall config guide on address object accepting wildcard, maybe I am missing out something
http://help.sonicwall.com/help/sw/eng/6800/25/8/1/Network_netObjView.html
...If you selected FQDN , enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field.
....FQDN Address Objects support wildcard entries, such as “*.somedomainname.com”, by first resolving the base domain name to all its defined host IP addresses, and then by constantly actively gleaning DNS responses as they pass through the firewall.
just curious as I saw some sonicwall config guide on address object accepting wildcard, maybe I am missing out something
http://help.sonicwall.com/help/sw/eng/6800/25/8/1/Network_netObjView.html
...If you selected FQDN , enter the domain name for the individual site or range of sites (with a wildcard) in the FQDN field.
....FQDN Address Objects support wildcard entries, such as “*.somedomainname.com”, by first resolving the base domain name to all its defined host IP addresses, and then by constantly actively gleaning DNS responses as they pass through the firewall.
Yeah, I thought the same thing. I opened a ticket with SonicWall and they confirmed that wildcards used in network address objectives won't resolve. For poops and giggles I added it back to a store and forced an update. Attached is a pic from the log showing it won't resolve. Wish I could. I already added the reefernced sites to the matrix and still got the same results.
fqdn.jpg
fqdn.jpg
Active today
Looks like if the firewall cannot perform the DNS lookup the ip cannot be resolved. Suspecting that browsing to that dynamic DNS site is not possible at all as well...most AV uses such so that update server is always available. Minimally the nslookup or dig should return the ip address though it changes subsequently...try robtex or domain dossier on the host to see the possible ip address.
Sigh - http://serverfault.com/questions/376794/i-need-to-create-a-special-rule-on-my-firewall-with-all-the-ip-addresses-from-fa
I did saw some innovative ways but tough
http://michigantelephone.wordpress.com/2011/06/28/using-dyndns-to-solve-the-problem-of-keeping-a-firewall-open-to-remote-users-at-changeable-ip-addresses/
Sigh - http://serverfault.com/questions/376794/i-need-to-create-a-special-rule-on-my-firewall-with-all-the-ip-addresses-from-fa
I did saw some innovative ways but tough
http://michigantelephone.wordpress.com/2011/06/28/using-dyndns-to-solve-the-problem-of-keeping-a-firewall-open-to-remote-users-at-changeable-ip-addresses/
Active today
I personally use * in fqdn fields and. It works just fine. However I do have DNA setup so it can resolve them.
Active today
if you will to see the sonicwall link in my post, it did state SonicOS Enhanced 3.5 stating below [1] and it also added more [2]. You may want to ask them on "Sanctioned DNS server" - see section "Enforcing the use of sanctioned servers on the network". Definition [3]
[1]"...FQDN – Fully Qualified Domain Names, such as ‘www.reallybadWebsite.com’, will be resolved to their IP address (or IP addresses) using the DNS server configured on the SonicWALL. Wildcard entries are supported through the gleaning of responses to queries sent to the sanctioned DNS servers...."
[2]Since most DNS servers do not allow zone transfers, it is typically not possibly to automatically enumerate all the hosts in a domain. Instead, the SonicWALL will look for DNS responses coming from sanctioned DNS servers as they traverse the firewall. So if a host behind the firewall queries an external DNS server which is also a configured/defined DNS server on the SonicWALL, the SonicWALL will parse the response to see if it matches the domain of any wildcard FQDN AOs.
[3] Sanctioned DNS servers are those DNS servers configured for use by the SonicWALL firewall. The reason that responses from only sanctioned DNS servers are used in the wildcard learning process is to protect against the possibility of FQDN AO poisoning through the use of unsanctioned DNS servers with deliberately incorrect host entries.
Overall, minimally FW to allow such DNS resolving to see the traces to Akamai DNS server @ http://en.wikipedia.org/wiki/Akamai_Technologies#Akamai.27s_DNS_servers
That is why, I am puzzled why the sonicwall support say "...confirmed that wildcards used in network address objectives won't resolve..." - may want to drill further assuming the above is valid
Side note
- Sonicwall has the section on "Blocking All Protocol Access to a Domain using FQDN DAOs"
- Some past conjectures of akamai related working
@ http://research.microsoft.com/en-us/um/people/ratul/akamai.html
- Akamai NetworkSession Interface (installed in client machine)
@ http://www.akamai.com/html/solutions/client_faq.html
[1]"...FQDN – Fully Qualified Domain Names, such as ‘www.reallybadWebsite.com’, will be resolved to their IP address (or IP addresses) using the DNS server configured on the SonicWALL. Wildcard entries are supported through the gleaning of responses to queries sent to the sanctioned DNS servers...."
[2]Since most DNS servers do not allow zone transfers, it is typically not possibly to automatically enumerate all the hosts in a domain. Instead, the SonicWALL will look for DNS responses coming from sanctioned DNS servers as they traverse the firewall. So if a host behind the firewall queries an external DNS server which is also a configured/defined DNS server on the SonicWALL, the SonicWALL will parse the response to see if it matches the domain of any wildcard FQDN AOs.
[3] Sanctioned DNS servers are those DNS servers configured for use by the SonicWALL firewall. The reason that responses from only sanctioned DNS servers are used in the wildcard learning process is to protect against the possibility of FQDN AO poisoning through the use of unsanctioned DNS servers with deliberately incorrect host entries.
Overall, minimally FW to allow such DNS resolving to see the traces to Akamai DNS server @ http://en.wikipedia.org/wiki/Akamai_Technologies#Akamai.27s_DNS_servers
That is why, I am puzzled why the sonicwall support say "...confirmed that wildcards used in network address objectives won't resolve..." - may want to drill further assuming the above is valid
Side note
- Sonicwall has the section on "Blocking All Protocol Access to a Domain using FQDN DAOs"
- Some past conjectures of akamai related working
@ http://research.microsoft.com/en-us/um/people/ratul/akamai.html
- Akamai NetworkSession Interface (installed in client machine)
@ http://www.akamai.com/html/solutions/client_faq.html
Featured Post
We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Here's a look at newsworthy articles and community happenings during the last month.
Recovering from what the press called "the largest-ever cyber-attack", IT departments worldwide are discussing ways to defend against this in the future. In this process, many people are looking for immediate actions while, instead, they need to tho…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month11 days, 7 hours left to enroll
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.