  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 85
Firewall rules to permit Playstore & Appstore push notifications & apps install

Our firewalls are not synced to public DNS, so we can't create rules by URL for the Play Store or App Store.

Our corporate mobile devices need to have push notifications and app installs working:
what range of IPs is required for the App Store and Play Store, and which ports must be permitted?

I heard the App Store is a Class A subnet while the Play Store is probably a Class B:
is it good practice to permit firewall rules for such big subnet ranges?
Asked by: sunhux

4 Solutions

Jackie Man commented:
It is a very tough question.

> I heard the App Store is a Class A subnet while the Play Store is probably a Class B:
> is it good practice to permit firewall rules for such big subnet ranges?

Yes. It will be a very big subnet range just for Android devices, and the purpose of a firewall will diminish for sure.

Zone-based firewall rules might be applicable for filtering the mobile devices; whitelist the MAC addresses of such devices and make a user-based policy for allowing or disallowing the bypass of the firewall.

serialband commented:
Apple owns an entire Class A subnet, 17.0.0.0/8, so everything in it is Apple's infrastructure.
Several early companies have an entire Class A (IBM: 9.0.0.0/8).

Akamai is more complex: http://tools.tracemyip.org/search--isp/akamai+technologies

I suggest using DNS names for the whitelist instead.

sunhux (Author) commented:
> I suggest using DNS names for the whitelist instead.
But our firewalls do not reference external DNSes, thus we can only use IPs.

Jackie Man commented:
> But our firewalls do not reference external DNSes, thus we can only use IPs.

For the Google Play Store, it is not technically possible to whitelist by IP addresses, as their server pools are just too big and their IP addresses change from time to time.

serialband commented:
It's time to get a better firewall.

sunhux (Author) commented:
Even if we permit by URL (which our firewall resolves via external DNS), isn't it still too big a range of IPs to permit for incoming traffic (the risk of hackers spoofing those App Store and Play Store IPs)?

sunhux (Author) commented:
> make a user-based policy for allowing or disallowing the bypass of the firewall
What's the above? So if we bypass the firewall, won't we need firewall rules?

sunhux (Author) commented:
Juniper is zone-based, so is it good enough?

Jackie Man commented:
Actually, a good firewall is only part of the solution, and you need a good MDM to enforce policies for all mobile devices.

It is really a big topic, and you need to think from the users' perspective also.

sunhux (Author) commented:
OK, nobody can provide the range of Play Store IP addresses, while I've got it for the App Store.

Now, if we permit at our Bluecoat proxy (which can resolve App Store and Play Store URLs), would this be good enough?

sunhux (Author) commented:
> it is not technically possible to whitelist by IP addresses, as their server pools are just too big and their
> IP addresses change from time to time.
So using a proxy will solve the above issue (as our proxy resolves via public DNS)?

Jackie Man commented:
I cannot find any information in relation to your Bluecoat proxy, but maybe the information below will help you.

How I got the Play Store working for me.
Note that I do not have an Any -> Any firewall rule for outbound traffic.
Note also that my device is not in the Transparent Proxy Skiplist.

1. Allow outbound traffic to the Google Play ports.
Create Service Definitions for Google Play with TCP ports 5222, 5223, and 5228 (5222 may be for Talk/Chat).
I added them to a Service Group called Google Services and set up a firewall rule:
Internal Network -> Google Services -> Any -> Allow

2. Allow those Google Play ports in the transparent proxy Target Services.
Add those services individually to the Allowed Target Services on the Web Protection -> Filtering Options -> Misc page.
Note that Sophos did not allow me to add the service group I created above; I could only add the individual services.

3. Lower the file size for virus scanning to 20 MB.
Web Filtering -> Policies -> Default Content Filter Action -> Antivirus -> Do not scan files larger than 20 MB
Note that you would need to make this adjustment in whatever policy makes sense for you, if you have custom policies.

The first two steps alone didn't help with Google Chrome at 28 MB. Lowering the A/V scan size was the final step.
Smaller apps from the Play Store install fine.

Source: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/46079/google-play-store-issues
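The Sophos steps above and serialband's 17.0.0.0/8 note both describe outbound, device-initiated permits, which is also what answers the earlier worry about spoofed App Store or Play Store addresses on incoming traffic: a stateful firewall admits only replies to connections the inside host opened. The following is an added illustration, not code from the thread or from any vendor: a toy stateful egress check in Python. The internal range 10.10.0.0/16, the APNs ports 443/5223 on the Apple block, and all sample flow addresses are assumptions or constructed values.

```python
# Added example (not from the thread): stateful egress policy in miniature.
# Networks/ports come from the thread (Apple 17.0.0.0/8; Google Play TCP
# 5222/5223/5228) or are assumed (10.10.0.0/16 internal VLAN, Apple 443/5223).
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: frozenset

INTERNAL = ipaddress.ip_network("10.10.0.0/16")   # assumed corporate mobile VLAN
EGRESS_RULES = [
    # Internal Network -> Apple infrastructure (17.0.0.0/8 per serialband)
    Rule(INTERNAL, ipaddress.ip_network("17.0.0.0/8"), frozenset({443, 5223})),
    # Internal Network -> "Google Services" group -> Any (Sophos write-up)
    Rule(INTERNAL, ipaddress.ip_network("0.0.0.0/0"), frozenset({5222, 5223, 5228})),
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()   # (client_ip, client_port, server_ip, server_port)

    def outbound(self, src, sport, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if s in r.src and d in r.dst and dport in r.dports:
                self.established.add((s, sport, d, dport))   # record state
                return "ALLOW"
        return "DROP"

    def inbound(self, src, sport, dst, dport):
        # Return traffic is admitted only if it matches a connection the inside
        # host initiated; a packet merely claiming an Apple/Google source address
        # with no matching state is dropped, so the big /8 never opens inbound.
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (d, dport, s, sport) in self.established:
            return "ALLOW (established)"
        return "DROP (no state)"

def demo():
    """Constructed sample flows; returns the verdict for each in order."""
    fw = Firewall(EGRESS_RULES)
    return [
        fw.outbound("10.10.4.20", 51000, "17.57.144.10", 5223),   # APNs-style push
        fw.outbound("10.10.4.20", 51001, "142.250.80.14", 5228),  # Play push/install
        fw.outbound("10.10.4.20", 51002, "17.57.144.10", 22),     # wrong port
        fw.inbound("17.57.144.10", 5223, "10.10.4.20", 51000),    # reply to flow 1
        fw.inbound("17.1.2.3", 5223, "10.10.4.20", 51000),        # unsolicited
    ]
```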