We access the site of an external vendor who provided us some sort of service.
However, about 300 of our staff, mostly contract staff, need to access this
service, but they are currently not granted Internet access on their PCs, so
we permit, by firewall rules, the entire organization to access that vendor's
site, as going by proxy, we'd need to grant 300 proxy entries (i.e. by their
AD IDs) to 3 URLs, as that site will call/redirect to 2 other URLs.
By permitting this in the firewall rules & letting these contract staff bypass
the proxy, the contract staff can only access these 3 URLs & not any other
links/sites on the Internet, so this is still "secure" in my view as these 3
URLs are "trusted" sites. This method of bypassing the proxy is also meant to
ensure that, should new contract staff join, they can access the 3 URLs,
while if we go by proxy, each time a new staff member joins, we have to
request it & each time a staff member leaves, we have to remove that
staff member's AD ID from the proxy: quite an enormous admin task (for the
proxy admin as well as the supervisors of these staff).
Now, we have just found that this vendor has coded another module to call
Google's "Captcha" service (which is www.google.com/.....): what's
the entire subnet range of google.com? Is it a Class A, B or C, or a
mix of many Class C ranges?
Our firewalls can't currently resolve via public DNS, so if we permit
access to a large range of public IPs, what are the security/risk implications?
Any other safe way of working around this?