In the quest to get up to speed on the latest trends, I was very surprised to find an organization asking for a well-developed (assumed maintainable and scalable) IP whitelisting process, when just a little while ago, when I took my sabbatical, we were way into either:

- WAF/UTM to protect everything public facing (who could possibly certify consistency and maintainability of source IPs?)

and/or

- JSON produced sets of IPs, from a large service provider, "installed" on edge devices (FWs)

and/or

- FQDNs, with verifiable name resolution, where no other solution was possible, to still narrow down sources,

and no longer IPs.

Is anyone still using IP whitelisting? Why? And how do you lifecycle such (MACDs)?