I don't understand why anyone allows a server or network appliance to access the web by default. If you need to update it, or if as part of its functionality it must dynamically access some specific remote content, either populate your own update server and do it from there, or enable a firewall rule or a route to only the approved remote address.
@pieist @kravietz
It's worse when the thing you download and run could be anything!