Educause Security Discussion mailing list archives
Re: firewall holes for particular machines
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Date: Wed, 13 May 2009 10:38:48 -0400
Here are my 2 cents.

1. Most firewalls I know of well, which is CISCO and Checkpoint, use the DNS name only the first time you add a host to resolve the IP address. Once the IP address is resolved, the rule uses the IP and not the DNS name, which brings me to #2.

2. If the firewall were to check the DNS name for each and every request, besides slowing your network to a crawl, how easy would it be to spoof and change the DNS response to the Firewall and therefore manipulate the rules or even poison the cache of your DNS servers?

I personally would stick with IP addresses. We had a change of one of our /20 networks a while ago, and manually went through the FW rules. Such changes are not frequent enough to consider DNS.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Wednesday, May 13, 2009 10:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] firewall holes for particular machines

I've been working with some people to set up firewall rules to allow particular IP addresses. We're going to be changing many IP addresses soon, but keeping the same hostnames for them, so I suggested setting the firewall rules to use hostnames instead, so that there would be no downtime, and less maintenance the next time IP addresses change. My thinking is that there isn't much security that's added by using IPs instead of hostnames, and using hostnames would slightly increase the processing needed, but hostnames are more convenient. Am I missing something?
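The reply's first point is that a hostname-based rule is really an IP rule frozen at the moment the host object was added, so a renumbering leaves stale addresses behind that nobody notices until something breaks. The following script is an added example, not code from the list post or from any firewall vendor: it audits a constructed rule base against a constructed snapshot of current DNS answers and reports rules whose stored IP no longer matches, hostnames that now have several A records (which a single-IP rule cannot express), and hostnames that no longer resolve. The rule format, the hostnames and the addresses are all made up; in practice the DNS snapshot would be filled from a resolver (for example socket.getaddrinfo) or an IPAM export rather than a literal dict. A small renumber helper shows how a planned prefix move, like the /20 change mentioned in the reply, can be applied to a rule base mechanically before that audit is run.

```python
"""Audit firewall rules whose frozen IP no longer matches its hostname.

Added example, not from the mailing list post. Models the point that a
rule created from a hostname stores the IP resolved at add time. Runs
offline against a constructed DNS snapshot instead of live queries.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str        # rule identifier (constructed)
    hostname: str    # hostname the admin had in mind when adding the rule
    address: str     # IP address the firewall actually stored at add time


# Constructed sample rule base: the IP each rule was created with.
RULES = [
    Rule("allow-web", "www.example.edu", "192.0.2.10"),
    Rule("allow-mail", "mail.example.edu", "192.0.2.25"),
    Rule("allow-lb", "lb.example.edu", "192.0.2.40"),
    Rule("allow-old", "retired.example.edu", "192.0.2.99"),
]

# Constructed DNS snapshot taken after a renumbering: www and lb moved,
# lb now has two A records, mail is unchanged, retired no longer resolves.
DNS_NOW = {
    "www.example.edu": ["198.51.100.10"],
    "mail.example.edu": ["192.0.2.25"],
    "lb.example.edu": ["198.51.100.40", "198.51.100.41"],
}


def audit_rules(rules, dns):
    """Compare each rule's stored IP with the current DNS answers.

    Returns a dict with three lists:
      stale        -> (rule name, stored IP, current IPs) where they differ
      ambiguous    -> rule names whose hostname has several A records
      unresolvable -> rule names whose hostname has no answer at all
    """
    report = {"stale": [], "ambiguous": [], "unresolvable": []}
    for rule in rules:
        answers = dns.get(rule.hostname)
        if not answers:
            report["unresolvable"].append(rule.name)
            continue
        current = {ipaddress.ip_address(a) for a in answers}
        stored = ipaddress.ip_address(rule.address)
        if len(current) > 1:
            report["ambiguous"].append(rule.name)
        if stored not in current:
            report["stale"].append(
                (rule.name, rule.address, sorted(str(a) for a in current))
            )
    return report


def renumber(address, old_net, new_net):
    """Map an address in old_net to the same host offset in new_net.

    Raises ValueError if the address is outside old_net or the two
    prefixes differ in length, so a typo cannot silently produce an
    address in the wrong block.
    """
    old = ipaddress.ip_network(old_net)
    new = ipaddress.ip_network(new_net)
    addr = ipaddress.ip_address(address)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new networks must have the same prefix length")
    if addr not in old:
        raise ValueError(f"{addr} is not in {old}")
    offset = int(addr) - int(old.network_address)
    return str(ipaddress.ip_address(int(new.network_address) + offset))


if __name__ == "__main__":
    for kind, items in audit_rules(RULES, DNS_NOW).items():
        print(f"{kind}: {items}")
    print(renumber("192.0.2.10", "192.0.2.0/24", "198.51.100.0/24"))
```

Run against the constructed data, the audit flags allow-web and allow-lb as stale, allow-lb as ambiguous, and allow-old as unresolvable, while allow-mail passes untouched. The "ambiguous" bucket is the case worth keeping an eye on: a load-balanced or round-robin hostname cannot be captured by a rule that stores one address, which is one more reason the reply's advice to manage rules as explicit IPs and review them on renumbering holds up.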