Educause Security Discussion mailing list archives

Re: firewall holes for particular machines


From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Date: Wed, 13 May 2009 10:38:48 -0400

Here are my 2 cents.

1. Most firewalls I know well, which are Cisco and Checkpoint, use the DNS
name only the first time you add a host to resolve the IP address.  Once the
IP address is resolved, the rule uses the IP and not the DNS name, which
brings me to #2.

2. If the firewall were to check the DNS name for each and every request,
besides slowing your network to a crawl, how easy would it be to spoof and
change the DNS response to the firewall and therefore manipulate the rules,
or even poison the cache of your DNS servers?

I personally would stick with IP addresses.  We had a change of one of our
/20 networks a while ago, and manually went through the FW rules.  Such
changes are not frequent enough to consider DNS.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax
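Andrea's point that the rule keeps the IP resolved at add time, so a renumbering means re-checking every rule by hand, lends itself to a small audit script. This is an added example, not code from either poster or from Cisco or Checkpoint; the ruleset, the DNS answers and the /20 prefix are constructed, and `audit_rules` flags rules whose stored IP no longer matches current DNS, whose host no longer resolves, or which still sit inside the prefix being renumbered.

```python
import ipaddress
import socket

# Constructed sample ruleset (hypothetical, not a real firewall export): each entry
# keeps the hostname the admin typed and the IP the firewall resolved at rule-add time.
RULES = [
    {"name": "allow-web", "host": "www.example.edu", "ip": "192.0.2.10"},
    {"name": "allow-mail", "host": "mail.example.edu", "ip": "192.0.2.25"},
    {"name": "allow-hpc", "host": "hpc.example.edu", "ip": "198.51.100.7"},
]

# Constructed stand-in for today's DNS answers so the audit runs offline.
CURRENT_DNS = {
    "www.example.edu": "203.0.113.10",  # host moved during renumbering
    "mail.example.edu": "192.0.2.25",   # not moved yet
    # hpc.example.edu deliberately absent: it no longer resolves
}

def offline_resolver(host):
    return CURRENT_DNS.get(host)

def live_resolver(host):
    """Real resolver for production use; returns None if the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def audit_rules(rules, renumbered_prefix, resolver=offline_resolver):
    """Compare each rule's stored IP with what its hostname resolves to now.

    Returns a dict of rule name -> finding for rules needing attention; rules whose
    IP still matches DNS and lies outside the renumbered prefix are omitted.
    """
    net = ipaddress.ip_network(renumbered_prefix)
    findings = {}
    for rule in rules:
        stored = ipaddress.ip_address(rule["ip"])
        current = resolver(rule["host"])
        if current is None:
            findings[rule["name"]] = "hostname no longer resolves; rule may be orphaned"
        elif ipaddress.ip_address(current) != stored:
            findings[rule["name"]] = f"stale: rule has {stored}, DNS now {current}"
        elif stored in net:
            findings[rule["name"]] = f"still inside {net}; update when the host moves"
    return findings

if __name__ == "__main__":
    for name, finding in audit_rules(RULES, "192.0.0.0/20").items():
        print(f"{name}: {finding}")
```

Pass `resolver=live_resolver` to run it against real DNS; the prefix argument is the network being renumbered, so rules that still point into it are listed even when DNS has not changed yet.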


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Wednesday, May 13, 2009 10:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] firewall holes for particular machines

I've been working with some people to set up firewall rules to allow
particular IP addresses.  We're going to be changing many IP
addresses soon, but keeping the same hostnames for them, so I
suggested setting the firewall rules to use hostnames instead, so
that there would be no downtime, and less maintenance the next time
IP addresses change.  My thinking is that there isn't much security
that's added by using IPs instead of hostnames, and using hostnames
would slightly increase the processing needed, but hostnames are more
convenient.  Am I missing something?
