Educause Security Discussion mailing list archives
Re: firewall holes for particular machines
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 13 May 2009 10:41:15 -0400
2009/5/13 Kevin Shalla <kshalla () uic edu>:
> I've been working with some people to set up firewall rules to allow particular IP addresses. We're going to be changing many IP addresses soon, but keeping the same hostnames for them, so I suggested setting the firewall rules to use hostnames instead, so that there would be no downtime, and less maintenance the next time IP addresses change. My thinking is that there isn't much security that's added by using IPs instead of hostnames, and using hostnames would slightly increase the processing needed, but hostnames are more convenient. Am I missing something?
Yes. DNS servers can get poisoned. DNS can get hijacked (look at the spectacle late last year). Think about the amount of traffic that your firewall would generate just looking up IP addresses for the associated sessions, probably per packet.

Ever had a machine on the inside of your network become infected with something like torpig/dnschanger? Any machine in that VLAN that gets IP/DNS information via DHCP can have its DNS settings changed.

Look at when the hostnames are looked up on the firewall software. Is it at load or is it on the fly/per session?

Do you have change management procedures where firewall modifications are noted/logged? If so, using hostname instead of IP will break that model because you don't know when (or even if...) the IP address for a hostname has changed.

In a static environment where you *know* that the only rules using hostnames are for *your* machines, and you can *always* guarantee that the DNS information will be correct and you can *always* guarantee that your DNS servers will *never* be compromised and a few other "ands", it's a fine idea. In practice, though, it comes down to risk management. In your scenario, or at UIC, it may be worthwhile to use hostnames. I can't, in good conscience, say it's anything other than a bad idea for *our* campus.

If this comes off as a bit jumpy, my apologies. We just had a huge discussion about this this morning when a vendor recommended we do this because they don't know the IP pool of their own application servers, so it's a sort of touchy topic at the moment.

kmw

--
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
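The change-management gap raised in the reply above (you don't know when, or even if, the address behind a hostname changed) can be closed without handing the lookup to the firewall: resolve each hostname once when the rule is approved, record the addresses in the change log, push those fixed addresses to the firewall, and audit the record against live DNS on a schedule. The script below is an added illustration of that check; it is not code from this thread or from any of its participants. The change-management record, the hostnames and the stand-in resolver are constructed for the example, and the real resolver uses nothing beyond the standard library's `socket.getaddrinfo`.

```python
"""Drift check for firewall rules that were written against hostnames.

Resolves every hostname that appears in a rule, compares the answer with the
address set recorded when the rule was approved, and reports any difference
so the change log can be updated (or the rule reviewed) instead of the
firewall silently following whatever DNS currently says.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List

Resolver = Callable[[str], FrozenSet[str]]

# Hypothetical change-management record: hostname -> addresses approved when
# the rule was created. Constructed sample data using RFC 5737 documentation
# ranges; the hostnames are invented for this example.
APPROVED_RULES: Dict[str, FrozenSet[str]] = {
    "app1.example.edu": frozenset({"192.0.2.10"}),
    "app2.example.edu": frozenset({"192.0.2.11", "192.0.2.12"}),
    "vendor-api.example.net": frozenset({"198.51.100.5"}),
}


@dataclass(frozen=True)
class Drift:
    """One hostname whose current resolution differs from the approved set."""
    hostname: str
    approved: FrozenSet[str]
    observed: FrozenSet[str]

    @property
    def added(self) -> FrozenSet[str]:
        return self.observed - self.approved

    @property
    def removed(self) -> FrozenSet[str]:
        return self.approved - self.observed


def resolve_live(hostname: str) -> FrozenSet[str]:
    """Real resolver: every IPv4/IPv6 address DNS returns right now."""
    return frozenset(info[4][0] for info in socket.getaddrinfo(hostname, None))


def snapshot(hostnames: Iterable[str], resolver: Resolver = resolve_live) -> Dict[str, FrozenSet[str]]:
    """Resolve once at approval time and return the sets to record in the change
    log. This is the 'at load' model: the firewall gets fixed addresses, not names."""
    return {host: resolver(host) for host in hostnames}


def audit(rules: Dict[str, FrozenSet[str]], resolver: Resolver = resolve_live) -> List[Drift]:
    """Compare the approved record with live DNS. A lookup failure is treated as
    every approved address being lost, never as 'no change'."""
    findings: List[Drift] = []
    for host, approved in sorted(rules.items()):
        try:
            observed = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            observed = frozenset()
        if observed != approved:
            findings.append(Drift(host, approved, observed))
    return findings


def report(findings: List[Drift]) -> List[str]:
    """One human-readable line per drifting hostname."""
    return [
        f"{d.hostname}: added={sorted(d.added)} removed={sorted(d.removed)}"
        for d in findings
    ]


# Constructed resolver standing in for DNS so the example runs offline:
# app1 is unchanged, app2 moved one address, the vendor name no longer resolves.
_FAKE_DNS: Dict[str, FrozenSet[str]] = {
    "app1.example.edu": frozenset({"192.0.2.10"}),
    "app2.example.edu": frozenset({"192.0.2.11", "192.0.2.13"}),
}


def fake_resolver(hostname: str) -> FrozenSet[str]:
    if hostname not in _FAKE_DNS:
        raise socket.gaierror("constructed failure: name does not resolve")
    return _FAKE_DNS[hostname]


if __name__ == "__main__":
    for line in report(audit(APPROVED_RULES, fake_resolver)):
        print(line)
```

In use, `snapshot()` with the default resolver produces the address list that goes into both the change ticket and the firewall, and `audit(APPROVED_RULES)` runs from cron against real DNS; every finding is an explicit change-log event rather than a rule that quietly started matching different hosts. Treating a failed lookup as drift matters because a poisoned or unreachable resolver is exactly the case where you do not want the check to report "nothing changed".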
Current thread:
- firewall holes for particular machines Kevin Shalla (May 13)
- <Possible follow-ups>
- Re: firewall holes for particular machines Chris Schenk (May 13)
- Re: firewall holes for particular machines Brian Kaye (May 13)
- Re: firewall holes for particular machines Di Fabio, Andrea (May 13)
- Re: firewall holes for particular machines F.M. Taylor (May 13)
- Re: firewall holes for particular machines Kevin Wilcox (May 13)
- Re: firewall holes for particular machines Chris Green (May 13)
- Re: firewall holes for particular machines David Gillett (May 13)
- Re: firewall holes for particular machines Gary Flynn (May 13)
- Re: firewall holes for particular machines Megan Carney (May 13)
- Re: firewall holes for particular machines leo song (May 14)
- Re: firewall holes for particular machines Zach Jansen (May 14)
- Re: firewall holes for particular machines Kevin Wilcox (May 14)
- Re: firewall holes for particular machines Megan Carney (May 14)
- Re: firewall holes for particular machines Jason Frisvold (May 15)