Educause Security Discussion mailing list archives
Re: firewall holes for particular machines
From: David Gillett <gillettdavid () FHDA EDU>
Date: Wed, 13 May 2009 09:31:30 -0700
Several people have suggested (with understandable horror) that this might require a DNS lookup for every packet. It doesn't -- DNS responses carry a TTL (time to live) for which period the resolution may be kept in cache. BUT this makes changing IP addresses of hosts a less deterministic process than one might wish. For some period after the host's IP changes, up to (worst case) the TTL on the record, the old address may remain cached. So every time you change a host IP, the host will become unreachable for some random period of time, during which you don't know if the problem is going to suddenly fix itself or not -- it will *appear* that the firewall simply isn't applying its rules correctly. A nice firewall, such as Checkpoint or Juniper, will let you give names to entities such as hosts and networks, and compose/read the firewall rules in terms of those names, which I believe is what you want. But those names are strictly local definitions and are not connected to DNS or any other outside resolution mechanism, and I think the consensus is that such a connection is not the Great Idea it at first appears. David Gillett
-----Original Message----- From: Kevin Shalla [mailto:kshalla () UIC EDU] Sent: Wednesday, May 13, 2009 7:28 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] firewall holes for particular machines I've been working with some people to set up firewall rules to allow particular IP addresses. We're going to be changing many IP addresses soon, but keeping the same hostnames for them, so I suggested setting the firewall rules to use hostnames instead, so that there would be no downtime, and less maintenance the next time IP addresses change. My thinking is that there isn't much security that's added by using IPs instead of hostnames, and using hostnames would slightly increase the processing needed, but hostnames are more convenient. Am I missing something?
Current thread:
- firewall holes for particular machines Kevin Shalla (May 13)
- <Possible follow-ups>
- Re: firewall holes for particular machines Chris Schenk (May 13)
- Re: firewall holes for particular machines Brian Kaye (May 13)
- Re: firewall holes for particular machines Di Fabio, Andrea (May 13)
- Re: firewall holes for particular machines F.M. Taylor (May 13)
- Re: firewall holes for particular machines Kevin Wilcox (May 13)
- Re: firewall holes for particular machines Chris Green (May 13)
- Re: firewall holes for particular machines David Gillett (May 13)
- Re: firewall holes for particular machines Gary Flynn (May 13)
- Re: firewall holes for particular machines Megan Carney (May 13)
- Re: firewall holes for particular machines leo song (May 14)
- Re: firewall holes for particular machines Zach Jansen (May 14)
- Re: firewall holes for particular machines Kevin Wilcox (May 14)
- Re: firewall holes for particular machines Megan Carney (May 14)
- Re: firewall holes for particular machines Jason Frisvold (May 15)