Re: firewall holes for particular machines

[Megan Carney <carn0048 () UMN EDU>]

I echo all the concerns already mentioned, but there are cases where your
hands are tied.  Windows updates as well as some other software are akamaized,
meaning IP-based restrictions aren't possible without opening a very wide
hole.

In those cases, DNS seems to be the better choice.

On Wednesday 13 May 2009 11:31:30 David Gillett wrote:
>   Several people have suggested (with understandable horror)
> that this might require a DNS lookup for every packet.  It
> doesn't -- DNS responses carry a TTL (time to live) for which
> period the resolution may be kept in cache.
>   BUT this makes changing IP addresses of hosts a less deterministic
> process than one might wish.  For some period after the host's IP
> changes, up to (worst case) the TTL on the record, the old address
> may remain cached.  So every time you change a host IP, the host
> will become unreachable for some random period of time, during which
> you don't know if the problem is going to suddenly fix itself or not
> -- it will *appear* that the firewall simply isn't applying its
> rules correctly.
>
>   A nice firewall, such as Checkpoint or Juniper, will let you give
> names to entities such as hosts and networks, and compose/read the
> firewall rules in terms of those names, which I believe is what you
> want.  But those names are strictly local definitions and are not
> connected to DNS or any other outside resolution mechanism, and I
> think the consensus is that such a connection is not the Great Idea
> it at first appears.
>
> David Gillett
>
> > -----Original Message-----
> > From: Kevin Shalla [mailto:kshalla () UIC EDU]
> > Sent: Wednesday, May 13, 2009 7:28 AM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: [SECURITY] firewall holes for particular machines
> >
> > I've been working with some people to set up firewall rules
> > to allow particular IP addresses.  We're going to be changing
> > many IP addresses soon, but keeping the same hostnames for
> > them, so I suggested setting the firewall rules to use
> > hostnames instead, so that there would be no downtime, and
> > less maintenance the next time IP addresses change.  My
> > thinking is that there isn't much security that's added by
> > using IPs instead of hostnames, and using hostnames would
> > slightly increase the processing needed, but hostnames are
> > more convenient.  Am I missing something?

--
Megan Carney
Security Coordinator
OIT Security and Assurance
612-625-3858
carn0048 () umn edu

Merlin Mann's rules for sensible email:
1. Know why you're writing and what result you would like to see.
2. Make clear whether you are providing information, requesting information,
or requesting action.
3. Write a great subject line.
4. Brevity is the soul. . .of getting a response.
5. Make clear what the next action is.
6. Keep messages and threads limited to one topic or project.

www.43folders.com/2005/09/19/writing-sensible-email-messages