Educause Security Discussion mailing list archives
Re: firewall holes for particular machines
From: Megan Carney <carn0048 () UMN EDU>
Date: Wed, 13 May 2009 12:24:13 -0500
I echo all the concerns already mentioned, but there are cases where your hands are tied. Windows updates as well as some other software are akamaized, meaning IP-based restrictions aren't possible without opening a very wide hole. In those cases, DNS seems to be the better choice.

On Wednesday 13 May 2009 11:31:30 David Gillett wrote:

Several people have suggested (with understandable horror) that this might require a DNS lookup for every packet. It doesn't -- DNS responses carry a TTL (time to live) for which period the resolution may be kept in cache. BUT this makes changing IP addresses of hosts a less deterministic process than one might wish. For some period after the host's IP changes, up to (worst case) the TTL on the record, the old address may remain cached. So every time you change a host IP, the host will become unreachable for some random period of time, during which you don't know if the problem is going to suddenly fix itself or not -- it will *appear* that the firewall simply isn't applying its rules correctly.

A nice firewall, such as Checkpoint or Juniper, will let you give names to entities such as hosts and networks, and compose/read the firewall rules in terms of those names, which I believe is what you want. But those names are strictly local definitions and are not connected to DNS or any other outside resolution mechanism, and I think the consensus is that such a connection is not the Great Idea it at first appears.

David Gillett

-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU]
Sent: Wednesday, May 13, 2009 7:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] firewall holes for particular machines

I've been working with some people to set up firewall rules to allow particular IP addresses. We're going to be changing many IP addresses soon, but keeping the same hostnames for them, so I suggested setting the firewall rules to use hostnames instead, so that there would be no downtime, and less maintenance the next time IP addresses change. My thinking is that there isn't much security that's added by using IPs instead of hostnames, and using hostnames would slightly increase the processing needed, but hostnames are more convenient. Am I missing something?
--
Megan Carney
Security Coordinator
OIT Security and Assurance
612-625-3858
carn0048 () umn edu

Merlin Mann's rules for sensible email:
1. Know why you're writing and what result you would like to see.
2. Make clear whether you are providing information, requesting information, or requesting action.
3. Write a great subject line.
4. Brevity is the soul. . .of getting a response.
5. Make clear what the next action is.
6. Keep messages and threads limited to one topic or project.
www.43folders.com/2005/09/19/writing-sensible-email-messages
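The TTL-caching effect David Gillett describes in the quoted message, as an added example that is not code from this thread: a stub resolver that honours the record TTL, feeding a name-based allow rule, shows how long a renumbered host keeps matching its old address (and how long the old address stays permitted). The hostname, addresses and TTL are constructed sample data.

```python
class CachingResolver:
    """Minimal resolver that honours TTLs, as a firewall evaluating
    name-based rules would have to (one lookup per TTL, not per packet)."""

    def __init__(self, zone):
        self.zone = zone          # name -> (ip, ttl_seconds); stands in for authoritative DNS
        self.cache = {}           # name -> (ip, expires_at)

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]         # still inside the TTL: serve the cached answer
        ip, ttl = self.zone[name]
        self.cache[name] = (ip, now + ttl)
        return ip


def rule_allows(resolver, src_ip, allowed_name, now):
    """Evaluate 'permit from <allowed_name>' against a packet's source IP."""
    return src_ip == resolver.resolve(allowed_name, now)


def staleness_window(ttl=3600, old_ip="192.0.2.10", new_ip="192.0.2.20"):
    """Worst case from the thread: the firewall cached the record just before
    the host was renumbered. Returns (first second the new address is allowed,
    last second the old address is still allowed)."""
    name = "build.example.edu"                  # constructed hostname
    zone = {name: (old_ip, ttl)}
    fw = CachingResolver(zone)
    rule_allows(fw, old_ip, name, now=0)        # warms the cache at t=0
    zone[name] = (new_ip, ttl)                  # admin renumbers the host at t=1
    first_new, last_old = None, None
    for t in range(1, 2 * ttl):
        ip = fw.resolve(name, t)                # one lookup per tick, cache-aware
        if ip == new_ip and first_new is None:
            first_new = t
        if ip == old_ip:
            last_old = t
    return first_new, last_old


if __name__ == "__main__":
    new_ok, old_ok = staleness_window()
    print(f"new address first matched at t={new_ok}s; old address still matched until t={old_ok}s")
```

With a one-hour TTL the new address is refused, and the old one still accepted, for the full 3600 seconds after the change; shortening the TTL before the renumbering is what bounds that window.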