Educause Security Discussion mailing list archives
Re: SECURITY Digest - 12 May 2009 to 13 May 2009 (#2009-110)
From: Erwin Carrow <Erwin.Carrow () USG EDU>
Date: Thu, 14 May 2009 06:05:17 -0400
Don't go hostnames; security becomes a serious problem, of which many have already commented!

--Chris
CISSP, INFOSEC, CCSP CCNP, CCAI, LCP LCI, MSCE, OCM
USG Board of Regents

On 5/14/09 12:00 AM, "SECURITY automatic digest system" <LISTSERV () LISTSERV EDUCAUSE EDU> wrote:

There are 12 messages totalling 716 lines in this issue.

Topics of the day:

1. firewall holes for particular machines (10)
2. Websense alternatives? (2)

----------------------------------------------------------------------

Date: Wed, 13 May 2009 09:27:53 -0500
From: Kevin Shalla <kshalla () UIC EDU>
Subject: firewall holes for particular machines

I've been working with some people to set up firewall rules to allow particular IP addresses. We're going to be changing many IP addresses soon, but keeping the same hostnames for them, so I suggested setting the firewall rules to use hostnames instead, so that there would be no downtime, and less maintenance the next time IP addresses change. My thinking is that there isn't much security that's added by using IPs instead of hostnames, and using hostnames would slightly increase the processing needed, but hostnames are more convenient. Am I missing something?

------------------------------

Date: Wed, 13 May 2009 11:38:04 -0300
From: Brian Kaye <bdk () UNB CA>
Subject: Re: firewall holes for particular machines

Are you talking about an institutional firewall or host based firewalls? Would you be doing a DNS query for every packet that arrives? Even if an intelligent scheme is used this would be a big load on the hosts, the firewall and the DNS.

......Brian Kaye
......UNB

On Wed, 13 May 2009, Kevin Shalla wrote:
------------------------------

Date: Wed, 13 May 2009 10:38:48 -0400
From: "Di Fabio, Andrea" <adifabio () NSU EDU>
Subject: Re: firewall holes for particular machines

Here are my 2 cents.

1. Most firewalls I know of well, which is CISCO and Checkpoint, use the DNS name only the first time you add a host to resolve the IP address. Once the IP address is resolved, the rule uses the IP and not the DNS name, which brings me to #2.

2. If the firewall were to check the DNS name for each and every request, besides slowing your network to a crawl, how easy would it be to spoof and change the DNS response to the Firewall and therefore manipulate the rules or even poison the cache of your DNS servers?

I personally would stick with IP addresses. We had a change of one of our /20 networks a while ago, and manually went through the FW rules. Such changes are not frequent enough to consider DNS.

Andrea Di Fabio
Information Security Officer
High Performance Computing Technology Coordinator
Norfolk State University
Office of Information Technology
Marie V. McDemmond Center for Applied Research, Rm 401F
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
757-823-2896 Office
757-823-2128 Fax

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin Shalla
Sent: Wednesday, May 13, 2009 10:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] firewall holes for particular machines

------------------------------

Date: Wed, 13 May 2009 10:39:58 -0400
From: "F.M. Taylor" <fmtaylor () PURDUE EDU>
Subject: Re: firewall holes for particular machines

Yes, one DNS hack and "all your base are belong to us".

On Wednesday 13 May 2009, Kevin Shalla formed electrons in this pattern:
--
......\\|//........^^^^^........)))((........%%%%%........,,,,,......
......(- -)........(o o)........(- o)........(0-0)........(* *)......
+--ooO-(_)-Ooo--oo0-(_)-0oo--ooO-(_)-Ooo--oo0-(_)-0oo--ooO-(_)-Ooo--+
| F.M. (Mike) Taylor........'Recedite, plebes! Gero rem imperialem!'|
| 'Ecce potestas casei'..............GIAC GSEC & GCFW Certified.....|
| Desk: 765-494-1872.....................C: 765-409-8140............|
+-------------------------------------------------------------------+

------------------------------

Date: Wed, 13 May 2009 10:41:15 -0400
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Subject: Re: firewall holes for particular machines

2009/5/13 Kevin Shalla <kshalla () uic edu>:
Yes. DNS servers can get poisoned. DNS can get hijacked (look at the spectacle late last year). Think about the amount of traffic that your firewall would generate just looking up IP addresses for the associated sessions, probably per packet.

Ever had a machine on the inside of your network become infected with something like torpig/dnschanger? Any machine in that VLAN that gets IP/DNS information via DHCP can have its DNS settings changed.

Look at when the hostnames are looked up on the firewall software. Is it at load or is it on the fly/per session?

Do you have change management procedures where firewall modifications are noted/logged? If so, using hostname instead of IP will break that model because you don't know when (or even if...) the IP address for a hostname has changed.

In a static environment where you *know* that the only rules using hostnames are for *your* machines, and you can *always* guarantee that the DNS information will be correct and you can *always* guarantee that your DNS servers will *never* be compromised and a few other "ands", it's a fine idea. In practice, though, it comes down to risk management. In your scenario, or at UIC, it may be worthwhile to use hostnames. I can't, in good conscience, say it's anything other than a bad idea for *our* campus.

If this comes off as a bit jumpy, my apologies. We just had a huge discussion about this this morning when a vendor recommended we do this because they don't know the IP pool of their own application servers, so it's a sort of touchy topic at the moment.
kmw

--
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259

------------------------------

Date: Wed, 13 May 2009 08:38:03 -0600
From: Chris Schenk <Christopher.Schenk () COLORADO EDU>
Subject: Re: firewall holes for particular machines

Typically I avoid, and recommend to others to avoid, using any hostnames in a firewall configuration unless they are in some sort of hosts file (/etc/hosts, c:\windows\system32\drivers\etc\hosts). The issue with using hostnames is that if your firewall is ever misconfigured and doesn't allow DNS queries, your hostnames won't resolve and your firewall will be broken. This does depend on your network configuration, however, whether or not the DNS server is inside the firewall, etc.

Chris

On 05/13/2009 08:27 AM, Kevin Shalla wrote:
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chris Schenk
Director of Computing Operations
Department of Computer Science
University of Colorado, Boulder
P:(303)492-5720 F:(303)492-2844
Christopher.Schenk () Colorado EDU
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

------------------------------

Date: Wed, 13 May 2009 10:55:37 -0500
From: Chris Green <cmgreen () UAB EDU>
Subject: Re: firewall holes for particular machines

There's also the old issue where DNS PTR records are controlled by the owner of the IP block and not the owner of the domain. #2 actually requires a reverse lookup and then another forward lookup to validate that the domain is legit. This issue crops up commonly nowadays with webapps that reinvent ACLs.
-----Original Message-----

2. If the firewall were to check the DNS name for each and every request, besides slowing your network to a crawl, how easy would it be to spoof and change the DNS response to the Firewall and therefore manipulate the rules or even poison the cache of your DNS servers?
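The reverse-then-forward validation Chris Green describes, as an added example (Python, not code from the thread) run against constructed in-memory records; the zone data, host names and the ALLOWED_NAMES rule set are assumptions, and a live check would swap the two lookup functions for real resolver calls:

```python
"""Forward-confirmed reverse DNS (FCrDNS) for a name-based ACL.

Added example, not code from the list thread.  A reverse (PTR) lookup
alone proves nothing, because the PTR is controlled by whoever owns the
address block; the PTR's name has to be resolved forward again and the
original address must appear in that answer before the name can drive
an ACL decision.  The resolver is an in-memory stand-in with constructed
sample records so the example runs offline.
"""
from typing import Dict, List, Optional

# Constructed sample zone data (documentation address ranges, not real hosts).
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "app1.example.edu.",     # honest: forward record points back
    "198.51.100.7": "app1.example.edu.",   # PTR claims a name its owner does not control
    "203.0.113.5": "shared.example.org.",  # round-robin name with several A records
}
A_RECORDS: Dict[str, List[str]] = {
    "app1.example.edu": ["192.0.2.10"],
    "shared.example.org": ["203.0.113.4", "203.0.113.5", "203.0.113.6"],
}
# Names the hypothetical rule base permits.
ALLOWED_NAMES = {"app1.example.edu", "shared.example.org"}


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup against the constructed zone; None when no record exists."""
    return PTR_RECORDS.get(ip)


def forward_lookup(name: str) -> List[str]:
    """A lookup against the constructed zone; empty list when no record exists."""
    return A_RECORDS.get(name, [])


def normalise(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot of an FQDN."""
    return name.rstrip(".").lower()


def naive_name(ip: str) -> Optional[str]:
    """Reverse lookup only: trusts whatever the PTR says."""
    name = reverse_lookup(ip)
    return normalise(name) if name else None


def fcrdns_name(ip: str) -> Optional[str]:
    """Return the PTR name for ip only if it forward-resolves back to ip."""
    name = naive_name(ip)
    if name is None:
        return None
    if ip not in forward_lookup(name):
        return None  # PTR not confirmed: treat the address as unnamed
    return name


def acl_decision(ip: str, lookup=fcrdns_name) -> str:
    """'allow' when the (confirmed) name is in the ACL, otherwise 'deny'."""
    name = lookup(ip)
    if name is None:
        return "deny"
    return "allow" if name in ALLOWED_NAMES else "deny"


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, "naive:", acl_decision(ip, naive_name), "fcrdns:", acl_decision(ip))
```

The address whose PTR merely claims app1.example.edu is allowed by the reverse-only check and denied once the forward confirmation is required.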
------------------------------

Date: Wed, 13 May 2009 09:31:30 -0700
From: David Gillett <gillettdavid () FHDA EDU>
Subject: Re: firewall holes for particular machines

Several people have suggested (with understandable horror) that this might require a DNS lookup for every packet. It doesn't -- DNS responses carry a TTL (time to live) for which period the resolution may be kept in cache.

BUT this makes changing IP addresses of hosts a less deterministic process than one might wish. For some period after the host's IP changes, up to (worst case) the TTL on the record, the old address may remain cached. So every time you change a host IP, the host will become unreachable for some random period of time, during which you don't know if the problem is going to suddenly fix itself or not -- it will *appear* that the firewall simply isn't applying its rules correctly.

A nice firewall, such as Checkpoint or Juniper, will let you give names to entities such as hosts and networks, and compose/read the firewall rules in terms of those names, which I believe is what you want. But those names are strictly local definitions and are not connected to DNS or any other outside resolution mechanism, and I think the consensus is that such a connection is not the Great Idea it at first appears.

David Gillett
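A small simulation of David Gillett's TTL point, added here as an example (Python, not code from the thread or from any firewall product); the in-memory DNS table, host name, addresses, TTL and the clock step are all constructed values:

```python
"""Why a hostname-based rule lags behind an address change.

Added example, not code from the list thread or from any firewall
vendor.  The firewall resolves the name once and keeps the answer for
the record's TTL, so after the host's address changes the rule keeps
matching the old address, and denies the new one, for up to one TTL.
The DNS server is a constructed in-memory table driven by a manual
clock, so the run is deterministic and offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FakeDNS:
    """Constructed zone: name -> (address, ttl_seconds)."""
    zone: Dict[str, Tuple[str, int]]

    def resolve(self, name: str) -> Tuple[str, int]:
        return self.zone[name]


@dataclass
class HostnameRule:
    """An allow rule written in terms of a hostname, with a TTL cache."""
    name: str
    dns: FakeDNS
    cached_ip: str = ""
    expires_at: float = 0.0
    changes: List[str] = field(default_factory=list)

    def resolved_ip(self, now: float) -> str:
        """Re-resolve only once the cached answer's TTL has run out."""
        if now >= self.expires_at:
            ip, ttl = self.dns.resolve(self.name)
            if ip != self.cached_ip:
                # Worth logging: the effective rule changed without anyone
                # editing the rule base (Kevin Wilcox's change-management point).
                self.changes.append(
                    f"t={now:.0f}s {self.name}: {self.cached_ip or '(none)'} -> {ip}")
            self.cached_ip, self.expires_at = ip, now + ttl
        return self.cached_ip

    def permits(self, src_ip: str, now: float) -> bool:
        return src_ip == self.resolved_ip(now)


def simulate(ttl: int = 3600, change_at: float = 1000.0, step: float = 600.0) -> Dict[str, float]:
    """Move the host at change_at and report when the rule catches up."""
    name, old_ip, new_ip = "app1.example.edu", "192.0.2.10", "192.0.2.20"
    dns = FakeDNS({name: (old_ip, ttl)})
    rule = HostnameRule(name, dns)
    rule.permits(old_ip, 0.0)  # rule base loaded at t=0; answer cached until t=ttl
    first_allow_new: Optional[float] = None
    t = step
    while t <= change_at + ttl + step:
        if t >= change_at:
            dns.zone[name] = (new_ip, ttl)  # DNS is updated the moment the host moves
        if rule.permits(new_ip, t):
            first_allow_new = t
            break
        t += step
    if first_allow_new is None:
        raise RuntimeError("rule never caught up; check ttl/step")
    return {
        "change_at": change_at,
        "first_allow_new": first_allow_new,
        "stale_seconds": first_allow_new - change_at,
    }


if __name__ == "__main__":
    print(simulate())
```

With the defaults the record changes at t=1000 s but the rule only admits the new address at t=3600 s, when the cached answer expires; shortening the TTL shrinks that window but never removes it.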
------------------------------

Date: Wed, 13 May 2009 13:20:17 -0400
From: Gary Flynn <flynngn () JMU EDU>
Subject: Re: firewall holes for particular machines

According to the documentation, the Juniper firewall will let you create rules based on names and it will refresh the resolution at predefined intervals but not more frequently than four hours.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

------------------------------

Date: Wed, 13 May 2009 12:24:13 -0500
From: Megan Carney <carn0048 () UMN EDU>
Subject: Re: firewall holes for particular machines

I echo all the concerns already mentioned, but there are cases where your hands are tied. Windows updates as well as some other software are akamaized, meaning IP-based restrictions aren't possible without opening a very wide hole.

In those cases, DNS seems to be the better choice.

On Wednesday 13 May 2009 11:31:30 David Gillett wrote:
--
Megan Carney
Security Coordinator
OIT Security and Assurance
612-625-3858
carn0048 () umn edu

Merlin Mann's rules for sensible email:
1. Know why you're writing and what result you would like to see.
2. Make clear whether you are providing information, requesting information, or requesting action.
3. Write a great subject line.
4. Brevity is the soul. . .of getting a response.
5. Make clear what the next action is.
6. Keep messages and threads limited to one topic or project.
www.43folders.com/2005/09/19/writing-sensible-email-messages

------------------------------

Date: Wed, 13 May 2009 15:03:58 -0400
From: Ben Williams <Ben.Williams () DAVENPORT EDU>
Subject: Websense alternatives?
We utilize Websense web security for URL filtering. For the categories we filter we display a warning about the content and allow the user to continue, the only exception being dangerous malware which is simply blocked.

What alternatives to Websense are you using?

Thank you!
Ben Williams

------------------------------

Date: Wed, 13 May 2009 14:27:15 -0500
From: Ken De Cruyenaere <kdc () CC UMANITOBA CA>
Subject: Re: Websense alternatives?

On Wed, May 13, 2009 at 03:03:58PM -0400, Ben Williams wrote:
I guess it's not exactly an alternative, but we recently enabled the Web Reputation feature on Trendmicro's Officescan. (When it came out a few years ago we tried it but left it off after too many false positives. Recently assured that it was improved, we tried it again.) I'm quite happy with it: no false positives, and it helped identify a number of machines that had malware on board, when the logs showed regular attempts to connect to malicious web site(s).

Ken

---
Ken De Cruyenaere
Computer Security Coordinator
kdc () cc umanitoba ca
Information Services & Technology
(204) 474-8340
University of Manitoba

------------------------------

End of SECURITY Digest - 12 May 2009 to 13 May 2009 (#2009-110)
***************************************************************