Firewall Wizards mailing list archives
Re: DNS -vs- the firewall: security thoughts
From: Bennett Todd <bet () rahul net>
Date: Thu, 12 Mar 1998 13:12:52 -0800
On Thu, Mar 12, 1998 at 07:39:58AM -0800, Joe Ippolito wrote:
> It sounds like you are doing a protocol conversion which takes a special Winsock.

I see no winsocks here. Windows neither. I Don't Do Windows.

What we have is web browsers. When you tell a web browser to use a proxy at such and so port on whatchamacallit machine (visible on the inside net) it passes the URLs, hostname and all, to the proxy and lets it do any lookups and whatnot --- the presumption is that whether the client can or can't look up the host, it can't reach that IP address anyway.

We have email clients. They just toss their traffic at the nearest in-house Mail Transport Agent (MTA). The MTAs are configured so if they can't look up a hostname, they toss it at the firewall and let it take a bash at it.

We have a very small handful of users who do telnetting or ftp-ing out --- they have to telnet or ftp to the firewall, authenticate themselves to the proxy there, then tell the proxy the name of the host they want to connect to.

-Bennett
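
The browser-to-proxy behaviour described in the message above, as an added example that is not part of the original post: a client configured with an HTTP proxy hands the full URL, hostname included, to the proxy and never resolves the external name itself. The recording proxy on 127.0.0.1 and the `.invalid` hostname are constructed for the demonstration.

```python
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed external URL; the .invalid TLD is reserved and never resolves.
EXTERNAL_URL = "http://www.example.invalid/index.html"

class RecordingProxy(BaseHTTPRequestHandler):
    """Stand-in for the firewall proxy: records what the client sent."""
    seen = []

    def do_GET(self):
        # On a proxied request the request target is the absolute URL.
        RecordingProxy.seen.append((self.path, self.headers.get("Host")))
        body = b"fetched by proxy\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demonstration quiet

def demo():
    """Return ((request_target, host_header), client_lookups, body)."""
    RecordingProxy.seen.clear()
    server = HTTPServer(("127.0.0.1", 0), RecordingProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    lookups = []
    real_getaddrinfo = socket.getaddrinfo

    def spy(host, *args, **kwargs):
        lookups.append(host)  # every name this process tries to resolve
        return real_getaddrinfo(host, *args, **kwargs)

    socket.getaddrinfo = spy
    try:
        proxy = {"http": "http://127.0.0.1:%d" % server.server_port}
        opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxy))
        with opener.open(EXTERNAL_URL, timeout=5) as resp:
            body = resp.read()
    finally:
        socket.getaddrinfo = real_getaddrinfo
        server.shutdown()
        server.server_close()
    return RecordingProxy.seen[0], lookups, body

if __name__ == "__main__":
    (target, host), lookups, _ = demo()
    print("proxy saw:", target, "| Host:", host, "| client resolved:", lookups)
```

The only address the client process looks up is the proxy's own, so inside hosts need no view of external DNS for web traffic.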