Firewall Wizards mailing list archives

RE: DNS -vs- the firewall: security thoughts


From: Joe Ippolito <joe () joesnet com>
Date: Thu, 12 Mar 1998 23:10:01 -0800

I do about the same, but everyone gets access by NT Domain group 
membership: Web, ftp, and a few telnet.  Only the proxy gets access through 
the Firewall.  The only bad part is that they must use IE since Netscape is 
missing the NTLM piece.  We really do owe Bill a few complaints about that 
one.  The only way Netscape will work is if you let anyone use the proxy, 
and that just isn't going to happen.  The really good part is that every 
stinking URI gets logged to SQL Server by username.  There is no way of 
getting away with violating the acceptable use policy.  The other great 
part is that we really don't care what address they get from the DHCP 
server.  It is almost as easy as IPX without the noise.

-----Original Message-----
From:   Bennett Todd [SMTP:bet () rahul net]
Sent:   Thursday, March 12, 1998 1:13 PM
To:     joe () joesnet com
Cc:     firewall-wizards () nfr net
Subject:        Re: DNS -vs- the firewall: security thoughts

On Thu, Mar 12, 1998 at 07:39:58AM -0800, Joe Ippolito wrote:
> It sounds like you are doing a protocol conversion which takes a special
> Winsock.

I see no winsocks here. Windows neither. I Don't Do Windows.

What we have is web browsers. When you tell a web browser to use a proxy
at such and so port on whatchamacallit machine (visible on the inside
net) it passes the URLs, hostname and all, to the proxy and lets it do
any lookups and whatnot --- the presumption is that whether the client
can or can't look up the host, it can't reach that IP address anyway.

We have email clients. They just toss their traffic at the nearest
in-house Mail Transport Agent (MTA). The MTAs are configured so if they
can't look up a hostname, they toss it at the firewall and let it take a
bash at it.

We have a very small handful of users who do telnetting or ftp-ing out
--- they have to telnet or ftp to the firewall, authenticate themselves
to the proxy there, then tell the proxy the name of the host they want
to connect to.

-Bennett
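As an added example (not code from either poster), here is a parser for the request form a browser sends when it is configured to use a proxy, as Bennett describes: the request line carries the absolute URI, hostname and all, so the client never needs to resolve anything and the proxy is the only machine that has to. It also pulls the username out of a Basic Proxy-Authorization header to build the per-user URI log line Joe mentions; NTLM, which Joe's setup relies on, is a multi-step challenge and is not handled here. The sample requests are constructed.

```python
import base64
from urllib.parse import urlsplit


def parse_proxy_request(raw: bytes) -> dict:
    """Parse a proxy-form HTTP request (what a browser sends to a configured
    proxy) and return the host the *proxy* must resolve, plus the Basic-auth
    username if the client supplied one.  Raises ValueError for an origin-form
    request ("GET /path"), which a proxy should not accept."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # HTTPS tunnel: target is host:port, no path to log
        host, _, port = target.rpartition(":")
        path = None
    else:
        parts = urlsplit(target)
        if not parts.scheme or not parts.hostname:
            raise ValueError("origin-form request; client is not in proxy mode")
        host, port, path = parts.hostname, parts.port or 80, parts.path or "/"

    user = None
    auth = headers.get("proxy-authorization", "")
    if auth.lower().startswith("basic "):
        user = base64.b64decode(auth[6:]).decode("latin-1").split(":", 1)[0]
    return {"method": method, "host": host, "port": int(port), "path": path, "user": user}


def audit_line(req: dict) -> str:
    """One log record per URI, keyed by username as in Joe's setup."""
    who = req["user"] or "-"
    where = f"{req['host']}:{req['port']}{req['path'] or ''}"
    return f"{who} {req['method']} {where}"


# Constructed sample: a browser in proxy mode fetching a page with Basic auth.
SAMPLE_GET = (
    b"GET http://www.example.com/index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:secret") + b"\r\n\r\n"
)
SAMPLE_CONNECT = b"CONNECT secure.example.com:443 HTTP/1.1\r\n\r\n"
```

Running `audit_line(parse_proxy_request(SAMPLE_GET))` yields `alice GET www.example.com:80/index.html`, which is the record a proxy can write without the client ever having looked up the name.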


