Firewall Wizards mailing list archives
Re: SCADA
From: ArkanoiD <ark () eltex net>
Date: Tue, 28 Apr 2009 00:14:27 +0400
We are speaking of an application proxy, not a DNS proxy, so there is no good reason (well, none that come to mind immediately) to have the outside domain and address space be resolvable from the client machine. If we implement a DNS proxy, a well-behaved one *should* check if the answer at least seems to be valid.

On Mon, Apr 27, 2009 at 02:05:33PM -0400, Dotzero wrote:
> On Mon, Apr 27, 2009 at 1:09 PM, Jim Seymour <jseymour () linxnet com> wrote:
>> Dotzero <dotzero () gmail com> wrote:
>> [snip]
>>> or DNS
>>
>> So-called "Janus DNS" solves this. First described in print in Cheswick & Bellovin's "Firewalls and Internet Security: Repelling the Wily Hacker," I believe.
>
> It's not just executable code. I do a DNS lookup to find out where to connect to. The proxy passes the answer. It does not guarantee the answer is correct. And for those who would point to DNSSEC, how many domains currently sign? When will the root sign? When will .com sign?
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards