Firewall Wizards mailing list archives
Re: Proxy advantage
From: Dave Piscitello <dave () corecom com>
Date: Tue, 16 Apr 2013 12:34:25 -0400
DNS is one service where you can actually do some mitigation at scale. Not certain why people overlook the fact that name resolution is among the earliest interventions an admin can take. Not certain, too, whether anyone has tried Response Policy Zone (RPZ, see http://www.isc.org/community/blog/201007/taking-back-dns-0), but there's a lot to gain by filtering response of malicious domains. I think this may scale better than host files. On Tue, Apr 16, 2013 at 10:48 AM, Paul D. Robertson <paul () compuwar net> wrote:
Transparent proxy clients don't have a way to connect without DNS. Fewer non-aware applications exist today than even 5 years ago. Hosts files can be maintained where that's an issue. Good security requires work- it's hard isn't a good excuse in my book. Engineer well and handle the exceptions, don't throw away your security by engineering for the poor exceptions. As far as management- if you're going to whitelist some DNS servers, how difficult is it to log and investigate recursive resolution requests? Rate of change is low, even in large environments. For broken crappy software, either file bug reports or just set up a wildcard resolver for the clients- it doesn't really matter what you resolve it to since the proxy makes the connections anyway. DNS tunneling is becoming vogue again- how else do you stop it? Paul -- President and Chairman, FluidIT Group Moderator, Firewall-Wizards http://pauldrobertson.net http://pauldrobertson.com @compuwar On Apr 16, 2013, at 10:13, Kevin Kadow <kkadow () gmail com> wrote:Does this only apply to an explicit proxy server? Does anybody deploy a transparent proxy server and not pass DNS down to the client? Can you call it a "best practice" when it is impossible to maintain in a large diverse network? Aside from applications which are just not proxy aware, even when the application correctly uses OS proxy settings for HTTP/HTTPS/FTP/etc, it may still rely on being able to resolve external names; result is an unmanageably large whitelist for DNS lookups. Same goes with "not advertising a default route" or restricting default route HTTP/HTTPS with ACLs. Great idea, but one which quickly becomes difficult to manage on a large scale network. Once you have any unproxyable applications needing connectivity to Akamai or a similar CDN, these controls are usually abandoned as unmaintainable. Kevin Kadow_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Proxy advantage Paul D. Robertson (Apr 15)
- Re: Proxy advantage Marcus J. Ranum (Apr 16)
- Re: Proxy advantage Kevin Kadow (Apr 16)
- Re: Proxy advantage Marcus J. Ranum (Apr 16)
- Re: Proxy advantage Paul D. Robertson (Apr 16)
- Re: Proxy advantage Dave Piscitello (Apr 16)
- Re: Proxy advantage Kevin Kadow (Apr 16)
- Re: Proxy advantage Paul Robertson (Apr 16)
- Re: Proxy advantage Marcus J. Ranum (Apr 16)
- Re: Proxy advantage Magosányi Árpád (Apr 16)
- Re: Proxy advantage David Lang (Apr 30)