nanog mailing list archives

Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

From: "Christopher A. Woodfield" <rekoil () semihuman com>
Date: Mon, 14 May 2001 17:27:09 -0400


I didn't intend to imply that matching forward/reverse DNS was a security 
measure I'd trust by itself, but it certainly doesn't hurt to implement as 
a "outer perimeter" measure in conjunction with IP-based rules and 
secure authentication...

-C

On Mon, May 14, 2001 at 10:24:54AM -0700, Adam McKenna wrote:


On Mon, May 14, 2001 at 11:46:05AM -0400, Christopher A. Woodfield wrote:

Reverse DNS by itself is insufficient for authentication, but 
enforcing matching forward and reverse DNS entries is much more reliable 
(no substitute for secret-based or cert-based authentication, but a good 
"front door" for something like tcp wrappers). at last check, tcpd and sshd 
can both be configured to block connections without matching forward/reverse 
records.


No.  This is joke security, as is any security that relies on hostnames.  TCP
wrappers is basically worthless as a security measure unless you are using
IP-based rules.  And even then, it's deprecated in favor of kernel
firewalling (In Linux) or ipfilter (on BSD's and other platforms that support 
it).

--Adam


-- 
---------------------------
Christopher A. Woodfield                rekoil () semihuman com

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B

Current thread:

Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS, (continued)
- - - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Alex Rubenstein (May 15)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Stephen Griffin (May 17)
    - Re: Swipping /29's /30's and singles.. mike harrison (May 15)
    - Re: Swipping /29's /30's and singles.. Hunter Pine (May 15)
  - DSL providers and reverse DNS [was Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS] Ulf Zimmermann (May 17)
- RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Roeland Meyer (May 14)
  - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Adam McKenna (May 14)
  - RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS John Fraizer (May 14)
  - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Christopher A. Woodfield (May 14)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Adam McKenna (May 14)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Christopher A. Woodfield (May 14)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Adam McKenna (May 15)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Valdis . Kletnieks (May 15)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Pyda Srisuresh (May 15)
    - RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Vivien M. (May 15)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Shawn McMahon (May 15)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Brett Frankenberger (May 17)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Shawn McMahon (May 17)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS David Charlap (May 17)
    - RE: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Pyda Srisuresh (May 15)
    - Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS Eric A. Hall (May 15)

(Thread continues...)