Re: request for help w/ ATT and terminology

["Brandon Galbraith" <brandon.galbraith () gmail com>]

On 1/17/08, Joe Greco <jgreco () ns sol net> wrote:
> Wow, as far as I can tell, you've pretty much condemned most firewall
> software and devices then, because I'm really not aware of any serious
> ones that will successfully implement rules such as "allow from
> 123.45.67.0/24" via DNS.  Besides, if you've gone to the trouble of
> acquiring your own address space, it is a reasonable assumption that
> you'll be able to rely on being able to tack down services in that
> space.  Being expected to walk through every bit of equipment and
> reconfigure potentially multiple subsystems within it is unreasonable.
>
> Taking, as one simple example, an older managed ethernet switch, I see
> the IP configuration itself, the SNMP configuration (both filters and
> traps), the ACL's for management, the time server IP, etc.  I guess if
> you feel that Bay Networks equipment was a bad buy, you're welcome to
> that opinion.  I can probably dig up some similar Cisco gear.
>
> ... JG

Agreed. I'd see a huge security hole in letting someone put
host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed to an IP,
especially since it's rare to see DNSSEC in production.

-brandon