Educause Security Discussion mailing list archives
Re: firewall holes for particular machines
From: Jason Frisvold <frisvolj () LAFAYETTE EDU>
Date: Fri, 15 May 2009 11:49:17 -0400
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Kevin Shalla wrote:
I've been working with some people to set up firewall rules to allow particular IP addresses. We're going to be changing many IP addresses soon, but keeping the same hostnames for them, so I suggested setting the firewall rules to use hostnames instead, so that there would be no downtime, and less maintenance the next time IP addresses change. My thinking is that there isn't much security that's added by using IPs instead of hostnames, and using hostnames would slightly increase the processing needed, but hostnames are more convenient. Am I missing something?
You run into two issues here, both pretty serious. First, if you lose DNS resolution, you effectively lock everything out of the server. Second, DNS is pretty easy to spoof and poison. It wouldn't take much to sneak through the firewall my poisoning DNS. Other issues include increased load on the server, and probably the DNS server as well as each incoming packet needs to be reversed. Caching might help a little, but there will still be additional resources needed. I highly recommend you avoid using hostnames and use IPs instead. It's a bit more maintenance, but IPs don't generally change. I'm not sure what you're using for a firewall, but some firewalls (iptables, Cisco firewalls) allow you to use variables or groups. You can create the necessary rules using those instead of hard-coded IPs and then update/add/remove IPs to the groups as necessary. Makes management a tad easier. - -- - --------------------------- Jason Frisvold Network Engineer frisvolj () lafayette edu - --------------------------- "What I cannot create, I do not understand" - Richard Feynman -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkoNjv0ACgkQO80o6DJ8UvlyuwCfXnm56Gome2jAP9SphIPWv50X yFUAn3ESO/BFJIM2e5xeB12L0EO3ypVV =s9Om -----END PGP SIGNATURE-----
Current thread:
- Re: firewall holes for particular machines, (continued)
- Re: firewall holes for particular machines F.M. Taylor (May 13)
- Re: firewall holes for particular machines Kevin Wilcox (May 13)
- Re: firewall holes for particular machines Chris Green (May 13)
- Re: firewall holes for particular machines David Gillett (May 13)
- Re: firewall holes for particular machines Gary Flynn (May 13)
- Re: firewall holes for particular machines Megan Carney (May 13)
- Re: firewall holes for particular machines leo song (May 14)
- Re: firewall holes for particular machines Zach Jansen (May 14)
- Re: firewall holes for particular machines Kevin Wilcox (May 14)
- Re: firewall holes for particular machines Megan Carney (May 14)
- Re: firewall holes for particular machines Jason Frisvold (May 15)