Educause Security Discussion mailing list archives

Re: firewall holes for particular machines


From: Jason Frisvold <frisvolj () LAFAYETTE EDU>
Date: Fri, 15 May 2009 11:49:17 -0400

Kevin Shalla wrote:
> I've been working with some people to set up firewall rules to allow
> particular IP addresses.  We're going to be changing many IP addresses
> soon, but keeping the same hostnames for them, so I suggested setting
> the firewall rules to use hostnames instead, so that there would be no
> downtime, and less maintenance the next time IP addresses change.  My
> thinking is that there isn't much security that's added by using IPs
> instead of hostnames, and using hostnames would slightly increase the
> processing needed, but hostnames are more convenient.  Am I missing
> something?

You run into two issues here, both pretty serious.

First, if you lose DNS resolution, you effectively lock everything out
of the server.

Second, DNS is pretty easy to spoof and poison.  It wouldn't take much
to sneak through the firewall by poisoning DNS.

Other issues include increased load on the server, and probably the DNS
server as well, as each incoming packet needs to be reversed.  Caching
might help a little, but there will still be additional resources needed.

I highly recommend you avoid using hostnames and use IPs instead.  It's
a bit more maintenance, but IPs don't generally change.

I'm not sure what you're using for a firewall, but some firewalls
(iptables, Cisco firewalls) allow you to use variables or groups.  You
can create the necessary rules using those instead of hard-coded IPs and
then update/add/remove IPs to the groups as necessary.  Makes management
a tad easier.

--
---------------------------
Jason Frisvold
Network Engineer
frisvolj () lafayette edu
---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman
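The group-based approach the reply recommends, as an added example that is not from the thread or either poster: a POSIX shell script that builds an ipset group from a file of IP literals (rejecting hostnames, so DNS never enters the rule path) and leaves a single iptables rule that matches on the group name. The group name lab_hosts, the list-file format and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build an ipset group from a file of
# IP literals so the single firewall rule references the group by name and
# the addresses are maintained in one place.  Hostnames are rejected on
# purpose: resolving them would reintroduce the DNS dependency described above.

# Return 0 if $1 is an IPv4 literal (dotted quad, optional /0-32 prefix).
is_ipv4() {
    ip=${1%%/*}              # address part
    prefix=${1#"$ip"}        # "" or "/NN"
    case "$prefix" in
        '' | /[0-9] | /[12][0-9] | /3[0-2]) ;;
        *) return 1 ;;
    esac
    case "$ip" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;   # letters, '*', stray dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip               # split on dots (safe: only digits and dots remain)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "ipset restore" input for group $1 from file $2 (one address per
# line; '#' comments and blank lines ignored).  A non-IP entry aborts with
# status 1 so a bad list never half-loads.
gen_ipset_restore() {
    group=$1; listfile=$2
    printf 'create %s hash:net family inet -exist\n' "$group"
    printf 'flush %s\n' "$group"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        is_ipv4 "$entry" || { echo "rejected non-IP entry: $entry" >&2; return 1; }
        printf 'add %s %s\n' "$group" "$entry"
    done < "$listfile"
}

# Demo on a constructed list (documentation ranges, not real hosts).
sample=$(mktemp)
printf '%s\n' '# lab machines' '192.0.2.10' '198.51.100.0/28  # lab subnet' > "$sample"
gen_ipset_restore lab_hosts "$sample"    # pipe this into: ipset restore
rm -f "$sample"
# The one rule that never changes as the group membership changes:
#   iptables -A INPUT -p tcp --dport 22 -m set --match-set lab_hosts src -j ACCEPT
```

When an address changes, only the list file is edited and re-loaded; the iptables rule itself is untouched, and a list that sneaks in a hostname fails loudly instead of silently depending on DNS.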
