North American Network Operators Group


Re: request for help w/ ATT and terminology

  • From: Brandon Galbraith
  • Date: Thu Jan 17 18:57:35 2008

On 1/17/08, Joe Greco <jgreco@xxxxxxxxxx> wrote:

Wow, as far as I can tell, you've pretty much condemned most firewall
software and devices then, because I'm really not aware of any serious
ones that will successfully implement rules such as "allow from
123.45.67.0/24" via DNS.  Besides, if you've gone to the trouble of
acquiring your own address space, it is a reasonable assumption that
you'll be able to rely on being able to tack down services in that
space.  Being expected to walk through every bit of equipment and
reconfigure potentially multiple subsystems within it is unreasonable.

Taking, as one simple example, an older managed Ethernet switch, I see
the IP configuration itself, the SNMP configuration (both filters and
traps), the ACLs for management, the time server IP, etc.  I guess if
you feel that Bay Networks equipment was a bad buy, you're welcome to
that opinion.  I can probably dig up some similar Cisco gear.

... JG

Agreed. I'd see a huge security hole in letting someone put host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed to an IP, especially since it's rare to see DNSSEC in production.

-brandon
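The distinction the thread draws, between rules pinned to addresses in space you control and rules that match whatever a DNS name happens to resolve to, can be checked mechanically. The following is an added example, not code from the thread or from any firewall vendor: it audits a constructed list of "allow from <source>" rules, flags hostname-based sources as DNS-dependent, and reports whether address-based sources fall inside a hypothetical organisation's own prefix (123.45.67.0/24, borrowed from Joe Greco's example).

```python
import ipaddress

# Constructed sample rules in a simplified "allow from <source>" form.
SAMPLE_RULES = [
    "allow from 123.45.67.0/24",
    "allow from 123.45.67.10",
    "allow from host.somewhere.net",
    "allow from 203.0.113.0/24",
]

# Hypothetical: the address space the organisation itself holds.
OWN_SPACE = [ipaddress.ip_network("123.45.67.0/24")]


def classify_source(src):
    """Return 'network', 'address' or 'hostname' for a rule source."""
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        # Not parseable as an IP or prefix: treat it as a DNS name.
        return "hostname"
    return "address" if net.num_addresses == 1 else "network"


def audit_rules(rules, own_space=OWN_SPACE):
    """Return (rule, kind, note) tuples.

    Hostname sources are flagged because the match set is decided by a
    DNS answer at lookup time, which is unauthenticated unless the zone
    is DNSSEC-signed and the resolver validates. IP sources are checked
    against the prefixes the organisation controls.
    """
    findings = []
    for rule in rules:
        src = rule.split("from", 1)[1].strip()
        kind = classify_source(src)
        if kind == "hostname":
            findings.append((rule, kind, "dns-dependent: resolution unauthenticated without DNSSEC"))
            continue
        net = ipaddress.ip_network(src, strict=False)
        owned = any(net.subnet_of(space) for space in own_space)
        findings.append((rule, kind, "own address space" if owned else "external address space"))
    return findings


if __name__ == "__main__":
    for rule, kind, note in audit_rules(SAMPLE_RULES):
        print(f"{rule:35} {kind:9} {note}")
```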