[101771] in North American Network Operators' Group
Re: request for help w/ ATT and terminology
daemon@ATHENA.MIT.EDU (Brandon Galbraith)
Thu Jan 17 18:56:42 2008
Date: Thu, 17 Jan 2008 17:50:33 -0600
From: "Brandon Galbraith" <brandon.galbraith@gmail.com>
To: "Joe Greco" <jgreco@ns.sol.net>
Cc: Valdis.Kletnieks@vt.edu, nanog@merit.edu
In-Reply-To: <200801172136.m0HLaUiA022308@aurora.sol.net>
Errors-To: owner-nanog@merit.edu
On 1/17/08, Joe Greco <jgreco@ns.sol.net> wrote:
>
>
> Wow, as far as I can tell, you've pretty much condemned most firewall
> software and devices then, because I'm really not aware of any serious
> ones that will successfully implement rules such as "allow from
> 123.45.67.0/24" via DNS. Besides, if you've gone to the trouble of
> acquiring your own address space, it is a reasonable assumption that
> you'll be able to rely on being able to tack down services in that
> space. Being expected to walk through every bit of equipment and
> reconfigure potentially multiple subsystems within it is unreasonable.
>
> Taking, as one simple example, an older managed ethernet switch, I see
> the IP configuration itself, the SNMP configuration (both filters and
> traps), the ACL's for management, the time server IP, etc. I guess if
> you feel that Bay Networks equipment was a bad buy, you're welcome to
> that opinion. I can probably dig up some similar Cisco gear.
>
> ... JG
>
Agreed. I'd see a huge security hole in letting someone put
host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed to an IP,
especially since it's rare to see DNSSEC in production.
-brandon
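The point Brandon makes above, that a hostname in a firewall rule makes the rule only as trustworthy as the DNS answer used to expand it, can be shown as a small audit script. This is an added example and not code from the thread; it uses a hypothetical "allow from <source>" rule syntax (not PIX/ASA syntax), constructed sample rules, and stub resolvers standing in for a real DNS lookup.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample rules in a hypothetical "allow from <source>" syntax.
# A source that does not parse as an address or prefix is treated as a hostname.
SAMPLE_RULES = [
    "allow from 123.45.67.0/24",
    "allow from host.somewhere.net",
    "allow from 10.0.0.5",
]

def rule_source(rule: str) -> str:
    """Extract the source field from one rule line."""
    parts = rule.split()
    if len(parts) != 3 or parts[0] != "allow" or parts[1] != "from":
        raise ValueError(f"unrecognised rule: {rule!r}")
    return parts[2]

def is_literal(source: str) -> bool:
    """True if the source is an IP address or prefix (no DNS needed)."""
    try:
        ipaddress.ip_network(source, strict=False)
        return True
    except ValueError:
        return False

def hostname_rules(rules: List[str]) -> List[str]:
    """Audit check: rules whose match condition depends on a DNS answer."""
    return [r for r in rules if not is_literal(rule_source(r))]

def effective_networks(rules: List[str], resolve: Callable[[str], List[str]]):
    """Expand rules into the address set the firewall would actually enforce,
    given whatever the resolver returns at rule-load time."""
    nets = []
    for r in rules:
        src = rule_source(r)
        if is_literal(src):
            nets.append(ipaddress.ip_network(src, strict=False))
        else:
            nets.extend(ipaddress.ip_network(a) for a in resolve(src))
    return nets

def is_allowed(addr: str, nets) -> bool:
    """Would a packet from addr be permitted by the expanded rule set?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def make_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Stub resolver built from a constructed name -> addresses table."""
    return lambda name: table.get(name, [])
```

Two resolvers returning different answers for host.somewhere.net produce two different effective allow-lists from the same rule text, which is exactly the dependency the audit function flags; the literal-prefix rules expand identically under both.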