[37501] in North American Network Operators' Group


Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS

daemon@ATHENA.MIT.EDU (Christopher A. Woodfield)
Mon May 14 23:01:43 2001

Date: Mon, 14 May 2001 17:27:09 -0400
To: nanog@nanog.org
Message-ID: <20010514172709.B6037@semihuman.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010514102454.F6987@flounder.net>; from adam@flounder.net on Mon, May 14, 2001 at 10:24:54AM -0700
From: "Christopher A. Woodfield" <rekoil@semihuman.com>
Errors-To: owner-nanog-outgoing@merit.edu


I didn't intend to imply that matching forward/reverse DNS was a security 
measure I'd trust by itself, but it certainly doesn't hurt to implement as 
an "outer perimeter" measure in conjunction with IP-based rules and 
secure authentication...

-C

On Mon, May 14, 2001 at 10:24:54AM -0700, Adam McKenna wrote:
> 
> On Mon, May 14, 2001 at 11:46:05AM -0400, Christopher A. Woodfield wrote:
> > Reverse DNS by itself is insufficient for authentication, but 
> > enforcing matching forward and reverse DNS entries is much more reliable 
> > (no substitute for secret-based or cert-based authentication, but a good 
> > "front door" for something like tcp wrappers). at last check, tcpd and sshd 
> > can both be configured to block connections without matching forward/reverse 
> > records.
> 
> No.  This is joke security, as is any security that relies on hostnames.  TCP
> wrappers is basically worthless as a security measure unless you are using
> IP-based rules.  And even then, it's deprecated in favor of kernel
> firewalling (In Linux) or ipfilter (on BSD's and other platforms that support 
> it).
> 
> --Adam
> 

-- 
---------------------------
Christopher A. Woodfield		rekoil@semihuman.com

PGP Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB887618B
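An added, offline illustration of the check the thread is arguing about: forward-confirmed reverse DNS (look up the PTR for the connecting address, then resolve each returned name and accept only if the original address comes back), combined with an IP-based rule as the poster suggests. This is example code written for this page, not code from either poster or from tcpd/sshd; the DNS records, the dictionary-backed resolver functions, the `ALLOWED_NETS` list and the hostnames are all constructed.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Constructed sample zone data so the example runs offline (assumption: these
# names and addresses are made up; documentation prefixes are used).
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["host.example.net"],               # PTR and A agree
    "192.0.2.20": ["trusted.example.org"],            # PTR claims a name it does not own
    "192.0.2.40": ["a.example.net", "b.example.net"], # several PTRs, one confirms
    # 192.0.2.30 deliberately has no PTR record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "host.example.net": ["192.0.2.10"],
    "trusted.example.org": ["198.51.100.5"],
    "a.example.net": ["203.0.113.7"],
    "b.example.net": ["192.0.2.40"],
}


def table_ptr(ip: str) -> List[str]:
    """Reverse lookup against the constructed table (stand-in for a resolver)."""
    return PTR_RECORDS.get(ip, [])


def table_forward(name: str) -> List[str]:
    """Forward lookup against the constructed table (stand-in for a resolver)."""
    return A_RECORDS.get(name, [])


def system_ptr(ip: str) -> List[str]:
    """Reverse lookup via the system resolver; empty list when no PTR exists."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


def system_forward(name: str) -> List[str]:
    """Forward lookup via the system resolver; empty list when the name fails."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns_matches(
    ip: str,
    ptr: Callable[[str], List[str]] = table_ptr,
    forward: Callable[[str], List[str]] = table_forward,
) -> bool:
    """Forward-confirmed reverse DNS.

    The owner of the address space controls the PTR record, so the name it
    returns proves nothing on its own. Resolving that name forward and
    requiring the original address to appear is what makes the pair
    consistent. A missing PTR, a mismatch, or a lookup failure all return False
    (fail closed).
    """
    for name in ptr(ip):
        candidate = name.rstrip(".").lower()
        if ip in forward(candidate):
            return True
    return False


# Constructed allow-list standing in for the IP-based rule the poster pairs
# the DNS check with.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def allow_connection(
    ip: str,
    allowed_nets=ALLOWED_NETS,
    ptr: Callable[[str], List[str]] = table_ptr,
    forward: Callable[[str], List[str]] = table_forward,
) -> bool:
    """Outer-perimeter decision: address must be in an allowed network AND
    have consistent forward/reverse DNS. Real authentication still happens
    after this gate; this only filters which sources reach it."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in allowed_nets):
        return False
    return fcrdns_matches(ip, ptr=ptr, forward=forward)


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "198.51.100.5"):
        print(src, "fcrdns:", fcrdns_matches(src), "allowed:", allow_connection(src))
```

To run the same logic against live DNS, pass `ptr=system_ptr, forward=system_forward`; the table-backed defaults exist only so the sample cases can be checked without network access. Note that the address with a PTR pointing at a name it does not own fails even though it sits inside the allowed network, which is the case a bare reverse lookup would have passed.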
