request for help w/ ATT and terminology

Brandon Galbraith brandon.galbraith at gmail.com
Thu Jan 17 23:50:33 UTC 2008


On 1/17/08, Joe Greco <jgreco at ns.sol.net> wrote:
>
>
> Wow, as far as I can tell, you've pretty much condemned most firewall
> software and devices then, because I'm really not aware of any serious
> ones that will successfully implement rules such as "allow from
> 123.45.67.0/24" via DNS.  Besides, if you've gone to the trouble of
> acquiring your own address space, it is a reasonable assumption that
> you'll be able to rely on being able to tack down services in that
> space.  Being expected to walk through every bit of equipment and
> reconfigure potentially multiple subsystems within it is unreasonable.
>
> Taking, as one simple example, an older managed ethernet switch, I see
> the IP configuration itself, the SNMP configuration (both filters and
> traps), the ACLs for management, the time server IP, etc.  I guess if
> you feel that Bay Networks equipment was a bad buy, you're welcome to
> that opinion.  I can probably dig up some similar Cisco gear.
>
> ... JG
>

Agreed. I'd see a huge security hole in letting someone put
host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed to an IP,
especially since it's rare to see DNSSEC in production.

-brandon
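Joe's point above is that renumbering out of a hardcoded prefix means visiting every subsystem of every device (interface addresses, SNMP trap targets and filters, management ACLs, NTP, syslog). The following audit script is an added example, not code from the thread or from any vendor; it takes a constructed, Cisco-style configuration and lists every address literal that falls inside a given prefix, grouped by the subsystem keyword that owns the line. The keyword-to-subsystem map and the sample configuration are assumptions for illustration, and 123.45.67.0/24 is simply the prefix Joe used.

```python
import ipaddress
import re

# Constructed sample configuration (not taken from the thread or any real
# device). 123.45.67.0/24 stands in for "your own address space".
SAMPLE_CONFIG = """\
hostname edge-sw1
interface Vlan1
 ip address 123.45.67.10 255.255.255.0
snmp-server host 123.45.67.200 traps public
snmp-server community public RO 10
access-list 10 permit 123.45.67.0 0.0.0.255
access-list 20 permit 192.0.2.50
ntp server 123.45.67.5
ip name-server 198.51.100.1
logging host 123.45.67.201
"""

# Anything shaped like a dotted quad; masks match too and are filtered below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumed mapping from a line's leading keyword to the subsystem it configures,
# so the report is grouped by "what has to be touched" during renumbering.
SUBSYSTEMS = {
    "ip": "interface/ip",
    "snmp-server": "snmp",
    "access-list": "acl",
    "ntp": "time",
    "logging": "syslog",
}


def _classify(line):
    words = line.split()
    return SUBSYSTEMS.get(words[0], "other") if words else "other"


def find_hardcoded(config_text, prefix):
    """Return (line_no, subsystem, literal) for every IPv4 literal inside prefix.

    Netmasks and wildcard masks (255.255.255.0, 0.0.0.255) are dotted quads as
    well; they drop out naturally because they are never members of an
    ordinary unicast prefix.
    """
    net = ipaddress.ip_network(prefix)
    hits = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        for lit in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(lit)
            except ValueError:  # e.g. an octet above 255
                continue
            if addr in net:
                hits.append((no, _classify(line), lit))
    return hits


def subsystems_to_reconfigure(config_text, prefix):
    """Distinct subsystems that carry at least one literal from the prefix."""
    return sorted({sub for _, sub, _ in find_hardcoded(config_text, prefix)})


if __name__ == "__main__":
    prefix = "123.45.67.0/24"
    for no, sub, lit in find_hardcoded(SAMPLE_CONFIG, prefix):
        print(f"line {no:2d}  {sub:13s} {lit}")
    print("subsystems:", ", ".join(subsystems_to_reconfigure(SAMPLE_CONFIG, prefix)))
```

Run against a real configuration dump, the same scan gives a per-device checklist before a renumbering or a move between providers; the list of subsystems it returns for the sample (ACL, interface, SNMP, syslog, time) is exactly the spread of places Joe describes having to reconfigure by hand.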

