On 4/27/07, RB <[EMAIL PROTECTED]> wrote:
> Authentication by IP is a bad idea, restricting who can connect in the
> first place and proceed to authentication stage is a further line of

Having been an enterprise firewall admin in the midst of previously
established enterprise firewall admins, the "going wisdom" is that you
always set rules by IP rather than DNS.  When pressed for a reason,
especially given that Cisco PIX allow DNS rules, they always resorted
to the koan of "that's the way it's always been done - DNS can be
poisoned or the source of a DoS".  phbbbttt

My response: if someone is in the position to poison my DNS, they're
already in the position to spoof a trusted IP and likely a whole lot
more.  For that matter, they're likely already inside my network.  If
the allow/block is critical enough to require the *tiny* edge provided
by IP-based rules, then the client will be critical enough to have a
statically assigned IP.

If DNS is unreachable or non-responsive during rule load, your rules
fail to load.  That sounds extremely DUMB to me.  With that said, I
fully expect someone who cares enough to make this a reality to step
up before too long.  As long as it's done using the alias system so
that the lookups can be cached, this can work.

--Bill

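The cached-alias scheme Bill sketches in the last paragraph, as an added example that is not code from this thread or from any particular firewall product: alias names in the rules are resolved at rule-load time, the answers are kept in a persistent cache, and if DNS is unreachable the cached addresses are used rather than the rule load failing. The alias names, hostnames, rule layout and emitted rule syntax are all constructed for illustration; `resolve_ipv4`, `resolve_aliases`, `build_rules` and `load_ruleset` are names chosen here.

```python
"""Resolve hostname aliases for firewall rules with a persistent cache.

Added illustration, not code from the thread. The alias/rule layout,
hostnames and the emitted rule syntax are assumptions made here.
"""
import json
import socket
from pathlib import Path

# Constructed alias -> hostname map; in practice this lives in the firewall config.
ALIASES = {
    "backup-server": "backup.example.internal",
    "mail-relay": "mx.example.internal",
}

# Constructed rules that reference aliases instead of literal addresses.
RULES = [
    {"action": "allow", "alias": "backup-server", "port": 22},
    {"action": "allow", "alias": "mail-relay", "port": 25},
]


def resolve_ipv4(hostname):
    """Look up IPv4 addresses with the system resolver.

    Raises socket.gaierror (an OSError) when DNS is unreachable or the
    name does not exist, which is the failure the caller must survive.
    """
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def load_cache(path):
    """Read the on-disk alias cache; an absent cache is simply empty."""
    path = Path(path)
    return json.loads(path.read_text()) if path.exists() else {}


def save_cache(path, cache):
    """Persist the alias cache so the next rule load can fall back to it."""
    Path(path).write_text(json.dumps(cache, indent=2, sort_keys=True))


def resolve_aliases(aliases, cache, resolver=resolve_ipv4):
    """Resolve every alias, refreshing the cache on success.

    Returns (addresses_by_alias, warnings). A failed lookup falls back to
    the cached addresses instead of aborting the whole rule load; an alias
    with no cached entry is skipped and reported. A successful lookup whose
    answer differs from the cache is flagged, since a silently changed
    answer is exactly what a poisoned resolver would hand back.
    """
    resolved = {}
    warnings = []
    for alias, host in aliases.items():
        old = cache.get(alias)
        try:
            addrs = sorted(resolver(host))
            if not addrs:
                raise OSError("empty answer")
        except OSError as exc:
            if old is None:
                warnings.append(
                    f"{alias}: lookup of {host} failed ({exc}) and no cached "
                    f"entry exists; rule skipped")
                continue
            warnings.append(
                f"{alias}: lookup of {host} failed ({exc}); using cached {old}")
            addrs = old
        else:
            if old is not None and old != addrs:
                warnings.append(
                    f"{alias}: address set for {host} changed from {old} to {addrs}")
            cache[alias] = addrs
        resolved[alias] = addrs
    return resolved, warnings


def build_rules(rules, resolved):
    """Expand alias-based rules into one literal-address rule per address.

    The emitted syntax is illustrative, not any real firewall's grammar.
    """
    lines = []
    for rule in rules:
        for addr in resolved.get(rule["alias"], []):
            lines.append(f"{rule['action']} from {addr} to any port {rule['port']}")
    return lines


def load_ruleset(aliases, rules, cache_path, resolver=resolve_ipv4):
    """Full rule-load cycle: read cache, resolve, persist cache, expand rules."""
    cache = load_cache(cache_path)
    resolved, warnings = resolve_aliases(aliases, cache, resolver)
    save_cache(cache_path, cache)
    return build_rules(rules, resolved), warnings


if __name__ == "__main__":
    lines, warns = load_ruleset(ALIASES, RULES, "/tmp/fw-alias-cache.json")
    for w in warns:
        print("WARNING:", w)
    print("\n".join(lines))
```

This only addresses the availability failure the post is about: with a warm cache, a dead resolver no longer stops the rules from loading. It does nothing to prevent the poisoning case the "going wisdom" cites; a poisoned answer is cached as readily as a correct one, which is why the change warning is there, so that an alias quietly moving to a new address is at least visible in the load log rather than silently becoming the new trusted set.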