On 1/17/08, Joe Greco <jgreco@ns.sol.net> wrote:
Wow, as far as I can tell, you've pretty much condemned most firewall software and devices then, because I'm really not aware of any serious ones that will successfully implement rules such as "allow from 123.45.67.0/24" via DNS. Besides, if you've gone to the trouble of acquiring your own address space, it is a reasonable assumption that you'll be able to rely on being able to tack down services in that space. Being expected to walk through every bit of equipment and reconfigure potentially multiple subsystems within it is unreasonable.
Taking, as one simple example, an older managed ethernet switch, I see the IP configuration itself, the SNMP configuration (both filters and traps), the ACL's for management, the time server IP, etc. I guess if you feel that Bay Networks equipment was a bad buy, you're welcome to that opinion. I can probably dig up some similar Cisco gear.
... JG
Agreed. I'd see a huge security hole in letting someone put host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed to an IP, especially since it's rare to see DNSSEC in production. -brandon