RE: [fw-wiz] Allowing DNS servers to operate behind NetScreen 500

From: Reckhard, Tobias (tobias.reckhard@secunet.com)
Date: 02/14/03

    From: "Reckhard, Tobias" <tobias.reckhard@secunet.com>
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 14 Feb 2003 08:58:41 +0100
    

    > On Thursday, February 13, 2003 3:39 AM, Rob Payne
    > [mailto:rnspayne@the-paynes.com] wrote:
    >
    > Nothing personal to anyone, but a lot of firewalls really need to get
    > these kinds of things right. If they do not, firewalls are going to
    > get in the way of (DNS) security when zones start getting signed.
    > (Rhetorical: Has anyone attempted to fit current DNS data plus
    > RSA/SHA1 keys and signatures in packets 512 datagrams long?)

    The question is when DNS RRs will ever get signed, if at all. The sheer
    amount of queries and number of records being requested, as well as the
    tremendous increase in payload due to signatures, appears to create very
    real, practical problems. See http://cr.yp.to/djbdns/forgery.html and
    http://cr.yp.to/talks/2003dnssec.pdf.

    Cheers,
    Tobias
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
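The size question raised in the thread (whether current DNS data plus RSA/SHA1 keys and signatures fit in 512-byte datagrams) can be answered by assembling the wire format and counting bytes. The following is an added example, not code from the original thread or from either poster. It builds a plain and a DNSSEC-signed A response and a DNSKEY response for a signed zone apex (ZSK plus KSK, each with an RRSIG), using constructed placeholder key and signature bytes of the correct length for RSA (signature length equals modulus length), and reports whether a server could deliver the message in UDP without setting TC and forcing a TCP retry. Zone names, key sizes, timestamps and the key tag are assumed sample values.

```python
"""Estimate DNS response sizes with and without DNSSEC records.

Added example (not from the mailing-list thread). Key material and
signatures are constructed placeholders of realistic length, not real
cryptography; the point is the byte count on the wire.
"""
import struct

CLASSIC_UDP_LIMIT = 512          # RFC 1035 UDP payload ceiling without EDNS0
TYPE_A, TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 1, 41, 46, 48
CLASS_IN = 1
ALG_RSASHA1 = 5                  # DNSSEC algorithm number for RSA/SHA-1


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels plus the root label."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def dnskey_rdata(modulus_bits, flags):
    """DNSKEY RDATA for an RSA key: flags, protocol=3, algorithm, then the
    RFC 3110 public-key encoding (exponent length, exponent, modulus).
    The modulus bytes are a constructed placeholder, not a real key."""
    exponent = b"\x01\x00\x01"                     # 65537
    return (struct.pack("!HBB", flags, 3, ALG_RSASHA1) + bytes([len(exponent)])
            + exponent + b"\xaa" * (modulus_bits // 8))


def rrsig_rdata(type_covered, signer, modulus_bits, labels):
    """RRSIG RDATA: fixed fields, signer name, signature. An RSA signature is
    as long as the key modulus. Timestamps and key tag are constructed values."""
    fixed = struct.pack("!HBBIIIH", type_covered, ALG_RSASHA1, labels,
                        3600, 0x3E5C0000, 0x3E4C0000, 12345)
    return fixed + encode_name(signer) + b"\xbb" * (modulus_bits // 8)


def build_a_response(qname, ips, signed, zsk_bits=1024):
    """Answer to an A query; with signed=True one RRSIG over the A RRset is added."""
    ancount = len(ips) + (1 if signed else 0)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, ancount, 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ip in ips:
        msg += rr(qname, TYPE_A, bytes(int(o) for o in ip.split(".")))
    if signed:
        zone = ".".join(qname.split(".")[1:])           # assume qname is one label below the apex
        labels = len([l for l in qname.split(".") if l])
        msg += rr(qname, TYPE_RRSIG, rrsig_rdata(TYPE_A, zone, zsk_bits, labels))
    return msg


def build_dnskey_response(zone, zsk_bits=1024, ksk_bits=2048, edns_udp_size=None):
    """Answer to a DNSKEY query at a signed zone apex: ZSK and KSK, plus an
    RRSIG made with each key. With edns_udp_size set, an EDNS0 OPT pseudo-RR
    advertising that buffer size is appended in the additional section."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, arcount)
    msg = header + encode_name(zone) + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    msg += rr(zone, TYPE_DNSKEY, dnskey_rdata(zsk_bits, flags=256))   # ZSK
    msg += rr(zone, TYPE_DNSKEY, dnskey_rdata(ksk_bits, flags=257))   # KSK (SEP bit set)
    labels = len([l for l in zone.split(".") if l])
    for bits in (zsk_bits, ksk_bits):
        msg += rr(zone, TYPE_RRSIG, rrsig_rdata(TYPE_DNSKEY, zone, bits, labels))
    if edns_udp_size:
        # OPT RR: root name, TYPE=OPT, the CLASS field carries the UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def udp_verdict(msg, udp_limit=CLASSIC_UDP_LIMIT):
    """How a server delivers this message over UDP for a client buffer of udp_limit."""
    if len(msg) <= udp_limit:
        return "fits"
    return "truncated: TC=1, client retries over TCP"


if __name__ == "__main__":
    ips = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]   # constructed sample data
    for label, msg in [("A, unsigned", build_a_response("www.example.com", ips, False)),
                       ("A, signed", build_a_response("www.example.com", ips, True)),
                       ("DNSKEY, signed", build_dnskey_response("example.com")),
                       ("DNSKEY, signed + EDNS0", build_dnskey_response("example.com", edns_udp_size=4096))]:
        print(f"{label:24s} {len(msg):4d} bytes  ->  {udp_verdict(msg)}")
```

The signed A answer still fits in 512 bytes, but the apex DNSKEY set with a 2048-bit KSK does not, so without EDNS0 the server must truncate and the resolver falls back to TCP port 53. A firewall that drops DNS/UDP datagrams larger than 512 bytes, strips the OPT record, or blocks DNS over TCP therefore breaks resolution of signed zones rather than merely slowing it; the policy to check is that both EDNS0-sized UDP and TCP/53 are permitted to and from the resolver.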
