Re: [fw-wiz] SCADA




We are speaking of an application proxy, not a DNS proxy, so there is no
good reason (well, none that come to mind immediately) to have the outside
domain and address space be resolvable from the client machine.

If we implement a DNS proxy, a well-behaving one *should* check if the
answer at least seems to be valid.

On Mon, Apr 27, 2009 at 02:05:33PM -0400, Dotzero wrote:
> On Mon, Apr 27, 2009 at 1:09 PM, Jim Seymour <jseymour@xxxxxxxxxxx> wrote:
>> Dotzero <dotzero@xxxxxxxxx> wrote:
>>> [snip]
>>>
>>> or DNS
>>
>> So-called "Janus DNS" solves this.  First described in print in
>> Cheswick & Bellovin's "Firewalls and Internet Security: Repelling
>> the Wily Hacker," I believe.
>
> It's not just executable code. I do a DNS lookup to find out where to
> connect to. The proxy passes the answer. It does not guarantee the
> answer is correct. And for those who would point to DNSSEC, how many
> domains currently sign? When will the root sign? When will .com sign?
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
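
Added example, not part of the original thread: one reading of a DNS proxy checking that an answer "at least seems to be valid" is a structural comparison of the reply against the query it forwarded. The function names, the choice of checks and the sample packets are assumptions made here; passing these checks shows only that the reply is well-formed and matches the query, not that the address in it is correct.

```python
import struct

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (lowercased name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end  # resume after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def check_response(query, response):
    """Return the reasons a reply does not fit the query (empty list = plausible)."""
    problems = []
    try:
        qid, _, qqd = struct.unpack("!HHH", query[:6])
        rid, rflags, rqd, ran = struct.unpack("!HHHH", response[:8])
        if rid != qid:
            problems.append("transaction id mismatch")
        if not rflags & 0x8000:
            problems.append("QR bit not set")
        if rqd != 1 or qqd != 1:
            return problems + ["question count is not 1"]
        qname, qoff = read_name(query, 12)
        rname, roff = read_name(response, 12)
        if (qname, query[qoff:qoff + 4]) != (rname, response[roff:roff + 4]):
            problems.append("question section does not echo the query")
        off = roff + 4
        for _ in range(ran):                       # walk each answer record
            _, off = read_name(response, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
            off += 10 + rdlen
            if off > len(response):
                problems.append("answer record runs past end of message")
    except (IndexError, struct.error, ValueError, UnicodeDecodeError):
        return ["malformed message"]
    return problems

# Constructed sample packets: a query for example.test A/IN and a matching reply (192.0.2.10).
QUERY = bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x04test\x00\x00\x01\x00\x01"
REPLY = (bytes.fromhex("1a2b81800001000100000000") + b"\x07example\x04test\x00\x00\x01\x00\x01"
         + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a")
```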