NFR Wizards Archive

RE: DNS -vs- the firewall: security thoughts


Joe Ippolito (joejoesnet.com)
Thu, 12 Mar 1998 23:10:01 -0800


I do about the same, but everyone gets access by NT Domain group
membership, Web, ftp, and a few telnet. Only the proxy gets access through
the Firewall. The only bad part is that they must use IE since Netscape is
missing the NTLM piece. We really do owe Bill a few complaints about that
one. The only way Netscape will work is if you let anyone use the proxy
and that just isn't going to happen. The really good part is that every
stinking URI gets logged to SQL server by username. There is no way of
getting away with violating the acceptable use policy. The other great
part is that we really don't care what address they get from the DHCP
server. It is almost as easy as IPX without the noise.

-----Original Message-----
From: Bennett Todd [SMTP:betrahul.net]
Sent: Thursday, March 12, 1998 1:13 PM
To: joejoesnet.com
Cc: firewall-wizardsnfr.net
Subject: Re: DNS -vs- the firewall: security thoughts

On Thu, Mar 12, 1998 at 07:39:58AM -0800, Joe Ippolito wrote:
> It sounds like you are doing a protocol conversion which takes a special
> Winsock.

I see no winsocks here. Windows neither. I Don't Do Windows.

What we have is web browsers. When you tell a web browser to use a proxy
at such and so port on whatchamacallit machine (visible on the inside
net) it passes the URLs, hostname and all, to the proxy and lets it do
any lookups and whatnot --- the presumption is that whether the client
can or can't look up the host, it can't reach that IP address anyway.

We have email clients. They just toss their traffic at the nearest
in-house Mail Transport Agent (MTA). The MTAs are configured so if they
can't look up a hostname, they toss it at the firewall and let it take a
bash at it.

We have a very small handful of users who do telnetting or ftp-ing out
--- they have to telnet or ftp to the firewall, authenticate themselves
to the proxy there, then tell the proxy the name of the host they want
to connect to.

-Bennett
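The two posts above describe the same proxy-centric design from different angles: the browser hands the proxy a full URL (hostname included) so only the proxy ever needs to resolve outside names, and the proxy refuses anyone who has not authenticated while logging every URI against the username. The following is an added example, not code from either poster or from NFR, that models that request handling in Python. It assumes HTTP Basic proxy credentials as a stand-in for the NTLM authentication Joe mentions, and a constructed in-memory name table (using RFC 5737 documentation addresses) in place of real DNS.

```python
import base64
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit

# Constructed stand-in for the proxy's own name lookup. Only the proxy host
# resolves outside names; the browser behind it never does (assumption: a
# real deployment would call the firewall-side resolver here).
FAKE_DNS: Dict[str, str] = {
    "www.example.com": "192.0.2.10",   # RFC 5737 documentation address (constructed)
    "ftp.example.net": "192.0.2.21",
}


def fake_resolver(hostname: str) -> Optional[str]:
    return FAKE_DNS.get(hostname.lower())


@dataclass
class ProxyDecision:
    username: Optional[str]
    host: Optional[str]
    port: Optional[int]
    resolved_ip: Optional[str]
    allowed: bool
    reason: str
    log_line: str      # one record per URI, keyed by username, as Joe describes


def build_request(method: str, target: str, username: str = "", password: str = "") -> bytes:
    """Build the request a proxy-configured browser sends: an absolute URI
    (or host:port for CONNECT), not a bare path, so the proxy sees the hostname."""
    lines = [f"{method} {target} HTTP/1.0"]
    if username:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")   # Basic stands in for NTLM (assumption)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def _username_from_basic(auth_header: Optional[str]) -> Optional[str]:
    if not auth_header or not auth_header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:].strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def handle_proxy_request(raw: bytes,
                         resolver: Callable[[str], Optional[str]] = fake_resolver) -> ProxyDecision:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target = rest.rsplit(" ", 1)[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    username = _username_from_basic(headers.get("proxy-authorization"))

    # Where the hostname lives: CONNECT carries host:port, everything else an absolute URI.
    if method.upper() == "CONNECT":
        host, _, port_text = target.rpartition(":")
        port: Optional[int] = int(port_text) if port_text.isdigit() else None
    else:
        parts = urlsplit(target)
        host = parts.hostname
        port = parts.port or {"http": 80, "https": 443, "ftp": 21}.get(parts.scheme)

    def decide(allowed: bool, reason: str, ip: Optional[str] = None) -> ProxyDecision:
        verdict = "ALLOW" if allowed else "DENY"
        log_line = (f"user={username or '-'} method={method} target={target} "
                    f"host={host or '-'} ip={ip or '-'} result={verdict} reason={reason}")
        return ProxyDecision(username, host, port, ip, allowed, reason, log_line)

    # "Let anyone use the proxy" is exactly what is not going to happen: no credentials, no outbound.
    if username is None:
        return decide(False, "no proxy credentials")
    if not host or port is None:
        return decide(False, "malformed target")
    # The lookup happens here, on the proxy, never on the inside client.
    ip = resolver(host)
    if ip is None:
        return decide(False, "unresolvable host")
    return decide(True, "ok", ip)


if __name__ == "__main__":
    for req in (build_request("GET", "http://www.example.com/index.html", "joe", "secret"),
                build_request("GET", "http://www.example.com/"),
                build_request("CONNECT", "www.example.com:443", "joe", "secret")):
        print(handle_proxy_request(req).log_line)
```

The client side of this exchange never needs a resolver for outside names, which is the point Bennett makes: even if the browser could look the host up, it has no route to the address, so the hostname travels inside the request and the lookup is the proxy's job. Tying the decision to an authenticated username is what makes the resulting log useful for acceptable-use review, and it is also the reason the unauthenticated request is refused outright rather than passed through anonymously.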



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:40 CDT