> I have an increasing number of users who want matching forward and reverse
> DNS records because they're using ftp and telnet to external sites that
> require it. This is a minor administrative hassle (DHCP reservations where
> I'd ordinarily have them dip into the pool), but from a security standpoint
> I'd rather minimize the amount of info about internal systems I advertise
> via DNS. These users generally have defensible business needs for the
> access.
Most people do a split-horizon DNS where there are multiple versions of DNS.
Only that which is necessary is published on the external DNS server and
your internal DNS server contains more information. I do this at home. :-)
> What can Firewall-1 do for me to spare me the administrative hassle or to
> minimize the amount of internal info I'd need to list in DNS? For example,
> can FW-1 help me implement some sort of ftp proxy server, where the proxy
> has matching DNS forward/reverse entries?
FireWall-1 does have an FTP proxy, but you would have to authenticate the
users going out. It's generally a pain to use if you don't have to. Probably
the easiest thing to implement would be a HIDE NAT whereby all of your users
appear to be coming from the external interface of your firewall. This is
relatively painless to set up and far more transparent to the end user. This
assumes, of course, your DNS server has an entry for your firewall, but that
should be relatively easy to fix.
In your Address Translation rulebase, you could add a rule that looks like
this:
                     Original                      Translated
  Src                Dst     Svc        Src           Dst    Svc
  internal-networks  any     ftp        firewall(h)   orig   orig
Theoretically, you could also leave the service as "any" and translate out
for all services. You could also translate all users to a different external
IP address. However, that requires more setup. Go visit my web site if you
want to go down that road.
--
Dameon D. Welch-Abernathy a.k.a. "PhoneBoy"
[EMAIL PROTECTED] http://www.phoneboy.com
The views expressed herein are not necessarily those of anyone else.
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
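The point of the thread is the forward-confirmed reverse DNS check that those external FTP/telnet servers perform, and why a HIDE NAT behind a firewall address that does have matching records satisfies it. The following is an added example, not code from the thread or from Check Point: it models an external DNS view with constructed records (only the firewall's address `203.0.113.10` / `fw.example.com` is published, the `10.0.0.0/8` internal hosts are not, and `198.51.100.5` is a deliberately mismatched pair) and applies the check before and after the hide NAT.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against a constructed
external DNS view, plus a model of the HIDE NAT rule from the thread."""
import ipaddress

# Constructed external-view records. Internal 10/8 hosts are absent on
# purpose, as split-horizon DNS recommends; 198.51.100.5 has a PTR whose
# name resolves to a different address, so it must fail the check.
PTR_RECORDS = {
    "203.0.113.10": "fw.example.com",
    "198.51.100.5": "host.example.com",
}
A_RECORDS = {
    "fw.example.com": ["203.0.113.10"],
    "host.example.com": ["198.51.100.6"],
}

def reverse_lookup(ip, ptr_table=PTR_RECORDS):
    """PTR name for ip, or None when no reverse record is published."""
    return ptr_table.get(ip)

def forward_lookup(name, a_table=A_RECORDS):
    """List of A records for name (empty when unpublished)."""
    return a_table.get(name, [])

def forward_confirmed(ip, ptr_table=PTR_RECORDS, a_table=A_RECORDS):
    """Return (ok, detail): ok only when ip -> PTR -> A leads back to ip."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False, "not an IP address"
    name = reverse_lookup(ip, ptr_table)
    if name is None:
        return False, "no PTR record"
    if ip not in forward_lookup(name, a_table):
        return False, f"PTR {name} does not resolve back to {ip}"
    return True, name

def hide_nat(src_ip, internal_nets=("10.0.0.0/8",), fw_external="203.0.113.10"):
    """Model the HIDE NAT rule: internal sources leave as the firewall's
    external address; anything else is passed through unchanged."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(net) for net in internal_nets):
        return fw_external
    return src_ip

if __name__ == "__main__":
    for src in ("10.1.2.3", "203.0.113.10", "198.51.100.5"):
        print(src, forward_confirmed(src), "via NAT:", forward_confirmed(hide_nat(src)))
```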