On 1/17/08, Joe Greco <[EMAIL PROTECTED]> wrote:
>
> Wow, as far as I can tell, you've pretty much condemned most firewall
> software and devices then, because I'm really not aware of any serious
> ones that will successfully implement rules such as "allow from
> 123.45.67.0/24" via DNS. Besides, if you've gone to the trouble of
> acquiring your own address space, it is a reasonable assumption that
> you'll be able to rely on being able to tack down services in that
> space. Being expected to walk through every bit of equipment and
> reconfigure potentially multiple subsystems within it is unreasonable.
>
> Taking, as one simple example, an older managed ethernet switch, I see
> the IP configuration itself, the SNMP configuration (both filters and
> traps), the ACL's for management, the time server IP, etc. I guess if
> you feel that Bay Networks equipment was a bad buy, you're welcome to
> that opinion. I can probably dig up some similar Cisco gear.
>
> ... JG
Agreed. I'd see a huge security hole in letting someone put host.somewhere.net in a firewall rule in a PIX/ASA/etc. as opposed to an IP, especially since it's rare to see DNSSEC in production.

-brandon
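To make the hole Brandon describes concrete, here is an added example (my own illustration, not code from anyone in the thread or from any firewall vendor) that simulates a packet filter's "allow from" rules with a pluggable resolver. It contrasts Joe's address-based rule ("allow from 123.45.67.0/24") with a hostname rule that is re-resolved on every evaluation, a hostname rule pinned to the addresses seen at load time, and a hostname rule that only accepts DNSSEC-validated answers. The resolver, the zone contents, the spoofed answer and the candidate source addresses are all constructed for the demonstration; nothing here touches the network.

```python
"""Hostname-based vs address-based firewall rules under a forged DNS answer.

Added example, not code from the original thread. It simulates a packet
filter's "allow from" rules with a pluggable resolver so the effect of a
spoofed DNS answer can be shown offline. Every name, address and DNS answer
here is constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    """What a resolver hands back; `authenticated` models the AD bit a
    DNSSEC-validating resolver sets on answers it has verified."""
    addresses: list
    authenticated: bool = False


class Resolver:
    """Stand-in for the firewall's stub resolver: answers come from a dict
    standing in for whatever server (or attacker) answered the query."""
    def __init__(self, zone):
        self.zone = zone

    def lookup(self, name):
        return self.zone.get(name, DnsAnswer([]))


class ValidatingResolver(Resolver):
    """Discards any answer that was not DNSSEC-validated (no AD bit)."""
    def lookup(self, name):
        ans = super().lookup(name)
        return ans if ans.authenticated else DnsAnswer([])


class PrefixRule:
    """allow from 123.45.67.0/24: fixed at configuration time, DNS plays no part."""
    def __init__(self, prefix):
        self.network = ipaddress.ip_network(prefix)

    def matches(self, src, resolver):
        return ipaddress.ip_address(src) in self.network


class HostnameRule:
    """allow from host.somewhere.net, re-resolved at every evaluation: whoever
    controls the DNS answer controls who the rule admits."""
    def __init__(self, name):
        self.name = name

    def matches(self, src, resolver):
        allowed = {ipaddress.ip_address(a) for a in resolver.lookup(self.name).addresses}
        return ipaddress.ip_address(src) in allowed


class PinnedHostnameRule:
    """Resolve once when the rule is loaded and keep the addresses (iptables
    does this when handed a hostname). A later forged answer changes nothing,
    but renumbering the host means reloading the rule, which is exactly the
    reconfiguration cost Joe describes."""
    def __init__(self, name, resolver):
        self.name = name
        self.pinned = {ipaddress.ip_address(a) for a in resolver.lookup(name).addresses}

    def matches(self, src, resolver):
        return ipaddress.ip_address(src) in self.pinned


def allowed_sources(rules, candidates, resolver):
    """Candidate source addresses that at least one rule permits, in address order."""
    hits = [src for src in candidates if any(r.matches(src, resolver) for r in rules)]
    return sorted(hits, key=ipaddress.ip_address)


# Constructed data: the legitimate (validated) answer and an attacker's forgery
# pointing the name at a host outside the site's address space.
LEGIT_ZONE = {"host.somewhere.net": DnsAnswer(["123.45.67.10"], authenticated=True)}
SPOOFED_ZONE = {"host.somewhere.net": DnsAnswer(["198.51.100.7"])}
CANDIDATES = ["123.45.67.10", "123.45.67.200", "198.51.100.7"]

if __name__ == "__main__":
    name = "host.somewhere.net"
    pinned = PinnedHostnameRule(name, Resolver(LEGIT_ZONE))
    for label, rules, resolver in [
        ("hostname rule, honest DNS  ", [HostnameRule(name)], Resolver(LEGIT_ZONE)),
        ("hostname rule, spoofed DNS ", [HostnameRule(name)], Resolver(SPOOFED_ZONE)),
        ("hostname rule, DNSSEC only ", [HostnameRule(name)], ValidatingResolver(SPOOFED_ZONE)),
        ("pinned at load, spoofed DNS", [pinned], Resolver(SPOOFED_ZONE)),
        ("prefix rule, spoofed DNS   ", [PrefixRule("123.45.67.0/24")], Resolver(SPOOFED_ZONE)),
    ]:
        print(label, allowed_sources(rules, CANDIDATES, resolver))
```

The dynamically resolved rule admits the attacker's 198.51.100.7 as soon as the forged answer arrives, the prefix rule and the load-time pinned rule are unaffected, and the validating resolver admits nothing because the forgery carries no AD bit, which is only a defence where DNSSEC is actually deployed end to end. A real firewall also caches answers for their TTL, so the window in which a poisoned answer governs an ACL can be far longer than a single packet.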
