Firewalls That Check DNS Entries?
Stonefish asks: "I was wondering if there is a firewall or packet filter that only allows traffic from the internal network to external networks if the host has an entry in DNS. Currently the network that I administer uses a bootptab file with MAC addresses. I would like to get to the stage where DHCP gets a request from a valid MAC address, adds the entries to DNS, and the firewall checks outgoing packets for a valid DNS entry; it is simple but not foolproof. Currently in most organisations there is either an all-or-nothing approach to networking. As newer DNS implementations are incorporating public keys, other methods that incorporate a more secure DNS->firewall interaction are possible and equally obvious."
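The chain the question describes (bootptab-style MAC list, DHCP publishing a DNS entry per lease, firewall checking the source address against DNS) as a runnable model. This is an added example, not code from the question or from any product; the authorized MAC, the address pool, the hostnames and the rogue MAC are all constructed, and the DHCP server, DNS zone and packet filter are in-memory dictionaries rather than real services. It also shows the "not foolproof" part: a rogue host that statically configures a leased address passes a check that only looks at the IP, and the only way to catch it is a filter that can also see the sender's MAC, i.e. one on the same L2 segment.

```python
"""Toy model of the scheme in the question: a bootptab-style list of authorized
MACs, a DHCP server that publishes A and PTR records for each lease, and a
firewall that lets a packet out only if its source IP has a matching DNS entry.

Added example, not part of the original post. Everything here is constructed
in memory: no real DHCP server, DNS zone or packet filter is touched.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Network:
    authorized_macs: set                          # stands in for the bootptab
    leases: dict = field(default_factory=dict)    # MAC -> IP
    forward: dict = field(default_factory=dict)   # hostname -> IP (A record)
    reverse: dict = field(default_factory=dict)   # IP -> hostname (PTR record)
    pool: list = field(default_factory=lambda: [f"10.0.0.{i}" for i in range(10, 20)])

    def dhcp_request(self, mac, hostname):
        """Lease an address to a known MAC and publish its A and PTR records."""
        mac = mac.lower()
        if mac not in self.authorized_macs or not self.pool:
            return None                        # unknown hardware or pool exhausted
        if mac in self.leases:
            return self.leases[mac]            # renewal: keep the existing address
        ip = self.pool.pop(0)
        self.leases[mac] = ip
        self.forward[hostname] = ip
        self.reverse[ip] = hostname
        return ip

    def dhcp_release(self, mac):
        """Drop the lease and withdraw both DNS records."""
        ip = self.leases.pop(mac.lower(), None)
        if ip is None:
            return False
        self.forward.pop(self.reverse.pop(ip), None)
        self.pool.append(ip)
        return True

    def allow_outbound(self, src_ip):
        """The firewall rule from the question: permit only forward-confirmed
        sources, i.e. PTR(src) exists and A(PTR(src)) == src."""
        try:
            ipaddress.ip_address(src_ip)
        except ValueError:
            return False
        hostname = self.reverse.get(src_ip)
        return hostname is not None and self.forward.get(hostname) == src_ip

    def allow_outbound_with_lease(self, src_ip, src_mac):
        """Stronger variant, only possible when the filter sits on the same L2
        segment and can see the sender's MAC: the IP must also be the lease
        currently held by that MAC."""
        return self.allow_outbound(src_ip) and self.leases.get(src_mac.lower()) == src_ip


def demo():
    net = Network(authorized_macs={"00:11:22:33:44:55"})  # constructed MAC
    r = {}
    r["lease"] = net.dhcp_request("00:11:22:33:44:55", "ws1.example.internal")
    r["rogue_lease"] = net.dhcp_request("de:ad:be:ef:00:01", "rogue")  # not in bootptab
    r["valid"] = net.allow_outbound("10.0.0.10")        # leased host: allowed
    r["unlisted"] = net.allow_outbound("10.0.0.11")     # no DNS entry: dropped
    # The "not foolproof" part: a rogue host that statically configures ws1's
    # address passes the DNS-only check, because the check sees only the IP.
    r["spoofed_dns_only"] = net.allow_outbound("10.0.0.10")
    r["spoofed_with_lease"] = net.allow_outbound_with_lease("10.0.0.10", "de:ad:be:ef:00:01")
    # Releasing the lease withdraws the records, so the address stops passing.
    r["released"] = (net.dhcp_release("00:11:22:33:44:55"), net.allow_outbound("10.0.0.10"))
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The DNS-only check is the "forward-confirmed reverse DNS" test: the source address must have a PTR record, and the name in that PTR must resolve back to the same address. In a real deployment the two dictionaries would be dynamic-DNS updates from the DHCP server, and the filter would query the resolver; the weakness shown by `spoofed_dns_only` is the same either way.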
On Mac Addresses (Score:1)
If you're talking on a LAN, that's still probably a bad idea. If you ever become a large organization and get several DNS servers, multiple-level firewalls and the like... what happens if a machine goes down and you have to switch network cards? You have to change a whole bunch of access lists.
Also, such a setup requires tons of documentation; what happens if you quit your job? The next guy is going to get screwed by this.
Several options (Score:3)
I guess you want to enable some kind of authentication so only a limited number of people can get outside? Then authenticate the people, not their hardware (PCs, identified by the MAC address). For a number of protocols (esp. HTTP and SMTP) there are good standard authentication models (HTTP basic authentication on the proxy for example) you can use on proxy or SMTP servers for this purpose. Then only allow the mail and proxy servers to go out through the firewall.
A second method will involve firewalls that support user-, session- or link-authentication for known and/or unknown protocols. The latter usually requires authenticating on a special telnet session or web site on the firewall itself: as long as the (telnet) session is open, the firewall allows packets from the same IP address through. Nearly all commercial firewalls support at least one of these authentication methods.
Basic question here: what do you want to protect/authenticate, and how strong/circumventable should the authentication mechanism be?
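The second method in the post above (a user authenticates on a telnet or web session to the firewall, and the firewall passes packets from that source IP for as long as the session is open) as a runnable model. This is an added example, not code from the post or from any firewall product; the user database, the session timeout, the addresses and the injectable clock are all constructed so the example runs offline. It includes the caveat the post's wording implies: the permission is bound to the IP address, not to the person, so anything that emits packets with that source address while the session is open inherits it.

```python
"""Model of session-authenticated outbound filtering as described in the post
above: a user logs in to the firewall, and packets from the session's source IP
are passed only while that session stays open.

Added example, not from the post or any product. The credential store, session
store and clock are all constructed in memory.
"""
import hmac
import time


class SessionAuthFirewall:
    def __init__(self, users, session_ttl=900, clock=time.monotonic):
        self._users = users          # username -> password (constructed; store hashes in practice)
        self._sessions = {}          # source IP -> (username, expiry time)
        self._ttl = session_ttl      # seconds a session stays valid after login
        self._clock = clock          # injectable so the demo can advance time deterministically

    def login(self, src_ip, username, password):
        """Open a session bound to the client's source IP."""
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return False
        self._sessions[src_ip] = (username, self._clock() + self._ttl)
        return True

    def logout(self, src_ip):
        """Closing the telnet/web session ends the permission immediately."""
        return self._sessions.pop(src_ip, None) is not None

    def allow_outbound(self, src_ip):
        """Packet filter decision: pass only if an unexpired session is bound to src_ip."""
        entry = self._sessions.get(src_ip)
        if entry is None:
            return False
        _, expiry = entry
        if self._clock() >= expiry:
            del self._sessions[src_ip]       # timed out: session is gone
            return False
        return True

    def authenticated_user(self, src_ip):
        """Who the firewall believes is behind src_ip (for logging), or None."""
        entry = self._sessions.get(src_ip)
        return entry[0] if entry else None


class FakeClock:
    """Constructed clock so the example runs offline with predictable timing."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    fw = SessionAuthFirewall({"alice": "correct horse"}, session_ttl=600, clock=clock)
    r = {}
    r["before_login"] = fw.allow_outbound("192.0.2.10")
    r["bad_password"] = fw.login("192.0.2.10", "alice", "wrong")
    r["login"] = fw.login("192.0.2.10", "alice", "correct horse")
    r["after_login"] = fw.allow_outbound("192.0.2.10")
    r["other_host"] = fw.allow_outbound("192.0.2.11")   # no session for this IP
    # Caveat: the binding is to the IP, not the person. Any packet carrying
    # 192.0.2.10 as its source while the session is open rides on it.
    r["user_seen"] = fw.authenticated_user("192.0.2.10")
    clock.now = 599
    r["just_before_expiry"] = fw.allow_outbound("192.0.2.10")
    clock.now = 600
    r["at_expiry"] = fw.allow_outbound("192.0.2.10")
    r["relogin"] = fw.login("192.0.2.10", "alice", "correct horse")
    r["logout"] = (fw.logout("192.0.2.10"), fw.allow_outbound("192.0.2.10"))
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The timeout matters as much as the login: without it, a forgotten telnet session leaves the address open indefinitely. The proxy-based first method in the post avoids the IP binding entirely, since every HTTP or SMTP request carries its own credentials.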
Re:Several options (Score:2)
I.e., you can create rules that will effectively be based on MAC address, since MetaIP can tell the firewall what IP is assigned to that MAC address. Of course you could create DNS-based rules without MetaIP, so that one's a gimme.
-earl
Re:FP (Score:1)
That requires as much skill as beating up a 'tard.
try freesco (Score:2)
Re:MAC Addresses (Score:1)