Firewalls That Check DNS Entries?

Stonefish asks: "I was wondering if there is a firewall or packet filter that only allows traffic from the internal network to external networks if the host has an entry in DNS. Currently the network that I administer uses a bootptab file with MAC addresses. I would like to get to the stage where DHCP gets a request from a valid MAC address, adds the entries to DNS and the firewall checks outgoing packets for a valid DNS entry; it's simple but not foolproof. Currently in most organisations there is an all-or-nothing approach to networking. As newer DNS implementations are incorporating public keys, other methods that incorporate a more secure DNS->firewall interaction are possible and equally obvious."
  • Making certain that the DNS server is really who it says it is is probably not a good idea. On the internet, the last router on your hop gets the MAC address for the packets. Imagine someone swapping routers! Everything goes haywire.

    If you're talking on a LAN, that's still probably a bad idea. If you ever become a large organization and get several DNS servers, multiple-level firewalls and the like, what happens if a machine goes down and you gotta switch network cards? You have to change a whole bunch of access lists.

    Also, such a setup requires tons of documentation; what happens if you quit your job? The next guy is going to get screwed on this.

  • Yowza. I find this hard to recommend, especially with all the security exploits for Firewall-1 as of recent.
  • by yabHuj ( 10782 ) on Thursday November 02, 2000 @02:15AM (#655725) Homepage
    While there are firewalls supporting this option (e.g. CheckPoint's Firewall-1) it is not considered to be a good idea as DNS is comparatively easy to compromise. Use IP addresses instead of DNS for the rulebase and real authentication mechanisms for authentication.

    I guess you want to enable some kind of authentication so only a limited number of people can get outside? Then authenticate the people, not their hardware (PCs, identified by the MAC address). For a number of protocols (esp. HTTP and SMTP) there are good standard authentication models (HTTP basic authentication on the proxy for example) you can use on proxy or SMTP servers for this purpose. Then only allow the mail and proxy servers to go out through the firewall.

    A second method will involve firewalls that support user-, session- or link-authentication for known and/or unknown protocols. The latter usually requires authenticating on a special telnet session or web site on the firewall itself: as long as the (telnet) session is open, the firewall allows packets from the same IP address through. Nearly all commercial firewalls support at least one of these authentication methods.

    Basic question here: what do you want to protect/authenticate and how strong/circumventable shall the authentication mechanism be?
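A toy model of the pipeline Stonefish describes (DHCP leases only to known MAC addresses, publishes A and PTR records, and the firewall checks an outgoing packet's source address against DNS), combined with the caution in the answer above that DNS is comparatively easy to compromise: the egress check does a forward-confirmed reverse lookup rather than trusting the PTR record alone, so a forged PTR that names a legitimate host is rejected. This is an added example, not code from the original thread or from any product mentioned in it; the MAC table, lease addresses and zone contents are constructed, and the in-memory `Dns` class stands in for a real name server.

```python
"""Toy DHCP -> DNS -> firewall egress pipeline (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed bootptab-style allowlist: MAC address -> host name.
KNOWN_MACS: Dict[str, str] = {
    "00:11:22:33:44:55": "ws-alice",
    "66:77:88:99:aa:bb": "ws-bob",
}


@dataclass
class Dns:
    """Stand-in for the internal zone: forward A records and reverse PTR records."""
    a: Dict[str, str] = field(default_factory=dict)    # name -> IPv4 address
    ptr: Dict[str, str] = field(default_factory=dict)  # IPv4 address -> name

    def register(self, name: str, ip: str) -> None:
        """Publish both directions, as a DHCP/DNS integration would do on lease."""
        self.a[name] = ip
        self.ptr[ip] = name


def dhcp_lease(dns: Dns, mac: str, ip: str) -> Optional[str]:
    """DHCP step: lease only to a known MAC, then add the host to DNS.

    Returns the host name that was registered, or None if the MAC is unknown
    (in which case nothing is published and the host stays invisible to DNS).
    """
    name = KNOWN_MACS.get(mac.lower())
    if name is None:
        return None
    dns.register(name, ip)
    return name


def has_confirmed_dns_entry(dns: Dns, src_ip: str) -> bool:
    """Firewall step: reverse lookup, then forward-confirm it.

    A PTR record alone is weak evidence because whoever controls the reverse
    zone for an address range can make it say anything. Requiring that the
    name's A record point back at the same address means both zones must agree.
    """
    name = dns.ptr.get(src_ip)
    if name is None:
        return False
    return dns.a.get(name) == src_ip


def egress_decision(dns: Dns, src_ip: str) -> str:
    """Allow outbound traffic only from forward-confirmed, DNS-registered hosts."""
    return "ALLOW" if has_confirmed_dns_entry(dns, src_ip) else "DENY"


if __name__ == "__main__":
    zone = Dns()
    dhcp_lease(zone, "00:11:22:33:44:55", "10.0.0.10")   # known MAC, gets published
    dhcp_lease(zone, "de:ad:be:ef:00:01", "10.0.0.99")   # unknown MAC, nothing published
    zone.ptr["10.0.0.77"] = "ws-alice"                   # constructed forged PTR record
    for ip in ("10.0.0.10", "10.0.0.99", "10.0.0.77"):
        print(ip, egress_decision(zone, ip))
```

Note what the check does and does not establish: it ties an address to a name that both zones agree on, which is an inventory property of the address, not an identity for the person at the keyboard. That is the gap the answer above closes by authenticating users at a proxy or on the firewall itself.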
  • Yeah, CheckPoint FW-1 handles these things pretty well, especially in combination with their MetaIP product. I'll let CheckPoint toot their own horn, but the bottom line is that MetaIP integrates your DNS with your DHCP, and from there you can create firewall rules based on data from the MetaIP system.
    I.e. you can create rules that will effectively be based on MAC address, since MetaIP can tell the firewall what IP is assigned to that MAC address. Of course you could create DNS-based rules without MetaIP, so that one's a gimme.

    -earl

  • "Frist Pist" on a non-front-page story? Oh please.

    That requires as much skill as beating up a 'tard.

  • www.Freesco.com
  • A router does not actually use a MAC address, it uses IP addresses..... and perhaps sticking a router in front of your firewall might help, because a router can act as a natural firewall.....
