Wednesday, April 14, 2010

firewall-wizards Digest, Vol 48, Issue 2

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: DNS Names for external services (Bruce B. Platt)
2. Re: DNS Names for external services (Henri Salo)
3. Re: DNS Names for external services (Jim Seymour)


----------------------------------------------------------------------

Message: 1
Date: Tue, 13 Apr 2010 17:30:07 -0400
From: "Bruce B. Platt" <bruce@ei3.com>
Subject: Re: [fw-wiz] DNS Names for external services
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <02cc01cadb50$7d4c4ee0$77e4eca0$@com>
Content-Type: text/plain; charset="us-ascii"


Among other things, Paul said:

Snip ...


What's a bigger burden, your support costs or your security costs? If
your VPN is attackable, because of weak userid-passwords or other flaws,
it'll be attacked sooner or later- if you've done your job, then flaws
won't be exploitable and the name doesn't matter- if you've done a poor
implementation or selection job, then all you're doing by hiding is
postponing the inevitable.

Paul

...

I agree. I also support using non-eponymous names. Rather than
vpnserver.company.com, something like bart.company.com can be remembered,
but does not immediately tell anyone what the machine might do. So a little
obscurity may help.

Or, make the server as impregnable as possible first, then give it a name
people can remember, then watch to see if people try to bust in or
compromise it.

Bruce


------------------------------

Message: 2
Date: Tue, 13 Apr 2010 22:36:14 +0300
From: Henri Salo <henri@nerv.fi>
Subject: Re: [fw-wiz] DNS Names for external services
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20100413223614.7d4cc4b0@foo.fgeek.fi>
Content-Type: text/plain; charset=US-ASCII

On Tue, 13 Apr 2010 11:16:06 -0500
"Behm, Jeff" <jbehm@burnsmcd.com> wrote:

> Just curious, what are your opinions of the security vs. ease of use
> trade-offs on putting DNS entries in (vs. making people know/use an
> IP address) for services you expose to the Internet.
>
> For example,
>
> webmail.companynamehere.com for your webmail service
>
> www.companynamehere.com for your web site
>
> The two above are typically common and don't cause me much concern.
> What about this next one?
>
> vpn.companynamehere.com for your employees to access your company's
> VPN server
>
> It's this last one that really begs the question. Should I just as
> well use the name "attackmehere.companynamehere.com" rather than
> vpn.companynamehere.com. I searched around on the Internet, but
> couldn't really find pros and cons...
>
> Just looking for opinions. There are no "right" answers ;-)
>
> Jeff

Please use domain example.com in your examples. Domain
companynamehere.com is registered.

---
Henri Salo


------------------------------

Message: 3
Date: Tue, 13 Apr 2010 16:22:22 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] DNS Names for external services
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <20100413202222.84B71B1A@jimsun.linxnet.com>

> From: "Behm, Jeff" <jbehm@burnsmcd.com>
> To: Firewall Wizards Security Mailing List
> <firewall-wizards@listserv.icsalabs.com>
> Date: Tue, 13 Apr 2010 11:16:06 -0500
> Subject: [fw-wiz] DNS Names for external services
>
> Just curious, what are your opinions of the security vs. ease of use
> trade-offs on putting DNS entries in (vs. making people know/use an
> IP address) for services you expose to the Internet.
[snip]

I believe there's nothing significant to be gained by such
obfuscation.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.


------------------------------


End of firewall-wizards Digest, Vol 48, Issue 2
***********************************************

1 comment:

Lisa Valentine said...

Speaking of firewalls, here's a helpful resource for IT depts considering blocking social media apps on the enterprise network. It's a whitepaper called “To Block or Not. Is that the question?”

http://bit.ly/9f8WOT

It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, SharePoint, etc.)