Tuesday, April 28, 2009

firewall-wizards Digest, Vol 36, Issue 38

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: SCADA (Dotzero)
2. Re: SCADA (Paul D. Robertson)
3. Re: SCADA (Jim Seymour)
4. Re: SCADA (Dotzero)
5. Re: SCADA (Paul D. Robertson)
6. Re: SCADA (ArkanoiD)


----------------------------------------------------------------------

Message: 1
Date: Mon, 27 Apr 2009 12:15:41 -0400
From: Dotzero <dotzero@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: mjr@ranum.com
Message-ID:
<7ae58c220904270915q472fbf3did857a99764eb259@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Apr 27, 2009 at 4:23 AM, Arthur Clune <arthur@clune.org> wrote:
>
> On 23 Apr 2009, at 22:18, R. DuFresne wrote:
>
>> Similar point to broader corporate network security, do not let insecure
>> protocols pass the perimeter.
>
>
> Good luck blocking http at the perimeter.
>
>

or DNS


------------------------------

Message: 2
Date: Mon, 27 Apr 2009 12:42:56 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904271242130.8138-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 27 Apr 2009, Dotzero wrote:

> or DNS

Actually, if you're using a proxy server, it's trivial to block DNS at the
perimeter. The proxy is the only system that needs to be able to resolve
external domains.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 3
Date: Mon, 27 Apr 2009 13:09:22 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] SCADA
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20090427170922.0E71BE158@jimsun.linxnet.com>


Dotzero <dotzero@gmail.com> wrote:
[snip]
>
> or DNS

So-called "Janus DNS" solves this. First described in print in
Cheswick & Bellovin's "Firewalls and Internet Security: Repelling
the Wily Hacker," I believe.

Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

Message: 4
Date: Mon, 27 Apr 2009 14:05:33 -0400
From: Dotzero <dotzero@gmail.com>
Subject: Re: [fw-wiz] SCADA
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<7ae58c220904271105k6ee8b527mbcf755019baf0ddf@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Apr 27, 2009 at 1:09 PM, Jim Seymour <jseymour@linxnet.com> wrote:
>
> Dotzero <dotzero@gmail.com> wrote:
> [snip]
>>
>> or DNS
>
> So-called "Janus DNS" solves this. First described in print in
> Cheswick & Bellovin's "Firewalls and Internet Security: Repelling
> the Wily Hacker," I believe.
>

It's not just executable code. I do a DNS lookup to find out where to
connect to. The proxy passes the answer. It does not guarantee the
answer is correct. And for those who would point to DNSSEC, how many
domains currently sign? When will the root sign? When will .com sign?


------------------------------

Message: 5
Date: Mon, 27 Apr 2009 16:11:21 -0400 (EDT)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904271609280.8138-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 27 Apr 2009, Dotzero wrote:

> It's not just executable code. I do a DNS lookup to find out where to
> connect to. The proxy passes the answer. It does not guarantee the

No, a proxy *keeps* the answer, it doesn't pass it to the client, which is
why it's the best answer- otherwise tunneling over DNS is trivial.

> answer is correct. And for those who would point to DNSSEC, how many
> domains currently sign? When will the root sign? When will .com sign?

If the proxy goes to the roots, then the only potential point of
compromise is the answering domain's DNS server- if you can pwn there, you
can probably pwn whatever it is that the client wants to get to. A very
minimal risk in my book.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
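
A small audit for the design Paul describes, added here as an illustration
and not something from the thread: under a proxy-only design, no internal
host except the proxy should ever send DNS (port 53) to an address outside
the site. The script parses iptables-style LOG lines from the perimeter
firewall and reports any host that does, which is either a misconfigured
client or one trying to resolve (or tunnel over) DNS directly. The proxy
address 10.0.0.5, the internal ranges and the log lines are all constructed
for the example.

```python
"""Egress audit: report internal hosts, other than the proxy, that sent DNS
(port 53) to an address outside the site.  Constructed example."""
import ipaddress
import re
from collections import defaultdict

# Assumed site layout (placeholders for this example): the proxy's address
# and the internal address ranges.  Adjust to the real network.
PROXY_ADDRS = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log lines in the format written by an iptables LOG target.
SAMPLE_LOG = """\
Apr 27 12:00:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.53 PROTO=UDP SPT=40001 DPT=53
Apr 27 12:00:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=198.51.100.53 PROTO=UDP SPT=51234 DPT=53
Apr 27 12:00:03 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=10.0.0.2 PROTO=UDP SPT=51235 DPT=53
Apr 27 12:00:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.3.17 DST=203.0.113.7 PROTO=TCP SPT=51236 DPT=53
Apr 27 12:00:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.4.9 DST=203.0.113.7 PROTO=UDP SPT=51237 DPT=53
Apr 27 12:00:06 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.4.9 DST=203.0.113.80 PROTO=TCP SPT=51238 DPT=443
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+) DST=(?P<dst>[0-9a-fA-F.:]+) "
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def is_internal(addr):
    """True if addr (text or ip_address object) lies in one of the site's ranges."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Extract src, dst, protocol and destination port from one LOG line.

    Returns None for lines that are not firewall LOG records."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def find_dns_egress_violations(log_text):
    """Map each offending internal host to the external resolvers it contacted."""
    violations = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] != 53:
            continue                 # not DNS traffic
        if is_internal(rec["dst"]):
            continue                 # the site's own resolver: allowed
        if rec["src"] in PROXY_ADDRS:
            continue                 # the proxy is the one host allowed out on 53
        src, dst = str(rec["src"]), str(rec["dst"])
        if dst not in violations[src]:
            violations[src].append(dst)
    return dict(violations)


if __name__ == "__main__":
    for host, resolvers in find_dns_egress_violations(SAMPLE_LOG).items():
        print(f"{host} sent DNS directly to {', '.join(resolvers)}")
```

The same logic applies to whatever the firewall actually logs; the regex is
the only part tied to the iptables LOG format. Hosts that show up here
repeatedly are the ones to look at first, since with the proxy holding the
answers there is no legitimate reason for a client to reach port 53 outside.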

------------------------------

Message: 6
Date: Tue, 28 Apr 2009 00:14:27 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] SCADA
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20090427201427.GA9712@eltex.net>
Content-Type: text/plain; charset=koi8-r


We are speaking of an application proxy, not a DNS proxy, so there is no
good reason (well, none that comes to mind immediately) to have outside
domain and address space resolvable from client machines.

If we implement a DNS proxy, a well-behaving one *should* check whether the
answer at least seems to be valid.

On Mon, Apr 27, 2009 at 02:05:33PM -0400, Dotzero wrote:
> On Mon, Apr 27, 2009 at 1:09 PM, Jim Seymour <jseymour@linxnet.com> wrote:
> >
> > Dotzero <dotzero@gmail.com> wrote:
> > [snip]
> >>
> >> or DNS
> >
> > So-called "Janus DNS" solves this. First described in print in
> > Cheswick & Bellovin's "Firewalls and Internet Security: Repelling
> > the Wily Hacker," I believe.
> >
>
> It's not just executable code. I do a DNS lookup to find out where to
> connect to. The proxy passes the answer. It does not guarantee the
> answer is correct. And for those who would point to DNSSEC, how many
> domains currently sign? When will the root sign? When will .com sign?

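ArkanoiD's point that a DNS proxy should at least check whether an answer
seems valid, worked out as an added example (not code from the thread): the
plausibility checks a proxy can run on a parsed upstream response before it
caches or relays anything. It assumes the response has already been parsed
from wire format into the small records below; the names, addresses and
transaction id are constructed for the example. These checks catch the
obvious forgeries (wrong transaction id, out-of-bailiwick records, answers
pointing back into the internal network); they are not a substitute for
DNSSEC validation.

```python
"""Plausibility checks for an upstream DNS answer.  Constructed example:
the response is assumed to be already parsed into the records below."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class RR:
    name: str
    rtype: str    # "A", "AAAA", "CNAME", ...
    ttl: int
    rdata: str    # address text for A/AAAA, target name for CNAME


@dataclass
class Response:
    txid: int
    qr: bool      # header QR bit: set on responses
    rcode: int    # 0 NOERROR, 3 NXDOMAIN
    qname: str
    qtype: str
    answers: list = field(default_factory=list)


MAX_TTL = 7 * 24 * 3600   # a week; longer TTLs are a common mark of forged records

# Address space an external name should never resolve to (rebinding guard).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10")]


def _norm(name):
    return name.rstrip(".").lower()


def check_response(sent_txid, sent_qname, sent_qtype, resp):
    """Return a list of problems; an empty list means the answer looks sane."""
    problems = []
    if not resp.qr:
        problems.append("QR bit clear: packet is not a response")
    if resp.txid != sent_txid:
        problems.append("transaction id does not match the query")
    if _norm(resp.qname) != _norm(sent_qname) or resp.qtype != sent_qtype:
        problems.append("question section does not echo the query")
    if resp.rcode not in (0, 3):
        problems.append(f"unexpected rcode {resp.rcode}")

    # Names an answer may legitimately carry: the query name plus any CNAME
    # targets reachable from it.  Anything else is out of bailiwick and must
    # not be cached (the classic poisoning vector).
    allowed = {_norm(sent_qname)}
    for _ in resp.answers:          # fixed point over CNAME chains, bounded by record count
        for rr in resp.answers:
            if rr.rtype == "CNAME" and _norm(rr.name) in allowed:
                allowed.add(_norm(rr.rdata))

    for rr in resp.answers:
        if _norm(rr.name) not in allowed:
            problems.append(f"answer for unrelated name {rr.name}")
        if not 0 <= rr.ttl <= MAX_TTL:
            problems.append(f"implausible TTL {rr.ttl} on {rr.name}")
        if rr.rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rr.rdata)
            except ValueError:
                problems.append(f"malformed address {rr.rdata!r} on {rr.name}")
                continue
            if any(addr in net for net in NON_ROUTABLE):
                problems.append(f"{rr.name} resolved to non-routable {addr}")
    return problems


# Constructed responses to a query for www.example.com / A with txid 0x1a2b.
GOOD = Response(0x1a2b, True, 0, "www.example.com.", "A",
                [RR("www.example.com.", "CNAME", 300, "edge.example.net."),
                 RR("edge.example.net.", "A", 60, "203.0.113.10")])
POISONED = Response(0x1a2b, True, 0, "www.example.com.", "A",
                    [RR("www.example.com.", "A", 60, "203.0.113.10"),
                     RR("www.bank.example.", "A", 86400 * 30, "198.51.100.99")])
REBIND = Response(0x1a2b, True, 0, "www.example.com.", "A",
                  [RR("www.example.com.", "A", 1, "10.0.0.5")])

if __name__ == "__main__":
    for label, r in (("good", GOOD), ("poisoned", POISONED), ("rebind", REBIND)):
        print(label, check_response(0x1a2b, "www.example.com", "A", r) or "ok")
```

A proxy that rejects the whole response on any problem, rather than
dropping only the bad record, is the simpler and safer choice: a forged
packet that got one record wrong is not one to trust for the others.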
------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 38
************************************************
