DHCP, DNS, and firewalls (was: Meeting - Wed 24 Mar 2004 ...)

bscott at ntisys.com
Tue Mar 9 20:27:00 EST 2004


  I received an off-list reply to my announcement on a talk on DNS.  With
the original poster's permission, I am sending my reply to this list, as I
feel it is more appropriate here.

On Tue, 9 Mar 2004, at 4:15pm, rob at chesler.absol.com wrote:
> for old dogs like me who always rely on static IP addresses for security
> to pass through firewalls, it is interesting to look to this new era of
> dynamic IP addresses.

  Generally speaking, if one is using network access control based on the
host, one does it using static IP addresses.  You can use DHCP reservations
to make IP configuration management a lot easier, but you still use static
addressing.  Trying to keep a firewall's ruleset in sync with DNS (or
anything else) would be a major hassle, and would likely be sufficiently
complicated that security is diminished.

  That being said, I generally prefer not to depend on host-based network
access control.  A common configuration is (1) block direct access to the
Internet, (2) use a proxy server for Internet access, (3) require proxy
authentication (username/password) for Internet access.  In this way, any
Internet access attempt requires a username/password, which provides much
better AAA control.

> Perhaps in your talk you can speak to the various techniques for keeping a
> working forward lookup to a host's current A record, and any solutions for
> the PTR record.

  That is reasonably easy.  Use DHCP with Dynamic DNS Update.  The DHCP
server submits DNS updates to the DNS server when a lease is allocated or
released.  You can do this with ISC BIND named and ISC DHCP dhcpd.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
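The proxy-with-authentication setup described in the message (block direct Internet
access, send everything through a proxy, require a username/password at the proxy),
as an added example that is not part of the original post.  It is a Squid
configuration fragment, not anything Ben posted; the 192.0.2.0/24 network, the
password file path, and the helper path /usr/lib/squid/basic_ncsa_auth (which varies
by distribution) are all assumptions.

```conf
# /etc/squid/squid.conf (fragment, constructed for illustration)
http_port 3128

# Username/password check against an htpasswd-style file.
# The helper path is distribution-specific; older Squid calls it ncsa_auth.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Internet access
auth_param basic credentialsttl 2 hours

# Who may even talk to the proxy (assumed internal network).
acl localnet src 192.0.2.0/24
# Any client that has not presented valid credentials does not match this ACL.
acl authenticated proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Ordering matters: Squid stops at the first matching http_access line.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet authenticated
http_access deny all

# Every request is logged with the authenticated username, which is the
# accounting part of the AAA that the message refers to.
access_log /var/log/squid/access.log squid
```

This only gives the "A" in AAA if the firewall really does block direct egress:
the perimeter rule set should permit TCP to the Internet only from the proxy host
itself, so a workstation cannot simply bypass the proxy.  Two caveats a reviewer
would raise: Basic authentication sends the password in the clear to the proxy, so
either keep the proxy on a trusted segment or use a stronger scheme (Squid also
supports Digest, NTLM and Negotiate/Kerberos helpers), and check the result with
`squid -k parse` before reloading.
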
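The DHCP-driven Dynamic DNS Update that the message recommends (ISC dhcpd submits
A and PTR updates to BIND named when a lease is allocated or released), together
with a DHCP reservation of the kind mentioned earlier for hosts that must keep a
fixed address.  This is an added example and not code from the original post or
from ISC; the zone example.com, the 192.0.2.0/24 addresses, the key name
dhcpupdate and the secret are placeholders.  The post dates from 2004, when the
key algorithm would have been hmac-md5; current BIND and ISC DHCP accept
hmac-sha256, which is what is shown.

```conf
### /etc/dhcp/dhcpd.conf (fragment, constructed for illustration) ###

# "interim" is the ISC DHCP 3.x style; ISC DHCP 4.3+ also offers "standard".
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.com.";
ddns-rev-domainname "in-addr.arpa.";
# By default dhcpd does NOT send updates for hosts with fixed-address;
# turn this on so reserved hosts get A/PTR records too.
update-static-leases on;

# Shared secret used to sign (TSIG) every update sent to named.
# Generate with: tsig-keygen -a hmac-sha256 dhcpupdate
key dhcpupdate {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # placeholder
}

# Forward zone: A records are added/removed here.
zone example.com. {
    primary 192.0.2.53;   # assumed address of the BIND server
    key dhcpupdate;
}

# Reverse zone: PTR records are added/removed here.
zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcpupdate;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.199;
    option domain-name-servers 192.0.2.53;
    option domain-name "example.com";
}

# A reservation: management by DHCP, but the address is fixed, so a firewall
# rule keyed on 192.0.2.20 stays valid.
host printer1 {
    hardware ethernet 00:11:22:33:44:55;   # placeholder MAC
    fixed-address 192.0.2.20;
    ddns-hostname "printer1";
}

### /etc/named.conf (fragment, constructed for illustration) ###

key "dhcpupdate" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # must match dhcpd.conf
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";
    # Only updates signed with the shared key are accepted.
    allow-update { key dhcpupdate; };
};

zone "2.0.192.in-addr.arpa" {
    type master;
    file "dynamic/2.0.192.in-addr.arpa.db";
    allow-update { key dhcpupdate; };
};
```

Check both sides with `dhcpd -t` and `named-checkconf` before restarting.  Because
named now owns those zone files, edit them only after `rndc freeze example.com`
(and `rndc thaw` afterwards), or the journal will be out of step with the file.
Newer BIND also supports `update-policy { grant dhcpupdate zonesub ANY; };`, which
lets the key touch names under the zone apex but not the apex records themselves;
that is the tighter choice where it is available.  None of this changes the point
made in the message: the firewall still matches on the fixed address, and DNS just
follows the lease.
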
