North American Network Operators Group
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Historical
Re: To CAIS Engineers - WAKE UP AND TAKE CARE OF YOUR CUSTOMERS
- From: Adam McKenna
- Date: Mon May 14 17:21:35 2001
On Mon, May 14, 2001 at 11:46:05AM -0400, Christopher A. Woodfield wrote:
> Reverse DNS by itself is insufficient for authentication, but
> enforcing matching forward and reverse DNS entries is much more reliable
> (no substitute for secret-based or cert-based authentication, but a good
> "front door" for something like tcp wrappers). at last check, tcpd and sshd
> can both be configured to block connections without matching forward/reverse
> records.
No. This is joke security, as is any security that relies on hostnames. TCP
wrappers is basically worthless as a security measure unless you are using
IP-based rules. And even then, it's deprecated in favor of kernel
firewalling (In Linux) or ipfilter (on BSD's and other platforms that support
it).
--Adam
|
