Solved

Enterprise Firewall configuration

Posted on 2008-06-14
428 Views
Last Modified: 2013-11-16
Can Domain names spoof the IP that an Internet lookup returns?
Can Internet Firewalls be configured to allow traffic based on dns names?  Can something like CBAC or Anonymizer come into play?
What does Internet RFCs require regarding reverse lookups?

This large company (LC-inc) provides over 5000 non-profit agencies with an app to process claims.  The non-profits process the claims locally in the app and then select the upload to send files to LC-inc.  Once LC-inc completes its processing, the non-profit is notified to download the files for their records thru the app.

LC-inc uses a data center of parallel fail-over locations to provide Internet connectivity to their server.
The app uses Java to connect to the LC-inc servers thru the Internet to upload/download the latest files.

The non-profit firewalls must be configured to allow the app & Java to connect to the LC-inc server thru the Internet.  The LC-inc server uses a STD domain naming convention, ex. link.LCinc.com.  The app is configured to connect to link.LCinc.com.  
The non-profits set their firewalls to allow traffic to & from the link.LCinc.com IP: 147.150.100.50. (not real IP/Name)

Recently LC-inc changed their IP address; and sent out a notice stating they would no longer publish their IP.  The policy states now all non-profits must configure their firewalls to allow traffic to & from link.LCinc.com.
Some could not comply and the LC-inc IT dept told them to open the firewall to 147*.*.* - Even if the firewall could do this, it seems unimaginable!  Can firewalls handle wildcards like this?

Using Dig - link.LCinc.com resolved to two new IPs; however, on any given day it would be one or the other, never the same one.
I added these IPs to some of the firewalls and upload/download completed without a hitch.
Note: Reverse lookups on the IP returned the IP number only.

Other more robust Cisco environments received the Server down or unavailable error.  However, when they allowed the app PC unrestricted access to the internet - things worked as expected.

Can Domain names spoof the IP that an Internet lookup returns?
Can Internet Firewalls be configured to allow traffic based on dns names?  Can something like CBAC or Anonymizer come into play?
What does Internet RFCs require regarding reverse lookups?

Although this is more than one question, I think they can be answered by the same info.
As always, if not, I am happy to create multiple questions.
Question by: kbbcnet
5 Comments
LVL 10

Expert Comment by: Casey Herman
Some could not comply and LC-inc IT dept told them to open the firewall to 147*.*.* - Even if the firewall could do this, it seems unimaginable!  Can firewalls handle wildcards like this?

SOME DO.

I wouldn't do it though.  Around 16000000 IPs would have full access through the firewall. If they gave you the first three octets then maybe....  ex. 147.23.45.* - the last star would be the wildcard.  That limits it to only 255 addresses that can potentially give you grief.

It is easier to spoof a name instead of an IP though.  Sounds like their IT is overbudgeted. I could even see opening a very small port range to that company on that IP scheme.

Good Luck
Just  MHO though

Casey

Author Comment by: kbbcnet

casedog21:

Agreed, it makes no sense to me why they do not want the non-profits to use the IP.
I do not see the benefit and am trying to verify it is an unnecessary position to take before I confront their IT with what I think is pointless.

Thus, the answers I seek, as I stated above in this question.

Expert Comment by: naughton

I don't think CBAC has anything to do with what you are doing.
I'd suggest that if security is a concern, the approach taken isn't really solving anything, but creating problems for 5,000 odd users.

There are other, better alternatives to providing secure connectivity than having your end users open firewalls up to 147*.*.* IP addresses.  Either the architect of the solution is kidding himself, is completely incompetent in relation to network security, or is pushing someone else's agenda to make problems for other people while saving them money.

There are any number of technologies available to securely connect numbers of disparate locations.

Author Comment by: kbbcnet

naughton:

Yes, I agree.
Unfortunately I am not inside the LC-inc IT Security dept.
I am in the field supporting some of the non-profits and working remotely with other non-profit pro bono support folks like myself.

A few years ago I worked with enterprise connectivity via the Internet, and many times apps such as Oracle and others required an IP in the config file, even though for years the FQDN worked.  In that case, after an Oracle upgrade, I discovered a resolution to the security issue thru the firewall by using the IP in the Oracle config.  Eventually, as I recall, Oracle fixed the issue.

The border security had to allow the IP & port range thru the firewall in both directions.  They further had to monitor the port range since Oracle did not use the same port out & back in.

At that time, I never had an instance where satellite firewalls used FQDNs, or any names; we always configured the firewall access using IPs.  No one would have even considered opening a network of IPs thru the firewall.

Is there anyone in EE who works with the following - who knows definitely?

Can domain names spoof the IP that an Internet lookup returns?
In the past, no, I never saw it.  My question now: is it possible now?

Can Internet firewalls be configured to allow traffic based on DNS names?
In the past, not in my experience; perhaps now yes?
I am looking for someone who works with this, such as an ISP administrator or the like.
They would know.

What do Internet RFCs require regarding reverse lookups? Anyone know?

Accepted Solution by: kbbcnet (earned 0 total points)

I have verified the info I was looking for.

The simple answer I was looking to verify is that a large corp such as this one could not de-publish, nor spoof, their IP.
The DNS name would always resolve to some IP, which then could be added to a firewall if needed.

Also, many firewalls can use the DNS name and/or filter by packet at the higher layers, allowing the server name thru; and yes, filtering, CBAC & Anonymizer could come into play; however, they did not in this environment.

Once the firewall & network cached info & routes were cleared, things worked as expected.  As it turns out, just the usual kind of Windows DNS issues.

*The confusion occurred here: when the main site went down off & on, the real-time failover site had a different IP, so Dig would give back the IP that was available when the main site was not.  When the main site was up, the other IP would be returned by a DNS lookup.

Thanks.
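The accepted solution boils down to two checks a firewall admin can script rather than guess at: what IP addresses the vendor's name actually resolves to over repeated lookups (the thread saw one of two failover addresses on different days), and how many addresses a wildcard rule like 147*.*.* really admits compared with the /24 Casey suggested or a single host. The following Python script is an added example, not code from the question, the replies, or LC-inc; the hostname and addresses are constructed documentation values (not the real ones), and the alternating resolver is a stand-in for live DNS so it runs offline. The live resolver path uses the standard library only.

```python
"""Reconcile a firewall's IP allow-list with what a vendor FQDN resolves to.

Added example for the firewall/DNS discussion above; hostnames and addresses
are constructed placeholders, not real LC-inc values.
"""
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed placeholder hostname (not a real LC-inc name).
EXAMPLE_HOST = "link.lcinc.example"


def resolve_with_system_dns(host: str) -> set[str]:
    """Resolve a name to its IPv4 addresses with the OS resolver (needs network)."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return {info[4][0] for info in infos}


def make_alternating_resolver(answers: list[str]) -> Callable[[str], set[str]]:
    """Fake resolver that returns a different single answer on each call.

    Mimics a primary/failover pair where DNS hands back whichever site is up,
    which is what the question's 'one or the other, never the same' Dig output
    looked like. Constructed for the example; replace with resolve_with_system_dns
    for a live check.
    """
    state = {"calls": 0}

    def resolver(host: str) -> set[str]:
        ip = answers[state["calls"] % len(answers)]
        state["calls"] += 1
        return {ip}

    return resolver


def collect_addresses(host: str, resolver: Callable[[str], set[str]], samples: int = 6) -> set[str]:
    """Union of every address seen across several lookups.

    A single lookup would have missed the failover address in the thread;
    sampling several times collects both candidates.
    """
    seen: set[str] = set()
    for _ in range(samples):
        seen |= resolver(host)
    return seen


def reconcile(allowed: Iterable[str], observed: set[str]) -> dict[str, set[str]]:
    """Compare firewall rule entries (IP or CIDR strings) with resolver answers.

    Returns:
      'missing': addresses the name resolves to that no rule permits
                 (uploads to these will fail until a rule is added);
      'stale':   rule entries the name no longer resolves to
                 (left over from the old published IP and safe to review).
    """
    rules = [ipaddress.ip_network(a, strict=False) for a in allowed]
    observed_ips = {ipaddress.ip_address(ip) for ip in observed}
    missing = {str(ip) for ip in observed_ips if not any(ip in r for r in rules)}
    stale = {str(r) for r in rules if not any(ip in r for ip in observed_ips)}
    return {"missing": missing, "stale": stale}


def rule_scope(spec: str) -> int:
    """Number of addresses a rule admits; use to size a wildcard before approving it."""
    return ipaddress.ip_network(spec, strict=False).num_addresses


if __name__ == "__main__":
    # Offline demo with a constructed two-site failover and a rule set that
    # still carries the old published address.
    fake_dns = make_alternating_resolver(["192.0.2.10", "198.51.100.20"])
    seen = collect_addresses(EXAMPLE_HOST, fake_dns)
    print("resolved over several lookups:", sorted(seen))
    print("reconciled:", reconcile(["192.0.2.10/32", "203.0.113.5/32"], seen))
    # '147*.*.*' as a rule is the whole 147.0.0.0/8; compare with a /24 and a host.
    for spec in ("147.0.0.0/8", "147.23.45.0/24", "147.23.45.7/32"):
        print(f"{spec:>16}: {rule_scope(spec):>9} addresses")
```

The `rule_scope` figures are exact: the /8 that 147*.*.* implies is 16,777,216 addresses, the /24 is 256 (Casey's "around 16000000" and "255" are the same scale), and a host rule is 1. Run `collect_addresses(EXAMPLE_HOST, resolve_with_system_dns)` against the real vendor name from several sites or on several days to see whether a second address appears, and feed the firewall's current rule entries to `reconcile` to get the add/review list.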
