From: Joe Touch (touch@ISI.EDU)
Date: Mon Apr 17 2000 - 15:04:47 PDT
Strata Rose Chalup wrote:
>
> Very true, and a good catch. Domain based security is a good oxymoron
> candidate in most (not *all*) situations, though.
>
> Given DNS spoofing attacks, I would not expect most sites to rely on
> domains as a security measure.
Most sites don't rely on it as the _only_ security measure, but it is
very common in addition, to hide the existence of local, but not highly
sensitive, information.
> Not scalable, not recommended, but better than either being wide-open
> or putting up with the reverse lookup on everything. If you care, for
> later, you can just post-analyze your logs with any of the zillions of
> little perl scripts whirling by on various net.eddies.
I'm not sure - many organizations aren't so hyped about keeping their
phonebooks, directories, etc., "absolutely private", but aren't concerned
with letting you have that info if you make it inside their firewall.
The 'need to know' principle applies.
Admittedly, reverse lookups are an expensive way to pay for this.
However, given the extensive logging that's already done (esp. for
high-perf sites, which want to write about their performance), it
doesn't seem like a huge additional hit.
The question is whether "turn logging off" is a reasonable
recommendation.
Joe