Message-ID: <F9C0B32C4FFE7147BD0FF6A40BE806E701AE79@Hammer_Exchange.hammerofgod.com>
Date: Fri, 18 Jan 2008 11:37:15 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Country by Country ISA Computer Sets

> Not at all, if you have the ability to integrate DNS lookups into
> your filtering process (coupled with a DNS cache running locally on
> the firewall, this should not be particularly demanding on your
> resources). This problem has already been solved by people wanting
> to weight scores for incoming E-mail from mailservers in different
> geographic regions. One of the more popular free geographic DNS
> lookup services is described at http://countries.nerd.dk/ (and
> Jacobsen makes updated versions of his DNS zone data available for
> download in case you want to host your own copy instead of relying
> on someone else's nameservers).

Sure - but that just adds more cycles to your firewall, and does nothing
for back end reporting.  These sets directly integrate that
functionality, both filtering and reporting, directly on the box, and are
far more efficient in my opinion... But, it's a great point and I'm glad
you shared that.

> 
> > Sure, if I wanted to block all of China I could block APNIC, but
> > that would block WAY more than I would want.
> [...]
> 
> In my professional life, I see frequent requests of this nature from
> customers in western/English-speaking countries. My immediate
> response is, "you *are* aware that Australia and New Zealand are
> part of APNIC, right?"

Yep- which is why I said "but that would block WAY more than I want." ;)

t
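
The DNS-based country lookup mentioned in the quoted text, with a local cache, as an added example that is not part of the original message or of either poster's code. Assumptions: the zone name `zz.countries.nerd.dk`, the DNSBL-style reversed-octet query name, and an answer of the form 127.0.x.y carrying the ISO 3166-1 numeric country code as x*256 + y; the resolver is a stub with constructed answers so the block runs offline.

```python
import ipaddress
from functools import lru_cache

ZONE = "zz.countries.nerd.dk"   # assumed zone name, not given in the message
BLOCKED = {156}                 # constructed policy: ISO 3166-1 numeric 156 (China)

def query_name(ip, zone=ZONE):
    """DNSBL-style name: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def decode_country(answer):
    """Assumed encoding: 127.0.x.y means numeric country code x*256 + y."""
    raw = ipaddress.IPv4Address(answer).packed
    if raw[0] != 127 or raw[1] != 0:
        raise ValueError("unexpected answer: " + answer)
    return raw[2] * 256 + raw[3]

def make_filter(resolve, blocked=BLOCKED, fail_open=True, cache_size=4096):
    """resolve(name) returns an A record string, or None on NXDOMAIN/timeout."""
    @lru_cache(maxsize=cache_size)          # the local cache the quoted text calls for
    def lookup(ip):
        answer = resolve(query_name(ip))
        return None if answer is None else decode_country(answer)

    def allow(ip):
        code = lookup(ip)
        if code is None:                    # no data: policy decides, not the resolver
            return fail_open
        return code not in blocked
    return allow

# Constructed answers for documentation addresses (not real geolocation data).
SAMPLE_ANSWERS = {
    query_name("192.0.2.10"): "127.0.0.156",    # 156 = China
    query_name("198.51.100.7"): "127.0.0.36",   # 36  = Australia
    query_name("198.51.100.8"): "127.0.2.42",   # 554 = New Zealand
}
CALLS = []  # records every query the stub resolver receives

def stub_resolve(name):
    CALLS.append(name)
    return SAMPLE_ANSWERS.get(name)

if __name__ == "__main__":
    allow = make_filter(stub_resolve)
    for ip in ("192.0.2.10", "198.51.100.7", "198.51.100.8", "203.0.113.10"):
        print(ip, "allow" if allow(ip) else "drop")
```

The Australian and New Zealand sample addresses pass while the Chinese one is dropped, which is the per-country granularity that blocking all of APNIC cannot give.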
