Darren writes:
>>
>>
>> Marcus wrote:
>> >Marcus,
>>
>> >>
>> >> None of the (real) security experts I know say that split
>> >> DNS is important. See some of my previous postings in the archives
>> >> for more detailed explanations of why split DNS doesn't buy you
>> >> anything but a few warm fuzzies.
>> >>
>>
>> Ken Lee wrote:
>>
>> >What is it that makes someone a "real" security expert?
^ so there are imaginary ones?
BTW, I think that the word "expert" is way overused...
>>
>> >Ken Lee
>>
>> John writes:
>> "It's someone who knows where to get the expertise, how to apply it, and what
>> to charge for it".
>
>Really? I could have sworn that two `security experts' were just about
>to give away a tool which will probably do more than many so called experts
>do (assuming that such exist).
>
>Only if you're very paranoid would you worry about split DNS (and then
>you need to do a fair amount more work to ensure it stays that way).
>
>If you're properly firewalled and your internal security is as good as
>your firewalls, then I can't see why it would be useful...you're hiding
>hostnames that are never going to be of use to anyone breaking into your
>system from beyond the firewall.
Yes, this is true...unless they can break into your firewall and then it
gets real easy to get those internal names...
It is true that split DNS is only a warm fuzzy...and is not "real
security"...more like obscurity...but people like it... Many security
officers at companies like the idea and it looks a lot like their corp
policy... But we all know that names leak out in all sorts of ways
... not just through the DNS... I don't think that doing a split DNS
hurts the actual security of a site and once it is set up it is not that
hard to maintain... But I do think that it is a disservice to tell
someone that a Split DNS stops all name leaking...this just is not true...
Frank