Re: [FW1] http security server



Because of the ability to do DNS hacking and redirect traffic to another site based on
the standard lookup.  If the reverse DNS references a different domain and
server name than you requested, then this could mean that you are not really talking
to the site you are looking for.  Anyway, the "Failed to connect to www server" error is
more often a timeout on the initial GET request session setup.

Cheers,
CryptoTech

[email protected] wrote:

> I was wondering if someone could help with this?  I am seeing this same
> issue and I would like to know why Check Point considers the missing or
> inconsistent "reverse DNS" a security risk.  BTW, this was from Phoneboy's
> site (thanks!)
>
> Q:
> When I connect to some sites, I get the following error message:
> Failed to connect to www server
>
> A:
> There are two possible reasons for this:
> - Connection to the site timed out or was refused at the remote end
> - The remote site either has a missing or inconsistent "reverse DNS" entry
>   for its IP (thanks to Arjan van der Valk for uncovering this)
> Check Point considers the latter a security risk and does not allow these
> sites to be contacted through the HTTP Security Server.
> Check Point also does not allow you to turn this feature off. Your options
> for working around this are:
> - Contact the remote site in question to ask them to fix their reverse DNS
>   entry
> - Add an entry in your firewall's local host file and have the system resolve
>   against the hosts file first (note: This is untested)
> - Exclude the site in question from going through the security server by
>   adding a rule above your security server rule that permits normal HTTP to
>   the site
>
> Thanks,
> Donna
>
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
> ================================================================================



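
Added example, not part of the original thread and not Check Point's code: a forward-confirmed reverse DNS check that sorts a site's addresses into the "missing" and "inconsistent" cases the quoted FAQ names. The thread does not say exactly what test the HTTP Security Server applies, so the classification rule here is an assumption, and the host names and addresses are constructed sample records.

```python
import socket

def system_forward(name):
    """A/AAAA lookup through the system resolver; returns a set of IP strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def system_reverse(ip):
    """PTR lookup through the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_reverse_dns(host, forward=system_forward, reverse=system_reverse):
    """Map each address of `host` to (status, ptr_name).

    missing      - the address has no PTR record
    inconsistent - the PTR name does not resolve back to the address
    consistent   - the PTR name resolves back to the address
    """
    results = {}
    for ip in sorted(forward(host)):
        ptr = reverse(ip)
        if ptr is None:
            results[ip] = ("missing", None)
            continue
        ptr = ptr.rstrip(".").lower()
        status = "consistent" if ip in forward(ptr) else "inconsistent"
        results[ip] = (status, ptr)
    return results

# Constructed sample records (documentation address ranges), so the demo runs offline.
SAMPLE_A = {
    "www.example.com": {"192.0.2.10"},
    "web1.example.com": {"192.0.2.10"},
    "nodns.example.net": {"198.51.100.7"},
    "shop.example.org": {"203.0.113.5"},
    "host.other.example": {"203.0.113.99"},
}
SAMPLE_PTR = {"192.0.2.10": "web1.example.com.", "203.0.113.5": "host.other.example"}

def sample_forward(name):
    return SAMPLE_A.get(name, set())

def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)

if __name__ == "__main__":
    for site in ("www.example.com", "nodns.example.net", "shop.example.org"):
        print(site, check_reverse_dns(site, sample_forward, sample_reverse))
```

Calling `check_reverse_dns(host)` with the default arguments uses the system resolver. In the sample data `www.example.com` is reported consistent even though its PTR name is `web1.example.com`, because the rule applied is that the PTR name must resolve back to the same address, not that it must equal the requested name.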



 
   All contents © 2004 Network Presence, LLC. All rights reserved.