[EAS] IPAWS IP vs. FDQN
Ed Czarnecki
ed.czarnecki at monroe-electronics.com
Fri Jun 29 09:16:51 CDT 2012
I'm also dealing with a major operation that is wrestling with this as well
- their IT and security are freaking out about relying on domain names.
Yes, while traditional firewall policies tend to be based on source and
destination IP addresses, ports, and services, some other firewall systems
support fully qualified domain name network objects. With Cisco, for
example, the host (IPAWS') FQDN can be used in a rule instead of its IP
address, using their identity-aware policy feature in Security Manager.
Just an example. That way, if the IPAWS host address changes the rule will
still apply.
Simpler/older firewall systems may not be able to support FQDN, which will
pose an additional challenge (cost) for some. That is one of the reasons
we had advocated a defense-in-depth strategy that combines firewalls, proxy
servers, etc... Frankly, even if FEMA were to support IP addresses, we'd
still advocate advanced firewalls, NAT and reverse proxy servers.
On the other hand, I can in part see FEMA's thinking behind this. FEMA
IPAWS is recommending reliance on a fully qualified domain name, since the
underlying IP addresses may change periodically, and potentially even
unpredictably (unscheduled). Management of the host IP addresses is, as
far as I understand, handled by different entities than IPAWS.
So IPAWS itself might not have real-time info that the IP addresses were
changed by another branch/agency (just a reality in many large
organizations), and may not realistically have the ability to ensure that
every broadcaster/cable operator is informed of the change. Whether or not
it's the best call, I can see the logic behind their focus on FQDN over IP
addresses.
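An added example, not part of this thread or of any vendor product, of the kind of check an operator stuck with IP-only firewall rules can run between rule updates: it resolves the feed name and reports which addresses the current rule is missing and which entries are stale. The hostname and addresses are constructed placeholders (the thread does not give the IPAWS host), and a resolver callable can be injected so the check runs offline.

```python
import socket
from typing import Callable, Dict, Iterable, Optional, Set

Resolver = Callable[[str], Iterable[str]]

def resolve_all(fqdn: str, resolver: Optional[Resolver] = None) -> Set[str]:
    """Return every address the name currently resolves to.
    A resolver callable can be injected so the check runs offline."""
    if resolver is not None:
        return set(resolver(fqdn))
    # socket.getaddrinfo yields (family, type, proto, canonname, sockaddr);
    # sockaddr[0] is the textual IPv4 or IPv6 address.
    return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}

def check_drift(rules: Dict[str, Set[str]],
                resolver: Optional[Resolver] = None) -> Dict[str, Dict[str, Set[str]]]:
    """rules maps each FQDN to the addresses a firewall rule currently permits.
    Returns, per drifted name, the addresses the name now resolves to but the
    rule lacks ('missing') and rule entries the name no longer uses ('stale')."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for fqdn, allowed in rules.items():
        current = resolve_all(fqdn, resolver)
        missing = current - allowed
        stale = allowed - current
        if missing or stale:
            report[fqdn] = {"missing": missing, "stale": stale}
    return report

# Constructed sample data: a placeholder hostname (reserved .invalid TLD) and
# RFC 5737 documentation addresses; the real IPAWS name is not in the thread.
SAMPLE_RULES = {"cap-feed.example.invalid": {"192.0.2.10", "192.0.2.99"}}

def sample_resolver(fqdn: str) -> Iterable[str]:
    """Stand-in for DNS: pretend the name moved from .99 to .11 overnight."""
    if fqdn == "cap-feed.example.invalid":
        return ["192.0.2.10", "192.0.2.11"]
    return []

if __name__ == "__main__":
    for name, delta in check_drift(SAMPLE_RULES, sample_resolver).items():
        print(f"{name}: add {sorted(delta['missing'])}, retire {sorted(delta['stale'])}")
```

Run without the injected resolver against the real feed name to compare live DNS answers with the address set in a deployed rule.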
-----Original Message-----
From: eas-bounces at radiolists.net [mailto:eas-bounces at radiolists.net] On
Behalf Of Dave Turnmire
On 6/28/2012 3:58 PM, Ed Czarnecki wrote:
> I posed this question to the IPAWS office recently. Here is their
> guidance:
>
> "IPAWS does NOT support the use of connecting to the feed by designating
> an IP vice fully qualified domain name. The IP may change ... If a device
> is set to hit the IP and the IP changes, the station will no longer be
> monitoring the feed ... There should be no confusion: fema/ipaws neither
> supports nor suggests using the ip address in lieu of the fqdn."
>
> So that is where we are at the present time.
>
Maybe someone in IPAWS should talk to their IT staff about the REAL WORLD.
I'm not talking about how we configure the EAS box... as far as I know, they
all accept domain names. On the other hand... while I don't pretend to be
an expert on all routers and firewalls... ALL of the ones I AM familiar
with... work exclusively with IP addresses. The nature of what they do makes
that almost an imperative. And nothing can
connect to FEMA without passing through routers and firewalls. FEMA's
IT staff should know this... presumably their IT staff is at least as
security conscious as broadcast engineers. I bet THEIR firewall
configurations to allow incoming traffic into THEIR CAP Server knows the IP
address involved. And IF their server IP changes... NO ONE will have access
until someone tells the person(s) managing their firewalls/routers!
Dave