On 17 Feb 00, at 12:52, Peter Capelli wrote:

>  Let's think about this for a minute.  Even if you did want your
> inside servers to talk to the mail server on the translated address,
> how would you *stop* them from talking to it on the inside address? 
> If they are on the same network, the inside servers will send the
> traffic directly to the mail server, and the PIX will never even see
> it!  Any firewall (not just the PIX) needs to see the traffic (i.e.
> be in the datastream) in order to control the traffic.
> 
>  If you want to control *all* traffic to your mail server, put it on
> a third, *screened* subnet off the PIX.  Then *all* traffic destined
> for the server will necessarily have to traverse the firewall.  This
> also fixes your two DNS "problem", which isn't really a problem
> anyway ...

OK, so the example of using the PIX between 2 hosts on the DMZ was a bad 
one - I just put it in to show that it could cause problems; I didn't say I was 
going to use the PIX to build security between the hosts.
 
>  You should be running an internal and an external DNS *anyway*. 
> Your internal users should use the internal DNS; external users
> should use the external DNS.  This way, external users will not be
> able to determine the addresses or names of any internal hosts you
> don't want them to know.  This is a well known and respected
> configuration, and any halfway decent firewall/network security book
> should explain the configuration to you.

As we don't actually use DNS for internal hosts, this is an unnecessary 
expenditure for us. We only use DNS for our public servers, and we actually 
run the DNS software on our mail and web servers. If I have to set up 2 more 
DNS servers just for our DMZ machines to talk to each other, I can see my 
boss complaining about more hidden costs.
 
>  I would certainly hope that you have better change management
> procedures in place at your firm than just letting people willy-nilly
> change DNS entries.  A proper change management procedure will
> alleviate this "problem", and others you will have without it!  In
> any case, you should try and avoid using /etc/hosts!

You should see things - I've got IT managers registering domains all over the 
place without even setting them up on the DNS. This causes all sorts of 
loopback problems. But there's not a lot I can do about it - they are at the 
same level as I am in a different company, but we share the equipment so 
it's difficult to force them to have to do all the DNS work through one person 
who knows what they're doing.
 
>  Most 'modern' firewalls will allow you to do what you ask; the
> question is, why would you want to do that?

I've already shown why - I have 2 DNS servers, and only 2, and I need them 
to be used by the public for resolving our DMZ hosts, by my internal users to 
resolve internet addresses, and by the DMZ servers to resolve other DMZ 
hostnames. There should at least be an option in the PIX to allow the 
configuration I need, rather than forcing me to have to change my setups 
because other people use DNS for internal host resolution.

Maybe 5.1 will provide more options - I can only hope.

Dan

---
D.C. Crichton                 email: [EMAIL PROTECTED]
Senior Systems Analyst        tel:   +44 (0)121 706 6000
Computer Manuals Ltd.         fax:   +44 (0)121 606 0477

Computer book info on the web:
   http://computer-manuals.co.uk/
Want to earn money? Join our affiliate scheme!
   http://computer-manuals.co.uk/affiliate/
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
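The option Dan asks for above, a firewall that rewrites the addresses inside DNS answers as they pass toward the DMZ so that DMZ hosts resolve each other to inside rather than translated addresses, can be illustrated in a few dozen lines. The following Python is an added example written for this archive page; it is not code from the thread, from Cisco or from the PIX. The host name, the static translation table and all addresses are constructed stand-ins from the RFC 5737 and RFC 1918 ranges, and build_reply only exists to manufacture a realistic reply to feed the rewriting function.

```python
"""Firewall-side rewriting of A records in DNS replies ("DNS doctoring").

Added illustration for the thread above, not the PIX implementation.  A reply
that crosses from the outside toward the DMZ has every A record whose address
is a key of the static translation table rewritten to the inside address.
"""
import struct
import ipaddress

# Constructed static translation table: translated (public) address -> inside
# address of the same server.  Hypothetical addresses (RFC 5737 / RFC 1918).
NAT_TABLE = {
    "203.0.113.10": "192.168.10.10",   # mail server
    "203.0.113.20": "192.168.10.20",   # web server
}

A_RECORD, CLASS_IN = 1, 1


def read_name(msg, off):
    """Decode the DNS name at msg[off:], following compression pointers.

    Returns (dotted name, offset just past the name as written at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if end is None:                    # caller resumes after the pointer
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                      # malformed message: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:                        # root label ends the name
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def iter_records(msg):
    """Yield (owner, rtype, rclass, rdata_offset, rdlength) for every RR in the
    answer, authority and additional sections of a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qdcount):                   # questions carry no rdata
        _, off = read_name(msg, off)
        off += 4                               # qtype + qclass
    for _ in range(ancount + nscount + arcount):
        owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield owner, rtype, rclass, off, rdlen
        off += rdlen


def doctor_reply(msg, nat_table):
    """Return a copy of a DNS reply in which every IN A record whose address is
    a key of nat_table is rewritten to the inside address.  An A record's length
    never changes, so no other field of the message needs adjusting."""
    out = bytearray(msg)
    for _owner, rtype, rclass, rd, rdlen in iter_records(msg):
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            seen = str(ipaddress.IPv4Address(bytes(msg[rd:rd + 4])))
            inside = nat_table.get(seen)
            if inside is not None:
                out[rd:rd + 4] = ipaddress.IPv4Address(inside).packed
    return bytes(out)


def a_records(msg):
    """List (owner, address) for every IN A record in a DNS message."""
    return [(owner, str(ipaddress.IPv4Address(bytes(msg[rd:rd + 4]))))
            for owner, rtype, rclass, rd, rdlen in iter_records(msg)
            if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4]


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".")) + b"\x00"


def build_reply(qname, addresses, txid=0x1234):
    """Construct a minimal DNS response for the example: one question and one A
    answer per address, each owner name compressed to the question (offset 12)."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", A_RECORD, CLASS_IN)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, CLASS_IN, 300, 4)
        + ipaddress.IPv4Address(ip).packed
        for ip in addresses)
    return header + question + answers


if __name__ == "__main__":
    # A reply as the public DNS server sends it to a DMZ host, and the same
    # reply after the firewall has rewritten the translated address; the
    # address that is not in the table is left alone.
    reply = build_reply("mail.example.com", ["203.0.113.10", "198.51.100.5"])
    print("as received:", a_records(reply))
    print("doctored:   ", a_records(doctor_reply(reply, NAT_TABLE)))
```

Two points worth noting. A firewall must apply this rewrite only to replies delivered toward the interface on which the inside addresses are actually reachable, otherwise outside clients would learn the inside addresses, which is exactly what Peter's internal/external DNS split is meant to prevent. And a box that rewrites DNS payloads is parsing untrusted data in the forwarding path, so the name decoder bounds the number of compression-pointer hops rather than trusting the packet to terminate.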
