On Sun, 27 Feb 2000, Eric wrote:
> 1) So how frequent is it to use access lists on routers
> as a first level of security? My impression is that it is
> not uncommon. The only problem with access lists that I
> know of is that they slow everything down a bit. But I
> considered that preferable to leaving it wide open. (An
> outer firewall was not an option.)
It's about the most common screening tool out there. I personally
wouldn't install an Internet connection without at least one screening
router.
> 2) Why would anyone think that Microsoft's RAS is too insecure
> to run on a web server but not too insecure to run on the
> firewall to the internal network?
Because they're incompetent.
> 3) Why would using access lists on a firewall be "less secure"
> than not running access lists? For that matter, why would
> anyone not use access lists on the router itself to keep
> everyone in the world from connecting to it?
They wouldn't be, see above.
> 4) Why would anyone allow finger to run on a router unless access
> was sharply limited?
>
No good reason, see 2).
> 5) Am I correct in my guess that two dns servers are running?
> Is it possible for one dns server to handle one kind of
> query and another dns server to handle another?
Only one program should be able to bind to port 53. You may be seeing
WINS results from MS clients on the network though.
> 6) Any suggestions on how to handle this? Should I just not worry
> about it and wait until it all blows up? (I'm 46, that brother
> is 58 or so and when he decides not to listen, there is little
> or no way to do anything about it.)
I'd point out the inconsistencies in logic and reasoning, the fact that
the security level seems to have gone down, and try to get the guilty
party to enumerate *why* they think the things they've done have increased
security and enumerate what security threats they saw in the prior
configuration.
Poking holes in that should be fun.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280