While I might agree with you when someone that really knows their stuff is
putting things together and monitoring the system, folks new to the game
should follow standards, and those standards state nothing on the firewall
box but the firewall, and don't let things inside that are hard to tack
down.  Better to set up something more standard and go as the skills grow.
Play with other solutions on the test network, when the bugs are worked
out, then perhaps consider implementing something a tad more 'risky'.
Hell, I'd rather see someone ssh in and scp the files about, anon ftp
does not belong either on the firewall nor inside the network, period.
Why put up the firewall if it's going to be one big gaping hole?  There's
no need to have tunnel vision and think there's only one solution to the
problem at hand, yes, I agree...

Thanks,

Ron DuFresne

On Wed, 26 Jul 2000, mouss wrote:

> While I do agree that putting things on the firewall is not a cool idea,
> I still believe that "the right" way is:
> - analyze your needs
> - analyze the security consequences of all configurations
> and then if the config you choose is ok, there is no problem.
> 
> In other words, I am against any religious-like arguments for how to configure
> a firewall and other stuff.
> 
> It is reasonable to have an anonymous ftp server, a mail server, a bind daemon,
> ... on the firewall, if the stuff is well configured. The important thing is
> to watch the basket, not what to put in the basket.
> 
> That said, it is generally simpler to install the servers inside the network
> or in the DMZ, as this "decomposes" the problem of security mgmt into two
> easier ones. However, there is no point in setting up an internal anonymous
> ftp server, opening the necessary holes in the firewall, and waiting for the
> attacker to wash his hands and come over...
> 
> regards,
> mouss
> 
> 
> 
> 
> At 13:00 26/07/00 -0500, Ron DuFresne wrote:
> 
> >never on the firewall, leave it outside and harden the host.
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.
