hi ya mouss...

just curious.... when you say: 

> I'll always run DNS on the FW. 

the reasoning i hear....( and somewhat concur )

when anyone on the net wants to find {mail,www}.foo.com...
that the folks on the net would find the dns server first
then go to the ip# where it's directed...

- note too that sometimes, people use a secondary DNS server
  that is not their own...

- we also assume the dns server would not disclose the internal
  vpn connections etc...

maintaining security for DNS + FW might be easier than
maintaining it for 2 different servers ( dns and fw )...
esp if it's at different rev levels and/or different vendors ??
        ( there are many versions/permutations for dns too )

for the "linux basics"... ( same == same version/patch level )
most all distros run the same kernel, same bind, same libc,
same gcc, same "syscall", same bash, same cron, same ssh,
same ipchains, etc..etc..

what's different is that all the linux distros add/subtract their own
tweaks to the "basic cdrom" they distribute

lots of issues... guess that's the fun of all this stuff

and yes...one usually makes do with the design/implementation
and security of the network...within the budget...and if it's
a sitting duck for disaster...time to pass on it and move onto
a better client/employer ??


no matter how good/bad security is...one still needs a good backup
system... as ( 75% or more ) most security/downtime problems
arise from internal "oops"

have fun
alvin
-- security is only as good as the weakest link ...

and nope... i tend NOT to follow...but stir the pot and see
what holds true....and what/which falls apart...


On Mon, 7 May 2001, mouss wrote:

> At 05:07 07/05/01 -0700, Alvin Oga wrote:
> 
> >hi all..
> >
> >i probably should have added that the dns was for the
> >internet side...not local dns for local machines...
> >
> >and yes..it's always a problem when they don't have the $$$$
> >for separating fw, dns, email, web, home server, db server,
> >backup servers, log server, pop3, ppp, etc
> >         - so which servers do you combine ???
> >         ( gets bad when they have their minds pre-defined already )
> >
> >         - even a 486-based machine would be fine for most small corp
> >         to run as dns or as simple "standalone" firewall...
> 
> It's not a problem of $$$$. It's a problem of design and of security.
> I'll always run DNS on the FW. I know many guys here will shout,
> cry and scream, but I have yet to hear anyone proving that this is bad.
> 
> The old principles of minimality, defense in depth, and other nice names
> are just myths with no serious practical foundations.
> 
> People have a tendency to blindly follow "well-known" principles. I for my own
> part will say: don't follow me, don't follow anyone. Get the truth by yourself.
> 
> 
> 
> cheers,
> mouss
> 
> 
> 
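The assumption raised above, that the internet-side dns server must not disclose internal records (vpn endpoints and the like), is what split-horizon DNS enforces. The following BIND 9 named.conf fragment is an added example and not part of this message or the thread; the zone name foo.com, the file names, the 192.168.0.0/16 internal range and the 203.0.113.5 secondary are assumed for illustration.

```conf
// Added example (not from the thread): split-horizon DNS on a BIND 9
// server that also sits on the firewall. Names/addresses are hypothetical.
acl "internal" { 192.168.0.0/16; 127.0.0.1; };

options {
    directory "/var/named";
    // recursion only for the inside; the internet side gets
    // authoritative answers for foo.com and nothing else
    allow-recursion { "internal"; };
    // one less thing the outside can fingerprint
    version "not disclosed";
};

// Inside view: the full zone, including vpn and host records.
view "inside" {
    match-clients { "internal"; };
    recursion yes;
    zone "foo.com" {
        type master;
        file "foo.com.internal";    // vpn.foo.com, internal hosts, etc.
    };
};

// Internet view: only what the outside needs (ns, mx, mail, www).
// Must come after "inside": views are matched in order.
view "outside" {
    match-clients { any; };
    recursion no;
    zone "foo.com" {
        type master;
        file "foo.com.external";    // no internal records in this file
        // the outside secondary mentioned in the thread, if one is used;
        // "none" if the box is the only server for the zone
        allow-transfer { 203.0.113.5; };
    };
};
```

An outside lookup of vpn.foo.com then hits the external zone file, which simply has no such record, while inside clients matching the acl still get the internal answer from the same daemon.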

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
