Hi ya mouss
yes/ditto to most all of your comments
for the dns issues...
- there is a primary dns...( usually under your control )
- it should have minimum info.... enough to meet incoming
requests from the outside...
- the secondary is sometimes at foo.com secondary dns support
- are their dns servers as secure as yours ???
- if the secondary dns is on the same ip# range as your primary...
as it seems common practice nowadays...
then you're dead when your isp goes kaput...
as opposed to a secondary at an electrically/geographically
unrelated isp/ip#
- we'll see lots of these issues coming up with the
power problems in california...since the isps out here
are power hogs and generate lots of "emf radiation" too
- if both the primary/secondary dns go down since they're on
the same wire in the office...you don't need a firewall because
they can't find the dns server first.... :-)
- secondary dns should be offsite on a secure dns server
---
- for my comment that most linux are basically the same...
they all run the same basic sw...
linux-2.2.19
bash-2.04.11
libc-2.2
bind-8.2.3
gcc-2.96
openSSH_2.3.0p1
ipchains-1.3.9
..etc...
- therefore one cannot be more secure than the other
unless they tweaked something to make it different
better/easier to upgrade etc..etc..
redhat is notorious for making good/bad kernel tweaks...
- linux distro....( rh-7.x, suse-7.x, slack-7.x, deb-2.2, etc..etc.. )
- most of the default installs are worthless...
( good for entertainment value ... full of holes ?? )
- i typically spend 6-8 hrs to clean it up...before
the server goes online or for the user to use...
( excluding time spent for distro patches... )
- common things that are usually broken/hazard
partitions, kernel, passwd, ssh, bind, inetd,
printer, /home, apache, sendmail, pop3, gcc, etc
have fun
alvin
http://www.linux-1u.net
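A small check for the point above about a secondary sitting on the primary's ip# range, added here as an example and not part of either message; the zone, server names and addresses are constructed (RFC 5737 documentation ranges), and the /24 prefix stands in for an ISP allocation:

```python
"""Flag secondary name servers that share the primary's address range.

Added example, not from the thread.  Addresses are constructed from the
RFC 5737 documentation ranges; in practice you would feed in the A records
of the zone's NS set (e.g. from dig/host output).
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed NS -> address map for the thread's example zone foo.com.
FOO_COM_NS: Dict[str, str] = {
    "ns1.foo.com.": "203.0.113.10",              # primary, on the office/ISP range
    "ns2.foo.com.": "203.0.113.11",              # "secondary" on the same wire
    "ns.offsite-example.net.": "198.51.100.20",  # offsite secondary, other ISP
}


def diversity_report(ns_addrs: Dict[str, str], primary: str,
                     prefixlen: int = 24) -> List[Tuple[str, str, bool]]:
    """Return (name, address, shares_primary_network) for every secondary.

    prefixlen approximates an ISP allocation: a secondary inside the same
    prefix as the primary is assumed to share its upstream link and power,
    so it adds nothing when that link goes down.
    """
    prim_net = ipaddress.ip_network(f"{ns_addrs[primary]}/{prefixlen}",
                                    strict=False)
    report = []
    for name, addr in ns_addrs.items():
        if name == primary:
            continue
        shared = ipaddress.ip_address(addr) in prim_net
        report.append((name, addr, shared))
    return report


def has_offsite_secondary(ns_addrs: Dict[str, str], primary: str,
                          prefixlen: int = 24) -> bool:
    """True if at least one secondary lies outside the primary's prefix."""
    return any(not shared
               for _, _, shared in diversity_report(ns_addrs, primary, prefixlen))


if __name__ == "__main__":
    for name, addr, shared in diversity_report(FOO_COM_NS, "ns1.foo.com."):
        verdict = "same range as primary (no resilience)" if shared else "offsite (ok)"
        print(f"{name:28} {addr:16} {verdict}")
    print("offsite secondary present:",
          has_offsite_secondary(FOO_COM_NS, "ns1.foo.com."))
```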
On Mon, 7 May 2001, mouss wrote:
> Hi Alvin,
>
> At 07:00 07/05/01 -0700, Alvin Oga wrote:
>
> >hi ya mouss...
> >
> >just curious.... when you say:
> >
> > > I'll always run DNS on the FW.
>
> I like configuring the FW to respond for the limited public IPs of a domain,
> and configure an internal DNS for insiders, which is slave to the FW's one.
>
> I know people would say, "oh but then you have a possibly vulnerable piece
> of soft on the FW", but then I'll say that it's the only manageable situation
> (compared to having your DNS at your ISP, who is as all ISPs just a sucking
> company trying to get money by giving you connectivity with a pool of
> incompetent people. Well, I hope not all ISPs are like that, but those I
> knew....). Putting the server on a DMZ doesn't change things seriously enough.
>
>
>
> >the reasoning i hear....( and somewhat concur )
> >
> >when anyone on the net wants to find {mail,www}.foo.com...
> >that the folks on the net would find the dns server first
> >then go to the ip# where it's directed...
> >
> >- note too that sometimes, people use a secondary DNS server
> > that is not their own...
>
> they should. That was required in the past...
>
>
> >- we also assume, the dns server would not disclose the internal
> > vpn connections etc...
>
> I hope so!
>
>
> >maintaining security for DNS + FW might be easier than
> >maintaining it for 2 different servers ( dns and fw )...
> >esp if it's at different rev levels and/or different vendors ??
> > ( there are many versions/permutations for dns too )
> >
> >for the "linux basics"... ( same == same version/patch level )
> >most all distros run the same kernel, same bind, same libc,
> >same gcc, same "syscall", same bash, same cron, same ssh,
> >same ipchains, etc..etc..
>
> dunno what you mean here. I'd prefer a debian if I have to linux!
> (but that's mostly personal. I don't have enough args to go for a battle
> on that)
>
> >what's different is all the linux distro's add/subtract their own
> >tweaks to the "basic cdrom" they distribute
>
> most problems come from the fact that the default install and default software
> are not really meant for a FW but for a "usable" machine. That's normal, since
> there are fewer FWs than desktop machines.
>
>
> >lots of issues... guess that's the fun of all this stuff
>
> someday there'll be so many FWs based on open source that we'll have nothing
> to say about the underlying OS. for now, we have to keep with "generic" OSes
> (the alternative being going for commercial prods, but they aren't that
> much better).
>
> >and yes...one usually makes do with the design/implementation
> >and security of the network...within the budget...and if it's
> >a sitting duck for disaster...time to pass on it and move onto
> >a better client/employer ??
>
> I tend to follow the same approach! if they suck, move on!
>
>
> cheers,
> mouss
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]