hi carl...

if the firewall is using the ip# of the primary dns...
then i see no problems... and the secondary firewall at the
secondary dns....
        - the primary dns is now not really the primary dns...
        but the fw...

if the firewall is NOT using the primary dns ip#.... then i wonder
about their network topology and how we from the outside can find them..

and yes,... i've heard many reasons NOT to run anything on the
firewall.... it's NOT that i've NOT heard... i also contend that
there are just as similar numbers of ipchains and kernel exploits that
could still exist on the firewall even w/o bind.....
        - the more apps you add on the firewall...the more likely
        to have more exploits than otherwise w/o those apps

and adding bind may or may not compound the possible exploits
-- just depends on their network and budget and resources..

there will always be NEW exploits and tools people find to
get into the network if they wanted to...

as of today .... i would suspect that 2.4.4 kernel w/ bind-8.2.3
is NOT that bad of an option if one has only 2 boxes that they're
willing to get.. but i'd rattle their cage for the standalone 486-based
firewall machine... ( just need a few extra hours to build
a 3rd box...to save many headaches in the near future

it's their call...NOT mine.... they that pay the bills/invoices/salary...
let them be the one "held accountable" if it's done "their way"....

if security really is an issue...then firewalls are just one of many
dozens of major items that need to be addressed for security...
( firewall by itself is not sufficient...
        - ie... people running pop3 w/ netscape/ie or ftp/telnet
        from the outside into the local internal lan seems worse
        than running dns on the fw
                - see it all the time...but...they decided...so
                one has to cover one's butt...

        - people will want to do crazy things.... to make their life
        easy and probably complicate things on the security side... 

and lastly...the problem is one can NEVER guarantee that if they did
this..and did that... that there is no problem with security and hackers
and crackers....someone will always get in....if it's a worthy prize
to go after

security is only as good as the weakest link...
        - the servers
        - the admins defending it
        - the attackers poking around at it
        - the network/security policy
        - the network topology

have fun
alvin

-- whatever you do....just make sure its written down some place,
   that these "decisions" were made because of those
   "stipulation/restrictions/specifications"...

On Mon, 7 May 2001, Carl E. Mankinen wrote:

> My point was that the argument to run DNS on the firewall was so weak, it could be
> applied to running other services as well. It had nothing to do with "finding
> domains". I know how DNS works.
> 
> "First you hit the DNS, then the firewall?" if they are on the same box, packets are
> inspected by the firewall 1st no matter what you think.
> I prefer my firewall to be rather transparent (except when necessary), and people
> will direct traffic to my DNS servers which are always protected by the firewall.
> First you get ADDRESS of my dns servers, then you hit my firewall.....then you hit
> bastion running DNS, not the other way around.
> 
> If it's economics....they can only afford 2 servers and that's all, right?.
> I would have them not forget that their 2 server solution has many hidden costs that
> may cost them dearly.
> 
> In your example, the company would be effectively closed for business if either
> server fails.
> If they decide to run IIS, SQL, and put all their customers' financial data on that
> one server, then they get *permanently* closed for business when they get hacked and
> all their customers' data is exposed, they get blackmailed/extorted by Russian mafia
> backed teenagers (hehe), or when prospective stockholders find out (Egghead
> anyone?)....their stock value drops to the floor. (try to find a Black-Scholes eqn
> to solve that risk problem!) Penny Wise, Pound Foolish.
> 
> Why not run BIND on a firewall? If I am not mistaken, the security problems with
> BIND are legendary....and you have heard no reasons NOT to run BIND on your firewall?
> Incredible....
> 
> 
> ----- Original Message -----
> From: "Alvin Oga" <[EMAIL PROTECTED]>
> To: "Carl E. Mankinen" <[EMAIL PROTECTED]>
> Cc: "Alvin Oga" <[EMAIL PROTECTED]>; "mouss" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, May 07, 2001 11:25 AM
> Subject: Re: fw + dns ( was RE: )
> 
> 
> >
> > hi carl
> >
> > you have secondary dns if the primary dns machine dies...
> >
> > you usually don't have a secondary firewall... if it dies...
> > so you are still sol till you fix the firewall
> >
> > I don't necessarily recommend dns to run on the firewall
> > except when absolutely needed
> > ( when i am forced to have only 2 servers...
> > ( and one has to be a firewall... the other server
> > ( would be internally accessed only..
> >
> > your question...if we allow dns on the fw,
> > why NOT other services like smtp, httpd, ftp ???
> > - because....those protocols are NOT required to
> > find the domain called foo.com and direct incoming
> > queries to the proper servers
> > - first you hit the dns server...then the firewall
> >
> > - take away the primary and secondary dns
> > and nobody will find your firewall
> >
> > - it'd be really foolish to add those other services
> > to the firewall
> >
> > - it'd be equally foolish to have "open" firewall rules
> > as is some of the stuff i've seen/heard on the fw
> > acting as if there was no firewall cause they didn't
> > configure it correctly
> >
> > if they only have the budget/"upper management" for 2 systems...
> > my comments would be:
> > - server1: firewall + dns
> > - server2: email/web/pop/etc internal to the firewall
> >
> > - i usually add...don't you have some 486 box that we
> > can make into a fw and another to be the dns server...
> > and use server1 for backups...
> >
> > remember...you cannot find the firewall till you first find
> > the primary or secondary dns...
> > - primary dns should be the same level of lockdown
> > as a firewall or the loghost machines
> >
> > i prefer one server per major function...but one does not
> > always get the $$$ or the time to properly maintain 'em all
> > - firewall by itself
> > - dns by itself
> > - loghost by itself
> > - email by itself
> > - web by itself
> > - home server by itself
> > - ssh/authentication server
> > - db server by itself
> > - pop3 server by itself
> > - ppp server by itself
> > - ftp server by itself
> > - backup server by itself ( full and separate incremental )
> > - etc..etc...
> >
> > - now how many of us all have these happily separated servers...
> >
> > "itself" -->> no other services running
> > ( it should be separated for various reasons...
> >
> > have fun
> > alvin
> >
> >
> > On Mon, 7 May 2001, Carl E. Mankinen wrote:
> >
> > > You would recommend running DNS daemon on the firewall?
> > >
> > > That sounds pretty scary to me. Lots of reasons why I would not do this:
> > >
> > > Firewall should be locked down as much as humanly possible and all unnecessary
> > > system files quarantined. It should be as close to an appliance as you can get
> > > it without preventing FW1 from running; this is not very conducive to running
> > > other services. If you agree to running DNS on your fw, why not other services
> > > like SMTP, FTP, HTTP, etc etc?
> > >
> > > What happens in the case of one of those services being compromised or a system
> > > failure (electrical/mechanical etc) ? Do you end up rebuilding your firewall or
> > > causing an outage for all those services while you fix it? Putting your eggs in
> > > one basket is a sure way to end up with no breakfast.
> > >
> > > I think I would prefer using a separate bastion host as DNS server myself.
> > >
> >
> >
> 
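As an added example that is not part of the thread: an iptables ruleset (the 2.4 kernel's firewall tool, rather than the ipchains named above) for the "server1: firewall + dns" layout the thread argues over, with the interface names and addresses assumed. It accepts only dns from the outside and ssh from one internal host, forwards nothing inbound to the internal-only server2, and a helper counts anything else the rules expose on the external interface.

```shell
#!/bin/sh
# Added example for the two-box case discussed in the thread. All names and
# addresses are assumed/constructed: eth0 = outside, eth1 = internal lan,
# this box = firewall + dns, server2 = internal-only mail/web/pop box.
EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24
ADMIN_HOST=192.168.1.10   # the only host allowed to ssh into the firewall

# Emit the rules as text so they can be reviewed or diffed before use;
# apply with:  fw_rules | sh   (as root)
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# default deny: anything not listed below is dropped, never "open"
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the single outside-facing service: dns (udp, plus tcp for truncated answers)
iptables -A INPUT -i $EXT_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p tcp --dport 53 -j ACCEPT
# admin access only from the inside, and only from one host
iptables -A INPUT -i $INT_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
# internal lan may resolve against this box and go out through it
iptables -A INPUT -i $INT_IF -s $LAN -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
# log what gets dropped (rate limited) so the loghost sees the probes
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

# Sanity check: number of ACCEPT rules on the external interface that open
# anything other than dns (53) or ssh (22). Prints 0 when nothing else is exposed.
exposed_ports() {
    fw_rules | grep "INPUT -i $EXT_IF" \
        | grep -v -e '--dport 53' -e '--dport 22' | grep -c ACCEPT || true
}
```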

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
