>               - first you hit the dns server...then the firewall
> 
>               - take away the primary and secondary dns
>               and nobody will find your firewall

  This is ABSOLUTELY not true:

1.  How do people find your primary DNS?  Hint:  It's NOT magic.  The 
domain registration records/root DNS servers tell where to find the 
primary/secondary(/tertiary/etc) DNS servers for the foo.com domain; 
they don't even have to be at the same site as your firewall, but if 
the root servers say they are, callers will be directed to/via your 
firewall even if the DNS servers are "taken away".

2.  A significant proportion of the DNS traffic I've seen logged (at 
the firewall...) in the last six months has been sweeps/probes 
looking for vulnerable BIND installations.  The prober has NO IDEA 
what domain they're probing or where its DNS is served from.  In 
fact, lots of non-DNS traffic caught by my firewall is from folks who 
obviously are using raw IP addresses and not host/domain names, yet 
they manage to find my firewall just fine.

  DNS is an exploitable service.  Putting it on the firewall makes 
for a firewall you can't trust.

David Gillett
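
As an added example (not part of David's message or of the original thread), the following Python sketches both of his points against constructed data. The first half is a toy iterative resolver walking a made-up root -> .com -> foo.com delegation table: the address of ns1.foo.com comes out of the parent (.com) zone as a glue record, so a querier has the firewall-side address before it sends a single packet toward foo.com, whether or not the name server itself is still there. The second half builds the wire-format `version.bind CH TXT` query that BIND-version sweeps send, which needs no domain name at all. The names foo.com and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are assumptions taken from documentation ranges; nothing here touches the network.

```python
"""Added example, not from the original thread: a toy delegation walk and
a hand-built version.bind probe. All names/addresses are constructed."""
import struct

# ---- 1. Delegation chain -------------------------------------------------

# Constructed referral data: zone -> {child zone -> {NS name -> glue address}}.
DELEGATIONS = {
    ".": {"com.": {"a.gtld-servers.net.": "198.51.100.1"}},
    "com.": {"foo.com.": {"ns1.foo.com.": "192.0.2.1",
                          "ns2.foo.com.": "192.0.2.2"}},
    "foo.com.": {},   # authoritative for foo.com; delegates nothing further
}
ROOT_HINT = "203.0.113.53"   # constructed root-server address (the "hints" file)


def zone_chain(name):
    """Zones from the root down to `name`: 'www.foo.com.' -> ['.', 'com.', 'foo.com.', 'www.foo.com.']."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def trace_delegation(name, delegations=DELEGATIONS, root=ROOT_HINT):
    """Steps an iterative resolver takes for `name`, as (server_ip, zone_asked, referral).

    The final step is the query sent to the authoritative server; its address was
    learned from the parent's glue, never from foo.com itself.
    """
    steps = []
    server = root
    chain = zone_chain(name)
    for zone, child in zip(chain, chain[1:]):
        referral = delegations.get(zone, {}).get(child)
        if referral is None:          # no further delegation: `server` is authoritative
            break
        steps.append((server, zone, dict(referral)))
        server = sorted(referral.values())[0]   # follow the first glue address
    steps.append((server, "authoritative", {}))
    return steps


def authoritative_address(name):
    """The first address a querier actually hits for `name`'s zone."""
    return trace_delegation(name)[-1][0]


# ---- 2. What a BIND-version sweep sends ---------------------------------

QTYPE_TXT, QCLASS_CHAOS = 16, 3


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte (RFC 1035 s3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, qclass, txid=0x1234):
    """Query packet: 12-byte header (id, RD flag, qdcount=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def version_bind_query(txid=0x1234):
    """The probe: version.bind, class CHAOS, type TXT. No target domain involved."""
    return build_query("version.bind", QTYPE_TXT, QCLASS_CHAOS, txid)


def parse_question(packet):
    """Decode the header counts and the first question from a query packet."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return {"id": txid, "flags": flags, "qdcount": qd,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def is_version_bind_probe(packet):
    """What a firewall/IDS rule for these sweeps matches on: the CH/TXT version.bind question."""
    q = parse_question(packet)
    return (q["qname"].lower() == "version.bind"
            and q["qclass"] == QCLASS_CHAOS and q["qtype"] == QTYPE_TXT)


if __name__ == "__main__":
    for server, zone, referral in trace_delegation("www.foo.com."):
        print("ask %-14s about %-14s -> %s" % (server, zone, referral or "answer"))
    pkt = version_bind_query()
    print(pkt.hex(), is_version_bind_probe(pkt))
```

Running it prints the three hops (root hint, then the .com server, then 192.0.2.1 as the authoritative target) and the 30-byte probe; the 192.0.2.1 address appears in the .com referral, one hop before anything is sent to foo.com, which is the point of item 1 above.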



On 7 May 2001, at 8:25, Alvin Oga wrote:

> 
> hi carl
> 
> you have secondary dns if the primary dns machine dies...
> 
> you usually don't have a secondary firewall... if it dies...
> so you are still sol till you fix the firewall
> 
> I don't necessarily recommend dns to run on the firewall
> except when absolutely needed
>       ( when i am forced to have only 2 servers...
>       ( and one has to be a firewall... the other server
>       ( would be internally accessed only..
> 
> your question...if we allow dns on the fw,
> why NOT other services like smtp, httpd, ftp ???
>       - because....those protocols are NOT required to 
>       find the domain called foo.com and direct incoming
>       queries to the proper servers
>               - first you hit the dns server...then the firewall
> 
>               - take away the primary and secondary dns
>               and nobody will find your firewall
> 
>       - it'd be really foolish to add those other services
>       to the firewall
> 
>       - it'd be equally foolish to have "open" firewall rules
>       as is some of the stuff i've seen/heard on the fw 
>       acting as if there was no firewall 'cause they didn't
>       configure it correctly
> 
> if they only have the budget/"upper management" for 2 systems...
> my comments would be:
>       - server1: firewall + dns
>       - server2: email/web/pop/etc internal to the firewall
> 
>       - i usually add...don't you have some 486 box that we
>       can make into a fw and another to be the dns server...
>               and use server1 for backups...
> 
> remember...you cannot find the firewall till you first find
> the primary or secondary dns...
>       - primary dns should be the same level of lockdown
>       as a firewall or the loghost machines
> 
> i prefer one server per major function...but one does not
> always get the $$$ or the time to properly maintain 'em all
>       - firewall by itself
>       - dns by itself
>       - loghost by itself
>       - email by itself
>       - web by itself
>       - home server by itself
>       - ssh/authentication server
>       - db server by itself
>       - pop3 server by itself
>       - ppp server by itself
>       - ftp server by itself
>       - backup server by itself ( full and separate incremental )
>       - etc..etc...
> 
>       - now how many of us all have these happily separated servers...
> 
>       "itself" -->> no other services running
>       ( it should be separated for various reasons...
> 
> have fun
> alvin
> 
> 
> On Mon, 7 May 2001, Carl E. Mankinen wrote:
> 
> > You would recommend running DNS daemon on the firewall?
> > 
> > That sounds pretty scary to me. Lots of reasons why I would not do this:
> > 
> > Firewall should be locked down as much as humanly possible and all unnecessary
> > system files quarantined. It should be as close to an appliance as you can get it
> > without preventing FW1 from running; this is not very conducive to running other
> > services. If you agree to running DNS on your fw, why not other services like SMTP,
> > FTP, HTTP, etc etc?
> > 
> > What happens in the case of one of those services being compromised or a system
> > failure (electrical/mechanical etc)? Do you end up rebuilding your firewall or
> > causing an outage for all those services while you fix it? Putting your eggs in
> > one basket is a sure way to end up with no breakfast.
> > 
> > I think I would prefer using a separate bastion host as DNS server myself.
> > 
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 

