Hi:

I have an opinion about this:

If I have a FW-1 running on Solaris 2.6, and on the same machine the
DNS is running a vulnerable version of BIND, a hacker could compromise the
firewall and the DNS. On the other side, if the firewall and DNS are not
on the same machine this will not happen 'cause the firewall won't have
any port open (at least in theory...) and the fw will not be compromised.

I think having any other application on a firewall increases the
probability of compromising the fw, and then the internet access (if the fw is
for internet). Having the other servers on other machines will decrease
the likelihood of a successful attack.

An example: in the old times when a city was besieged the people hid food
in many houses, because if you store all the food in the same house and
it is burned, you won't have any food and the attackers will take the
city easily. :)


Regards from Chile


[EMAIL PROTECTED] writes:
>At 10:52 07/05/01 -0400, Carl E. Mankinen wrote:
>>You would recommend running DNS daemon on the firewall?
>
>yes
>
>
>>That sounds pretty scary to me. Lots of reasons why I would not do this:
>
>I understand that. I myself heard many of them...
>
>>Firewall should be locked down as much as humanly possible and all 
>>unnecessary system files quarantined. It should be as close to an
>>appliance as you can get it without preventing FW1 from running, this is 
>>not very conducive to running other services. If you agree
>>to running DNS on your fw, why not other services like SMTP, FTP, HTTP, 
>>etc etc?
>
>Not the same thing. I consider DNS as a proxy. It has bugs, but proxies 
>also have bugs. And IP filters do have bugs.
>(why do you speak of FW1? I guess this is a typo...). So, all the stuff 
>running there may have bugs and experience
>has shown that it indeed contains bugs (at every level: kernel, daemons, 
>scripts, programs, files...).
>
>
>>What happens in the case of one of those services being compromised or a 
>>system failure (electrical/mechanical etc) ? Do you end up
>>rebuilding your firewall or causing an outage for all those services 
>>while you fix it? Putting your eggs in one basket is a sure
>>way to end up with no breakfast.
>
>What happens when your FW is compromised? Do you end up [same as you said]
>I know of nobody who protects his internal hosts from the FW (the
>internal one if he has many). so when this is compromised,
>all the network is compromised. Sure they in the military area have a 
>different way to do things, but that costs a lot if ever
>possible.
>
>
>
>>I think I would prefer using a separate bastion host as DNS server myself.
>
>Which DNS server? I like configuring the FW as the primary for the few 
>public addresses that I need
>to rely on and change whenever I want (Mostly the FW external IP). all
>the rest is either inside if only needed
>inside or at the ISP or someone else. But not the FW IP nor that of any 
>external IP that I need to rely on.
>
>Let's take an example:
>
>- I set up a Tunnel with 3DES between my network and that of some 
>subsidiary out there, for SMTP traffic.
>So I configure my tunnel using the remote IP address.
>
>- my sendmail needs to get the MX for that domain, so it checks the DNS 
>somewhere. It then forwards
>the mail to the MX
>
>- If the MX happens to be different from the one I configured in my
>Tunnel, I'm just out of luck.
>
>so I need to make sure that the MX is correct, and I can only do that 
>seriously if _I_ manage the DNS,
>and that the DNS server is secure. In other words, if the DNS server gets 
>broken, then it's already too bad!
>
>cheers,
>mouss
>
>
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]



Saludos
Fredy R. Santana V.  
Ingeniero Civil Eléctrico - CCSA
Orion 2000 - Servicios Profesionales en Seguridad Informática
La Concepcion 322 piso 12, Providencia.
Santiago, Chile
Fono: 56-2-6403944, Fax: 56-2-6403990
e-mail: [EMAIL PROTECTED]
http://www.orion.cl
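The MX-versus-tunnel mismatch mouss describes in the quoted message, as an added example that is not part of this thread: a small Python audit that walks the MX records of a peer domain in preference order and reports which exchangers resolve to addresses outside the configured tunnel peers (the case where mail would leave the 3DES tunnel). The domain, host names, addresses and the two lookup callbacks are constructed assumptions; in practice the callbacks would be backed by a real resolver.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample DNS view (hypothetical names, documentation addresses).
SAMPLE_MX: Dict[str, List[Tuple[int, str]]] = {
    "subsidiary.example": [(20, "mx2.subsidiary.example"),
                           (10, "mx1.subsidiary.example")],
}
SAMPLE_A: Dict[str, List[str]] = {
    "mx1.subsidiary.example": ["192.0.2.10"],      # the tunnel peer
    "mx2.subsidiary.example": ["198.51.100.7"],    # a backup MX elsewhere
}


@dataclass(frozen=True)
class TunnelRule:
    """SMTP tunnel configured by remote IP, as in the thread."""
    domain: str
    tunnel_peers: frozenset  # remote addresses the tunnel is built to


def audit_tunnel_mx(rule: TunnelRule,
                    lookup_mx: Callable[[str], Optional[List[Tuple[int, str]]]],
                    lookup_a: Callable[[str], Optional[List[str]]]):
    """Return (verdict, per-MX detail) for one tunnel rule.

    verdict: 'ok' (every MX address is a tunnel peer), 'backup-mx-outside'
    (the preferred MX is inside but a lower-priority one is not, so mail
    leaves the tunnel only on failover), 'mismatch' (the preferred MX is
    already outside) or 'no-mx' (sendmail would fall back to the domain's
    own A record, which this audit treats as unverified).
    """
    mx = sorted(lookup_mx(rule.domain) or [], key=lambda p: p[0])
    detail = []
    for pref, host in mx:
        addrs = lookup_a(host) or []
        detail.append({
            "preference": pref, "host": host,
            "inside": [a for a in addrs if a in rule.tunnel_peers],
            "outside": [a for a in addrs if a not in rule.tunnel_peers],
        })
    clean = [e["inside"] and not e["outside"] for e in detail]
    if not detail:
        verdict = "no-mx"
    elif all(clean):
        verdict = "ok"
    elif clean[0]:
        verdict = "backup-mx-outside"
    else:
        verdict = "mismatch"
    return verdict, detail
```

Running the audit on a schedule (or before changing the tunnel peer) turns the "I'm just out of luck" case into a detectable configuration drift rather than a silent delivery failure.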

