Hi,
At 09:03 08/05/01 -0400, Fredy Santana wrote:
>I have an opinion about this:
welcome to the party!
>I think having any other application on a firewall increases the
>probability of compromising the fw, and then the internet access (if the fw is
>for internet). Having the other servers on other machines will decrease
>the likelihood of a successful attack.
The other viewpoint is that it won't decrease anything. The likelihood of
successful attacks is to be compared to the global number of weaknesses
you have, not to their place.
Anyway, if you set up a DNS server inside or in a DMZ protected by the FW,
then you need to allow outsiders to talk to this server across the FW, and
this adds to the risks. So, there's still a tradeoff between minimizing the
number of services on the FW and minimizing the number of open channels.
Well, all this is theoretical and I have done no real analysis, but the
arguments seem to be balanced... Note that this would be a nice paper to write...
>An example: in the old times, when a city was besieged, the people hid food
>in many houses, because if you store all the food in the same house and
>it is burned, you won't have any food and the attackers will take the
>city easily. :)
But that's food, and it should be compared to real services (web, ftp,
mail, ...).
DNS is a pure technical service. It's not a service from a "people standpoint".
I never spent a night surfing on a DNS server! (well, not yet at least).
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]