I'm going to go out on a limb & defend/amend #4.  It should read "Do not
run any other service on the firewall device."  Why single out DNS?  I can
tell you that if you run BIND 8.2.2p5, deny version probes, recursion no, 
fetch glue no,  allow-transfer {none;}, you are no worse than you are w/o 
DNS.  Lance will disagree with me, :)  Well-patched, DNS is no more dangerous
than any other services.  If you choose to combine services w/ your fw, you
expose yourself to resource depletion & service associated holes, so don't do
this, but don't hang the rap on DNS.

Let's qualify this, I'm talking about your external DNS server, not your
corporate internal DNS server.  One can also make the case that if
you limit your external zone size & only answer authoritatively, you don't
consume much mem, & you can get away with it.  But we won't go there.

CT
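The four BIND settings CT lists (refuse version probes, recursion off, fetch-glue off, allow-transfer none) can be checked mechanically before an external server goes live. The script below is an added example, not code from CT or from the list; it embeds two constructed named.conf fragments in BIND 8 syntax (one weak, one hardened, with an example secondary address from the 192.0.2.0/24 documentation range) and audits the options block against that bar.

```python
import re

# Constructed sample named.conf fragments for demonstration only; they are not
# taken from any real firewall and are not part of the original message.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    fetch-glue yes;
    allow-transfer { any; };
};
zone "example.test" {
    type master;
    file "example.test.zone";
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    version "not available";     // answer version.bind probes with a dummy string
    recursion no;                // answer only for zones we are authoritative for
    fetch-glue no;               // BIND 8 option: do not fetch glue from other servers
    allow-transfer { none; };    // no zone transfers by default
};
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-transfer { 192.0.2.53; };   // secondary only, listed explicitly (example address)
};
"""

# The bar from the message, as (setting, predicate on the parsed value).
REQUIRED = {
    "version": lambda v: v is not None and v.strip('"') != "",
    "recursion": lambda v: v == "no",
    "fetch-glue": lambda v: v == "no",
    "allow-transfer": lambda v: v == "none",
}


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"#[^\n]*", "", text)
    return text


def options_block(conf):
    """Return the text inside the top-level options { ... } block (brace-matched)."""
    text = _strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 0
    for i in range(m.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError("unbalanced braces in options block")


def parse_settings(block):
    """Map each 'name value;' or 'name { list; };' statement to a normalised value."""
    settings = {}
    for name, value in re.findall(r"([\w-]+)\s*(\{[^}]*\}|[^;{]+?)\s*;", block):
        settings[name] = value.strip("{} \t\n").rstrip(";").strip()
    return settings


def audit(conf):
    """Return (setting, value_found) for every required setting that misses the bar.

    Note: a per-zone allow-transfer overrides the global one, so a clean
    options block still needs each zone's transfer list reviewed separately.
    """
    settings = parse_settings(options_block(conf))
    return [(name, settings.get(name)) for name, ok in REQUIRED.items()
            if not ok(settings.get(name))]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```

Running it reports all four settings as missing or wrong for the weak fragment and nothing for the hardened one; the per-zone override caveat in the docstring is why the hardened sample lists its secondary inside the zone rather than loosening the global default.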


"Ivan Fox" <[EMAIL PROTECTED]> wrote:
>Date: Fri, 18 Aug 2000 10:04:06 -0400
>
>I did a search on the subject using yahoo and hotbot, there were only 3
>entries pertaining to it hosted by securityportal.com.
>
>I need to compile a list of best practices for managing firewalls for
>internal use.  I will send the compiled list to whoever contributed their
>idea/suggestions/comments.
>
>The following is what I have at the moment for Check Point:
>
>1) The OS of choice for Check Point is Solaris for performance and less
>vulnerability
>2) If NT is used, it should be hardened.  Guidelines can be found on
>www.phoneboy.com or www.deathstar.ch.
>3) Regardless of OS, apply the current patches.
>4) Do not run DNS on the firewall device.  If it is absolutely necessary,
>run it as a secondary DNS.
>5) Do not run anti-virus program on the firewall device.
>6) Deploy Fail-over/High Availability
>7) Change to firewall rules must be approved by the info-security team if
>any.  It should not be the same one in the same team/department.
>8) If service (port) requested is not a "standard" one, check it if it is a
>trojan port on Simovits' http://www.simovits.com/nyheter9902.html site.
>
>Thanks,
>
>Ivan
>
>
>
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
