I have to agree here, good solid server administration and best practices
are far superior to placing hardware in front to do your job for you.
(Microsoft, are you listening?) The services running should be the bare
minimum, should have their own internal ACLs properly configured (think SSH
as an example), and the internal facility such as IPChains or IPF, whatever,
should be used after the services are squared away. This is an art that
seems lost on a lot of administrators. :(
----- Original Message -----
From: "Joe Shen" <sj_h...@yahoo.com.cn>
To: "Brian Johnson" <bjohn...@drtel.com>; "Gert Doering" <g...@greenie.muc.de>
Cc: "Cisco-nsp" <cisco-nsp@puck.nether.net>
Sent: Monday, October 12, 2009 7:46 AM
Subject: Re: [c-nsp] ASA Firewalls placement in the network!
Well, the point of a well-maintained server is that it is *open* to
the world - if you want a web server to be visible to the world, then
there isn't much you can do, besides "open HTTP to it". And other
services should not be running in the first place.
Agree. Focusing server resources on their public service and removing everything
unnecessary should be the first consideration, rather than putting in another
box.
The worst thing you can do is put a stateful firewall in front of a
busy DNS server
Yes. We did suffer from such a solution years ago. At that time, when
incoming requests increased, the firewall we used reached its threshold
quickly and rejected new ones. Now, we just connect the DNS servers to a Cisco
6509 directly; an ACL on the interface protects the server very well.
On the other hand, tuning DNS server performance is relatively easier
than for application servers. But it seems there needs to be new technology or
methods for detecting and controlling abnormal incoming requests.
Months ago, the failure of the primary DNS server for baofeng.com caused ISP
cache servers to run out of resources because too many clients resolved that domain
recursively.
Joe
_______________________________________________
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
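Joe's message says what is still missing is a way to detect abnormal incoming requests, and gives the cascade of recursive lookups for a domain whose primary server had died as the failure case. As an added example (not code from the list or from any poster), the two checks below run over a constructed BIND-style query log: a per-source query rate in a one-second window, and a single zone taking most of the recursive traffic, which is the signature of that cascade. The log line format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log (sample data, not from the thread).
# 198.51.100.7 sends four queries inside one second, and most queries
# ask for names under flood.example, the pattern a recursive cache shows
# when clients keep retrying a zone whose authoritative server is down.
SAMPLE_LOG = """\
12-Oct-2009 07:46:01.105 client 198.51.100.7#53211: query: a.flood.example IN A + (192.0.2.53)
12-Oct-2009 07:46:01.230 client 198.51.100.7#53212: query: b.flood.example IN A + (192.0.2.53)
12-Oct-2009 07:46:01.410 client 198.51.100.7#53213: query: c.flood.example IN A + (192.0.2.53)
12-Oct-2009 07:46:01.880 client 198.51.100.7#53214: query: d.flood.example IN A + (192.0.2.53)
12-Oct-2009 07:46:02.020 client 203.0.113.9#40001: query: www.flood.example IN A + (192.0.2.53)
12-Oct-2009 07:46:02.550 client 203.0.113.10#40002: query: mail.example.net IN MX + (192.0.2.53)
12-Oct-2009 07:46:03.010 client 203.0.113.11#40003: query: www.flood.example IN AAAA + (192.0.2.53)
"""

# Timestamp is kept to whole seconds so the rate window is one second.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d)\.\d+ client "
    r"(?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def flooding_sources(records, max_qps):
    """Sources whose query count in any single second exceeds max_qps."""
    per_second = Counter((r["src"], r["ts"]) for r in records)
    peak = defaultdict(int)
    for (src, _), n in per_second.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > max_qps}

def hot_zones(records, max_share):
    """Zones (last two labels) taking more than max_share of recursive queries ('+' flag)."""
    recursive = [r for r in records if "+" in r["flags"]]
    total = len(recursive)
    zones = Counter(".".join(r["qname"].rstrip(".").split(".")[-2:]) for r in recursive)
    return {z: n / total for z, n in zones.items() if total and n / total > max_share}

if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print(flooding_sources(recs, 3), hot_zones(recs, 0.5))
```

Either result is a candidate for a rate limit or an interface ACL entry in front of the resolver, which is the stateless control the thread prefers over a stateful box.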