I have to agree here, good solid server administration and best practices are far superior to placing hardware in front to do your job for you. (Microsoft, are you listening?) The services running should be the bare minimum, should have their own internal ACLs properly configured (think SSH as an example), and the internal facility such as IPChains or IPF or whatever should be used after the services are squared away. This is an art that seems lost on a lot of administrators. :(

----- Original Message -----
From: "Joe Shen" <sj_h...@yahoo.com.cn>
To: "Brian Johnson" <bjohn...@drtel.com>; "Gert Doering" <g...@greenie.muc.de>
Cc: "Cisco-nsp" <cisco-nsp@puck.nether.net>
Sent: Monday, October 12, 2009 7:46 AM
Subject: Re: [c-nsp] ASA Firewalls placement in the network!


Well, the point of a well-maintained server is that it is *open* to the world - if you want a web server to be visible by the world, then there isn't much you can do, besides "open HTTP to it". And other services should not be running in the first place.

Agree. Focusing server resources on their public service and removing everything unnecessary should be the first consideration, rather than putting in another box.

The worst thing you can do is put a stateful firewall in front of a busy DNS server

Yes. We did suffer from such a solution years ago. At that time, when incoming requests increased, the firewall we used reached its threshold quickly and rejected new ones. Now we just connect the DNS servers to a Cisco 6509 directly; an ACL on the interface protects the servers very well.

On the other hand, tuning DNS server performance is relatively easier than for application servers. But it seems a new technology or method is needed for detecting and controlling abnormal incoming requests.

Months ago, a failure of the primary DNS server for baofeng.com caused ISP cache servers to run out of resources because too many clients resolved that domain recursively.

Joe



_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

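As an added illustration of the interface-ACL approach Joe describes (this is not configuration from the thread or from Joe's network): a Cisco IOS-style extended ACL that takes the place of a stateful firewall in front of a DNS server that both answers queries and resolves recursively. Addresses (192.0.2.53 for the server, 198.51.100.0/24 for the admin network) and the port name are placeholders; the ACL is applied outbound on the switch port the server plugs into, so it filters everything heading toward the server, and each packet is matched against the list in the forwarding hardware with no per-flow state, which is why there is no session threshold to hit.

```cisco
! Constructed example, not from the original thread. Assumptions:
! server = 192.0.2.53, admin network = 198.51.100.0/24, server port = Gi1/1.
ip access-list extended DNS-SERVER-IN
 remark --- client traffic: queries to port 53 over UDP and TCP
 permit udp any host 192.0.2.53 eq domain
 permit tcp any host 192.0.2.53 eq domain
 remark --- return traffic for the server's own recursive lookups:
 remark --- answers arrive FROM port 53 TO an ephemeral port; a stateless
 remark --- ACL has no session table, so this must be permitted explicitly
 permit udp any eq domain host 192.0.2.53 gt 1023
 permit tcp any eq domain host 192.0.2.53 gt 1023 established
 remark --- ICMP errors the resolver needs (path MTU, unreachable, TTL)
 permit icmp any host 192.0.2.53 unreachable
 permit icmp any host 192.0.2.53 time-exceeded
 remark --- management only from the admin network
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.53 eq 22
 remark --- everything else dropped; no "log" keyword on the deny, since
 remark --- logged denies are punted to the CPU and defeat the purpose
 deny ip any any
!
interface GigabitEthernet1/1
 description DNS server
 ip access-group DNS-SERVER-IN out
!
```

The two "return traffic" lines are the part a stateful firewall would have handled for you; leave them out and the server can still answer clients but can no longer recurse.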
