And furthermore, why inject more points of failure for little to no value?

Everything listed in the OP's message that he considers good things about firewalls in front can be done with a properly administered server and good patching habits. Firewalls have their places, but generally not in front of DNS servers or servers in general. (Anything Microsoft could be an exception to this.) As long as you're running a real OS and have decent to good clue, firewalls are extra and offer almost nothing.

Thank you
Scott
----- Original Message ----- From: <sth...@nethelp.no>
To: <joel.sny...@opus1.com>
Cc: <g...@greenie.muc.de>; <cisco-nsp@puck.nether.net>
Sent: Monday, October 12, 2009 12:37 PM
Subject: Re: [c-nsp] cisco-nsp Digest, Vol 83, Issue 39


> If you have a lousy firewall (i.e., one that is doing nothing more than
> keeping a UDP session open), yes, absolutely.  However, good firewalls
> are doing a lot more than that.

Some of us have seen too much damage done by firewalls to DNS, SMTP and
a number of other protocols to really believe in this.

> Now, if you put in a piece-o-crap firewall that is misconfigured, too
> slow, doesn't have a big enough session table, and doesn't do anything
> more than your average reflexive access control list, then you're right
> on: rip that junk out and go bareback.

It would seem that the piece-o-crap firewalls vastly outnumber the good
firewalls. See, for instance, the discussions on various DNS lists
about firewalls and EDNS0.

> But if you do it right, there is value to be provided by a firewall.

In some circumstances, agreed. For DNS servers (whether recursive or
authoritative), absolutely not.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
