> Shore up the application's security first, then start looking beyond it.
Yes, I understand. I happen to be upgrading the firewall now, but also planned
on improving host security as well.
> BIND 8 added a lot of the security stuff we've all been whining about
> for years from version masking to per-network access control to
> configurable logging (thank goodness- having to recompile to switch
> logging sucked.) That feature set should ideally be your first line of
> defense.
Yes, I've configured a few of my other boxes with bind-8, but haven't gotten
around to this particular one yet. I shouldn't have confused things by hinting
that my box was bind-4...
> I'll admit to being slightly confused when you say you want to use your
> firewall to protect your external nameserver. Are you saying the
> nameserver is on the internal network? That's probably a less-than-ideal
Hmm... Sorry for the confusion. I meant I'm rebuilding my external firewall, and
was speaking of my DNS server in the DMZ, between my interior and exterior firewalls.
> topology choice from a security perspective if so. If it's off of a
> third service network that's not so bad, but IMO you'd be doing just as
Well, yes, it's actually a three-NIC box making up my DMZ, then another firewall
protecting my internal network.
> well to add the filtering rules to the DNS machine itself along with the
> application rules. Physical access or encrypted access are the only ways
> I'd let administrators in to the DNS. Core infrastructure should be
> closely guarded. DNS qualifies as core infrastructure.
Yes, I already have strict rules through my internal firewall to the DMZ/DNS
server, as well as ssh-only login access. I was also thinking that it would be
easier to maintain firewall rules on only one firewall, instead of a default
accept rule to that box, when everything else is deny...
Thanks again,
Dave
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
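As an added illustration (not part of the thread above), this is what the BIND feature set the quoted reply refers to looks like in a `named.conf` fragment: version masking, per-network access control via ACLs, and runtime-configurable logging. It uses BIND 8/9 option syntax; the network ranges, file paths and ACL names are assumed placeholders, not values from the thread.

```conf
// Constructed example named.conf fragment for an external (DMZ) nameserver.
// ACLs must be declared before the options block references them.
acl "internal-nets" { 192.0.2.0/24; };          // placeholder: inside networks
acl "secondaries"   { 198.51.100.53; };         // placeholder: your secondary NS

options {
    directory "/var/named";

    // Version masking: do not reveal the server version to remote queriers.
    version "not disclosed";

    // Per-network access control: anyone may query authoritative data,
    // but recursion and zone transfers are limited to known networks.
    allow-query     { any; };
    allow-recursion { "internal-nets"; localhost; };
    allow-transfer  { "secondaries"; };
};

// Configurable logging: security-relevant events go to their own rotated file,
// changeable without recompiling the server.
logging {
    channel "security_log" {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category security { "security_log"; };
    category xfer-in  { "security_log"; };
    category xfer-out { "security_log"; };
};
```

Keeping `allow-recursion` and `allow-transfer` restricted while leaving `allow-query` open matches the "application rules first" point in the thread: the server still answers for the zones it is authoritative for, but it does not act as an open resolver or hand out full zone contents to arbitrary hosts, and the security channel gives you a log to watch for refused transfers and queries.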