I think Micheal has "other" problems; if his FW is REALLY NATing ports,
then it's going to NAT the ports on the FW itself as well anyway...
Also, I don't believe MS wrote DNS from scratch, I think it's a port from
BIND, but what do I know???
As for security, any of the suggestions would be acceptable for him. An
authoritative DNS server doing forwarding isn't going to send zone transfers
anywhere if you configure it correctly.
As for running other things on your firewall, it's just good practice to
let your firewall be just that, a firewall, and nothing else... Sure, it's
"probably" fine to run other stuff on it, but WHY???
And there's nothing wrong with NT if you know what you're doing with it,
nothing wrong with Unix or Linux either for that matter, they all have their
pros and cons, but what fits is always best. Some places don't have the
luxury of being able to choose one over the other either, so that's a
factor. Back to NT, you can tighten it up pretty well, so you more or less
end up with NT's kernel running your firewall and that's it...
-----Original Message-----
From: Bill Stackpole [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 08, 1999 11:53 AM
To: 'Burgess, Jeff'
Subject: RE: Firewall-1 NAT/DNS issue
I'm not sure what you mean by "You shouldn't run anything else on your
firewall." So long as it's secure why not? My firewall runs Tripwire,
TCP/IP wrapper and other applications in addition to FW-1.
Now if you're on an NT box then I might agree, but then again I wouldn't put
a firewall on an NT box. However, Microsoft claims they wrote their DNS
from scratch to avoid the BIND vulnerabilities. Assuming you can run it in
cache only mode, why would this be a problem?
The real question is: Does this solve the issue for Micheal in a secure
manner? I believe the answer is yes but I'd certainly like to know if it's
otherwise.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
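The zone-transfer point raised in the thread above (an authoritative server that also forwards will not hand its zone to anyone if configured correctly) as an added BIND named.conf example. This is not configuration from the original thread or from either poster; the zone name, addresses, file paths and network ranges are assumptions chosen for illustration.

```conf
// Added example, not from the original thread. All names and addresses
// are assumptions. On older BIND releases the default for allow-transfer
// is "any", so an authoritative zone with no allow-transfer statement
// can be pulled in full (AXFR) by any host that reaches port 53/TCP.

options {
    directory "/var/named";              // assumed zone file directory

    // Forward everything we are not authoritative for to an internal
    // or upstream resolver (assumed address), and never chase it ourselves.
    forwarders { 192.0.2.53; };
    forward only;

    // Global default: transfer nothing. Individual zones may override.
    allow-transfer { none; };

    // Only the internal network (assumed range) may use us as a recursive
    // resolver; outside hosts get authoritative answers only.
    allow-recursion { 192.0.2.0/24; };

    // Don't advertise the server version in CHAOS TXT queries.
    version "none";
};

// The authoritative zone (assumed name). Without the allow-transfer line
// below, the global "none" applies; with it, only the listed secondary
// (assumed address) may request a transfer.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { 192.0.2.2; };
};
```

To check the result, run `dig @<server address> example.com axfr` from a host that is not the listed secondary; a correctly restricted server answers with "Transfer failed." rather than the zone contents, while the same query from 192.0.2.2 returns the full zone.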