Can anyone explain this?

I do some work for my brother's company part time (if you can
call 40-80 hours a week part time while working on a doctorate).  
While I'm at Texas A&M, I have to telecommute to install
software, maintain the network, ... .  Yesterday, he had someone
come in and install some new equipment and change the ip addresses
to a new C block.

So far so good.

First, the guy couldn't find the dns on the dns server.  So he
decided it wasn't there and added another.  Now, there are two
dns servers running.  The original is an NT port of bind.  The
new one is Microsoft's dns server.  Now, it seems that if I connect
to the dns server and do a ls -d example.com (for reasons that
are obvious later, I don't want to mention the actual domain
name), I get the new ip addresses.  But if I look up specific
hosts, including those that the installer did not transfer to the new
dns server, I get the old ip addresses!  So it certainly appears
that both dns servers are running.  I suspected that this
was going to happen and specifically looked for it since I figured
that if someone can't find the dns software that has been running
fine for quite a while without any problems and then installs
another dns server, he is not likely to shut down the original
dns server.

But that really doesn't matter.  They apparently didn't wait
for a confirmation message before shutting it down and switching
everything over.  So the confirmation message they need to respond
to is probably undeliverable and no longer exists.  As a result,
the records identify the old dns ip address, not the new one.  I'm
not sure how long this will take to fix.  My brother is under the
impression that he can just call them up on the telephone and they'll
do it for him while he waits.

I had the system set up using the router as a first level of
protection and an internal firewall to protect the internal
network.  Between them are the e-mail, dns, and web servers.
Even a 5 hour denial of service attack on December 26/27 
(something like 10 pm to 3 am) didn't cause many problems 
because the router refused to pass the packets through.  But 
the installer pronounced it very insecure (offering no protection
at all), removed the access lists when reconfiguring the router, 
and then announced that now it is secure.  (It should be obvious 
why I didn't mention the domain names and ip addresses now.)  This
"expert" said that no one uses access lists on routers!

Also, I run my own smtp server for my own use with a fixed address
on that domain running pptp.  They deinstalled RAS (they said
it was very, very insecure!) so now I can't do that.  I had to 
resubscribe to every mailing list with my tamu.edu address.

In spite of the fact that they proclaimed RAS as too insecure
to reside on a web server (where I need it for the work I do)
and removed it, they decided that RAS is secure enough to
install on the firewall where a breach could expose the entire
internal network!  So during spring break, they want me to drive
up and install RAS on the firewall.  It is not very often that I
need or want access to the internal network.

Thus, they told me not to change anything on the web servers,
the mail server, and the dns server and they have removed any 
possibility that I can fix any problems without driving 600 
miles each direction.  And, since the guy that did the installation
now has a contract to maintain the equipment, even if I drive up
there, there's not much that I can do.

Some of the things I did were to disallow all incoming traffic that
we didn't need.  For example, all port 137, 138, and 139 access
was blocked at the router.  (The company is also an ISP and has
dialup lines between the router and the firewall.)  All incoming
connections to the firewall were completely disallowed -- the
only incoming traffic allowed was established connections.  And all
nonroutable addresses and obviously fake packets were dropped.  Of
course, now there are no restrictions on the traffic at all.

On the other hand, since I now don't have to worry about making 
sure the system is running smoothly without anyone breaking in, 
and since I can't install or support any web software I write,
I can spend more time on robotics and get my doctorate quicker.

So my questions are:

 1) So how frequent is it to use access lists on routers
    as a first level of security?  My impression is that it is
    not uncommon.  The only problem with access lists that I
    know of is that they slow everything down a bit.  But I
    considered that preferable to leaving it wide open.  (An
    outer firewall was not an option.)

 2) Why would anyone think that Microsoft's RAS is too insecure
    to run on a web server but not too insecure to run on the
    firewall to the internal network?

 3) Why would using access lists on a firewall be "less secure"
    than not running access lists?  For that matter, why would
    anyone not use access lists on the router itself to keep
    everyone in the world from connecting to it?

 4) Why would anyone allow finger to run on a router unless access
    was sharply limited?

 5) Am I correct in my guess that two dns servers are running?
    Is it possible for one dns server to handle one kind of
    query and another dns server to handle another?

 6) Any suggestions on how to handle this?  Should I just not worry
    about it and wait until it all blows up?  (I'm 46, that brother 
    is 58 or so and when he decides not to listen, there is little 
    or no way to do anything about it.)

Eric Johnson
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
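An added illustration, not part of Eric's post: a small Python model of the inbound router policy he describes (NetBIOS ports 137-139 blocked, nonroutable and spoofed sources dropped, only established traffic allowed to the firewall, new connections only to the public mail/dns/web hosts). The 192.0.2.0/24 addresses and host roles are constructed assumptions, not the company's real ones.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical "new C block" (TEST-NET-1); constructed, not the real addresses from the post.
OUR_NET = ipaddress.ip_network("192.0.2.0/24")
FIREWALL = "192.0.2.1"
# Public servers that sit between the router and the firewall: host -> {(proto, port), ...}
PUBLIC_SERVICES = {
    "192.0.2.10": {("tcp", 25)},                  # smtp
    "192.0.2.11": {("udp", 53), ("tcp", 53)},     # dns
    "192.0.2.12": {("tcp", 80), ("tcp", 443)},    # web
}
NETBIOS_PORTS = {137, 138, 139}
# Nonroutable source space that can never legitimately arrive on the outside interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    syn: bool = False   # TCP flags; ignored for udp
    ack: bool = False

def inbound_decision(pkt: Packet) -> tuple[str, str]:
    """Evaluate a packet arriving on the router's outside interface. Returns (action, reason)."""
    src = ipaddress.ip_address(pkt.src)
    # 1. Anti-spoofing: nothing from outside may claim one of our own or a private address.
    if src in OUR_NET:
        return "drop", "spoofed source: claims to be inside our block"
    if any(src in net for net in BOGON_NETS):
        return "drop", "nonroutable source address"
    # 2. NetBIOS (137-139) never crosses the router, whatever the destination.
    if pkt.dport in NETBIOS_PORTS:
        return "drop", "netbios port blocked"
    # 3. 'established': ACK set without SYN is a reply to a connection we opened.
    if pkt.proto == "tcp" and pkt.ack and not pkt.syn:
        return "permit", "established connection"
    # 4. New connections only to published services; none at all to the firewall itself.
    if pkt.dst == FIREWALL:
        return "drop", "no inbound connections to the firewall"
    if (pkt.proto, pkt.dport) in PUBLIC_SERVICES.get(pkt.dst, set()):
        return "permit", "published service"
    # 5. Everything else is denied.
    return "drop", "default deny"
```

Rule order matters: the NetBIOS and anti-spoofing checks sit before the "established" rule, so an ACK-only packet aimed at port 139 or carrying a private source address is still dropped.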