Eric wrote:

> Can anyone explain this?
>
> I do some work for my brother's company part time (if you can
> call 40-80 hours a week part time while working on a doctorate).
> While I'm at Texas A&M, I have to telecommute to install
> software, maintain the network, ... . Yesterday, he had someone
> come in and install some new equipment and change the ip addresses
> to a new C block.
>
> So far so good.
>
> First, the guy couldn't find the dns on the dns server. So he
> decided it wasn't there and added another. Now, there are two
> dns servers running. The original is an NT port of bind. The
> new one is Microsoft's dns server. Now, it seems that if I connect
> to the dns server and do a ls -d example.com (for reasons that
> are obvious later, I don't want to mention the actual domain
> name), I get the new ip addresses. But if I look up specific
> hosts, including those that the installer did not transfer to the new
> dns server, I get the old ip addresses! So it certainly appears
> that both dns servers are running. I suspected that this
> was going to happen and specifically looked for it since I figured
> that if someone can't find the dns software that has been running
> fine for quite a while without any problems and then installs
> another dns server, he is not likely to shut down the original
> dns server.
>
> But that really doesn't matter. They apparently didn't wait
> for a confirmation message before shutting it down and switching
> everything over. So the confirmation message they need to respond
> to is probably undeliverable and no longer exists. As a result,
> the records identify the old dns ip address, not the new one. I'm
> not sure how long this will take to fix. My brother is under the
> impression that he can just call them up on the telephone and they'll
> do it for him while he waits.
>
> I had the system set up using the router as a first level of
> protection and an internal firewall to protect the internal
> network. Between them are the e-mail, dns, and web servers.
> Even a 5 hour denial of service attack on December 26/27
> (something like 10 pm to 3 am) didn't cause many problems
> because the router refused to pass the packets through. But
> the installer pronounced it very insecure (offering no protection
> at all), removed the access lists when reconfiguring the router,
> and then announced that now it is secure. (It should be obvious
> why I didn't mention the domain names and ip addresses now.) This
> "expert" said that no one uses access lists on routers!
>
> Also, I run my own smtp server for my own use with a fixed address
> on that domain running pptp. They deinstalled RAS (they said
> it was very, very insecure!) so now I can't do that. I had to
> resubscribe to every mailing list with my tamu.edu address.
>
> In spite of the fact that they proclaimed RAS as too insecure
> to reside on a web server (where I need it for the work I do)
> and removed it, they decided that RAS is secure enough to
> install on the firewall where a breach could expose the entire
> internal network! So during spring break, they want me to drive
> up and install RAS on the firewall. It is not very often that I
> need or want access to the internal network.
>
> Thus, they told me not to change anything on the web servers,
> the mail server, and the dns server and they have removed any
> possibility that I can fix any problems without driving 600
> miles each direction. And, since the guy that did the installation
> now has a contract to maintain the equipment, even if I drive up
> there, there's not much that I can do.
>
> Some of the things I did were to disallow all incoming traffic that
> we didn't need. For example, all port 137, 138, and 139 access
> was blocked at the router. (The company is also an ISP and has
> dialup lines between the router and the firewall.) All incoming
> connections to the firewall were completely disallowed -- the
> only incoming traffic allowed was established connections. And all
> nonroutable addresses and obviously fake packets were dropped. Of
> course, now there are no restrictions on the traffic at all.
>
> On the other hand, since I now don't have to worry about making
> sure the system is running smoothly without anyone breaking in,
> and since I can't install or support any web software I write,
> I can spend more time on robotics and get my doctorate quicker.
>
> So my questions are:
>
> 1) So how frequent is it to use access lists on routers
> as a first level of security? My impression is that it is
> not uncommon. The only problem with access lists that I
> know of is that they slow everything down a bit. But I
> considered that preferable to leaving it wide open. (An
> outer firewall was not an option.)

Very common. It's the easiest and generally the first line of defence
people use. Though alone they can be circumvented. Have a look at
"firewalk" for more information.

http://packetstorm.securify.com/UNIX/audit/firewalk/

If it's the border to the DMZ then make sure the servers in the DMZ are
hardened. Basic filters can't protect you against content based attacks.

> 2) Why would anyone think that Microsoft's RAS is too insecure
> to run on a web server but not too insecure to run on the
> firewall to the internal network?

RAS should really be on its own server. If that's not possible then it
should be on a box with as few (i.e. NO) services exposed to the net.
It's just a case of best practice. In this case they seem to have chosen
a box that only has ports open to the inside (i.e. the RAS service is not
outwardly exposed). I would always avoid running services of any kind on
a firewall. It should trust no-one and be trusted by no-one.

> 3) Why would using access lists on a firewall be "less secure"
> than not running access lists? For that matter, why would
> anyone not use access lists on the router itself to keep
> everyone in the world from connecting to it?

Absolutely no reason at all, these guys sound a bit stupid. If you have a
drawbridge then use it!

> 4) Why would anyone allow finger to run on a router unless access
> was sharply limited?

In the good old innocent days it was a useful service. These days it's
asking for trouble.

> 5) Am I correct in my guess that two dns servers are running?
> Is it possible for one dns server to handle one kind of
> query and another dns server to handle another?

No idea, but given their approach to filters you might want to revert to
what you trust.

> 6) Any suggestions on how to handle this? Should I just not worry
> about it and wait until it all blows up? (I'm 46, that brother
> is 58 or so and when he decides not to listen, there is little
> or no way to do anything about it.)

If he's your brother then maybe he won't sue you for breaking in and
leaving a Post-It ... On the inside of his screen!

> Eric Johnson
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

Tom
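The router filter Eric describes (drop nonroutable and spoofed source addresses, block ports 137-139, let only established connections reach the firewall, expose just the published services in between) can be modelled as a first-match access list. The following is an added illustration written for this thread, not code from either poster: it evaluates inbound packets against such a list and also shows the limitation Tom's "firewalk" pointer and his advice to harden the DMZ hosts refer to. The addresses are constructed: 192.0.2.0/24 stands in for the company's new C block, 192.0.2.1 for the firewall's outside address, 203.0.113.5 for an Internet host; the rule order and published-port set are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (documentation ranges, hypothetical):
# the site's block and the outside address of the internal firewall.
SITE_NET = ipaddress.ip_network("192.0.2.0/24")
FIREWALL = ipaddress.ip_address("192.0.2.1")

# Source addresses that must never arrive on the Internet-facing interface:
# RFC 1918 space, loopback, link-local, and the site's own block (a packet
# claiming to be from inside while arriving from outside is an "obviously
# fake packet" in Eric's terms).
BOGON_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    SITE_NET,
]

NETBIOS_PORTS = {137, 138, 139}

# Services the hosts between router and firewall publish (assumed set):
# SMTP, DNS over TCP and UDP, HTTP.
PUBLISHED = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    ack: bool = False   # TCP ACK flag; ignored for udp


def inbound_acl(pkt):
    """Evaluate one inbound packet against the router filter.

    Returns (verdict, rule) so the matching rule is visible. Order is that
    of a first-match access list: deny rules, then the established-TCP
    permit, then published services, then the implicit deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if any(src in net for net in BOGON_SOURCES):
        return ("deny", "bogon-source")
    if pkt.dport in NETBIOS_PORTS:
        return ("deny", "netbios")
    # A router's "established" match is stateless: it accepts any TCP
    # segment with ACK (or RST) set, on the assumption that it is a reply
    # to a connection opened from inside. That is exactly why a bare
    # access list can be probed through and why the hosts behind it,
    # including the firewall, must keep their own stateful filtering.
    if pkt.proto == "tcp" and pkt.ack:
        return ("permit", "established")
    # New connections: nothing to the firewall itself, published services only
    # to the servers in between.
    if dst != FIREWALL and (pkt.proto, pkt.dport) in PUBLISHED:
        return ("permit", "published-service")
    return ("deny", "default")


# Constructed sample traffic as it would arrive on the outside interface.
SAMPLE_INBOUND = [
    Packet("203.0.113.5", "192.0.2.10", "tcp", 25),              # mail to DMZ SMTP
    Packet("203.0.113.5", "192.0.2.10", "udp", 139),             # NetBIOS probe
    Packet("192.168.1.7", "192.0.2.10", "tcp", 80),              # private source from outside
    Packet("192.0.2.77", "192.0.2.1", "tcp", 22),                # spoofed own-block source
    Packet("203.0.113.5", "192.0.2.1", "tcp", 23),               # new connection to firewall
    Packet("203.0.113.5", "192.0.2.1", "tcp", 40000, ack=True),  # reply to firewall's own session
]


def evaluate(packets=SAMPLE_INBOUND):
    """Return the (verdict, rule) pair for each packet in order."""
    return [inbound_acl(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, rule) in zip(SAMPLE_INBOUND, evaluate()):
        print(f"{verdict:6} {rule:18} {pkt.proto}/{pkt.dport:<5} {pkt.src} -> {pkt.dst}")
```

The last sample packet is the important one for Tom's caveat: the list permits it because of the ACK flag alone, so whether it is genuinely a reply is decided by the firewall's own state table, not by the router. The router list still earns its place as the drawbridge (it is what kept the December denial of service outside), but it is a coarse pre-filter in front of hardened hosts, not a substitute for them.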
