While I do agree that putting things on the firewall is not a cool idea,
I still believe that "the right" way is:
- analyze your needs
- analyze the security consequences of all configurations
and then if the config you choose is ok, there is no problem.
In oher words, I am against any religious-like arguments for how to configure
a firewall and other stuff.
It is reasonable to have an anonymous ftp server, a mail server, a bind daemon,
... on the firewall, if the stuff is well configured. The important thing
is to watch
the basket, not what to put in the basket.
That said, it is generally simpler to install the ervers inside the network
or in the DMZ,
as this "decomposes" the problem of security mgmt into two easier ones.
However,
there is no point in setting up an internal anonymous ftp server, opening
the necessary
holes in the firewall, and waiting for the attacker to wash his hands and
come over...
regards,
mouss
At 13:00 26/07/00 -0500, Ron DuFresne wrote:
>never on the firewall, leave it outside and harden the host.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
