At 10:52 07/05/01 -0400, Carl E. Mankinen wrote:
>You would recommend running DNS daemon on the firewall?
yes
>That sounds pretty scary to me. Lots of reasons why I would not do this:
I understand that. I myself have heard many of them...
>Firewall should be locked down as much as humanly possible and all
>unnecessary system files quarantined. It should be as close to an
>appliance as you can get it without preventing FW1 from running, this is
>not very conducive to running other services. If you agree
>to running DNS on your fw, why not other services like SMTP, FTP, HTTP,
>etc etc?
Not the same thing. I consider DNS as a proxy. It has bugs, but proxies also have bugs. And IP filters do have bugs.
(Why do you speak of FW1? I guess this is a typo...) So, all the stuff running there may have bugs, and experience has shown that it indeed contains bugs (at every level: kernel, daemons, scripts, programs, files...).
>What happens in the case of one of those services being compromised or a
>system failure (electrical/mechanical etc) ? Do you end up
>rebuilding your firewall or causing an outage for all those services
>while you fix it? Putting your eggs in one basket is a sure
>way to end up with no breakfast.
What happens when your FW is compromised? Do you end up [same as you said]?
I know of nobody who protects his internal hosts from the FW (the internal one if he has many). So when this is compromised, the whole network is compromised. Sure, those in the military area have a different way of doing things, but that costs a lot, if it is possible at all.
>I think I would prefer using a separate bastion host as DNS server myself.
Which DNS server? I like configuring the FW as the primary for the few public addresses that I need to rely on and change whenever I want (mostly the FW external IP). All the rest is either inside (if only needed inside), or at the ISP or someone else's. But not the FW IP, nor that of any external IP that I need to rely on.
Let's take an example:
- I set up a tunnel with 3DES between my network and that of some subsidiary out there, for SMTP traffic. So I configure my tunnel using the remote IP address.
- My sendmail needs to get the MX for that domain, so it checks the DNS somewhere. It then forwards the mail to the MX.
- If the MX happens to be different from the one I configured in my tunnel, I'm just out of luck.
So I need to make sure that the MX is correct, and I can only do that seriously if _I_ manage the DNS, and if the DNS server is secure. In other words, if the DNS server gets broken, then it's already too bad!
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
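The MX-versus-tunnel mismatch mouss describes above can be checked mechanically before relaying: resolve the domain's MX hosts in the order the MTA would try them and compare each address against the tunnel's configured peer set. The following is an added example, not code from the original post or from any of the participants. It assumes a hypothetical tunnel keyed only by remote peer IP, an MTA that tries MX hosts in ascending preference order (as sendmail does), and two constructed zone snapshots: one as the DNS looked when the tunnel was set up, and one after the primary MX was repointed (whether by the ISP, an admin, or someone who broke the DNS server). It also handles the implicit-MX fallback (no MX record, so the domain's own address is used) and MX hosts with no address.

```python
"""Check whether SMTP delivery for a domain stays inside an IP-keyed tunnel.

Added example, not code from the original post. Assumptions (hypothetical):
the tunnel is configured only by remote peer IP, and the MTA tries MX hosts
in ascending preference order, as sendmail does. All DNS data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MX:
    preference: int
    exchange: str


# Constructed sample data: the zone as it looked when the tunnel was set up.
ZONE_AS_CONFIGURED = {
    "MX": {
        "subsidiary.example.": [
            MX(20, "backup-mx.isp.example."),
            MX(10, "mail1.subsidiary.example."),
        ],
    },
    "A": {
        "mail1.subsidiary.example.": ["192.0.2.10"],
        "backup-mx.isp.example.": ["198.51.100.5"],
    },
}

# Constructed sample data: the same zone after someone (ISP, admin, or an
# attacker who broke the DNS server) repointed the primary MX.
ZONE_AFTER_CHANGE = {
    "MX": {
        "subsidiary.example.": [MX(10, "mx.elsewhere.example.")],
    },
    "A": {
        "mx.elsewhere.example.": ["203.0.113.7"],
    },
}

# Remote peer(s) the tunnel was configured with (hypothetical).
TUNNEL_PEERS = {"192.0.2.10"}


def lookup_mx(zone, domain):
    """MX records for domain in the order an MTA would try them; with no MX
    record at all, fall back to the domain's own address (implicit MX)."""
    records = zone.get("MX", {}).get(domain)
    if records:
        return sorted(records, key=lambda r: (r.preference, r.exchange))
    if zone.get("A", {}).get(domain):
        return [MX(0, domain)]
    return []


def resolve_a(zone, name):
    """Addresses for a host name in the constructed zone (empty if none)."""
    return list(zone.get("A", {}).get(name, []))


def delivery_targets(zone, domain):
    """(preference, exchange, ip) tuples in delivery order. An MX host
    with no address is skipped, since the MTA would move to the next."""
    targets = []
    for mx in lookup_mx(zone, domain):
        for ip in resolve_a(zone, mx.exchange):
            targets.append((mx.preference, mx.exchange, ip))
    return targets


def check_tunnel_coverage(zone, domain, tunnel_peers):
    """Report whether delivery for domain would go through the tunnel."""
    targets = delivery_targets(zone, domain)
    off_tunnel = [t for t in targets if t[2] not in tunnel_peers]
    return {
        "no_targets": not targets,
        "primary_in_tunnel": bool(targets) and targets[0][2] in tunnel_peers,
        # Any of these would carry the mail outside the tunnel, in the clear.
        "off_tunnel": off_tunnel,
    }


if __name__ == "__main__":
    for label, zone in (("as configured", ZONE_AS_CONFIGURED),
                        ("after change", ZONE_AFTER_CHANGE)):
        report = check_tunnel_coverage(zone, "subsidiary.example.", TUNNEL_PEERS)
        print(label, report)
```

Note that even the "as configured" zone is only partly covered: the backup MX at the ISP is outside the tunnel, so any outage of the primary would push mail into the clear. A check like this only has value if the zone it reads is the one you control, which is exactly mouss's argument about who should manage the DNS for addresses the tunnel depends on.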