I agree with your sentiment "why single out DNS": I don't believe you
should run any other daemons either, SMTP, POP3, etc. But DNS has proven very
easy to compromise in the past, so why take the risk? Your firewall
should be a black box solution and not connectable from anywhere other than
strictly authorised sources.
Just my two pence worth.
----- Original Message -----
From: "Christine Tran" <[EMAIL PROTECTED]>
To: "Firewall-1" <[EMAIL PROTECTED]>
Sent: Friday, August 18, 2000 7:51 PM
Subject: [FW1] DNS on fw [WAS Best Practices for managing a firewalls]
>
>
> I'm going to go out on a limb & defend/amend #4. It should read "Do not
> run any other service on the firewall device." Why single out DNS? I can
> tell you that if you run BIND 8.2.2p5, deny version probes, recursion no,
> fetch glue no, allow-transfer {none;}, you are no worse than you are w/o
> DNS. Lance will disagree with me, :) Well-patched, DNS is no more dangerous
> than any other services. If you choose to combine services w/ your fw, you
> expose yourself to resource depletion & service associated holes, so don't do
> this, but don't hang the rap on DNS.
>
> Let's qualify this, I'm talking about your external DNS server, not your
> corporate internal DNS server. One can also make the case that if
> you limit your external zone size & only answer authoritatively, you don't
> consume much mem, & you can get away with it. But we won't go there.
>
> CT
>
>
> "Ivan Fox" <[EMAIL PROTECTED]> wrote:
> >Date: Fri, 18 Aug 2000 10:04:06 -0400
> >
> >I did a search on the subject using yahoo and hotbot, there were only 3
> >entries pertaining to it hosted by securityportal.com.
> >
> >I need to compile a list of best practices for managing firewalls for
> >internal use. I will send the compiled list to whoever contributed their
> >idea/suggestions/comments.
> >
> >The following is what I have at the moment for Check Point:
> >
> >1) The OS of choice for Check Point is Solaris for performance and less
> >vulnerability
> >2) If NT is used, it should be hardened. Guidelines can be found on
> >www.phoneboy.com or www.deathstar.ch.
> >3) Regardless of OS, apply the current patches.
> >4) Do not run DNS on the firewall device. If it is absolutely necessary,
> >run it as a secondary DNS.
> >5) Do not run an anti-virus program on the firewall device.
> >6) Deploy Fail-over/High Availability
> >7) Changes to firewall rules must be approved by the info-security team, if
> >any. It should not be the same one in the same team/department.
> >8) If the service (port) requested is not a "standard" one, check whether it is a
> >trojan port on Simovits' http://www.simovits.com/nyheter9902.html site.
> >
> >Thanks,
> >
> >Ivan
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
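The BIND hardening Christine Tran lists (deny version probes, recursion no, fetch-glue no, allow-transfer { none; }) can be checked mechanically before a named.conf goes onto a box. The following audit script is an added example, not something from this thread or from Check Point; the two named.conf samples are constructed here, use BIND 8-style syntax, and assume the settings live in the top-level options block (fetch-glue is a BIND 8 option that BIND 9 no longer accepts).

```python
import re

# Constructed sample: a BIND 8-style named.conf carrying the four settings
# named in the thread for an authoritative-only external server.
HARDENED_CONF = """
options {
    directory "/var/named";
    version "none";            // answer version.bind probes with a dummy string
    recursion no;              // only answer for zones we are authoritative for
    fetch-glue no;             // BIND 8 only; obsolete in BIND 9
    allow-transfer { none; };  // refuse zone transfers to everyone
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# Constructed sample of a default-ish config that misses all four settings.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
};
"""

def options_block(conf):
    """Return the body of the top-level options { ... } block, or '' if absent."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)  # drop comments
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):          # walk braces to the matching close
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    return ""                                  # unbalanced braces: treat as absent

def audit(conf):
    """Return the names of the thread's hardening settings that are missing."""
    body = options_block(conf)
    checks = {
        "version string overridden": r'\bversion\s+"[^"]*"\s*;',
        "recursion no": r"\brecursion\s+no\s*;",
        "fetch-glue no": r"\bfetch-glue\s+no\s*;",
        "allow-transfer { none; }": r"\ballow-transfer\s*\{\s*none\s*;\s*\}\s*;",
    }
    return [name for name, pat in checks.items() if not re.search(pat, body)]
```

Running `audit(WEAK_CONF)` lists all four missing settings, while the hardened sample returns an empty list.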