[c-nsp] cisco-nsp Digest, Vol 83, Issue 39

Scott Granados gsgranados at comcast.net
Mon Oct 12 15:57:32 EDT 2009


And furthermore, why inject more points of failure for little to no value?

Everything listed in the OP's message that he considers good things about 
firewalls in front can be done with a properly administered server and good 
patching habits. Firewalls have their places, but generally not in front 
of DNS servers or servers in general. (Anything Microsoft could be an 
exception to this.) As long as you're running a real OS and have decent to 
good clue, firewalls are extra and offer almost nothing.

Thank you
Scott



----- Original Message ----- 
From: <sthaug at nethelp.no>
To: <Joel.Snyder at Opus1.COM>
Cc: <gert at greenie.muc.de>; <cisco-nsp at puck.nether.net>
Sent: Monday, October 12, 2009 12:37 PM
Subject: Re: [c-nsp] cisco-nsp Digest, Vol 83, Issue 39


>> If you have a lousy firewall (i.e., one that is doing nothing more than
>> keeping a UDP session open), yes, absolutely.  However, good firewalls
>> are doing a lot more than that.
>
> Some of us have seen too much damage done by firewalls to DNS, SMTP and
> a number of other protocols to really believe in this.
>
>> Now, if you put in a piece-o-crap firewall that is misconfigured, too
>> slow, doesn't have a big enough session table, and doesn't do anything
>> more than your average reflexive access control list, then you're right
>> on: rip that junk out and go bareback.
>
> It would seem that the piece-o-crap firewalls vastly outnumber the good
> firewalls. See, for instance, the discussions on various DNS lists
> about firewalls and EDNS0.
>
>> But if you do it right, there is value to be provided by a firewall.
>
> In some circumstances, agreed. For DNS servers (whether recursive or
> authoritative), absolutely not.
>
> Steinar Haug, Nethelp consulting, sthaug at nethelp.no
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/ 
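The EDNS0 breakage Steinar refers to is easy to check for from the client side. The script below is an added example, not code from the thread or from any of its participants: it builds a raw DNS query carrying an EDNS0 OPT record (no third-party DNS library), then inspects the reply for the symptoms that a firewall or other middlebox in the path typically produces: the OPT record silently stripped from the answer, FORMERR returned instead of an answer, or a truncated (TC) reply because the large UDP datagram was dropped. A missing reply altogether (timeout) is the other classic symptom, and probe() reports that as None. The replies used offline are constructed in the file; the name example.com, the address 192.0.2.1 and the server argument to probe() are placeholders.

```python
"""Added example: detect EDNS0 mangling between a client and a DNS server."""
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns0_query(name, qtype=TYPE_A, udp_payload=4096, txid=0x1234):
    """Query with RD set and one OPT pseudo-RR advertising udp_payload bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # qd=1, ar=1 (the OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT: root name, TYPE=41, CLASS=UDP payload size, TTL=ext rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def assess_response(query, reply):
    """Summarise the EDNS0-relevant facts of reply, a wire-format answer to query."""
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    result = {"txid_match": rid == qid, "tc": bool(flags & 0x0200),
              "rcode": flags & 0x000F, "opt_present": False, "advertised_size": None}
    off = 12
    for _ in range(qd):
        off = skip_name(reply, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            result["opt_present"] = True
            result["advertised_size"] = rclass   # the CLASS field carries the buffer size
    return result


def classify(result):
    """Map the summary to the symptom a practitioner would name."""
    if not result["txid_match"]:
        return "txid-mismatch"
    if result["rcode"] == 1:
        return "formerr"        # server or middlebox rejects the OPT record outright
    if result["tc"]:
        return "truncated"      # answer did not fit; TCP fallback follows, which may also be blocked
    if not result["opt_present"]:
        return "edns-stripped"  # we sent OPT, the reply carries none
    return "ok"


def build_sample_reply(query, with_opt=True, tc=False, rcode=0):
    """Constructed reply for the offline run: one A record (192.0.2.1), optional OPT."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0) | rcode    # QR, RD, RA, plus TC/rcode as requested
    question = query[12:skip_name(query, 12) + 4]
    answer = b""
    if rcode == 0:   # name pointer to offset 12 (the question name), TTL 300, 4-byte RDATA
        answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0) if with_opt else b""
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer else 0, 0, 1 if with_opt else 0)
    return header + question + answer + opt


def probe(server, name="example.com", timeout=3.0):
    """Send the EDNS0 query over UDP; None means no reply within timeout."""
    q = build_edns0_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return classify(assess_response(q, reply))


if __name__ == "__main__":
    import sys
    q = build_edns0_query("example.com")
    for label, r in [("intact", build_sample_reply(q)),
                     ("stripped", build_sample_reply(q, with_opt=False)),
                     ("formerr", build_sample_reply(q, with_opt=False, rcode=1)),
                     ("tc", build_sample_reply(q, tc=True))]:
        print(label, classify(assess_response(q, r)))
    if len(sys.argv) > 1:                    # optional: probe a real server by IP
        print(sys.argv[1], probe(sys.argv[1]))
```

Run it with no arguments to see the four constructed cases classified; pass a server IP to send the same 4096-byte-buffer query across your firewall. An "edns-stripped" or "formerr" result from a server that answers EDNS0 correctly when queried from inside the firewall is the middlebox damage the thread is arguing about; a None from outside but a reply from inside points at large UDP datagrams or the OPT record being dropped in transit.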


