[c-nsp] Best practice to put a DNS server at same lan segment as
main internet gateway
bmanning at vacation.karoshi.com
Tue Jun 21 14:21:52 EDT 2005
On Tue, Jun 21, 2005 at 09:15:55AM +0200, Kim Onnel wrote:
> Hi,
>
> I must put 2 servers at the same LAN segment where the internet gateway is,
> i have a 506 PIX and the servers are supposed to be tight, but still i feel
> that its dangerous to do that.
>
> if i understand correctly, i will give the DNS server a private IP and let
> it PAT through the PIX to the DNS ports, for added security, i've placed it
> on a different switch.
>
> Any suggestions ideas, is there recommended configurations on PIX in this
> case ?
>
> Regards
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
don't use the PIX.. you have described a complex, error prone
configuration. take the DNS server platform and ensure that
it only runs the basic set of services... for many folks
this consists of :
DNS - port 53 udp/tcp
NTP - port 123 udp/tcp
SSH - port 22 udp/tcp
no HTTP, netbios, snmp, smtp, or pretty much anything else.
if you are physically in front of the box and it has a console,
you can turn off SSH.
ymmv of course.
--bill
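The service-minimisation advice above, turned into a check (an added example, not code from the thread): it compares the ports a host is actually listening on against the DNS/NTP/SSH list Bill gives, exactly as posted, and reports anything else. The sample `ss -lntu` lines are constructed; the live run assumes a Linux host with iproute2's `ss`.

```python
import subprocess

# Allowlist exactly as in the reply: DNS, NTP and SSH, udp and tcp.
BASELINE = {("udp", 53), ("tcp", 53),
            ("udp", 123), ("tcp", 123),
            ("udp", 22), ("tcp", 22)}


def parse_ss(output):
    """Parse header-less `ss -H -l -n -t -u` output into (proto, port) pairs."""
    listening = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # local looks like 0.0.0.0:53, [::]:22 or *:123; port follows the last colon
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            listening.add((proto, int(port)))
    return listening


def unexpected_services(output, allow_ssh=True):
    """Return sorted (proto, port) pairs that are listening but not on the allowlist.
    allow_ssh=False models the console-only box where SSH is turned off too."""
    allowed = set(BASELINE)
    if not allow_ssh:
        allowed -= {("udp", 22), ("tcp", 22)}
    return sorted(parse_ss(output) - allowed)


def audit_live_host(allow_ssh=True):
    """Run ss on this host and audit it (requires Linux with iproute2)."""
    out = subprocess.run(["ss", "-H", "-l", "-n", "-t", "-u"],
                         capture_output=True, text=True, check=True).stdout
    return unexpected_services(out, allow_ssh)


# Constructed sample output: a DNS box that also exposes HTTP, SNMP and a local MTA.
SAMPLE = """\
udp UNCONN 0 0   0.0.0.0:53  0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:53  0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:123 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22  0.0.0.0:*
tcp LISTEN 0 128 [::]:80     [::]:*
udp UNCONN 0 0   0.0.0.0:161 0.0.0.0:*
tcp LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, port in unexpected_services(SAMPLE):
        print(f"unexpected listener: {port}/{proto}")
```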