[c-nsp] ASA Firewalls placement in the network!

Scott Granados gsgranados at comcast.net
Mon Oct 12 12:00:33 EDT 2009


I have to agree here; good solid server administration and best practices 
are far superior to placing hardware in front to do your job for you. 
(Microsoft, are you listening?) The services running should be the bare 
minimum, should have their own internal ACLs properly configured (think SSH 
as an example), and the internal facility such as IPChains or IPF, whatever, 
should be used after the services are squared away.  This is an art that 
seems lost on a lot of administrators. :(


----- Original Message ----- 
From: "Joe Shen" <sj_hznm at yahoo.com.cn>
To: "Brian Johnson" <bjohnson at drtel.com>; "Gert Doering" 
<gert at greenie.muc.de>
Cc: "Cisco-nsp" <cisco-nsp at puck.nether.net>
Sent: Monday, October 12, 2009 7:46 AM
Subject: Re: [c-nsp] ASA Firewalls placement in the network!


>> Well, the point of a well-maintained server is that it is *open* to
>> the world - if you want a web server to be visible by the world, then
>> there isn't much you can do, besides "open HTTP to it". And other
>> services should not be running in the first place.
>
> Agree.  Focusing server resources on their public service and removing 
> everything unnecessary should be the first consideration, rather than 
> putting in another box.
>
>> The worst thing you can do is put a stateful firewall in front of a
>> busy DNS server
>
> Yes. We did suffer from such a solution years ago. At that time, when
> incoming requests increased, the firewall we used reached its threshold 
> quickly and rejected new ones. Now we just connect the DNS servers to a 
> Cisco 6509 directly; an ACL on the interface protects the server very well.
>
> On the other hand, tuning DNS server performance is relatively easier 
> than tuning application servers. But it seems there is a need for new 
> technology or methods for detecting and controlling abnormal incoming 
> requests.
>
> Months ago, the failure of the primary DNS server for baofeng.com caused 
> an ISP cache server to run out of resources because too many clients 
> resolved that domain recursively.
>
> Joe
>
>
>
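An added example (not from either poster) of the design Joe describes: a stateless interface ACL on a Catalyst 6500-class router protecting an authoritative DNS server, applied outbound on the server-facing SVI so it only filters traffic headed to that segment. Server address, management network and interface names are hypothetical.

```text
! Hypothetical addresses: DNS server 192.0.2.53, admin network 198.51.100.0/24
ip access-list extended DNS-SERVER-IN
 ! Authoritative service: queries from anywhere, UDP and TCP 53
 permit udp any host 192.0.2.53 eq 53
 permit tcp any host 192.0.2.53 eq 53
 ! ICMP needed for path MTU discovery and basic reachability checks
 permit icmp any host 192.0.2.53 packet-too-big
 permit icmp any host 192.0.2.53 echo
 ! Management only from the admin network
 permit tcp 198.51.100.0 0.0.0.255 host 192.0.2.53 eq 22
 ! No connection table: nothing here fills up under a query flood,
 ! but nothing here notices abnormal query volume either (Joe's gap).
 ! A recursive resolver would additionally need stateless return-traffic
 ! permits (e.g. udp any eq 53 -> server gt 1023), which an
 ! authoritative-only server does not.
 ! Everything else to the segment is dropped by the implicit deny;
 ! per-entry hit counts are visible with "show ip access-lists".
!
interface Vlan53
 description DNS server segment
 ip access-group DNS-SERVER-IN out
```

Because the list is stateless it is evaluated in hardware on this platform and rate is not a concern; avoid the "log" keyword on the deny entries, which punts matching packets to the CPU.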


