>>>>> "SJG" == Simon J Gerraty <sjg@quick.com.au> writes:
[... TEXT DELETED ...]
SJG> The most common means by which such info "leaks" is in e-mail and
SJG> news headers. You can configure sendmail on your firewall to hide
Yes, I must think about it for a moment ... I will write later.
SJG> from addresses etc, but unless you make sendmail remove Received
SJG> headers (bad idea btw), the original hostname and each hop will be
SJG> leaked. Regardless of whether you have an air gap such info can be
SJG> useful for social engineering ("Hi, I'm from XYZ, I need to install
SJG> an urgent patch on host fubar and the sysadmin is away... what's
SJG> the passwd?") lame, but you get the idea. If asked nicely many
SJG> people are only too pleased to help :-)
[... TEXT DELETED ...]
SJG> That depends on the site. My own little site here runs two binds
SJG> on the firewall, one that the outside world looks at and is bound to
SJG> the ppp interface only, and another which is a secondary for my
SJG> internal domains and forwards via the bind on the ppp interface (it's
SJG> the only one the kernel will allow to talk to the outside world) and
SJG> the other internal nameservers forward to the bind listening on the
SJG> firewall's ethernet. External sites provide secondary DNS for my
SJG> external view.
Well, yes, for a small site with not too high security it's OK, I think. But if
your firewall gets hacked, both your DNS servers get hacked too, don't they? If
you have the primary DNS for your site in the internal network (for example a
network with test IPs 10.), then I have to hack one machine more, that is the
internal DNS server. Yes, I know if the FW gets hacked, then the game is
nearly over, but I think it's somewhat more difficult. I have to go through
the DMZ, I have to go through the router to my internal net, and this I can
do only with the FW IP, so I have to install my hack software on the FW
first and so on ...
SJG> I also run the firewalls and DNS for a _big_ corp, and there I set
SJG> things up such that there is zero DNS traffic through the firewall.
SJG> The reasons are many but include: 1. internally rooted DNS allows
SJG> extended disconnection from Internet without impact on corporate
I don't understand Point Nr. 1. Sorry :(
SJG> network. 2. use of illegal nets on corp net means external address
SJG> resolution is meaningless in most cases. 3. the forwarding model
SJG> described above does not scale well to _big_ corporate nets.
SJG> 4. passing zero DNS traffic through firewall ensures that Internet
SJG> is not polluted with internal roots.
2., 3. I don't understand these either. So if I am on the corp net, and I want to
nslookup www.microsoft.com, how do I get the IP if I have no DNS traffic
through the FW? It seems that I get the IP from the DNS on the firewall. Did
you mean that? But then there is no problem having the primary DNS on the corp net
for the corp net with a forward to the firewall, which has a forward to my ISP.
4. I cannot imagine that, because it's one DNS forward more than for the
situation without the firewall (if I have no FW, then I forward to my
ISP DNS directly). If I have a caching server it should scale
well. I have a site here with 400+ machines, and DNS is OK. I cannot imagine
that one DNS forward more and a caching DNS server should not scale well.
Could you please explain?
[... TEXT DELETED ...]
--
____________________________________________________________________________
Bogdan Pelc; Sekr. MA 6-3, Ma682; Tel: 030-31423607, 030-31422491
pelc@math.tu-berlin.de
Do You realize , that this world is totally FUGAZI, where are the poets,
where are the visionaries ... (FISH)
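To make the two-instance firewall DNS layout quoted above concrete, here is an added example (mine, not from either poster) of how the two named.conf files on such a firewall could look in BIND 8/9 syntax. The addresses 192.0.2.1 (ppp side), 10.0.0.1 (ethernet side), 10.0.0.53 (internal primary), 203.0.113.5 (external secondary) and the zone names are placeholders I chose.

```conf
# /etc/named-external.conf -- the instance the outside world sees.
# Constructed example: all addresses and zone names are placeholders.
options {
    directory "/var/named/external";
    listen-on { 192.0.2.1; 127.0.0.1; };   # ppp interface plus loopback only
    recursion yes;                         # resolves Internet names on behalf of ...
    allow-recursion { 127.0.0.1; };        # ... the internal instance only, never for outsiders
};

# External view of the site's domain; an outside site holds the secondary.
zone "example.org" {
    type master;
    file "example.org.external";
    allow-transfer { 203.0.113.5; };       # placeholder: the external secondary
};

# /etc/named-internal.conf -- the instance bound to the firewall's ethernet.
options {
    directory "/var/named/internal";
    listen-on { 10.0.0.1; };               # ethernet interface only, unreachable from outside
    forwarders { 127.0.0.1; };             # hand everything else to the external instance ...
    forward only;                          # ... and never try to reach the Internet directly
    allow-query { 10.0.0.0/8; };           # placeholder: internal nets only
};

# Secondary for the internal domains; the master is an internal nameserver.
zone "example.internal" {
    type slave;
    masters { 10.0.0.53; };                # placeholder: the internal primary
    file "example.internal.slave";
};

# On the other internal nameservers (e.g. 10.0.0.53) the options block just
# forwards to the firewall's ethernet-side instance:
# options { forwarders { 10.0.0.1; }; forward only; };
```

Only the external instance ever talks to the Internet, so a packet filter on the firewall can drop all other outbound port 53 traffic without breaking internal resolution.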