Firewall Wizards mailing list archives

RE: Gauntlet v3.0 (NT) questions


From: "Shivdasani, Meenoo" <Meenoo_Shivdasani () NAI com>
Date: Fri, 29 Jan 1999 11:15:37 -0800


> 1.) There is an internal DNS server that is the primary and currently the
> ISP supports a secondary DNS server. When we install the firewall the
> internal primary DNS server will remain. The plan is to do a split DNS by
> having the firewall become the primary DNS for the hosts that need to be
> advertised to the external networks. I believe that I need to have the
> firewall point to the internal DNS server and that the internal DNS server
> uses the forward command to the firewall's external IP interface. Is there
> anything else that I need to do to allow DNS through the firewall?

By default, NT Gauntlet will not allow DNS traffic to pass through it.  You
have two options:

1) Install a DNS server on the firewall
2) Packet filter DNS traffic from the internal server to the external
server.

With the first option you are at the mercy of whichever DNS product you put
on the firewall -- Microsoft DNS isn't super robust in my experience.
MetaInfo may still be making their DNS server.  

With the second option you either have to have routeable internal addresses
or use a combination of NAT and packet filtering to get the traffic to pass
through.  It's my opinion that packet filtering UDP traffic is unsafe from a
security perspective; however, for some environments this may be the optimal
solution.  You'd need to weigh your risks.


> 2.) There will be a DMZ that will have various web servers and ftp servers
> located on it. What do I need to do on the firewall to allow internal users
> access to these servers, i.e., do I need to put the firewall in the same
> NT domain? Do I want to put the firewall in the same NT domain or should I
> do something different? Should those servers be able to access/announce
> themselves to the WINS server located on the internal network? Does this
> require that I turn off the computer browser on the firewall?

Theoretically (and technically speaking) you could allow NetBIOS and related
traffic through from the DMZ to the internal network, however I wouldn't
consider that a good security measure.  The firewall can be configured so
that internal users can ftp to the servers on the service net and can http
to the same servers.  That should provide adequate access.

M
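The split-DNS arrangement discussed above (internal primary stays inside, firewall serves a second copy of the zone containing only the advertised hosts) is only as good as the external copy of the zone. The script below is an added example, not code from the original post and not part of Gauntlet; it parses a minimal BIND-style zone text and flags records that would leak internal information when the firewall publishes the zone: addresses in RFC 1918 or other non-routable space, and names that exist in the internal zone but are not on the list of hosts meant to be advertised. The zone names, addresses and host lists are constructed for the example; the record-syntax subset handled is an assumption as well.

```python
import ipaddress
import re

# Ranges that must never be handed out by the externally visible copy of a
# zone: RFC 1918, loopback, link-local, "this network", and the IPv6 equivalents.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# owner [ttl] [IN] type rdata  -- the subset of master-file syntax handled here
RECORD_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME|MX|NS|TXT)\s+(.+)$", re.I)


def qualify(name, origin):
    """Turn a zone-file owner name into an absolute, lower-cased name."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Parse a minimal zone file into (owner, rtype, rdata) triples."""
    records = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("$"):  # blank line or $TTL/$ORIGIN
            continue
        if line[0].isspace():                         # blank owner: reuse previous
            line = f"{last_owner} {line.strip()}"
        m = RECORD_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable record: {raw!r}")
        owner, rtype, rdata = m.groups()
        owner = qualify(owner, origin)
        last_owner = owner
        records.append((owner, rtype.upper(), rdata.strip()))
    return records


def audit_external_zone(external_text, internal_text, origin, advertised):
    """Return a list of problems found in the external copy of a split zone.

    advertised: set of host labels (relative to origin) that may be visible
    from the Internet. Everything else in the external zone is reported.
    """
    problems = []
    allowed = {qualify(h, origin) for h in advertised} | {qualify("@", origin)}
    internal_names = {o for o, _, _ in parse_zone(internal_text, origin)}
    for owner, rtype, rdata in parse_zone(external_text, origin):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in NON_ROUTABLE):
                problems.append(
                    f"{owner} {rtype} {rdata}: non-routable address advertised externally")
        if owner not in allowed:
            if owner in internal_names:
                problems.append(f"{owner}: internal-only name copied into external zone")
            else:
                problems.append(f"{owner}: not on the advertise list")
    return problems


ORIGIN = "example.com."   # constructed zone name

# Constructed internal zone: what the existing internal primary serves.
INTERNAL_ZONE = """\
$TTL 3600
@        IN NS  ns-int.example.com.
ns-int   IN A   10.1.1.2
www      IN A   10.1.2.10
ftp      IN A   10.1.2.11
payroll  IN A   10.1.3.5
"""

# Constructed first draft of the external zone: copied from the internal
# zone with only the NS record changed, so it leaks two things.
EXTERNAL_ZONE_DRAFT = """\
$TTL 3600
@        IN NS  ns.example.com.
ns       IN A   198.51.100.1
www      IN A   10.1.2.10      ; still the internal address
ftp      IN A   198.51.100.11
payroll  IN A   10.1.3.5       ; never meant to be advertised
"""

# Constructed corrected external zone: advertised hosts only, DMZ addresses.
EXTERNAL_ZONE_OK = """\
$TTL 3600
@        IN NS  ns.example.com.
ns       IN A   198.51.100.1
www      IN A   198.51.100.10
ftp      IN A   198.51.100.11
"""

ADVERTISED = {"ns", "www", "ftp"}   # constructed advertise list

if __name__ == "__main__":
    for label, zone in (("draft", EXTERNAL_ZONE_DRAFT), ("corrected", EXTERNAL_ZONE_OK)):
        found = audit_external_zone(zone, INTERNAL_ZONE, ORIGIN, ADVERTISED)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  " + p)
```

Run against the draft it reports the internal address on `www`, and `payroll` both for its address and for being an internal-only name; the corrected zone passes clean. Note that the check deliberately uses an explicit range list rather than Python's `is_private`, because the latter also treats documentation ranges such as 198.51.100.0/24 as private and would misreport the constructed DMZ addresses.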


