Firewall Wizards mailing list archives
RE: Gauntlet v3.0 (NT) questions
From: "Shivdasani, Meenoo" <Meenoo_Shivdasani () NAI com>
Date: Fri, 29 Jan 1999 11:15:37 -0800
> 1.) There is an internal DNS server that is the primary and currently the
> ISP supports a secondary DNS server. When we install the firewall the
> internal primary DNS server will remain. The plan is to do a split DNS by
> having the firewall become the primary DNS for the hosts that need to be
> advertised to the external networks. I believe that I need to have the
> firewall point to the internal DNS server and that the internal DNS server
> uses the forward command to the firewall's external IP interface. Is there
> anything else that I need to do to allow DNS through the firewall?

By default, NT Gauntlet will not allow DNS traffic to pass through it. You have two options:

1) Install a DNS server on the firewall
2) Packet filter DNS traffic from the internal server to the external server.

With the first option you are at the mercy of whichever DNS product you put on the firewall -- Microsoft DNS isn't super robust in my experience. MetaInfo may still be making their DNS server.

With the second option you either have to have routeable internal addresses or use a combination of NAT and packet filtering to get the traffic to pass through. It's my opinion that packet filtering UDP traffic is unsafe from a security perspective; however, for some environments this may be the optimal solution. You'd need to weigh your risks.
> 2.) There will be a DMZ that will have various web servers and ftp servers
> located on it. What do I need to do on the firewall to allow internal
> users access to these servers, i.e., do I need to put the firewall in the
> same NT domain? Do I want to put the firewall in the same NT domain or
> should I do something different? Should those servers be able to
> access/announce themselves to the WINS server located on the internal
> network? Does this require that I turn off the computer browser on the
> firewall?

Theoretically (and technically speaking) you could allow NetBIOS and related traffic through from the DMZ to the internal network; however, I wouldn't consider that a good security measure. The firewall can be configured so that internal users can ftp to the servers on the service net and can http to the same servers. That should provide adequate access.

M
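The split-DNS layout discussed in question 1 (an internal primary that holds the whole zone and forwards unknown names to the firewall's external interface, where a second server advertises only the public hosts) is easier to reason about with a small model. The following is an added example, not code from Gauntlet, from any DNS product, or from the list posting; the server names, zone names and addresses are constructed (RFC 5737 / RFC 1918 ranges), and the ISP upstream server is an assumption. It also includes the check a defender would run against such a layout: which internal names the external-facing server will answer for an outside client.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class DnsServer:
    """One name server in the constructed split-DNS model."""
    name: str
    address: str                               # the server's own IP, as seen by its forwarder
    records: Dict[str, str]                    # qname -> address this server is willing to hand out
    allowed_clients: List[str]                 # networks permitted to query this server
    forwarder: Optional["DnsServer"] = None    # where unknown names go (the "forward command")

    def accepts(self, client_ip: str) -> bool:
        ip = ip_address(client_ip)
        return any(ip in ip_network(net) for net in self.allowed_clients)

    def resolve(self, qname: str, client_ip: str) -> Tuple[Optional[str], List[str]]:
        """Answer a query. Returns (address or None, path of servers that handled it)."""
        if not self.accepts(client_ip):
            return None, [f"{self.name}:REFUSED"]
        if qname in self.records:
            return self.records[qname], [self.name]
        if self.forwarder is None:
            return None, [f"{self.name}:NXDOMAIN"]
        # Forward on the client's behalf; the upstream only ever sees this
        # server's address, so the internal server is never exposed directly.
        answer, path = self.forwarder.resolve(qname, self.address)
        return answer, [self.name] + path


def build_split_dns() -> Tuple[DnsServer, DnsServer]:
    """Three servers with constructed names and addresses: the ISP secondary
    (assumed upstream), the firewall's external DNS, and the internal primary."""
    isp = DnsServer("isp-secondary", "198.51.100.53",
                    {"www.otherdomain.example": "203.0.113.80"},
                    ["0.0.0.0/0"])
    # External view: only the hosts meant to be advertised, with public addresses.
    firewall = DnsServer("firewall-external", "192.0.2.1",
                         {"www.example.com": "192.0.2.10",
                          "ftp.example.com": "192.0.2.11"},
                         ["0.0.0.0/0"], forwarder=isp)
    # Internal view: the whole zone, including hosts that must never be advertised.
    internal = DnsServer("internal-primary", "10.0.0.53",
                         {"www.example.com": "10.0.1.10",
                          "ftp.example.com": "10.0.1.11",
                          "payroll.example.com": "10.0.2.5"},
                         ["10.0.0.0/8"], forwarder=firewall)
    return internal, firewall


def names_visible_externally(internal: DnsServer, external: DnsServer,
                             outside_ip: str = "203.0.113.9") -> set:
    """Defender's check: of every name in the internal zone, which ones does the
    external-facing server answer for an outside client? Only the advertised
    hosts should show up; anything else is a leak of the internal view."""
    return {n for n in internal.records if external.resolve(n, outside_ip)[0] is not None}


if __name__ == "__main__":
    internal, firewall = build_split_dns()
    for qname, client in [("payroll.example.com", "10.0.5.7"),
                          ("www.otherdomain.example", "10.0.5.7"),
                          ("payroll.example.com", "203.0.113.9"),
                          ("www.example.com", "203.0.113.9")]:
        server = internal if ip_address(client) in ip_network("10.0.0.0/8") else firewall
        print(qname, "from", client, "->", server.resolve(qname, client))
    print("visible from outside:", sorted(names_visible_externally(internal, firewall)))
```

The path returned by `resolve` shows the forwarding chain the posting describes: an internal client asking for an outside name is answered via internal-primary, then firewall-external, then the ISP, and the outside never sees a query sourced from the internal server. The refusal branch models the point that the internal primary should not be reachable from outside at all; in a real deployment that is enforced by the firewall policy rather than by the name server alone.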
Current thread:
- RE: Gauntlet v3.0 (NT) questions Shivdasani, Meenoo (Feb 01)
- Re: Gauntlet v3.0 (NT) questions Joseph S D Yao (Feb 02)
- Re: Gauntlet v3.0 (NT) questions dreamwvr (Feb 03)
- Re: Gauntlet v3.0 (NT) questions Joseph S D Yao (Feb 02)