Firewall Wizards mailing list archives

Re: Gauntlet v3.0 (NT) questions


From: Steve George <steve () po i-way co uk>
Date: Wed, 27 Jan 1999 11:46:27 GMT

Hi Jim,

Umm, you are probably sending these questions to the wrong forum; you'd be
better served by sending Gauntlet-specific questions to gauntlet-users.

1)  I think you can do DNS in the way you are suggesting, though I would be
tempted to leave any external hosts as being advertised by your ISP, saves
your bandwidth and makes things easier.

2)  You don't want *any* sort of logical grouping across the FW: no Domain,
no WINS, no shares, etc.  Gauntlet cannot proxy SMB, so they should use FTP
and logins which have been specified on the DMZ machines.  Perhaps you
should consider putting these machines on a third interface, called a
'service network' in the Gauntlet literature: this allows you to protect
them more fully.  Any trust relationships which extend beyond the FW
weaken your security.

Best wishes,

Steve



---Reply to mail from Lisa Joan Haswell Hebert about Gauntlet v3.0 (NT) questions
Hi,

I have a couple of questions regarding V3.0 of Gauntlet firewall on an NT
platform.

1.) There is an internal DNS server that is the primary and currently the ISP
supports a secondary DNS server. When we install the firewall the internal
primary DNS server will remain. The plan is to do a split DNS by having the
firewall become the primary DNS for the hosts that need to be advertised to the
external networks. I believe that I need to have the firewall point to the
internal DNS server and that the internal DNS server uses the forward command
to the firewall's external IP interface. Is there anything else that I need to
do to allow DNS through the firewall?

2.) There will be a DMZ that will have various web servers and ftp servers
located on it. What do I need to do on the firewall to allow internal users
access to these servers, i.e., do I need to put the firewall in the same NT
domain? Do I want to put the firewall in the same NT domain, or should I do
something different? Should those servers be able to access/announce themselves
to the WINS server located on the internal network? Does this require that I
turn off the computer browser on the firewall?

Thanks in advance.



Jim



---End reply
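The split-DNS arrangement discussed in question 1 (internal primary forwarding to the firewall, firewall publishing only the advertised hosts) as an added configuration sketch. This is not from the thread, the Gauntlet documentation, or Gauntlet's own configuration files: Gauntlet for NT configures its DNS service through its own tools, and the BIND-style syntax, the zone name example.com, the internal range 10.0.0.0/8, the external range 192.0.2.0/24, the ISP secondary 198.51.100.53 and the file paths are all placeholders chosen to show the relationships between the pieces.

```conf
// ===== Internal primary DNS (inside the firewall), hypothetical BIND-style =====
options {
    directory "/var/named";              // placeholder path
    // Anything this server is not authoritative for goes to the firewall's
    // DNS and nowhere else; internal hosts never query the Internet directly.
    forward only;
    forwarders { 192.0.2.1; };           // firewall external interface (placeholder)
    allow-query     { 10.0.0.0/8; 127.0.0.1; };
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer  { none; };           // the internal view never leaves the LAN
};

// Authoritative for the FULL internal view: every internal host, internal addresses.
zone "example.com" {
    type master;
    file "internal/example.com.db";
};

// ===== Firewall DNS (external side), hypothetical BIND-style =====
options {
    directory "/var/named";
    // Resolve Internet names only on behalf of the internal DNS server;
    // the Internet gets authoritative answers for the published zone and nothing more.
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };
    allow-transfer  { 198.51.100.53; };  // ISP secondary (placeholder)
};

// Authoritative for the PUBLIC view: only hosts meant to be advertised.
zone "example.com" {
    type master;
    file "external/example.com.db";
};

// ===== external/example.com.db on the firewall (public view only) =====
// $TTL 86400
// @     IN SOA  fw.example.com. hostmaster.example.com. (
//                 1999012701 3600 900 604800 86400 )
//       IN NS   fw.example.com.
//       IN NS   ns2.isp.example.      ; ISP secondary, placeholder name
//       IN MX   10 mail.example.com.
// fw    IN A    192.0.2.1
// mail  IN A    192.0.2.1             ; SMTP is proxied by the firewall
// www   IN A    192.0.2.10            ; DMZ web server
// ftp   IN A    192.0.2.11            ; DMZ FTP server
// (no records for internal-only hosts such as file servers or workstations)
```

The property to check once this is in place, using nslookup from both sides: a query for www.example.com against 192.0.2.1 from outside returns only the public address, a query for an internal-only name against 192.0.2.1 from outside returns NXDOMAIN, and an internal workstation resolving an Internet name succeeds only by way of the internal primary (direct port 53 to the outside should fail at the firewall). If the ISP secondary is kept, it transfers the external zone from the firewall, never from the internal primary, so the internal view cannot leak through a zone transfer.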