| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FW-1] DNS TCP
Don --
Why not a DMZ or Service Network?
Elisabeth
Don <[email protected]>
Sent by: Mailing list for To: [email protected]
discussion of Firewall-1 cc:
<[email protected] Subject: Re: [FW-1] DNS TCP
kpoint.com>
05/09/2002 01:10 PM
Please respond to Mailing list for
discussion of Firewall-1
DNS is, and always has been, a very insecure protocol. Given this, and the
fact that DNS queries involve a lot of firewall overhead for very small
amounts of data, you are probably better off just putting them in front of
your firewall and just watching them. If all you run on them is DNS
anyway, it will not matter if they are in front of or behind the firewall.
They can be compromised either way. If they are behind the firewall,
however, such a compromise gives an attacker a bridgehead into your
network which would definitely not be a good idea.
-Don
NOTE: This electronic message and attachment(s), if any, contains information which is intended solely for the designated recipient(s). Unauthorized disclosure, copying, distribution, or other use of the contents of this message or attachment(s), in whole or in part, is prohibited without the express authorization of the author of this message.
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
|
|
