Firewall Wizards mailing list archives
RE: Questions on Firewall-1 and Neighborhood Browser
From: "Burden, James" <JBurden () caiso com>
Date: Mon, 1 Jun 1998 09:44:40 -0700
Jim,

IMHO, the DMZ should not be a part of the internal NT Domain. The DMZ should be for public access, and internal users should use local servers on the inside of the firewall. NetBEUI and NetBIOS are broadcast protocols that require client and server to be in the same collision domain for Network Neighborhood to work. If you cross a router/gateway, then a bridge must be configured to flatten the two subnets. I would suggest having an internal server that users update, and it update the DMZ servers with ftp (ssh). Users could easily find their resource, and only one hole has to be created in the firewall.

I think CERT (or AF-CERT) put out an advisory that NetBIOS should not be enabled through a firewall in early 1997 (don't remember the exact one).

Just my $.02.

Jim

James L. Burden                 Phone - 916.351.2243
Security Engineer               Page  - 916.814.2563
California ISO                  Fax   - 916.351.2181
http://www.caiso.com            Email - jburden () caiso com
41DF 0E4C 26E0 2FD3 8C81 A260 5C40 280E B4AE 7420
____________________________________________
To Teach is to Learn - Aaron Nimzovich
____________________________________________
Disclaimer: The above represents my personal opinions and not an official endorsement or position by the California ISO, my current employer. I reserve the right to disavow them at my convenience.
-----Original Message-----
From: Rodney van den Oever [SMTP:roever () nse simac nl]
Sent: Friday, May 29, 1998 1:38 PM
To: Jim Hebert
Cc: firewall-wizards () nfr net
Subject: Re: Questions on Firewall-1 and Neighborhood Browser

> I have a customer that I'm working with using Check Point Firewall-1.

Sorry, but I cut a *lot* of your original posting...

> 255.255.255.240). The firewall, internal network, and DMZ are all in the
> same WindowsNT domain. The firewall is a standalone server. The customer

Are you referring to the classic DMZ description, or the Checkpoint one?

So your external victim hosts are trusted by your internal servers. If anything happens to them the entire network could be compromised. It's like a bypass around the firewall!

Create a separate domain, block all browsing, only patch a specific workstation to the DMZ to manage the web-/ftpserver(s).

> that they can see the shares that are available. By default, the user
> will not see these because the NetBEUI protocol is not routable, (the

Don't confuse NetBEUI with NetBIOS. NetBEUI is a network protocol like IP. NetBIOS is a session-layer protocol that can run on top of IP, IPX or NetBEUI.

> internal network. I define a peering between the two (2) WINS servers and
> force a replication. The DMZ WINS server pushes and the internal

You don't want to allow stuff like WINS to cross your firewall, really... If you still do need to access a machine on the other side of the firewall, just create a '%SYSTEMROOT%\system32\drivers\etc\lmhosts'-file.

Either:

o Think about a good security policy and enforce it with the Firewall.
o Just disable the firewall, it only stands in the way with all this stuff your customer wants to do :-).

Good luck!

--
Rodney van den Oever / 06 55868577 / PGP Key ID 0x0A6CCE53
When asked by an anthropologist what the Indians called America before the white man came, an Indian said simply "ours". - Vine Deloria, Jr.
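Both replies above argue the same point: keep NetBIOS and WINS off the firewall and allow a single ssh/ftp hole for a content push from an inside staging server. As an added illustration that is not part of either post, the following Python lint checks a constructed, simplified rulebase (not FireWall-1 syntax; object names, zone map and the port set are assumptions) for accept rules that would let those services cross the DMZ boundary.

```python
# NetBIOS name/datagram/session ports plus WINS replication on tcp/42 (assumed set).
NETBIOS_SERVICES = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 42)}

# Zone of each named object; object names are assumed, not taken from the thread.
ZONES = {
    "internal-net": "internal", "int-wins": "internal", "int-staging": "internal",
    "dmz-net": "dmz", "dmz-wins": "dmz", "dmz-web": "dmz",
}
# Constructed rulebase in a simplified "src dst proto port action" text form
# (not FireWall-1 syntax). The first three rules are what the replies warn against.
RULEBASE = """\
# src          dst           proto  port  action
internal-net   dmz-net       tcp    139   accept   # browse DMZ shares from inside
dmz-wins       int-wins      tcp    42    accept   # WINS push/pull replication
dmz-net        internal-net  udp    137   accept   # NetBIOS name queries from the DMZ
int-staging    dmz-web       tcp    22    accept   # the one hole: ssh push of content
any            any           any    any   drop
"""

def parse_rules(text):
    """Return (rule_no, src, dst, proto, port, action) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, port, action = line.split()
        rules.append((len(rules) + 1, src, dst, proto.lower(), port.lower(), action.lower()))
    return rules

def zone_of(obj):
    return "any" if obj == "any" else ZONES.get(obj, "unknown")

def find_netbios_crossings(rules):
    """Flag accept rules that would let NetBIOS/WINS cross between the DMZ and the inside."""
    findings = []
    for no, src, dst, proto, port, action in rules:
        if action != "accept":
            continue
        # 'any' on proto or port would also admit these services
        opens_netbios = proto == "any" or port == "any" or (proto, int(port)) in NETBIOS_SERVICES
        zones = {zone_of(src), zone_of(dst)}
        crosses = zones == {"dmz", "internal"} or "any" in zones
        if opens_netbios and crosses:
            findings.append((no, f"rule {no}: {src} -> {dst} {proto}/{port} carries NetBIOS/WINS across the DMZ boundary"))
    return findings

if __name__ == "__main__":
    for _, msg in find_netbios_crossings(parse_rules(RULEBASE)):
        print(msg)
```

Run as-is it reports the three NetBIOS/WINS rules and stays silent on the ssh push rule, which is the shape of policy the replies recommend.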