Firewall Wizards mailing list archives

Re: Is it possible at all ...?


From: Jonn Martell <martell () ucs ubc ca>
Date: Sun, 27 Aug 2000 10:35:47 -0700 (PDT)


I agree with Ryan here.  I don't see why one would allow Microsoft
Networking "stuff" across firewalls.  Use a VPN to shape the stuff
properly.

Cheap devices like the Linksys NAT ($100) prevent it altogether.  Some
mid-level boxes like Sonicwall will allow outbound (which I still think is
a problem) but not inbound.

So, yes, "it's possible" on a technical level but not if you are really
concerned about security IMHO. Fortunately, we have VPNs these days.

 ..... J Martell

On Sat, 26 Aug 2000, Ryan Russell wrote:

Date: Sat, 26 Aug 2000 11:22:30 -0700 (PDT)
From: Ryan Russell <ryan () securityfocus com>
To: Chris <puetzc () yahoo com>
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Is it possible at all ...?

On Fri, 25 Aug 2000, Chris wrote:

different IP networks. I'd like to set up the DMZ and the
Inside as follows, so that the domain controllers can
exchange information, browsing works, NT user
authentication and all the typical NT Domain stuff
work. 

Is that possible at all? I opened ports
135,137,138,139 between the DMZ and the Inside but I
do not get it to work?


Perhaps you don't have a WINS server set up, or the DMZ machines can't
reach it, or don't have it programmed properly?  As soon as you go to more
than one IP subnet (which you almost always have to do with a DMZ) you
will have to use WINS to make things work right.

Of course, and I'm sure I won't be the only one to point this out, with
the setup you've described, you might as well not have a DMZ.  The moment
one of your DMZ machines gets nailed (and you have to assume it
will... that's why DMZs exist) then the attacker has everything they need
to 0wn any inside machine they want.  

Why do you want NetBIOS running between the inside and DMZ?

                                      Ryan


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
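
Added example, not part of the original messages: a small Python audit that reports which of the Microsoft Networking ports named in the thread (135, 137, 138, 139) a firewall policy permits between the DMZ and the inside, using first-match evaluation. The rule syntax, zone names, sample policy and the implicit default deny are assumptions made for illustration, not any product's format.

```python
# Added example: rule syntax and zone names are constructed, not from any product.
MS_NET_PORTS = (135, 137, 138, 139)   # ports named in the thread

def parse_ports(spec):
    """Expand 'any', '80', '137-139' or '135,137-139' into a set of ints."""
    if spec == "any":
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rules(text):
    """Each non-comment line: action proto src_zone dst_zone ports."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, src, dst, ports = line.split()
        rules.append((action, proto, src, dst, parse_ports(ports)))
    return rules

def first_match(rules, proto, src, dst, port):
    """First-match evaluation; implicit deny when nothing matches (assumed)."""
    for action, r_proto, r_src, r_dst, r_ports in rules:
        if (r_proto in (proto, "any") and r_src in (src, "any")
                and r_dst in (dst, "any") and port in r_ports):
            return action
    return "deny"

def ms_networking_exposure(text, a="dmz", b="inside"):
    """Return sorted (src, dst, proto, port) tuples the policy permits."""
    rules = parse_rules(text)
    return sorted((src, dst, proto, port)
                  for src, dst in ((a, b), (b, a))
                  for proto in ("tcp", "udp")
                  for port in MS_NET_PORTS
                  if first_match(rules, proto, src, dst, port) == "permit")

SAMPLE_POLICY = """
permit tcp dmz inside 135,137-139    # the setup described in the thread
permit udp dmz inside 137-138
deny   any inside dmz 135-139
permit tcp inside dmz any            # shadowed for 135-139 by the deny above
permit tcp any dmz 80
"""

if __name__ == "__main__":
    for finding in ms_networking_exposure(SAMPLE_POLICY):
        print("permitted:", *finding)
```

An empty result means the policy passes none of these ports in either direction between the two zones.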


