Firewalls - Reviewed

I'm looking for a solid but fairly priced firewall that will specifically allow me to host my own MX record and act as Primary NS for my domain. Any suggestions?

Reply to
neophite

There are some software based firewalls that allow for this. Specifically the old NAI Gauntlet firewall used to allow for this. It was very handy, and I'd love that functionality back. I'd rather not deal with a separate DNS/SMTP server if at all possible.

Reply to
neophite

Wolfgang is right, invest in a firewall and make the DNS server a separate system. Just throw together a cheap Linux or BSD system for your DNS.

-Jared

Reply to
DarbyCrash

In article , neophite wrote:
:I'm looking for a solid but fairly priced firewall that will
:specifically allow me to host my own MX record and act as Primary NS
:for my domain. Any suggestions?

Those aren't traditional firewall features -- I can't say that I've ever encountered a firewall appliance that was also a DNS server.

There are two traditional firewall features that I can think of that may be of interest to you: port forwarding; and DNS address translation of internal IP addresses to external addresses.

Port forwarding is very common, even in low-end devices that do not keep track of packet state. For port forwarding, you usually just go into a simple configuration screen, enter the port number as known to the outside world, enter the internal IP address you want the packets forwarded to, and enter the internal port number on that internal machine (the same as the external port number much of the time.)

DNS address translation is a convenience. If you have DNS address translation, then when your internal machines query your internal DNS server, then they get told the internal IP addresses, but when external machines query the -same- internal DNS servers, they get told the external IP address. This allows you to use a single DNS server for internal and external clients. If you do not have that feature, then you either need to configure different DNS servers for internal and external clients, or else you need to configure a single DNS server to have "split views", in which it specifically notices where the query is coming from and returns different data to the different callers [this may require essentially duplicating records, but at least it doesn't require a second server.]

An example of a firewall that does do DNS address translation is the Cisco PIX 501. But as I indicated above, with a bit of work you can get away without having this feature: in that case, you are just looking for standard firewall functionality, and the model of the device you buy will depend on your other needs (e.g., bandwidth shaping, content filtering, virus checking), and upon your Threat Risk Assessment.

Reply to
Walter Roberson
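As an added illustration of the two behaviours Walter describes (a DNS server with "split views" that answers by caller, and firewall-side DNS address translation that rewrites an internal address in a reply on its way out), here is a small Python model. It is not code from the thread or from any vendor; the zone names, addresses and the "internal" network ranges are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed sample zone for an assumed domain "example.com.".
# Each host has a private address and the public address the firewall NATs it to.
ZONE = {
    "www.example.com.":  {"internal": "192.168.1.10", "external": "203.0.113.10"},
    "mail.example.com.": {"internal": "192.168.1.25", "external": "203.0.113.25"},
    "ns1.example.com.":  {"internal": "192.168.1.53", "external": "203.0.113.53"},
}

# Queries from these (assumed) LAN ranges get the internal view; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]


def view_for(client_ip: str) -> str:
    """Classify the querying client: 'internal' if it sits in a local net, else 'external'."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def resolve(name: str, client_ip: str) -> Optional[str]:
    """Answer an A query the way a split-view server does: one set of zone data,
    a different answer depending on where the query came from. None means NXDOMAIN."""
    key = name.lower()
    if not key.endswith("."):
        key += "."                      # canonicalise to a fully-qualified name
    records = ZONE.get(key)
    if records is None:
        return None
    return records[view_for(client_ip)]


# The alternative Walter mentions: the server only knows internal addresses and the
# firewall rewrites replies leaving the LAN (PIX-style DNS address translation).
NAT_MAP = {rec["internal"]: rec["external"] for rec in ZONE.values()}


def translate_answer(answer: str, leaving_the_lan: bool) -> str:
    """Rewrite an internal address in a DNS reply that is headed to an external client.
    Replies to internal clients, and addresses without a NAT mapping, pass unchanged."""
    if leaving_the_lan and answer in NAT_MAP:
        return NAT_MAP[answer]
    return answer


if __name__ == "__main__":
    for client in ("192.168.1.77", "198.51.100.9"):
        print(client, "->", resolve("www.example.com", client))
    print("translated:", translate_answer("192.168.1.25", leaving_the_lan=True))
```

The point of the split-view approach is that `ZONE` carries both addresses for every name (the "duplicating records" cost Walter notes), whereas with address translation the server holds only the internal record and the firewall needs an up-to-date `NAT_MAP`; either way, the check worth running is that no internal RFC 1918 address ever reaches an external caller.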

Filtering devices should run and offer as few services as possible. In the case of an exploit in a service which the filtering device offers, your gateway is toast. You definitely don't want to risk that. Gateways are gateways and servers are servers. Period.

Wolfgang

Reply to
Wolfgang Kueter

Firewalls and MX/DNS have nothing to do with each other.

DNS is a service that runs on a computer - it should be inside your LAN and provide DNS Forwarding for things that resolve outside your LAN.

Firewalls are for blocking access - they have nothing to do with DNS.

Reply to
Leythos

Symantec Raptor may be able to provide the features you desire. I personally think Raptor sucks, but it does have that feature.

Reply to
Wayne

I realize that smtp (MX) and NS (DNS) have nothing to do with the firewall, but for ease of administration and security, it would be extremely handy to have a box that provides all these features on one box. I also understand DNS and its functionality, however, it's not true that it runs specifically on the inside to forward outside. I need a NS on the outside because I am "primary" for my domain, therefore the need to have a secured DNS server on the outside of my firewall, or part of the firewall. Same goes for my SMTP traffic. I host my MX record, therefore need a secure SMTP server on the outside.

Reply to
neophite

In article , neophite wrote:
:I also understand DNS and its functionality, however, it's not true
:that it runs specifically on the inside to forward outside.

I must have missed the posting in which anyone said that it did?

: I need a
:NS on the outside because I am "primary" for my domain, therefore the
:need to have a secured DNS server on the outside of my firewall, or
:part of the firewall.

What you want is not really a DNS server on the outside: what you want more is a DNS server on a DMZ ("Demilitarized Zone") -- something that can be -reached- from the outside, but has its ports secured by the firewall, and which can only reach to the inside systems to the extent that you have specifically configured.

:Same goes for my SMTP traffic. I host my MX record, therefore need a
:secure SMTP server on the outside.

Again, not on the outside, on a DMZ.

You will see DMZ listed against quite a few low-end devices, but in many of the low-end devices, "DMZ" is just a way of saying, "an address which is not subject to the firewall protections, and which is expected to have been secured some other way." The "DMZ" on such devices might operate in public IP space, or might operate in the private NAT'd IP space, but on the low-end devices there often is little or no barrier between the "DMZ" and the "inside".

A proper DMZ requires an extra interface (or at least use of VLANs) and mechanisms for separately configuring the interactions between outside and DMZ, outside and inside, and DMZ and inside.

I do not happen to be familiar with any consumer-class firewalls that provide a real DMZ. There are probably some out there; I just don't know of them.

Earlier I mentioned the Cisco PIX 501: it does NOT have DMZ capability (the Cisco PIX 506/506E does, but only via VLANs; the lowest commonly-available PIX model with separate interfaces is the 515 and 515E.)

Reply to
Walter Roberson
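The difference Walter draws between a proper three-interface DMZ and a low-end "DMZ" (a host merely exempted from protection, with nothing between it and the LAN) comes down to whether the three zone pairs are policed separately. The following Python model, added here and not taken from the thread or any product, expresses the two policies as default-deny rule tables and evaluates sample flows against them; the zone names, services and the assumption that the DMZ mail relay delivers to an internal mail store are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# A rule permits traffic from one zone to another for a protocol and destination port.
# "*" / 0 act as wildcards; anything not matched by a rule is dropped (default deny).
Rule = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Flow:
    src_zone: str   # "outside", "dmz" or "inside"
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int


# Proper DMZ (constructed): each zone pair has its own short allow-list.
PROPER_DMZ_POLICY: List[Rule] = [
    ("outside", "dmz", "udp", 53),      # external resolvers query the primary NS
    ("outside", "dmz", "tcp", 53),      # zone transfers / truncated answers
    ("outside", "dmz", "tcp", 25),      # inbound mail to the MX host
    ("inside", "dmz", "udp", 53),       # LAN clients use the DMZ resolver
    ("inside", "dmz", "tcp", 25),       # LAN clients submit mail to the relay
    ("inside", "outside", "tcp", 80),   # ordinary outbound browsing (assumed)
    ("dmz", "inside", "tcp", 25),       # relay hands mail to an assumed internal mail store
]

# Low-end "DMZ" as Walter describes it: same public-facing rules, but no barrier
# between the DMZ host and the inside, modelled as an any/any rule.
LOWEND_DMZ_POLICY: List[Rule] = PROPER_DMZ_POLICY + [("dmz", "inside", "*", 0)]


def permitted(policy: List[Rule], flow: Flow) -> bool:
    """First-match evaluation of a flow against an allow-list; no match means deny."""
    for src, dst, proto, port in policy:
        if (src == flow.src_zone and dst == flow.dst_zone
                and proto in ("*", flow.proto) and port in (0, flow.dport)):
            return True
    return False


def lateral_exposure(policy: List[Rule], probes: List[Flow]) -> List[Flow]:
    """Return the dmz->inside flows a policy lets through, i.e. what a compromised
    DMZ host could reach on the LAN. A proper DMZ lists only the intended service."""
    return [f for f in probes
            if f.src_zone == "dmz" and f.dst_zone == "inside" and permitted(policy, f)]


if __name__ == "__main__":
    probes = [Flow("dmz", "inside", "tcp", p) for p in (25, 445, 3389)]
    print("proper DMZ exposes:", [f.dport for f in lateral_exposure(PROPER_DMZ_POLICY, probes)])
    print("low-end DMZ exposes:", [f.dport for f in lateral_exposure(LOWEND_DMZ_POLICY, probes)])
```

`lateral_exposure` is the check to run when a vendor advertises a "DMZ" port: if every dmz->inside probe is permitted, the DMZ host is effectively on the LAN and a compromise of the public DNS or mail service lands inside.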

There can be good reasons to run your own DNS server, or at the very least be a "hidden" primary that the ISP gets zone files from. Lack of knowledge and understanding of DNS is the main concern -- most providers simply don't grok DNS, but are happy enough if it appears to "work" with very limited functionality. I bet that 9 out of 10 ISPs won't let you update entries using key signed update requests -- simply because they have no clue how to set this up. Nor have a different view for requests from your site.

Here, I have the DHCP server updating the DNS server as machines go online/offline, and only known clients can query local machines, or get an internal MX for mail. I doubt there's many ISPs that would handle such a setup for you.

Also, there's firewall appliances that will proxy DNS requests, so you don't really need to expose the DNS server through the firewall (although it's always a good idea to put boxes serving the outside world in a DMZ).

Regards,

Reply to
Arthur Hagen
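Arthur's point about ISPs that cannot accept "key signed update requests" refers to the kind of dynamic update a DHCP server sends as hosts come and go, authenticated with a shared secret. The block below, added here and not part of the thread, is a simplified stand-in for that mechanism using only the Python standard library: it is not the RFC 2845 TSIG wire format, but it checks the same three things a DNS server checks before applying an update (known key name, timestamp within the allowed skew, and a valid HMAC over the request). The key name, secret, record and timestamps are constructed.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed shared secrets for the DHCP-server -> DNS-server update channel.
KEYS: Dict[str, bytes] = {
    "dhcp-key": b"constructed-demo-secret-not-a-real-key",
    "admin-key": b"another-constructed-secret",
}
FUDGE_SECONDS = 300   # tolerated clock skew, the role TSIG's "fudge" field plays


def _message(update: str, signed_at: int, key_name: str) -> bytes:
    # The MAC covers the update itself, the time it was signed, and the key name,
    # so none of the three can be altered without invalidating the signature.
    return f"{update}|{signed_at}|{key_name}".encode()


def sign_update(key_name: str, update: str, signed_at: Optional[int] = None) -> dict:
    """Produce a signed update request, e.g. from a DHCP server registering a lease."""
    ts = int(time.time()) if signed_at is None else int(signed_at)
    mac = hmac.new(KEYS[key_name], _message(update, ts, key_name), hashlib.sha256).hexdigest()
    return {"update": update, "time": ts, "key": key_name, "mac": mac}


def verify_update(req: dict, now: Optional[int] = None) -> str:
    """Return 'NOERROR' if the request may be applied, else the reason it is refused
    (names borrowed from the TSIG error codes)."""
    secret = KEYS.get(req.get("key", ""))
    if secret is None:
        return "BADKEY"
    current = int(time.time()) if now is None else int(now)
    if abs(current - int(req["time"])) > FUDGE_SECONDS:
        return "BADTIME"          # stale or replayed request
    expected = hmac.new(secret, _message(req["update"], int(req["time"]), req["key"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return "NOERROR" if hmac.compare_digest(expected, req["mac"]) else "BADSIG"


if __name__ == "__main__":
    req = sign_update("dhcp-key", "add host42.example.com. 300 IN A 192.168.1.42")
    print(verify_update(req))
    req["update"] = "add host42.example.com. 300 IN A 192.168.1.99"
    print(verify_update(req))
```

Only the "NOERROR" outcome should result in a zone change; the refusal reasons are what a defender wants logged, since a run of BADSIG or BADTIME results from one source is the signal that something other than the DHCP server is trying to rewrite records.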

First, you need to understand firewalls - you can have a DNS server inside your network to resolve your names to their private addresses, this lets your internal computers resolve to the private addresses of your servers/services.

If you are also hosting your own DNS, if your ISP/Provider lets you do that, you need to setup a DNS server in a DMZ network, not on the public side - in this case you would forward DNS traffic ONLY to the internal DNS server residing in the DMZ. This means that only DNS traffic makes it from outside the network to the DMZ - meaning you have a lot less exposure.

If you purchased a domain name, you might find it easier to allow the provider to host your public DNS, it's one less machine you have to purchase, and it's likely to be more reliable than running your own DNS server unless you have a real data center.

Again, you need a DNS service exposed through the firewall and located in your DMZ, do not put the DNS server outside the firewall. I would suggest that you host your DNS at your ISP or domain name providers location. We have about 80 domain names, not one of them is hosted on our DNS Servers, we have them configured with our domain name providers.

Reply to
Leythos

If you really want to get fancy there are firewalls out there (Sidewinder for one) which run a split-dns and split-sendmail configuration.

Reply to
Michael Seidner

Look at the Sidewinder appliance. We have customers using it in the configuration you are talking about. It will cover DNS for your internal network, DMZ and external network for providing name services.

Reply to
Michael Seidner

So, send me a link to one that does what the FireBox X700 does, I'll look at it.

Reply to
Leythos
