Security Basics mailing list archives

RE: DMZ Design and Functionality


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Tue, 19 Aug 2003 08:21:25 +0100

Hi Dana, 

I agree with David that it's a pretty advanced approach, but assuming you
have no time pressure, it's a sound infrastructure. Just be sure you don't
promise anyone when it will be in production.

One thing I would change in your place is I would put both the firewall and
the proxy/mail on the same operating system. It will be enough
administration if you have two new *nix boxes (assuming your background is
not unix) without you having to keep up on patches/updates/administration
for two operating systems.

How you size the firewall machine depends on the width of your internet
connection. What kind of a connection do you have? Now, if your firewall is
going to be fairly simple, you might even want to look into an inexpensive
hardware firewall. Assuming it would cost you say 2500$ (maybe a low
estimate) for a BSD machine that you would have to administer constantly,
you could already get a (smallish) hardware firewall for that money.

Sizing the proxy/mail machine will also depend on your web/mail traffic. We
have no idea how big your site is/what connection you have/how much mail
traffic you have. 

If you want to do a serious VPN solution, then a hardware firewall instead
of the BSD machine makes even more sense. If you can get your company to
spring for it, get a CheckPoint FireWall-1 on Nokia with VPN-1. These things
can all be done in software on a self-installed OS, but if you are alone
setting everything up, a hardware solution will be to your advantage in
terms of time and manageability.

I hope I answered all your questions. If I was wrong on any point, then
list, please let me know.

badenIT GmbH
System Support
 
Chris Meidinger
Tullastrasse 70
79108 Freiburg


-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
Sent: Monday, August 18, 2003 9:53 PM
To: security-basics () securityfocus com
Subject: DMZ Design and Functionality




Forgive me if these questions are too basic but I am relatively new to 
this.  I am the network administrator at my company and over the past year 
have become aware of a need for increased security.  I have been reading 
posts here in hopes of learning more about this.  While I have learned 
considerable amounts, and have searched for answers elsewhere, I am still 
in need of guidance.  Any help or direction would be greatly appreciated.  
I am open to reading any books that one might recommend.  I have seen a 
few books out there but not sure which are worthwhile.  

Anyway, my background information is this:
I wanted to install a DMZ at 2 of my company's locations.  I do have a 
limited budget so I was planning on using OpenBSD for my first tier 
firewall.  I do have a hardware based firewall in place currently which I 
was planning on using as my second tier firewall.  
My initial plan is to build a machine using OpenBSD that does nothing but 
firewall.  Additionally, I wanted to add another machine to run 
Sendmail/SpamAssassin and an anti-virus software.  On this I was hoping 
to run Redhat as this is what I am most knowledgeable on.  My thought 
behind this was to block spam, of course, and also run a gateway anti-
virus solution that would block viruses coming from websites and 
employees' personal e-mail accounts.  This is due to the fact that I have 
seen a number of viruses coming in from either their 'webmail' or through 
their Outlook Express. I wish to set up an ftp server and webserver to 
facilitate OWA.  Additionally I would like to make available VPNs and 
encrypt all data transmitted over remote connections.  Remote connections 
may consist of a MS RAS and Citrix.

With this information my questions are:

1. To begin, does this sound like an acceptable solution?
2. How do I size the machine that I am going to run OpenBSD?  I have read 
that a DMZ will slow performance down some.  If I have a fast enough 
machine will it aid performance?  At what point is overkill when running 
OpenBSD?
3. How do I size the machine that will be running Redhat, Sendmail and 
SpamAssassin?  Is this configuration acceptable?  Should the Anti-virus 
software be running on a separate machine?
4. What open source options do I have for encryption and VPNs?
5. Are there any potential problems running this configuration?  Does 
everything mentioned here play nice together?  Would you change anything 
here and if so why?

Many thanks in advance.

Dana
