Security Basics mailing list archives

RE: Security/Firewall question


From: "Michael Dunn" <MDunn () sscincorporated com>
Date: Tue, 29 Jul 2003 11:55:25 -0400

Gregg,

If you're more comfortable with Win2K than BSD, then that's what I would recommend you stick with.  A properly hardened 
NT box makes a decent bastion host. 

I have had good success with Microsoft's ISA server.  There are a few books I recommend if you go that route:

Securing Windows NT/2000 Servers - Stefan Norberg - 1-56592-768-0
Configuring ISA Server 2000 - Dr. Thomas Shinder - 1-928994-29-6
ISA Server and Beyond - Dr. Thomas Shinder - 1-931836-66-3

The "beauty" of ISA server is that you only *need* one public IP address.  Your mail server can be on your LAN using a 
private IP.  You publish your mail service on the ISA box. Of course, you may configure a DMZ and place your mail 
server (with a public IP of its own) here.  This requires enough IPs to do (I don't think 5 is enough), as you'll 
need a 3rd NIC on the ISA box, plus burn 1 for the network id, etc.

I ran Win2k and ISA on a Celeron 333a with 128MB - it was very slow to use the console, but our T1 line at 1.5 Mbps 
worked fine. It actually sped up some sites, as ISA can act as a cache as well.

Best of luck with your implementation, BSD or otherwise!

Regards,

-Mike



-----Original Message-----
From: Gregg [mailto:gbtech () citlink net]
Sent: Tuesday, July 29, 2003 4:41 AM
To: security-basics () securityfocus com
Subject: Security/Firewall question

Hi everyone!

I'm still pretty new to security and firewalls and such, and I'm having a 
problem wrapping my head around a couple of concepts. Here's what I have- 
I have a stand-alone email server behind an ADSL router (with 4-port hub). 
The router is set to pass-thru (NAT and firewall disabled). 1 port goes to 
a firewall device, and my LAN behind that. 1 port goes to my Email server, 
a Win2k box (hey, quit lookin at me like that). 

I've got a handful of fixed IPs to work with. Here's what I'd like to do- 

Keep everything the same BUT- put an OpenBSD box in between the router and 
the email server (protect the snivelling email server). So, I builts me 
dis purty OpenBSD box from the broken bodies of mine enemies past (a Dell 
Dim XPS V350 with a bad video card). Put 2 NICs in the beast. Lovely.

Now, I have an IP from my block of 5 registered currently for my email 
server. 
I'm not certain if- 
I want to assign that IP to the OpenBSD firewall, and use NAT and/or RDR 
to pass on SMTP traffic on port 25 to the email server. Yes? No? Maybe? Am 
I a shame on my species? 
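A pf.conf fragment for the layout Gregg describes (the registered IP moved onto the OpenBSD box, inbound port 25 redirected to the mail server, everything else dropped), added here as an example and not taken from either message. Interface names, the 192.0.2.10 public address and the 10.0.0.25 mail-server address are assumed placeholders.

```conf
# Added example (not from either message). fxp0/fxp1, 192.0.2.10 and
# 10.0.0.25 are placeholders: use one of the registered IPs from the
# block of 5 and the private address actually given to the Win2k box.
ext_if = "fxp0"            # NIC facing the ADSL router
int_if = "fxp1"            # NIC facing the mail server
ext_addr = "192.0.2.10"    # registered IP, now assigned to the firewall
mail_srv = "10.0.0.25"     # mail server, re-addressed to a private IP

# Outbound mail from the server leaves wearing the registered address
nat on $ext_if from $mail_srv to any -> $ext_addr

# Inbound SMTP to the registered address is redirected to the mail server.
# Only TCP/25 is exposed; nothing else on the Win2k box is reachable.
rdr on $ext_if proto tcp from any to $ext_addr port 25 -> $mail_srv port 25

# Default deny both ways, logged so blocked probes show up in pflog
block in log all
block out log all

# rdr runs before filtering, so filter rules see the private destination
pass in  on $ext_if proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass out on $int_if proto tcp from any to $mail_srv port 25 flags S/SA keep state

# Let the mail server deliver outbound mail and resolve names; on the
# outside interface the source is already rewritten by the nat rule,
# so no "from" clause is used there
pass in  on $int_if proto tcp from $mail_srv to any port 25 flags S/SA keep state
pass in  on $int_if proto udp from $mail_srv to any port 53 keep state
pass out on $ext_if proto tcp to any port 25 flags S/SA keep state
pass out on $ext_if proto udp to any port 53 keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules). OpenBSD 4.7 and later fold translation into the filter rules, so the rdr and nat lines become `rdr-to` and `nat-to` options on the corresponding pass rules.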
