Security Basics mailing list archives
RE: External Network / Firewall Setup.
From: <Tim.BUTTON () Dest gov au>
Date: Wed, 7 Sep 2005 15:05:29 +1000 (EST)
> but I'm wary of a single point of failure

I'm not sure what you're referring to about a single point of failure. In the network design you've provided, there is no apparent redundancy... so each of the devices is a single point of failure. To avoid that, you'll need multiple devices in HA, which may well be overkill for what you need.

> Something I'm still unsure about is internal clients connecting to
> the mailserver in the DMZ - how much of a security issue is this?
> Should I use the DMZ mailserver simply as a relay for an internal
> mailserver?

IMHO, better to use your box in the DMZ as a relay only. You can run postfix/sendmail/whatever and use it to do some granular filtering. If you're keen enough, install some different virus scanner/anti-spam software on there, and get your box to pass the mail to that before allowing anything inbound.

The other advantage of doing this is that it allows you to kill anything you don't want at the border.

Finally, it means that if your internal server blows up or something, you'll still queue inbound mail... which is good.

If you get super keen, you can set it up to run iptables and tcpwrappers and tie it down.

My 2 bob's worth

-----Original Message-----
From: lists () ninjafriendly com [mailto:lists () ninjafriendly com]
Sent: Monday, 5 September 2005 21:45
To: security-basics () securityfocus com
Subject: External Network / Firewall Setup.

Hi all,

Background: We're a .sch.uk with a currently county-managed firewall and webmail provision. We have a 2mb symmetric DSL connection with approx 30% use at any one time.

Due to service and reliability issues with the county-managed solution we are looking to run our own mailserver, accessible from the internet. On balance, maintaining our own firewall setup is less hassle than keeping what we currently have.

I'm currently in the process of working out the firewall requirements, what I have so far is this:

    Internet
       |
     Router
       |
    Firewall(1)
       |
      HUB---Snort(1)
       |
       |___Mailserver
       |
    Firewall(2)
       |
      HUB---Snort(2)
       |
       |
      LAN

I suspect this setup may be overkill for the amount of traffic we receive, but I'm wary of a single point of failure. Hardware isn't a problem.

Further info: The mailserver will be running Horde. I'm hoping to convince management to use a PIX or similar for the first firewall and then something *nix based for the second, otherwise it will be two *nix boxes (IPcop and something BSD based).

Something I'm still unsure about is internal clients connecting to the mailserver in the DMZ - how much of a security issue is this? Should I use the DMZ mailserver simply as a relay for an internal mailserver?

Would anyone mind looking this over and telling me if I've screwed up / overlooked something?

Thanks
Pete
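The relay-only layout suggested in the reply above, modelled as an added example that is not part of the original thread: it checks which connections the two firewalls in the diagram would have to permit when the DMZ box only relays SMTP to an internal mailserver. All addresses, the rule tables and the function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not values from the thread).
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/28"         # segment between Firewall(1) and Firewall(2)
RELAY = "192.0.2.5/32"       # mail relay in the DMZ
LAN = "10.0.0.0/24"          # internal network behind Firewall(2)
LAN_MAIL = "10.0.0.25/32"    # internal mailserver that holds the mailboxes

# First-match tables of (action, source, destination, TCP port; None = any).
# Rules describe who may open a connection; replies are assumed stateful.
FIREWALL_1 = [
    ("allow", ANY, RELAY, 25),       # Internet delivers SMTP to the relay
    ("allow", RELAY, ANY, 25),       # relay delivers outbound mail
    ("deny", ANY, ANY, None),
]
FIREWALL_2 = [
    ("allow", RELAY, LAN_MAIL, 25),  # relay hands filtered mail inward
    ("allow", LAN_MAIL, RELAY, 25),  # internal server sends out via the relay
    ("deny", ANY, ANY, None),
]

def within(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def decide(rules, src, dst, port):
    """Action of the first rule matching the flow; deny if none matches."""
    for action, r_src, r_dst, r_port in rules:
        if within(src, r_src) and within(dst, r_dst) and r_port in (None, port):
            return action
    return "deny"

def zone(addr):
    return "lan" if within(addr, LAN) else "dmz" if within(addr, DMZ) else "net"

def reachable(src, dst, port):
    """True if every firewall between the two zones allows the connection."""
    zones = {zone(src), zone(dst)}
    if len(zones) == 1:
        return True  # same segment, no firewall crossed
    path = [fw for z, fw in (("net", FIREWALL_1), ("lan", FIREWALL_2)) if z in zones]
    return all(decide(fw, src, dst, port) == "allow" for fw in path)

if __name__ == "__main__":
    for flow in [("203.0.113.7", "192.0.2.5", 25), ("192.0.2.5", "10.0.0.25", 25),
                 ("10.0.0.50", "192.0.2.5", 143), ("203.0.113.7", "10.0.0.25", 25)]:
        print(flow, "allowed" if reachable(*flow) else "blocked")
```

With these tables the only opening through Firewall(2) is SMTP between the relay and the internal mailserver, so LAN clients never connect into the DMZ and nothing from the Internet reaches the LAN directly.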