Re: External Network / Firewall Setup.

[Florian Rommel <frommel () gmail com>]

Hi,
I think what was meant with single point of failure was that the failure 
point was not in control (county management) ....

Please correct me if i am wrong.

Now about your setup.. it might be a bit overkill but actually not too 
badly.. at least you got it well from a security point... I am jut 
wondering, if you have only a mailserver in the DMZ, why not install a 
hostbased IDS on it (snort locally) and have it log to the other snort 
machine. That would also help in making the analysis easier since you 
have everything on one machine. Unless both of them log to the same 
analysis machine.
Word of the wise, configure your snort well, especially snort(1) because 
the number of false positives you will receive is astronomical. A good 
advise that I got in one of the Symantec IDS trainings was: " and 
IDS/IPS system is an ongoing thing, if you dont have the time to check 
it as much as it needs, dont use it". We have deployed a few snort based 
IDS systems and once they are configured well a daily check or 2  for 
small companies is actually enough, it just has to be consistently checked.

Otherwise I like the setup, you have no redundancy so if a hub fails you 
loose connection and I totaly agree with what Tim wrote about the mail 
server just being a relay etc.
Should be a quite neat small setup when done. about the PIX, if you  can 
afford it, go for it. Otherwise you can use a OBSD box for that which 
IMHO is a very very nice granular first firewall because of the small HW 
requirements and the small memory footprint.


well my 2 cents

//Florian

http://www.2blocksaway.com





Tim.BUTTON () Dest gov au wrote:

> > > > but I'm wary of a single point of failure<<<<
> > > >        
>
> I'm not sure what you're referring to about a single point of failure.
> In the network design you've provided, there is no apparent
> redundancy......so each of the devices is a single point of failure.  To
> avoid that, you'll need multiple devices in HA, which may well be
> overkill for what you need.
>
>  
>
> > > > > Something I'm still unsure about is internal clients connecting to
> > > > >          
> the mailserver in the DMZ - how much of a security issue is this?
>
> Should I use the DMZ mailserver simply as a relay for an internal
> mailserver?<<<
>
> IMHO, better to use your box in the DMZ as a relay only. You can run
> postfix/sendmail/whatever and use it to do some granular filtering. If
> you're keen enough, install some different virus scanner/anti-spam
> software on there, and get your box to pass the mail to that before
> allowing anything inbound. The other advantage of doing this is that it
> allows you to kill anything you don't want at the border. Finally, it
> means that if your internal server blows up or something, you'll still
> queue inbound mail....which is good.
>
> If you get super keen, you can set it up to run iptables and tcpwrappers
> and tie it down.
>
> My 2 bobs worth
>
>
> -----Original Message-----
> From: lists () ninjafriendly com [mailto:lists () ninjafriendly com] 
> Sent: Monday, 5 September 2005 21:45
> To: security-basics () securityfocus com
> Subject: External Network / Firewall Setup.
>
> Hi all,
>
> Background: We're a .sch.uk with a currently county-managed firewall and
> webmail
> provision.  We have a 2mb symmettric DSL connection with approx 30% use
> at any
> one time.  Due to service and reliability issues with the county-managed
> solution we are looking to run our own mailserver, accessible from the
> internet.  On balance, maintaining our own firewall setup is less hassle
> than
> keeping what we currently have.
>
> I'm currently in the process of working out the firewall requirements,
> what I
> have so far is this:
>
> Internet
> |
> Router
> |
> Firewall(1)
> |
> HUB---Snort(1)
> | |___Mailserver
> |
> Firewall(2)
> |
> HUB---Snort(2)
> |
> |
> LAN
>
> I suspect this setup may be overkill for the amount of traffic we
> receive, but
> I'm wary of a single point of failure.  Hardware isn't a problem.
>
> Further info: The mailserver will be running Horde.  I'm hoping to
> convince
> management to use a PIX or similar for the first firewall and then
> something
> *nix based for the second, otherwise it will be two *nix boxes (IPcop
> and
> something BSD based).
>
> Something I'm still unsure about is internal clients connecting to the
> mailserver in the DMZ - how much of a security issue is this?  Should I
> use the
> DMZ mailserver simply as a relay for an internal mailserver?
>
> Would anyone mind looking this over and telling me if I've screwed up /
> overlooked something?
>
> Thanks
>
> Pete
>
>
> Notice:
> The information contained in this e-mail message and any attached files may
> be confidential information, and may also be the subject of legal
> professional privilege.  If you are not the intended recipient any use,
> disclosure or copying of this e-mail is unauthorised.  If you have received
> this e-mail in error, please notify the sender immediately by reply e-mail
> and delete all copies of this transmission together with any attachments.
>
>
>
>