Security Basics mailing list archives

RE: External Network / Firewall Setup.


From: <Tim.BUTTON () Dest gov au>
Date: Thu, 8 Sep 2005 08:41:48 +1000 (EST)


I meant if firewall (1) is compromised, firewall (2) should prevent
attack from getting into the internal network.<<<

Ok, it's important to remember that firewalls will only stop
ILLEGITIMATE traffic, and, depending on the type of firewall, they may
only match illegitimate traffic against its LAYER 3 fingerprint.  Unless
the firewall is an application level firewall such as Sidewinder,
Cyberguard or Netscreen (or even an old Gauntlet), the firewall only
cares if the source, destination and protocol are allowed and if the
connection is stateful.  It won't stop malformed packets, buffer
overflows and so forth.  If you want that sort of protection (say for
inbound HTTP to a web server), then you either need to spend the big
$$'s and start looking at an application level firewall (which still may
not do 100% of the job) OR look into configuring squid as a reverse
proxy (really only applicable to HTTP and maybe HTTPS when the squid
project includes SSL acceleration).

Firewalls aren't a replacement for hardening a box and strong
processes... they're an addition.  Always remember, security is like an
onion... it should be layered.
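As an added illustration of the distinction drawn above (this script is not part of the original thread), the following shell script puts a stateful packet-filter rule set for a DMZ reverse proxy next to the Squid accelerator configuration that adds the application-level checks the packet filter cannot make. The addresses, the site name, the `run` dry-run helper and the header/body limits are assumptions of the example; the Squid directives are the 2.6+/3.x "accel" syntax rather than the httpd_accel_* directives of the 2.5 releases current in 2005.

```shell
#!/bin/sh
# Added example (not from the original thread): stateful L3/L4 host-firewall
# rules for a Squid reverse proxy in the DMZ, plus the Squid "accel"
# configuration that adds the application-layer checks the packet filter
# cannot make.  All addresses and names are constructed placeholders.
#
# Run with DRY_RUN=1 to print the commands instead of executing them.
DMZ_PROXY="192.0.2.10"      # constructed: Squid's DMZ address
ORIGIN="10.0.0.80"          # constructed: internal web server Squid fronts
SITE="www.example.com"      # constructed: public site name

# Dry-run wrapper: print the command line when DRY_RUN is set, else execute it.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Every decision below is made on source, destination, protocol/port and
# connection state.  Nothing here inspects the HTTP payload, so a malformed
# or oversized request to port 80 is "legitimate" as far as these rules go.
proxy_firewall_rules() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    # Stateful: replies to connections that were already accepted
    run iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound HTTP/HTTPS from anywhere, to the proxy address only
    run iptables -A INPUT -p tcp -d "$DMZ_PROXY" --dport 80  -m state --state NEW -j ACCEPT
    run iptables -A INPUT -p tcp -d "$DMZ_PROXY" --dport 443 -m state --state NEW -j ACCEPT
    # The proxy may initiate connections only to the origin server on port 80;
    # any other DMZ-to-internal connection falls through to the DROP policy
    run iptables -A OUTPUT -p tcp -d "$ORIGIN" --dport 80 -m state --state NEW -j ACCEPT
}

# Squid in reverse-proxy (accelerator) mode: it parses each request before
# relaying it to the origin, so a request that is not well-formed HTTP for our
# site, or that exceeds the header/body limits, is rejected here instead of
# reaching the web server.
squid_reverse_proxy_conf() {
    cat <<EOF
http_port 80 accel defaultsite=$SITE
cache_peer $ORIGIN parent 80 0 no-query originserver name=origin
acl our_site dstdomain $SITE
http_access allow our_site
http_access deny all
cache_peer_access origin allow our_site
cache_peer_access origin deny all
request_header_max_size 8 KB
request_body_max_size 1 MB
EOF
}

case "${1:-}" in
    --firewall) proxy_firewall_rules ;;
    --squid)    squid_reverse_proxy_conf ;;   # e.g. > /etc/squid/squid.conf
esac
```

Running `DRY_RUN=1 sh proxy.sh --firewall` lists the rules for review; note that none of them can say anything about the request body, which is exactly why the Squid layer sits in front of the origin server.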



-----Original Message-----
From: lists () ninjafriendly com [mailto:lists () ninjafriendly com] 
Sent: Thursday, 8 September 2005 0:01
To: security-basics () securityfocus com
Subject: RE: External Network / Firewall Setup.

Quoting Tim.BUTTON () Dest gov au:

but I'm wary of a single point of failure<<<<

I'm not sure what you're referring to about a single point of failure.
sorry, wrong terminology.  I meant if firewall (1) is compromised,
firewall (2) should prevent attack from getting into the internal network.

avoid that, you'll need multiple devices in HA, which may well be
overkill for what you need.

yup, which is just as well because we can't afford it.

Something I'm still unsure about is internal clients connecting to
the mailserver in the DMZ - how much of a security issue is this?

Should I use the DMZ mailserver simply as a relay for an internal
mailserver?<<<

IMHO, better to use your box in the DMZ as a relay only. You can run
postfix/sendmail/whatever and use it to do some granular filtering. If
you're keen enough, install some different virus scanner/anti-spam
software on there, and get your box to pass the mail to that before
allowing anything inbound. The other advantage of doing this is that it
allows you to kill anything you don't want at the border. Finally, it
means that if your internal server blows up or something, you'll still
queue inbound mail... which is good.

If you get super keen, you can set it up to run iptables and tcpwrappers
and tie it down.

Cheers - I have some reading to do.
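The relay-only DMZ mail server sketched in the reply above, written out as an added example (this is not code from the thread): Postfix accepts and queues mail for the internal server only, a stateful host firewall limits what the relay may reach, and TCP wrappers cover management access. The domain, the addresses, the `run` dry-run helper, and the relay_recipients map and content filter on port 10024 are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a DMZ mail relay with Postfix
# configured to accept and queue mail for the internal server only, a stateful
# host firewall, and TCP wrappers entries for management access.  Domain,
# addresses, the relay_recipients map and the content filter are constructed.
#
# Run with DRY_RUN=1 (or --show) to print the commands instead of executing them.
DOMAIN="example.com"        # constructed: the domain we accept mail for
INTERNAL_MX="10.0.0.25"     # constructed: internal mail server
INTERNAL_NET="10.0.0.0/8"   # constructed: internal network
RELAY_IP="192.0.2.25"       # constructed: this relay's DMZ address

# Dry-run wrapper: print the command line when DRY_RUN is set, else execute it.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Relay-only Postfix: no local mailboxes, inbound mail for $DOMAIN is handed to
# the internal server via the transport map, and only the internal network may
# relay outbound.  Unknown recipients are rejected at the border (the
# relay_recipients map must list valid addresses), and accepted mail passes
# through an assumed virus/spam filter on 127.0.0.1:10024 before delivery.
relay_postfix_settings() {
    run postconf -e "myhostname = relay.$DOMAIN"
    run postconf -e "mydestination ="
    run postconf -e "relay_domains = $DOMAIN"
    run postconf -e "transport_maps = hash:/etc/postfix/transport"
    run postconf -e "mynetworks = 127.0.0.0/8, $INTERNAL_NET"
    run postconf -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination"
    run postconf -e "relay_recipient_maps = hash:/etc/postfix/relay_recipients"
    run postconf -e "message_size_limit = 20480000"
    run postconf -e "content_filter = smtp:[127.0.0.1]:10024"
}

# /etc/postfix/transport: route the domain to the internal server (postmap it after writing).
relay_transport_map() {
    printf '%s\tsmtp:[%s]\n' "$DOMAIN" "$INTERNAL_MX"
}

# Host firewall: SMTP in from anywhere, SSH in from the internal network, SMTP
# out to the internal server and the Internet, DNS for MX lookups.  The explicit
# DROP means nothing else from the relay can open a connection into the internal
# network, even if the relay itself is compromised.
relay_firewall_rules() {
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT  -p tcp -d "$RELAY_IP" --dport 25 -m state --state NEW -j ACCEPT
    run iptables -A INPUT  -p tcp -s "$INTERNAL_NET" -d "$RELAY_IP" --dport 22 -m state --state NEW -j ACCEPT
    run iptables -A OUTPUT -p tcp -d "$INTERNAL_MX" --dport 25 -m state --state NEW -j ACCEPT
    run iptables -A OUTPUT -d "$INTERNAL_NET" -m state --state NEW -j DROP
    run iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
    run iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    run iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# TCP wrappers: a second layer for services linked against libwrap (classically
# sshd).  Postfix's smtpd does not consult hosts.allow, so SMTP access control
# stays with the firewall rules and the Postfix restrictions above.
relay_tcpwrappers() {
    printf '# /etc/hosts.deny\nALL: ALL\n'
    printf '# /etc/hosts.allow\nsshd: %s\n' "$INTERNAL_NET"
}

case "${1:-}" in
    --apply)
        relay_postfix_settings
        relay_transport_map > /etc/postfix/transport && postmap /etc/postfix/transport
        relay_firewall_rules
        ;;
    --show)
        DRY_RUN=1
        relay_postfix_settings; relay_transport_map; relay_firewall_rules; relay_tcpwrappers
        ;;
esac
```

The ordering of the OUTPUT rules matters: the allow for the internal mail server comes before the blanket DROP for the internal network, and the general port-25 allow for outbound Internet mail comes after it, so the relay can deliver both ways without gaining a path to any other internal host.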

