RE: DMZ Design and Functionality

["David Gillett" <gillettdavid () fhda edu>]

  For a beginner, you've chosen a rather advanced approach.

  I think that for your anti-virus box to do what you hope,
it's going to need to be a proxy.  And so what you have is 
not so much a DMZ as three firewall layers between your 
users and the Internet.  Two (a proxy and a stateful packet
filter) is more than most civilian sites require.

David Gillett

> -----Original Message-----
> From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
> Sent: August 18, 2003 12:53
> To: security-basics () securityfocus com
> Subject: DMZ Design and Functionality
>
> Forgive me if these questions are too basic but I am 
> relatively new to  this.  I am the network administrator at 
> my company and over the past year  have become aware of a 
> need for increased security.  I have been reading  posts here 
> in hopes of learning more about this.  While I have learned  
> considerable amounts, and have searched for answers 
> elsewhere, I am still  in need of guidance.  Any help or 
> direction would be greatly appreciated.   I am open to 
> reading any books that one might recommend.  I have seen a  
> few books out there but not sure which are worthwhile.    
> Anyway, my background information is this: I wanted to 
> install a DMZ at 2 of my company's locations.  I do have a  
> limited budget so I was planning on using OpenBSD for my 
> first tier  firewall.  I do have a hardware based firewall in 
> place currently which I  was planning on using as my second 
> tier firewall.   My initial plan is to build a machine using 
> OpenBSD that does nothing but  firewall.  Additionally, I 
> wanted to add another machine to run  Sendmail/SpamAssassin 
> and an an anti-virus software.  On this I was hoping  to run 
> Redhat as this is what I am most knowledgeable on.  My 
> thought  behind this was to block spam, of course, and also 
> run a gateway anti- virus solution that would block viruses 
> coming from websites and  employee's personal e-mail 
> accounts.  This due to the fact that I have  seen a number of 
> viruses coming in from either their 'webmail' or through  
> their Outlook Express. I wish to set up an ftp server and 
> webserver to  facilitate OWA.  Additionally I would like to 
> make available VPNs and  encrypt all data transmitted over 
> remote connections.  Remote connections  may consist of a MS 
> RAS and Citrix.  With this information my questions are:  1. 
> To begin, does this sound like an acceptable solution? 2. How 
> do I size the machine that I am going to run OpenBSD?  I have 
> read  that a DMZ will slow performance down some.  If I have 
> a fast enough  machine will it aid performance?  At what 
> point is overkill when running  OpenBSD. 3. How do I size the 
> machine that will be running Redhat, Sendmail and  
> SpamAssassin?  Is this configuration acceptable?  Should the 
> Anti-virus  software be running on a separate machine? 4. 
> What open source options to I have for encryption and VPNs? 
> 5. Are there any potential problems running this 
> configuration?  Does  everything mentioned here play nice 
> together?  Would you change anything  here and if so why?  
> Many thanks in advance.  Dana
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------