Security Basics mailing list archives
RE: External Network / Firewall Setup.
From: "Yvonne McInally" <ymcinally () cyberguard co uk>
Date: Thu, 8 Sep 2005 10:39:40 +0100
Hi All,

You mention DMZ!! If you would like to evaluate EAL4+ compliant firewalls for High enterprise Customers or IPsec SME firewalls - please contact me.

Kind Regards
Yvonne

Yvonne McInally
Internal Sales /Training Co-ordinator EMEA
CyberGuard Europe Ltd
No 1, The Arena
Downshire Way
Bracknell
Berkshire RG12 1PU
United Kingdom
Phone +44 (0) 870 460 4766
Fax + 44 (0) 870 460 4767
Support +44 (0) 870 460 4755
www.cyberguard.com

-----Original Message-----
From: Mikhail Minyailov [mailto:mminyailov () runway ru]
Sent: 07 September 2005 12:17
To: security-basics () securityfocus com
Subject: RE: External Network / Firewall Setup.

I can recommend you using 3-port firewalls (with outside, inside & dmz interfaces)
Cisco PIX for example... or Checkpoint firewall or BSD boxes - doesn't really matter

the totally resilient design should be:

ISP1          ISP2
 |  \        /  |
 |   crosslinks here (from each router two uplinks)
 |  /        \  |
EdgeRouter1  EdgeRouter2 (HSRP)
 |  /
2 PIXes (main + fail-over - that will save $$$ on licenses) --- server(s) in DMZ
 |  /
LAN

about smtp relay in dmz - it's a good schema, but don't forget about content filtering (spam/antivirus)

also you should always remember the purposes of DMZ - if server in DMZ is hacked - it gotta be impossible to use it as a platform to attack your LAN
so the filters inside <-> dmz should also be as restrictive as possible, as with inside <-> outside & outside <-> dmz

-----Original Message-----
From: lists () ninjafriendly com [mailto:lists () ninjafriendly com]
Sent: Monday, September 05, 2005 3:45 PM
To: security-basics () securityfocus com
Subject: External Network / Firewall Setup.

Hi all,

Background: We're a .sch.uk with a currently county-managed firewall and webmail provision. We have a 2mb symmetric DSL connection with approx 30% use at any one time. Due to service and reliability issues with the county-managed solution we are looking to run our own mailserver, accessible from the internet. On balance, maintaining our own firewall setup is less hassle than keeping what we currently have.

I'm currently in the process of working out the firewall requirements, what I have so far is this:

Internet
   |
Router
   |
Firewall(1)
   |
HUB---Snort(1)
   |
   |___Mailserver
   |
Firewall(2)
   |
HUB---Snort(2)
   |
   |
LAN

I suspect this setup may be overkill for the amount of traffic we receive, but I'm wary of a single point of failure. Hardware isn't a problem.

Further info: The mailserver will be running Horde. I'm hoping to convince management to use a PIX or similar for the first firewall and then something *nix based for the second, otherwise it will be two *nix boxes (IPcop and something BSD based).

Something I'm still unsure about is internal clients connecting to the mailserver in the DMZ - how much of a security issue is this? Should I use the DMZ mailserver simply as a relay for an internal mailserver?

Would anyone mind looking this over and telling me if I've screwed up / overlooked something?

Thanks
Pete
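
Editor's added example, not part of the thread and not code from any poster: the three-interface policy discussed above (SMTP relay in the DMZ, inside <-> dmz filtered as tightly as the other two directions) written as an iptables-restore ruleset for a *nix firewall. Interface names, both addresses, the presence of an internal mail server behind the relay, and the helper function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example: 3-port firewall policy for an SMTP relay in a DMZ.
# Every interface name and address here is an assumption, not from the thread.
OUT_IF=eth0          # outside, towards the edge router(s)
DMZ_IF=eth1          # DMZ segment
IN_IF=eth2           # inside LAN
RELAY=192.0.2.25     # DMZ SMTP relay (documentation address, constructed)
MAILHOST=10.0.0.25   # internal mail server (constructed)
NEW="-m conntrack --ctstate NEW"

# Print the ruleset in iptables-restore format (nothing is applied here).
dmz_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall's own traffic: loopback and replies only (management access not shown)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Replies to connections that a rule below already permitted
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# outside -> dmz: inbound mail to the relay only
-A FORWARD -i $OUT_IF -o $DMZ_IF -p tcp -d $RELAY --dport 25 $NEW -j ACCEPT
# dmz -> outside: the relay sends mail and resolves MX records
-A FORWARD -i $DMZ_IF -o $OUT_IF -p tcp -s $RELAY --dport 25 $NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $OUT_IF -p udp -s $RELAY --dport 53 $NEW -j ACCEPT
# inside -> dmz: only the internal mail server hands outbound mail to the relay
-A FORWARD -i $IN_IF -o $DMZ_IF -p tcp -s $MAILHOST -d $RELAY --dport 25 $NEW -j ACCEPT
# dmz -> inside: one pinhole, relay to internal mail server on SMTP
-A FORWARD -i $DMZ_IF -o $IN_IF -p tcp -s $RELAY -d $MAILHOST --dport 25 $NEW -j ACCEPT
# Log anything else the DMZ tries to open towards the LAN; policy DROP discards it
-A FORWARD -i $DMZ_IF -o $IN_IF -j LOG --log-prefix "DMZ->LAN denied: "
COMMIT
EOF
}

# Audit helper: count ACCEPT rules that let the DMZ open connections to the LAN.
dmz_to_lan_pinholes() {
    dmz_ruleset | grep -c -e "^-A FORWARD -i $DMZ_IF -o $IN_IF .* -j ACCEPT"
}
```

To syntax-check the ruleset without loading it, run `dmz_ruleset | iptables-restore --test` as root. The LOG rule turns any other DMZ-to-LAN connection attempt into a log line worth alerting on.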