Security Basics mailing list archives

RE: External Network / Firewall Setup.


From: "Yvonne McInally" <ymcinally () cyberguard co uk>
Date: Thu, 8 Sep 2005 10:39:40 +0100

Hi All, 

You mention DMZ!! If you would like to evaluate EAL4+ compliant
firewalls for High enterprise Customers or IPsec SME firewalls - please
contact me. 

Kind Regards 
 
Yvonne 
 
Yvonne McInally 
Internal Sales / Training Co-ordinator EMEA 
 
CyberGuard Europe Ltd
No 1, The Arena 
Downshire Way 
Bracknell 
Berkshire 
RG12 1PU 
 
United Kingdom
 
Phone +44 (0) 870 460 4766
Fax + 44 (0) 870 460 4767
Support +44 (0) 870 460 4755 
 
www.cyberguard.com 
 

-----Original Message-----
From: Mikhail Minyailov [mailto:mminyailov () runway ru] 
Sent: 07 September 2005 12:17
To: security-basics () securityfocus com
Subject: RE: External Network / Firewall Setup.

I can recommend using 3-port firewalls (with outside, inside & dmz
interfaces) - Cisco PIX for example, or Checkpoint firewall, or BSD boxes - it doesn't
really matter.

the totally resilient design should be:

ISP1            ISP2
| \                 / |
 crosslinks here (from each router two uplinks)
|      /            \ |
EdgeRouter1 EdgeRouter2 (HSRP)
|                                  /
2 PIXes (main + fail-over - that will save $$$ on licenses)  ---
server(s)
in DMZ
|    /
LAN


about smtp relay in dmz - it's a good schema, but don't forget about
content filtering (spam/antivirus)

also you should always remember the purposes of a DMZ
- if a server in the DMZ is hacked, it's got to be impossible to use it as a
platform to attack your LAN, so the filters inside <-> dmz should be as
restrictive as possible, just like inside <-> outside & outside <-> dmz
 

-----Original Message-----
From: lists () ninjafriendly com [mailto:lists () ninjafriendly com] 
Sent: Monday, September 05, 2005 3:45 PM
To: security-basics () securityfocus com
Subject: External Network / Firewall Setup.

Hi all,

Background: We're a .sch.uk with a currently county-managed 
firewall and webmail provision.  We have a 2mb symmetric DSL 
connection with approx 30% use at any one time.  Due to 
service and reliability issues with the county-managed 
solution we are looking to run our own mailserver, accessible 
from the internet.  On balance, maintaining our own firewall 
setup is less hassle than keeping what we currently have.

I'm currently in the process of working out the firewall 
requirements, what I have so far is this:

Internet
|
Router
|
Firewall(1)
|
HUB---Snort(1)
| |___Mailserver
|
Firewall(2)
|
HUB---Snort(2)
|
|
LAN

I suspect this setup may be overkill for the amount of 
traffic we receive, but I'm wary of a single point of 
failure.  Hardware isn't a problem.

Further info: The mailserver will be running Horde.  I'm 
hoping to convince management to use a PIX or similar for the 
first firewall and then something *nix based for the second, 
otherwise it will be two *nix boxes (IPcop and something BSD based).

Something I'm still unsure about is internal clients 
connecting to the mailserver in the DMZ - how much of a 
security issue is this?  Should I use the DMZ mailserver 
simply as a relay for an internal mailserver?

Would anyone mind looking this over and telling me if I've 
screwed up / overlooked something?

Thanks

Pete
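The two points the thread raises, Mikhail's "filters inside <-> dmz should be as restrictive as inside <-> outside" and Pete's question about internal clients talking to a mail server in the DMZ, can be written down as a three-zone policy and checked. The block below is an added example, not code posted by anyone on this thread and not a PIX, Checkpoint or pf ruleset: it is a small first-match policy evaluator in Python with constructed addresses (203.0.113.10 as the DMZ mail relay, 10.0.0.0/24 as the LAN, 10.0.0.25 as the hypothetical internal mail server the relay hands mail to). The `dmz_exposure()` audit answers the DMZ question from the defender's side: if the DMZ host is compromised, which LAN host/port pairs does the policy still let it reach? With the rules as written the answer is only the single SMTP hop to the internal mail server.

```python
"""Three-zone (outside / dmz / inside) firewall policy model.

Added example; the addresses below are constructed for illustration and
are not from the thread:
  203.0.113.10  DMZ mail relay (webmail + SMTP)
  10.0.0.0/24   LAN
  10.0.0.25     hypothetical internal mail server the DMZ relay forwards to
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src_zone: str                     # zone name or "*" for any zone
    dst_zone: str
    src: str = "0.0.0.0/0"            # CIDR
    dst: str = "0.0.0.0/0"
    proto: str = "*"
    dports: frozenset = frozenset()   # empty means any destination port

    def matches(self, f: Flow) -> bool:
        return (self.src_zone in ("*", f.src_zone)
                and self.dst_zone in ("*", f.dst_zone)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("*", f.proto)
                and (not self.dports or f.dport in self.dports))


DMZ_MAIL = "203.0.113.10/32"
LAN = "10.0.0.0/24"
INTERNAL_MAIL = "10.0.0.25/32"

# First match wins; the last rule is the default deny.
POLICY = [
    # Anti-spoofing: nothing arriving on the outside interface may claim a LAN source.
    Rule("deny", "outside", "*", src=LAN),
    # outside <-> dmz: only the mail relay, and only the mail/webmail ports.
    Rule("allow", "outside", "dmz", dst=DMZ_MAIL, proto="tcp", dports=frozenset({25, 443})),
    Rule("allow", "dmz", "outside", src=DMZ_MAIL, proto="tcp", dports=frozenset({25})),
    # inside -> dmz: LAN clients reach webmail/IMAPS on the relay, nothing else.
    Rule("allow", "inside", "dmz", src=LAN, dst=DMZ_MAIL, proto="tcp", dports=frozenset({443, 993})),
    # dmz -> inside: the relay may deliver mail to the internal server only.
    Rule("allow", "dmz", "inside", src=DMZ_MAIL, dst=INTERNAL_MAIL, proto="tcp", dports=frozenset({25})),
    # inside -> outside: ordinary web browsing from the LAN.
    Rule("allow", "inside", "outside", src=LAN, proto="tcp", dports=frozenset({80, 443})),
    Rule("deny", "*", "*"),
]


def evaluate(flow: Flow, policy=POLICY) -> str:
    """Return the action of the first matching rule ("deny" if nothing matches)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


AUDIT_PORTS = (22, 25, 80, 135, 139, 389, 443, 445, 993, 3389)


def dmz_exposure(policy=POLICY, dmz_host="203.0.113.10",
                 lan_hosts=("10.0.0.25", "10.0.0.50"), ports=AUDIT_PORTS):
    """Audit the policy from the defender's side: which LAN (host, port) pairs
    could a compromised DMZ host still open?  A tight DMZ policy should leave
    only the single mail hop to the internal server."""
    return {(h, p) for h in lan_hosts for p in ports
            if evaluate(Flow("dmz", "inside", dmz_host, h, "tcp", p), policy) == "allow"}


if __name__ == "__main__":
    for h, p in sorted(dmz_exposure()):
        print(f"DMZ relay may reach LAN {h}:{p}")
```

The audit is the useful part: run it again after every rule change, and if anything beyond the internal mail server on port 25 shows up, the DMZ has stopped doing its job. The same evaluator also shows why the anti-spoofing rule sits first: a packet on the outside interface carrying a LAN source address would otherwise match the outside -> dmz allow.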