Security Basics mailing list archives
RE: DMZ Design and Functionality
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 18 Aug 2003 15:57:10 -0700
For a beginner, you've chosen a rather advanced approach. I think that for your anti-virus box to do what you hope, it's going to need to be a proxy. And so what you have is not so much a DMZ as three firewall layers between your users and the Internet. Two (a proxy and a stateful packet filter) is more than most civilian sites require.

David Gillett

-----Original Message-----
From: Dana Rawson [mailto:absolutezero273c () nzoomail com]
Sent: August 18, 2003 12:53
To: security-basics () securityfocus com
Subject: DMZ Design and Functionality

Forgive me if these questions are too basic but I am relatively new to this. I am the network administrator at my company and over the past year have become aware of a need for increased security. I have been reading posts here in hopes of learning more about this. While I have learned considerable amounts, and have searched for answers elsewhere, I am still in need of guidance. Any help or direction would be greatly appreciated. I am open to reading any books that one might recommend. I have seen a few books out there but not sure which are worthwhile.

Anyway, my background information is this: I wanted to install a DMZ at 2 of my company's locations. I do have a limited budget so I was planning on using OpenBSD for my first tier firewall. I do have a hardware based firewall in place currently which I was planning on using as my second tier firewall. My initial plan is to build a machine using OpenBSD that does nothing but firewall.

Additionally, I wanted to add another machine to run Sendmail/SpamAssassin and an anti-virus software. On this I was hoping to run Redhat as this is what I am most knowledgeable on. My thought behind this was to block spam, of course, and also run a gateway anti-virus solution that would block viruses coming from websites and employees' personal e-mail accounts. This is due to the fact that I have seen a number of viruses coming in from either their 'webmail' or through their Outlook Express.

I wish to set up an ftp server and webserver to facilitate OWA. Additionally I would like to make available VPNs and encrypt all data transmitted over remote connections. Remote connections may consist of a MS RAS and Citrix.

With this information my questions are:

1. To begin, does this sound like an acceptable solution?
2. How do I size the machine that I am going to run OpenBSD? I have read that a DMZ will slow performance down some. If I have a fast enough machine will it aid performance? At what point is it overkill when running OpenBSD?
3. How do I size the machine that will be running Redhat, Sendmail and SpamAssassin? Is this configuration acceptable? Should the Anti-virus software be running on a separate machine?
4. What open source options do I have for encryption and VPNs?
5. Are there any potential problems running this configuration? Does everything mentioned here play nice together? Would you change anything here and if so why?

Many thanks in advance.

Dana
Current thread:
- DMZ Design and Functionality Dana Rawson (Aug 18)
- RE: DMZ Design and Functionality David Gillett (Aug 18)
- <Possible follow-ups>
- RE: DMZ Design and Functionality Meidinger Chris (Aug 19)
- Re: DMZ Design and Functionality Schneider Sebastian (Aug 20)