Security Basics mailing list archives
Re: External Network / Firewall Setup.
From: Michael Gale <michael.gale () bluesuperman com>
Date: Tue, 06 Sep 2005 23:18:15 -0600
Hello,

I would use the mailserver as a relay / SPAM / AV filter only and keep the corp IMAP (assuming IMAP) on the internal network.
          |
          |
        router
          |
  Switch with management port for snort
          |_____________ Firewall NIC1
          |              (external)
          |
          |_____ Firewall NIC2 (DMZ)
          |
          |
     Firewall NIC3
          |
      (internal)
          |
  ---------------
          |
  Switch with management port for snort
          |

I hope my drawing is understandable ...

A few other things I would personally do is not place snort on the external network, I find it would generate too many alarms, causing them to be ignored.
What are you doing for web mail? Because ideally you would place a web mail proxy on the DMZ and allow authenticated users from external access to their mail box located on an internal server.
Michael lists () ninjafriendly com wrote:
Hi all,

Background: We're a .sch.uk with a currently county-managed firewall and webmail provision. We have a 2mb symmetric DSL connection with approx 30% use at any one time. Due to service and reliability issues with the county-managed solution we are looking to run our own mailserver, accessible from the internet. On balance, maintaining our own firewall setup is less hassle than keeping what we currently have.

I'm currently in the process of working out the firewall requirements, what I have so far is this:

   Internet
      |
    Router
      |
  Firewall(1)
      |
     HUB---Snort(1)
      |
      |___Mailserver
      |
  Firewall(2)
      |
     HUB---Snort(2)
      |
      |
     LAN

I suspect this setup may be overkill for the amount of traffic we receive, but I'm wary of a single point of failure. Hardware isn't a problem.

Further info: The mailserver will be running Horde. I'm hoping to convince management to use a PIX or similar for the first firewall and then something *nix based for the second, otherwise it will be two *nix boxes (IPcop and something BSD based).

Something I'm still unsure about is internal clients connecting to the mailserver in the DMZ - how much of a security issue is this? Should I use the DMZ mailserver simply as a relay for an internal mailserver?

Would anyone mind looking this over and telling me if I've screwed up / overlooked something?

Thanks
Pete
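As an added illustration (not part of the thread, and not Michael's or Pete's configuration), here is what Michael's three-NIC layout looks like as an OpenBSD pf ruleset for the BSD-based box Pete mentions: the DMZ holds only the SMTP relay and a web mail proxy, the mailbox server stays internal, and every flow not listed is dropped. Interface names, addresses and the host roles are assumed; general LAN internet access is left out to keep the mail paths visible.

```pf
# Added example only: OpenBSD pf ruleset for a three-NIC firewall
# (NIC1 external, NIC2 DMZ, NIC3 internal). Interface names and
# addresses below are assumptions, not values from the thread.
ext_if = "em0"            # Firewall NIC1 (external)
dmz_if = "em1"            # Firewall NIC2 (DMZ)
int_if = "em2"            # Firewall NIC3 (internal)

dmz_net = "192.0.2.0/24"
int_net = "10.0.0.0/24"
relay   = "192.0.2.25"    # DMZ mail relay / SPAM / AV filter
wmproxy = "192.0.2.80"    # DMZ web mail proxy
mailsrv = "10.0.0.25"     # internal mail store (IMAP), never exposed

set skip on lo
set block-policy drop

# Drop and log spoofed source addresses on the inside interfaces
antispoof quick for { $dmz_if, $int_if }

# Default deny; logged drops are what the snort taps should be watching
block log all

# Internet reaches only the relay on SMTP and the web mail proxy on HTTPS
pass in on $ext_if proto tcp from any to $relay port smtp
pass in on $ext_if proto tcp from any to $wmproxy port https

# Relay hands filtered mail to the internal store; the proxy speaks IMAP
# to it on behalf of authenticated external users
pass in on $dmz_if proto tcp from $relay to $mailsrv port smtp
pass in on $dmz_if proto tcp from $wmproxy to $mailsrv port { imap, imaps }

# DMZ hosts may deliver outbound mail and resolve names, nothing else
pass in on $dmz_if proto tcp from $dmz_net to any port smtp
pass in on $dmz_if proto { tcp, udp } from $dmz_net to any port domain

# Internal side: outbound mail leaves via the relay, clients read mail
# from the internal store or through the web mail proxy, never the DMZ relay
pass in on $int_if proto tcp from $mailsrv to $relay port smtp
pass in on $int_if proto tcp from $int_net to $wmproxy port https
pass in on $int_if proto tcp from $int_net to $mailsrv port { imap, imaps }

# pf keeps state on the "pass in" rules, so return traffic needs no
# per-flow out rules; allow egress on all interfaces for those states
pass out on { $ext_if, $dmz_if, $int_if }
```

Load it with pfctl -f and verify with pfctl -sr; any internal client attempting IMAP against the DMZ relay will show up in the logged drops rather than silently working.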