RE: External Network / Firewall Setup.

[lists () ninjafriendly com]

Quoting Tim.BUTTON () Dest gov au:

> > > > but I'm wary of a single point of failure<<<<
>
> I'm not sure what you're referring to about a single point of failure.
sorry, wrong terminology.  I meant if firewall (1) is compromised, 
firewall (2)
should prevent attack from getting into the internal network.

> avoid that, you'll need multiple devices in HA, which may well be
> overkill for what you need.

yup, which is just as well because we can't afford it.

> > > > > Something I'm still unsure about is internal clients connecting to
> the mailserver in the DMZ - how much of a security issue is this?
>
> Should I use the DMZ mailserver simply as a relay for an internal
> mailserver?<<<
>
> IMHO, better to use your box in the DMZ as a relay only. You can run
> postfix/sendmail/whatever and use it to do some granular filtering. If
> you're keen enough, install some different virus scanner/anti-spam
> software on there, and get your box to pass the mail to that before
> allowing anything inbound. The other advantage of doing this is that it
> allows you to kill anything you don't want at the border. Finally, it
> means that if your internal server blows up or something, you'll still
> queue inbound mail....which is good.
>
> If you get super keen, you can set it up to run iptables and tcpwrappers
> and tie it down.

Cheers - I have some reading to do.