Re: External Network / Firewall Setup.
From: Greg Stiavetti (gstiavetti_at_rentoneonline.com)
To: <email@example.com>, <firstname.lastname@example.org>
Date: Wed, 7 Sep 2005 17:20:44 -0700
If cost is an issue you can do the firewall/router redundancy with stateful
failover of router/firewall/vpn AND load-balancing, for much less with a
pair of Nokia IP-VPN 10i's.
The feature set is incredible for the price, and the support is fantastic.
----- Original Message -----
From: "Mikhail Minyailov" <email@example.com>
Sent: Wednesday, September 07, 2005 4:17 AM
Subject: RE: External Network / Firewall Setup.
> I can recommend using 3-port firewalls (with outside, inside & dmz
> Cisco PIX for example... or Checkpoint firewall or BSD boxes - doesn't
> really matter
> the totally resilient design should be:
> ISP1 ISP2
> | \ / |
> crosslinks here (from each router two uplinks)
> | / \ |
> EdgeRouter1 EdgeRouter2 (HSRP)
> | /
> 2 PIXes (main + fail-over - that will save $$$ on licenses) --- server(s) in DMZ
> | /
> about smtp relay in dmz - it's a good schema, but don't forget about
> also you should always remember the purposes of DMZ
> - if a server in DMZ is hacked - it's gotta be impossible to use it as a
> platform to attack your LAN, so the filters inside <-> dmz should also be as
> restrictive as possible, just like inside <-> outside & outside <-> dmz
>> -----Original Message-----
>> From: firstname.lastname@example.org [mailto:email@example.com]
>> Sent: Monday, September 05, 2005 3:45 PM
>> To: firstname.lastname@example.org
>> Subject: External Network / Firewall Setup.
>> Hi all,
>> Background: We're a .sch.uk with a currently county-managed
>> firewall and webmail provision. We have a 2mb symmetric DSL
>> connection with approx 30% use at any one time. Due to
>> service and reliability issues with the county-managed
>> solution we are looking to run our own mailserver, accessible
>> from the internet. On balance, maintaining our own firewall
>> setup is less hassle than keeping what we currently have.
>> I'm currently in the process of working out the firewall
>> requirements, what I have so far is this:
>> | |___Mailserver
>> I suspect this setup may be overkill for the amount of
>> traffic we receive, but I'm wary of a single point of
>> failure. Hardware isn't a problem.
>> Further info: The mailserver will be running Horde. I'm
>> hoping to convince management to use a PIX or similar for the
>> first firewall and then something *nix based for the second,
>> otherwise it will be two *nix boxes (IPcop and something BSD based).
>> Something I'm still unsure about is internal clients
>> connecting to the mailserver in the DMZ - how much of a
>> security issue is this? Should I use the DMZ mailserver
>> simply as a relay for an internal mailserver?
>> Would anyone mind looking this over and telling me if I've
>> screwed up / overlooked something?
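
As an added illustration of the two points raised in this thread (the DMZ mailserver acting only as a relay for an internal mailserver, and the inside <-> dmz filters being as restrictive as the outside-facing ones), here is a pf.conf sketch for the three-interface firewall. It is not configuration from any of the posters; the use of OpenBSD pf, the interface names, the address ranges and the host addresses are all assumptions chosen for the example.

```pf
# Added example, not from the thread: three-interface pf.conf where the DMZ
# host is purely an SMTP relay / webmail front end for an internal mailstore.
# Interface names, addresses and the choice of pf itself are assumptions.
ext_if = "em0"                 # outside (ISP)
int_if = "em1"                 # inside LAN
dmz_if = "em2"                 # DMZ

lan_net   = "192.168.1.0/24"   # assumed LAN range
dmz_net   = "192.168.2.0/24"   # assumed DMZ range
dmz_relay = "192.168.2.10"     # assumed DMZ SMTP relay / webmail host
int_mail  = "192.168.1.20"     # assumed internal mail server

set skip on lo0
block log all                  # default deny, every direction, every interface
pass out all keep state        # all filtering happens on the inbound side of each interface

# DMZ -> inside: exactly one pinhole (relay delivering inbound mail to the
# internal server), then drop everything else from the DMZ toward the LAN
# before any wider "to any" rule below can match it.
pass in quick on $dmz_if proto tcp from $dmz_relay to $int_mail port 25 keep state
block in log quick on $dmz_if from $dmz_net to $lan_net

# DMZ -> outside: the relay needs outbound SMTP and DNS and nothing more
pass in on $dmz_if proto tcp from $dmz_relay to any port 25 keep state
pass in on $dmz_if proto { tcp udp } from $dmz_relay to any port 53 keep state

# outside -> DMZ: inbound mail and webmail only, to the relay host only
pass in on $ext_if proto tcp from any to $dmz_relay port { 25 443 } keep state

# inside -> DMZ: treated as restrictively as inside -> outside. Clients get
# webmail, the internal mail server hands outbound mail to the relay, and
# everything else from the LAN into the DMZ is dropped and logged.
pass in quick on $int_if proto tcp from $lan_net to $dmz_relay port 443 keep state
pass in quick on $int_if proto tcp from $int_mail to $dmz_relay port 25 keep state
block in log quick on $int_if from $lan_net to $dmz_net

# inside -> outside: ordinary client traffic
pass in on $int_if from $lan_net to any keep state
```

The ordering matters: pf evaluates to the last matching rule unless a rule is marked `quick`, so each DMZ pinhole is placed as a `quick` pass immediately followed by a `quick` block for the whole zone pair. That way a compromised relay can reach only the internal mailserver on port 25, and the logged blocks on both the DMZ and inside interfaces give a ready signal for anything trying to cross a zone boundary it should not.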