Re: External Network / Firewall Setup.

From: Greg Stiavetti (gstiavetti_at_rentoneonline.com)
Date: 09/08/05

    To: <mminyailov@runway.ru>, <security-basics@securityfocus.com>
    Date: Wed, 7 Sep 2005 17:20:44 -0700
    
    

    If cost is an issue you can do the firewall/router redundancy with stateful
    failover of router/firewall/vpn AND load-balancing, for much less with a
    pair of Nokia IP-VPN 10i's.

    The feature set is incredible for the price, and the support is fantastic.

    ----- Original Message -----
    From: "Mikhail Minyailov" <mminyailov@runway.ru>
    To: <security-basics@securityfocus.com>
    Sent: Wednesday, September 07, 2005 4:17 AM
    Subject: RE: External Network / Firewall Setup.

    > I can recommend using 3-port firewalls (with outside, inside & dmz
    > interfaces)
    > Cisco PIX for example... or Checkpoint firewall or BSD boxes - it doesn't
    > really matter
    >
    > the totally resilient design should be:
    >
    >   ISP1          ISP2
    >    | \          / |
    >    crosslinks here (from each router two uplinks)
    >    | /          \ |
    >   EdgeRouter1   EdgeRouter2 (HSRP)
    >    |     /
    >   2 PIXes (main + fail-over - that will save $$$ on licenses) --- server(s) in DMZ
    >    |     /
    >   LAN
    >
    >
    > about smtp relay in dmz - it's a good schema, but don't forget about
    > content
    > filtering(spam/antivirus)
    >
    > also you should always remember the purpose of a DMZ
    > - if a server in the DMZ is hacked, it has got to be impossible to use it as a
    > platform to attack your LAN, so the filters inside <-> dmz should be as
    > restrictive as possible, just like inside <-> outside & outside <-> dmz
    >
    >
    >> -----Original Message-----
    >> From: lists@ninjafriendly.com [mailto:lists@ninjafriendly.com]
    >> Sent: Monday, September 05, 2005 3:45 PM
    >> To: security-basics@securityfocus.com
    >> Subject: External Network / Firewall Setup.
    >>
    >> Hi all,
    >>
    >> Background: We're a .sch.uk with a currently county-managed
    >> firewall and webmail provision. We have a 2mb symmetric DSL
    >> connection with approx 30% use at any one time. Due to
    >> service and reliability issues with the county-managed
    >> solution we are looking to run our own mailserver, accessible
    >> from the internet. On balance, maintaining our own firewall
    >> setup is less hassle than keeping what we currently have.
    >>
    >> I'm currently in the process of working out the firewall
    >> requirements, what I have so far is this:
    >>
    >>    Internet
    >>       |
    >>     Router
    >>       |
    >>   Firewall(1)
    >>       |
    >>     HUB---Snort(1)
    >>       |  |___Mailserver
    >>       |
    >>   Firewall(2)
    >>       |
    >>     HUB---Snort(2)
    >>       |
    >>       |
    >>      LAN
    >>
    >> I suspect this setup may be overkill for the amount of
    >> traffic we receive, but I'm wary of a single point of
    >> failure. Hardware isn't a problem.
    >>
    >> Further info: The mailserver will be running Horde. I'm
    >> hoping to convince management to use a PIX or similar for the
    >> first firewall and then something *nix based for the second,
    >> otherwise it will be two *nix boxes (IPcop and something BSD based).
    >>
    >> Something I'm still unsure about is internal clients
    >> connecting to the mailserver in the DMZ - how much of a
    >> security issue is this? Should I use the DMZ mailserver
    >> simply as a relay for an internal mailserver?
    >>
    >> Would anyone mind looking this over and telling me if I've
    >> screwed up / overlooked something?
    >>
    >> Thanks
    >>
    >> Pete
    >>
    >>
    >>
    >
    >

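The zone-separation principle Mikhail spells out above (a compromised DMZ host must not be usable as a pivot into the LAN, so inside <-> dmz filtering is as tight as outside <-> dmz) and Pete's question about letting internal clients reach the DMZ mail server are easy to state and easy to get subtly wrong in a ruleset. The following is an added example, not code from this thread or from any of the products named in it: a small Python model of a first-match, default-deny three-zone policy, with an audit function that flags DMZ-to-LAN allow rules that do not pin both destination host and port. All addresses (10.0.0.0/8 for the LAN, 192.0.2.0/24 for the DMZ, the relay at 192.0.2.25 and the internal mail store at 10.0.0.25) are constructed for the example. The evaluator models connection initiation only; return traffic is assumed to be handled by the firewall's state table, as on the PIX/pf/IPcop boxes discussed.

```python
"""Toy three-zone (inside / dmz / outside) firewall policy checker.

Added example, not from the thread. Addressing is constructed:
    inside  = 10.0.0.0/8      (LAN; internal mail server 10.0.0.25)
    dmz     = 192.0.2.0/24    (SMTP relay / webmail host 192.0.2.25)
    outside = everything else
Only new connections are evaluated; reply packets are left to state tracking.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ZONES = {
    "inside": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}
DMZ_MAIL = "192.0.2.25"  # relay + webmail in the DMZ (constructed)
INT_MAIL = "10.0.0.25"   # internal mail store (constructed)


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]  # None = any host in dst_zone
    dport: Optional[int]     # None = any TCP port
    action: str              # "allow" or "deny"

    def matches(self, sz: str, dz: str, dst: str, dport: int) -> bool:
        return (self.src_zone == sz and self.dst_zone == dz
                and (self.dst_host is None
                     or ip_address(self.dst_host) == ip_address(dst))
                and (self.dport is None or self.dport == dport))


# First match wins; anything unmatched is dropped (implicit default deny).
POLICY: List[Rule] = [
    # outside -> dmz: inbound SMTP and the webmail front end, nothing else
    Rule("outside", "dmz", DMZ_MAIL, 25, "allow"),
    Rule("outside", "dmz", DMZ_MAIL, 443, "allow"),
    # dmz -> inside: exactly one hop, the relay delivering to the internal store
    Rule("dmz", "inside", INT_MAIL, 25, "allow"),
    # dmz -> outside: the relay must send mail and resolve MX records
    Rule("dmz", "outside", None, 25, "allow"),
    Rule("dmz", "outside", None, 53, "allow"),
    # inside -> dmz: clients reach webmail over HTTPS only (no SSH, no IMAP)
    Rule("inside", "dmz", DMZ_MAIL, 443, "allow"),
    # inside -> outside: ordinary browsing
    Rule("inside", "outside", None, 80, "allow"),
    Rule("inside", "outside", None, 443, "allow"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new TCP connection src -> dst:dport."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "allow"  # same segment; never crosses the firewall
    for rule in policy:
        if rule.matches(sz, dz, dst, dport):
            return rule.action
    return "deny"


def dmz_to_inside_gaps(policy: List[Rule]) -> List[Rule]:
    """Allow rules from dmz to inside that leave host or port unpinned.
    Each one is a path a compromised DMZ box could use to pivot into the LAN."""
    return [r for r in policy
            if r.src_zone == "dmz" and r.dst_zone == "inside"
            and r.action == "allow"
            and (r.dst_host is None or r.dport is None)]


# Deliberately sloppy variant: "the DMZ may talk SMTP to the LAN" (any host).
SLOPPY_POLICY = POLICY[:2] + [Rule("dmz", "inside", None, 25, "allow")] + POLICY[3:]

if __name__ == "__main__":
    flows = [
        ("203.0.113.9", DMZ_MAIL, 25),  # internet MTA delivering to the relay
        ("203.0.113.9", INT_MAIL, 25),  # internet trying to bypass the relay
        (DMZ_MAIL, INT_MAIL, 25),       # relay handing mail to the LAN store
        (DMZ_MAIL, "10.0.0.5", 445),    # compromised relay pivoting to SMB
        ("10.0.0.50", DMZ_MAIL, 443),   # LAN user opening webmail
        ("10.0.0.50", DMZ_MAIL, 22),    # LAN user ssh'ing to the relay
    ]
    for src, dst, port in flows:
        print(f"{src:>14} -> {dst}:{port:<4} {evaluate(POLICY, src, dst, port)}")
    print("pivot paths in SLOPPY_POLICY:", dmz_to_inside_gaps(SLOPPY_POLICY))
```

The audit catches the common mistake: a rule that reads like "allow SMTP from the DMZ to the LAN" lets a compromised relay probe every internal host on port 25, whereas pinning it to the one internal mail store turns the relay design Pete asks about into a genuine choke point.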
