Re: External Network / Firewall Setup.
From: Greg Stiavetti (gstiavetti_at_rentoneonline.com)
Date: 09/08/05
- Previous message: McKinley, Jackson: "Apples / osX"
- In reply to: Mikhail Minyailov: "RE: External Network / Firewall Setup."
- Next in thread: Kelley Greenman: "Red Cross needs network security tech volunteers"
- Reply: Kelley Greenman: "Red Cross needs network security tech volunteers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <mminyailov@runway.ru>, <security-basics@securityfocus.com> Date: Wed, 7 Sep 2005 17:20:44 -0700
If cost is an issue you can do the firewall/router redundancy with stateful
failover of router/firewall/vpn AND load-balancing, for much less with a
pair of Nokia IP-VPN 10i's.
The feature set is incredible for the price, and the support is fantastic.
----- Original Message -----
From: "Mikhail Minyailov" <mminyailov@runway.ru>
To: <security-basics@securityfocus.com>
Sent: Wednesday, September 07, 2005 4:17 AM
Subject: RE: External Network / Firewall Setup.
> I can recommend using 3-port firewalls (with outside, inside & dmz
> interfaces)
> Cisco PIX for example... or Checkpoint firewall or BSD boxes - it doesn't
> really matter
>
> the totally resilient design should be:
>
>        ISP1                ISP2
>         |   \            /   |
>         crosslinks here (from each router two uplinks)
>         |   /            \   |
>     EdgeRouter1        EdgeRouter2 (HSRP)
>         |              /
>     2 PIXes (main + fail-over - that will save $$$ on licenses) --- server(s) in DMZ
>         |              /
>        LAN
>
>
> about smtp relay in dmz - it's a good schema, but don't forget about
> content filtering (spam/antivirus)
>
> also you should always remember the purpose of a DMZ
> - if a server in the DMZ is hacked - it has got to be impossible to use it as a
> platform to attack your LAN, so the filters inside <-> dmz should be as
> restrictive as inside <-> outside & outside <-> dmz
>
>
>> -----Original Message-----
>> From: lists@ninjafriendly.com [mailto:lists@ninjafriendly.com]
>> Sent: Monday, September 05, 2005 3:45 PM
>> To: security-basics@securityfocus.com
>> Subject: External Network / Firewall Setup.
>>
>> Hi all,
>>
>> Background: We're a .sch.uk with a currently county-managed
>> firewall and webmail provision. We have a 2Mb symmetric DSL
>> connection with approx 30% use at any one time. Due to
>> service and reliability issues with the county-managed
>> solution we are looking to run our own mailserver, accessible
>> from the internet. On balance, maintaining our own firewall
>> setup is less hassle than keeping what we currently have.
>>
>> I'm currently in the process of working out the firewall
>> requirements, what I have so far is this:
>>
>>    Internet
>>       |
>>     Router
>>       |
>>   Firewall(1)
>>       |
>>      HUB---Snort(1)
>>       |  |___Mailserver
>>       |
>>   Firewall(2)
>>       |
>>      HUB---Snort(2)
>>       |
>>       |
>>      LAN
>>
>> I suspect this setup may be overkill for the amount of
>> traffic we receive, but I'm wary of a single point of
>> failure. Hardware isn't a problem.
>>
>> Further info: The mailserver will be running Horde. I'm
>> hoping to convince management to use a PIX or similar for the
>> first firewall and then something *nix based for the second,
>> otherwise it will be two *nix boxes (IPcop and something BSD based).
>>
>> Something I'm still unsure about is internal clients
>> connecting to the mailserver in the DMZ - how much of a
>> security issue is this? Should I use the DMZ mailserver
>> simply as a relay for an internal mailserver?
>>
>> Would anyone mind looking this over and telling me if I've
>> screwed up / overlooked something?
>>
>> Thanks
>>
>> Pete
>>
>>
>>
>
>
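The three-interface policy recommended in the quoted reply, worked through as an added example (this is not code from the thread or from any of its posters): a first-match rule table for the outside / dmz / inside zones with a default deny on every zone pair, following the relay design Pete asks about, where the DMZ host accepts SMTP from the internet and may only hand mail on to the internal mailbox server. The addresses, the internal mail host, the chosen ports and the constructed sample flows are assumptions for illustration; a real pf or iptables ruleset would encode the same table, with return traffic carried by state rather than by explicit rules.

```python
"""Three-zone firewall policy (outside / dmz / inside) modelled as a
first-match rule table with default deny, exercised against sample flows.
Added example, not from the original thread. Addressing, hosts and ports
are assumptions chosen for illustration (documentation / RFC 1918 ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: TEST-NET-1 stands in for the public DMZ range.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "inside": ipaddress.ip_network("10.0.0.0/8"),
}
DMZ_MAIL = "192.0.2.25"      # SMTP relay in the DMZ (assumed address)
INTERNAL_MAIL = "10.1.1.25"  # mailbox server on the LAN (assumed address)


def zone_of(ip: str) -> str:
    """Classify an address into a zone; anything not in a known range is outside."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]              # None = any destination port
    src_host: Optional[str] = None    # None = any host in src_zone
    dst_host: Optional[str] = None    # None = any host in dst_zone
    action: str = "pass"


# Only flow initiation is modelled; replies ride on firewall state, so there
# are no "established" rules. Every zone pair not listed here is denied.
POLICY = [
    # outside -> dmz: exactly the published services, pinned to the relay
    Rule("outside", "dmz", "tcp", 25, dst_host=DMZ_MAIL),
    Rule("outside", "dmz", "tcp", 443, dst_host=DMZ_MAIL),   # webmail over TLS
    # dmz -> inside: the relay may deliver to the internal server, nothing else
    Rule("dmz", "inside", "tcp", 25, src_host=DMZ_MAIL, dst_host=INTERNAL_MAIL),
    # inside -> dmz: only the internal server relays outbound mail
    Rule("inside", "dmz", "tcp", 25, src_host=INTERNAL_MAIL, dst_host=DMZ_MAIL),
    # dmz -> outside: the relay needs SMTP and DNS for MX lookups
    Rule("dmz", "outside", "tcp", 25, src_host=DMZ_MAIL),
    Rule("dmz", "outside", "udp", 53, src_host=DMZ_MAIL),
    # inside -> outside: client traffic (narrow this further in practice)
    Rule("inside", "outside", "tcp", None),
    Rule("inside", "outside", "udp", 53),
]


def evaluate(src: str, dst: str, proto: str, dport: int, policy=POLICY) -> str:
    """First matching rule wins; no match means the flow is blocked."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "pass"  # same-segment traffic never crosses the firewall
    for r in policy:
        if (r.src_zone, r.dst_zone, r.proto) != (sz, dz, proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.src_host is not None and r.src_host != src:
            continue
        if r.dst_host is not None and r.dst_host != dst:
            continue
        return r.action
    return "block"


def overly_broad(policy) -> list:
    """Audit: dmz -> inside pass rules that do not pin both host and port.
    A compromised DMZ box could use such a rule as its pivot into the LAN."""
    return [r for r in policy
            if r.src_zone == "dmz" and r.dst_zone == "inside" and r.action == "pass"
            and (r.dst_host is None or r.dport is None)]


# Constructed sample flows: name -> (src, dst, proto, dport).
FLOWS = {
    "internet_to_relay_smtp":       ("203.0.113.9", DMZ_MAIL, "tcp", 25),
    "internet_to_relay_ssh":        ("203.0.113.9", DMZ_MAIL, "tcp", 22),
    "internet_to_lan_direct":       ("203.0.113.9", INTERNAL_MAIL, "tcp", 25),
    "relay_to_internal_mail":       (DMZ_MAIL, INTERNAL_MAIL, "tcp", 25),
    "compromised_relay_to_lan_smb": (DMZ_MAIL, "10.1.1.50", "tcp", 445),
    "compromised_relay_to_ldap":    (DMZ_MAIL, "10.1.1.10", "tcp", 389),
    "internal_mail_to_relay":       (INTERNAL_MAIL, DMZ_MAIL, "tcp", 25),
    "lan_client_to_relay_imap":     ("10.1.1.77", DMZ_MAIL, "tcp", 143),
    "relay_to_internet_smtp":       (DMZ_MAIL, "203.0.113.9", "tcp", 25),
    "relay_to_internet_http":       (DMZ_MAIL, "203.0.113.9", "tcp", 80),
}


def check_policy(policy=POLICY) -> dict:
    """Decision for every sample flow under the given policy."""
    return {name: evaluate(*flow, policy=policy) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{verdict:5s}  {name}")
    print("overly broad dmz->inside rules:", overly_broad(POLICY))
```

Note that `lan_client_to_relay_imap` is blocked on purpose: in the relay design LAN clients never talk to the DMZ host, they read mail from the internal server, so the only inside <-> dmz openings are the two SMTP hops. The `overly_broad` audit is the check to run whenever someone adds a dmz -> inside rule.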