Re: External Network / Firewall Setup.

From: Greg Stiavetti (gstiavetti_at_rentoneonline.com)
Date: 09/08/05

    To: <mminyailov@runway.ru>, <security-basics@securityfocus.com>
    Date: Wed, 7 Sep 2005 17:20:44 -0700

    If cost is an issue you can do the firewall/router redundancy with stateful
    failover of router/firewall/vpn AND load-balancing, for much less with a
    pair of Nokia IP-VPN 10i's.

    The feature set is incredible for the price, and the support is fantastic.

    ----- Original Message -----
    From: "Mikhail Minyailov" <mminyailov@runway.ru>
    To: <security-basics@securityfocus.com>
    Sent: Wednesday, September 07, 2005 4:17 AM
    Subject: RE: External Network / Firewall Setup.

    > I can recommend using 3-port firewalls (with outside, inside & dmz
    > interfaces)
    > Cisco PIX for example... or Checkpoint firewall or BSD boxes - doesn't
    > really matter
    >
    > the totally resilient design should be:
    >
    > ISP1 ISP2
    > | \ / |
    > crosslinks here (from each router two uplinks)
    > | / \ |
    > EdgeRouter1 EdgeRouter2 (HSRP)
    > | /
    > 2 PIXes (main + fail-over - that will save $$$ on licenses) --- server(s)
    > in DMZ
    > | /
    > LAN
    >
    >
    > about smtp relay in dmz - it's a good schema, but don't forget about
    > content
    > filtering (spam/antivirus)
    >
    > also you should always remember the purposes of DMZ
    > - if a server in DMZ is hacked - it's gotta be impossible to use it as a
    > platform to attack your LAN, so the filters inside <-> dmz should also be as
    > restrictive as possible, as inside <-> outside & outside <-> dmz
    >
    >
    >> -----Original Message-----
    >> From: lists@ninjafriendly.com [mailto:lists@ninjafriendly.com]
    >> Sent: Monday, September 05, 2005 3:45 PM
    >> To: security-basics@securityfocus.com
    >> Subject: External Network / Firewall Setup.
    >>
    >> Hi all,
    >>
    >> Background: We're a .sch.uk with a currently county-managed
    >> firewall and webmail provision. We have a 2mb symmetric DSL
    >> connection with approx 30% use at any one time. Due to
    >> service and reliability issues with the county-managed
    >> solution we are looking to run our own mailserver, accessible
    >> from the internet. On balance, maintaining our own firewall
    >> setup is less hassle than keeping what we currently have.
    >>
    >> I'm currently in the process of working out the firewall
    >> requirements, what I have so far is this:
    >>
    >> Internet
    >> |
    >> Router
    >> |
    >> Firewall(1)
    >> |
    >> HUB---Snort(1)
    >> | |___Mailserver
    >> |
    >> Firewall(2)
    >> |
    >> HUB---Snort(2)
    >> |
    >> |
    >> LAN
    >>
    >> I suspect this setup may be overkill for the amount of
    >> traffic we receive, but I'm wary of a single point of
    >> failure. Hardware isn't a problem.
    >>
    >> Further info: The mailserver will be running Horde. I'm
    >> hoping to convince management to use a PIX or similar for the
    >> first firewall and then something *nix based for the second,
    >> otherwise it will be two *nix boxes (IPcop and something BSD based).
    >>
    >> Something I'm still unsure about is internal clients
    >> connecting to the mailserver in the DMZ - how much of a
    >> security issue is this? Should I use the DMZ mailserver
    >> simply as a relay for an internal mailserver?
    >>
    >> Would anyone mind looking this over and telling me if I've
    >> screwed up / overlooked something?
    >>
    >> Thanks
    >>
    >> Pete

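Mikhail's point that the inside <-> dmz filters should be as restrictive as the outside <-> dmz ones, and Pete's question about internal clients reaching the mailserver in the DMZ, both come down to a concrete ruleset per zone pair. What follows is an added example, not code from anyone in this thread: a hypothetical three-interface Linux/iptables firewall (the thread mentions IPcop and BSD boxes; iptables is used here rather than pf) with outside, dmz and inside interfaces, a DMZ relay that serves SMTP and Horde webmail, and an internal mailserver that only the relay may reach. Interface names, addresses and the APPLY variable are constructed for the example. By default the script prints the rules instead of loading them; set APPLY=1 to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): three-zone firewall with the DMZ
# relay as the only host allowed to initiate anything towards the LAN.
set -eu

OUT_IF=eth0                 # outside, towards the router / ISP (constructed)
DMZ_IF=eth1                 # DMZ hub: mail relay + Snort sensor (constructed)
IN_IF=eth2                  # inside / LAN (constructed)
LAN_NET=10.0.0.0/24         # constructed addresses
DMZ_NET=172.16.0.0/24
RELAY=172.16.0.10           # DMZ mail relay: SMTP + Horde webmail
INT_MAIL=10.0.0.25          # internal mailserver the relay hands mail to

# Dry-run wrapper: print the command unless APPLY=1 (constructed convention).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

build_rules() {
    # Start from a clean, default-deny filter table
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # Loopback, plus return traffic for flows already accepted below
    ipt -A INPUT -i lo -j ACCEPT
    for chain in INPUT FORWARD; do
        ipt -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # Management of the firewall itself: SSH from the LAN only
    ipt -A INPUT -i "$IN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT

    # outside -> dmz: only the published services, only to the relay
    ipt -A FORWARD -i "$OUT_IF" -o "$DMZ_IF" -d "$RELAY" -p tcp --dport 25  -j ACCEPT
    ipt -A FORWARD -i "$OUT_IF" -o "$DMZ_IF" -d "$RELAY" -p tcp --dport 443 -j ACCEPT

    # dmz -> outside: the relay may send mail and resolve names, nothing else
    ipt -A FORWARD -i "$DMZ_IF" -o "$OUT_IF" -s "$RELAY" -p tcp --dport 25 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$OUT_IF" -s "$RELAY" -p udp --dport 53 -j ACCEPT
    ipt -A FORWARD -i "$DMZ_IF" -o "$OUT_IF" -s "$RELAY" -p tcp --dport 53 -j ACCEPT

    # dmz -> inside: exactly one path, relay -> internal mailserver on SMTP.
    # A compromised relay (or any other DMZ host) gets nothing else inward.
    ipt -A FORWARD -i "$DMZ_IF" -o "$IN_IF" -s "$RELAY" -d "$INT_MAIL" -p tcp --dport 25 -j ACCEPT

    # inside -> dmz: LAN clients use webmail; the internal mailserver hands
    # outbound mail to the relay. Nothing else from the LAN touches the DMZ.
    ipt -A FORWARD -i "$IN_IF" -o "$DMZ_IF" -s "$LAN_NET"  -d "$RELAY" -p tcp --dport 443 -j ACCEPT
    ipt -A FORWARD -i "$IN_IF" -o "$DMZ_IF" -s "$INT_MAIL" -d "$RELAY" -p tcp --dport 25  -j ACCEPT

    # inside -> outside: ordinary web and DNS for the LAN
    ipt -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 -j ACCEPT
    ipt -A FORWARD -i "$IN_IF" -o "$OUT_IF" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT

    # Everything else in FORWARD is logged (rate-limited) and then hits the DROP policy
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "

    # NAT: publish the relay's SMTP/HTTPS on the outside address; masquerade egress
    ipt -t nat -A PREROUTING -i "$OUT_IF" -p tcp -m multiport --dports 25,443 -j DNAT --to-destination "$RELAY"
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$OUT_IF" -j MASQUERADE
    ipt -t nat -A POSTROUTING -s "$DMZ_NET" -o "$OUT_IF" -j MASQUERADE
}

build_rules
```

Read the FORWARD rules as a matrix of zone pairs: outside and inside may each open only named ports on the relay, and the DMZ may open only SMTP to the internal mailserver, which is the single flow Snort(2) on the inner hub needs to watch. Webmail sessions from the LAN are answered through the conntrack rule, so the relay never needs to initiate anything towards a client, and a relay that has been compromised cannot reach the LAN on anything but port 25 of one host.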
