Re: need advice on security scenarios

From: Joey Paisan (jpaisan@hotmail.com)
Date: 04/17/03


From: "Joey Paisan" <jpaisan@hotmail.com>
Date: Wed, 16 Apr 2003 21:59:15 -0700


Oh yeah, I forgot to mention that if you're running esmtp on your mail
servers, you may have trouble until you disable smtp fixup on the PIX.

"Joey Paisan" <jpaisan@hotmail.com> wrote in message
news:b7lc8b$ifo$1@slb5.atl.mindspring.net...
> Using Microsoft for your security mechanisms is like driving without
> insurance - you can do it, but why would you want to?
>
> You can get a Watchguard or Sonicwall firewall with a dedicated DMZ
> interface for about $1500. You can also get a PIX (515e) or Netscreen that
> will give you a dedicated DMZ interface for about $2,700. If you're already
> comfortable with the PIX commands, it might be worth it to spend the extra
> dineros and go for a PIX, if for no other reason than a negligible learning
> curve. There are pros and cons to each vendor's offering, but all four are
> decent and debating the merits of firewalls is for those with way too much
> time on their hands.
>
> The best security scenario for placing the concentrator in relation to the
> PIX? That is a hotly debated topic and in my humble opinion, it depends on
> your requirements. For example, if you were only doing site-to-site
> tunnels, I'd say you'd want to hang the public i/f of the concentrator off
> the DMZ of your firewall and the private i/f directly on your corporate net.
> That way your ACL on your outside i/f could restrict access to just your
> peer sites. However, given the scenario you've presented in which you need
> to do both site-to-site and remote access for users, you'd probably want to
> have the public i/f of the concentrator on the dirty side of the firewall
> and bring the private i/f of the concentrator into the DMZ i/f of the
> firewall.
>
> Hope that helps. Best of luck.
>
> JP
>
> "Not Much" <imanidiot111@hotmail.com> wrote in message
> news:16b0ecc6.0304140907.56a95915@posting.google.com...
> > I'm currently migrating an Exchange 5.5 on NT 4 box to Exchange
> > 2000 (on Win 2000) in our Windows 2000 domain. A PIX 501 blocks all
> > traffic except SMTP, POP3, and HTTP (for OWA) to the Exchange 5.5 box.
> > However, I am looking at a better security model for when I move to
> > Exchange 2000. We have about 200 users.
> >
> > Here's what I've considered doing.
> >
> > 1) Purchasing a newer firewall with a DMZ interface. The 501 was great
> > for when my company was a lot smaller, and functionally it still works
> > pretty well, but it has only an inside and outside interface.
> >
> > 2) Purchasing ISA Server for the DMZ. I also have need of a proxy to
> > track internet usage, so this would help there as well. I don't need
> > VPN though because I already have a Cisco 3000 series concentrator.
> >
> > I know I don't trust any Microsoft product as my ONLY firewall. But
> > ISA seems to be geared to help with securing OWA and also I need a
> > proxy anyway.
> >
> > Is this a good way to go to secure Exchange 2000/OWA? With the
> > exception of the VPN concentrator, we don't run any other servers (web
> > or otherwise) internally that require access from the outside, so
> > this is just about the only traffic that comes in right now (SMTP,
> > HTTP, and POP3). Should OWA be deployed in the DMZ? Should SMTP/POP3
> > be relayed from FE in the DMZ to the BE?
> >
> > Also, on a separate but related note, what's the best security
> > scenario for the VPN concentrator? The concentrator services a
> > handful of clients, and also has one LAN-to-LAN connection for a
> > small branch office.
> >
> > Right now, the concentrator is internal, and I have the IPSEC ports
> > forwarded by the PIX to the concentrator. Authentication is done on
> > the VPN concentrator. If I go with the above scenario, I'm assuming I
> > should move the concentrator to the DMZ - this seems to be common
> > sense considering even though only a few people use VPN I am concerned
> > with their home PCs being compromised and having carte blanche access
> > to the network. This way I can filter what the VPN clients have access
> > to, but I am concerned with how they can access resources in the
> > domain. Also, what are some recommended ways to authenticate? Should
> > authentication be tied into the 2000 domain?
> >
> > Also, in a final issue, the company purchased a software product that
> > uses MS SQL Server 2000. With the product came a web-based component
> > that can be added to our company web site, so that customers can
> > access some items on the SQL server. Because we don't host our web
> > site here (it's with an external web hosting company), this component
> > would require me to open and forward the SQL port to our internal SQL
> > server (I could, of course, block it so that only the external web
> > server IP has access to that port, but there's still the chance of
> > spoofing). I'm not too comfortable with doing this. Any ideas on a
> > way to secure this scenario? I've considered moving the web site to be
> > hosted here instead of the web hosting company. That might help
> > security-wise.
> >
> > My strengths are with TCP/IP filtering (ACLs), but I'm a little green
> > when it comes to web serving/DMZ security. I know most TCP ports like
> > the back of my hand (I'm a CCNP and I'm best with routing/switching),
> > but I am quite confused when it comes to all this FE/BE DMZ stuff.
> >
> > Any advice or books you can recommend would be appreciated.
>
>
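As an added illustration of the site-to-site placement JP describes above (concentrator public i/f in the DMZ, outside ACL limited to peer sites) together with the SMTP fixup note from the follow-up, here is a PIX 6.x style configuration fragment. It is not from the original thread; the addresses are RFC 5737 placeholders, with 203.0.113.5 standing for the concentrator's public interface and 198.51.100.10 for the branch office peer, and the ACL name is made up.

```text
! Only the branch peer may reach the concentrator's public interface,
! and only with IKE (UDP/500) and ESP (IP protocol 50). Everything else
! arriving on the outside interface is dropped by the implicit deny.
access-list outside_in permit udp host 198.51.100.10 host 203.0.113.5 eq isakmp
access-list outside_in permit esp host 198.51.100.10 host 203.0.113.5
! Mail still has to reach the Exchange box (placeholder 203.0.113.25).
access-list outside_in permit tcp any host 203.0.113.25 eq smtp
access-group outside_in in interface outside
! Per the follow-up: the SMTP fixup (Mailguard) rewrites ESMTP commands,
! so it is disabled when the mail server speaks ESMTP.
no fixup protocol smtp 25
```

If remote-access users are added later, this peer-restricted ACL no longer fits, which is why JP moves the public interface to the dirty side in that case.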


