RE: Firewall / Security Design Question

From: Driessens.Hans (hans.driessens@siemens.com)
Date: Thu Dec 11 2003 - 12:17:43 GMT-3


Hi Kenneth

I think I would go for the DMZ solution. I have several reasons for that:

1) If the mail server is compromised and admin access is available to an
attacker (via port 25), that attacker would have complete access to the
entire network. That means not only the AD but the rest as well. This is the
main reason for using a service net.
2) If it is possible to access the internet via the inside, long live the
worms.....
3) Using mailguard will protect the mail server (this goes for the DMZ AND
for the inside solution).

If all of this isn't secure enough, use two NICs in the mail server and set up
a second PIX:

internet---pix---mailserver---pix---

However, thinking about this last scenario, I don't really think it will
elevate security to a much higher level.

cheers
Hans D

-----Original Message-----
From: Kenneth Wygand [mailto:KWygand@customonline.com]
Sent: Thursday, December 11, 2003 3:47 PM
To: ccielab@groupstudy.com
Subject: Firewall / Security Design Question

All you security buffs out there!!!

This design relates to a Pix 515 with three interfaces - 1 outside, 1
inside, 1 DMZ.

I am looking for opinions and "best practice" sources on where to place a
mail server when there is no "front end / back end" considerations (where
the front-end server would go in the DMZ and the back-end server would go
internally). When a single mail server (say, Exchange 2000) is placed in
the DMZ that needs to integrate with AD, several (between 8 and 12, I
believe) ports need to be opened to allow AD communication to take place.

The implications of putting the mail server in the DMZ includes allowing
SMTP and HTTP traffic from anyone on the outside to that particular server
(DMZ). Additionally, all 8 to 12 AD-related ports (depending on the role of
the server) must be opened from the mail server in the DMZ to the AD
server(s) internally.

The implications of putting the mail server internally include allowing SMTP
and HTTP traffic from anyone on the outside to that particular server
(internal).

Is putting the mail server in the DMZ a more secure solution, thinking
like a hacker? Some feel that leaving all the AD ports open from the DMZ to
the inside leaves a more insecure solution. I have searched for
Microsoft's and NSA's "Best Practices" but haven't been able to find
anything just yet.

Any and all suggestions are welcome!

Thanks!

Ken
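The thread's core argument (Hans's point 1 against Ken's worry about the 8 to 12 AD ports) can be made concrete by modelling both placements as PIX-style policies and computing what a compromised mail server could still reach. The script below is an added example, not code from the thread or from Cisco: the host names, addresses-free inventory, and the AD port list are constructed for illustration (the thread says "8 to 12" ports but never enumerates them), and the rule model is a simplification of PIX 6.x behaviour (an interface with no access-list bound keeps the security-level default, higher to lower permitted; an interface with an access-list bound is evaluated only by that list; hosts on the same segment are not filtered at all).

```python
"""Blast-radius comparison of the two mail server placements from the thread.

Added example with a constructed inventory and a simplified PIX-style policy
model; not the thread's configuration or Cisco's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One explicit permit, in the spirit of a PIX access-list line."""
    dst_zone: str
    dst_host: str   # "any" or a host name from SERVICES
    dst_port: int   # 0 means any port


class Firewall:
    """Three-interface PIX-style policy model.

    security: zone -> security level (PIX convention: outside 0, inside 100).
    acls: zone -> rules bound inbound on that interface. A zone with no ACL
    bound keeps the PIX default: higher security level to lower is permitted,
    lower to higher is denied.
    """

    def __init__(self, security, acls):
        self.security = security
        self.acls = acls

    def allows(self, src_zone, dst_zone, dst_host, port):
        if src_zone == dst_zone:
            return True  # same segment: the firewall is not in the path
        if src_zone in self.acls:
            return any(r.dst_zone == dst_zone
                       and r.dst_host in ("any", dst_host)
                       and r.dst_port in (0, port)
                       for r in self.acls[src_zone])
        return self.security[src_zone] > self.security[dst_zone]


# Constructed inventory (hypothetical hosts). The AD port list is the
# commonly cited TCP set; the thread gives only a count, not the ports.
AD_PORTS = (53, 88, 135, 389, 445, 464, 636, 3268, 3269)
SERVICES = {
    "ad1":         ("inside", set(AD_PORTS) | {3389}),
    "fileserver":  ("inside", {445, 3389}),
    "workstation": ("inside", {445, 3389}),
    "proxy":       ("outside", {80, 443}),  # stands in for "the internet"
}
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}


def design_dmz():
    """Mail server on the DMZ; the dmz ACL permits only the AD ports to ad1."""
    acls = {
        "outside": [Rule("dmz", "mail", 25), Rule("dmz", "mail", 80)],
        "dmz": [Rule("inside", "ad1", p) for p in AD_PORTS],
    }
    return Firewall(SECURITY, acls), "dmz"


def design_inside():
    """Mail server on the inside segment; only the outside ACL exists."""
    acls = {
        "outside": [Rule("inside", "mail", 25), Rule("inside", "mail", 80)],
    }
    return Firewall(SECURITY, acls), "inside"


def blast_radius(fw, mail_zone):
    """Host -> ports that a compromised mail server could reach (Hans's point 1)."""
    reach = {}
    for host, (zone, ports) in SERVICES.items():
        open_ports = {p for p in ports if fw.allows(mail_zone, zone, host, p)}
        if open_ports:
            reach[host] = open_ports
    return reach


def compare():
    """Blast radius for both placements, keyed by design name."""
    return {name: blast_radius(*build())
            for name, build in (("dmz", design_dmz), ("inside", design_inside))}


if __name__ == "__main__":
    for name, reach in compare().items():
        print(f"{name}: mail server compromise reaches {len(reach)} host(s)")
        for host, ports in sorted(reach.items()):
            print(f"  {host}: {sorted(ports)}")
```

With the DMZ design the only thing left in reach is `ad1` on the AD ports themselves; with the inside design the mail server sits on the same segment as everything else, so every internal host and every listening port is reachable, plus the internet (the worm path Hans mentions in point 2). The AD ports are a real exposure either way, which is why the model isolates them as the remaining review item rather than treating the DMZ as a full fix.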

This archive was generated by hypermail 2.1.4 : Sat Jan 03 2004 - 08:25:39 GMT-3