
List:       firewalls-gc
Subject:    Re: Some firewall suggestions
From:       "Rick" <Rick () UKSysops ! com>
Date:       2000-09-08 17:16:29

Connecting to the internet through an NT box with no other security doesn't
even enter the effectiveness scale. No offence, but if that box is
compromised then what's left?

You _could_ place the bastion host on the internal net, and put a router
between the internal network and the internet. This would be a screened host
architecture. The hosts on the net would have to connect to the bastion host
to use the Internet. However, this is not a good idea. Bastion hosts are the
most vulnerable machines on the network, and on a screened host architecture,
the bastion host is a very tempting target. Someone that compromises the box
will have total access to the net. It's better than your previous idea, as I
understand it, but not the best.

Okay, you want to protect the servers in a perimeter network. This will also
allow scalability for the future in case you want to introduce further
servers, as suggested.

What I would suggest is that you have two mail servers, one behind the
firewall on the main net, and one on the perimeter net. The one on the main
net should be the main email server, and relay any outgoing emails to the
server in the perimeter network. Clients should not be allowed to access the
email server in the perimeter network. On the Internet side of the perimeter
net, you will want a router that will perform packet sniffing to remove bad
packets (internal source addy, overlapping, DoS attacks). Behind that is the
perimeter net with the relay mail server, bastion host with proxy
capabilities, and any other servers you may have. Then between the internal
network and the perimeter network you need an internal router that will
check for outgoing packets with external source addresses, and perform the
same general packet sniffing as the external router.

The reason for the relay mail system is that internal mail never gets as far
as the firewall; it remains in the internal network. This means that
privileged mail is harder for potential hackers to get out. The server can
relay mail based on whether it has a destination address that's external. It
also means that the mail server on the perimeter net will be the focus of
all attacks because all incoming mail connections will connect to this
server. This means that, even if this box should be compromised or taken out
of action, mail services will not collapse completely; internal mail will
still be OK.

This is an extension of a screened subnet architecture with a mail relay. I'm
sure some will disagree, but it's pretty solid, and much better than what you
had previously suggested. On the other hand, they are difficult to
implement, and may be expensive to build and maintain.

Thoughts, comments, suggestions, flames?

Rick

Rick@UKSysops.com
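Added illustration (not part of Rick's post or the original thread): a small Python model of the policies the reply describes, so the three decision points can be seen side by side. The external screening router drops inbound packets carrying an inside source address, refuses anything addressed straight at the internal net, and rejects overlapping fragments; the internal router drops outgoing packets with an external source address and lets only the main mail server talk to the perimeter relay; and the main mail server decides per recipient whether mail stays internal or is handed to the relay. Every address, port and domain name here is constructed for the example, and the filters model only the first packet of a connection in one direction (no connection tracking or return traffic).

```python
"""Policy model of a screened-subnet design with a two-tier mail system:
external screening router, internal router, and an internal mail server
that relays only external mail to a relay host on the perimeter net.
All addresses, ports and domains below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.0.0/16")     # assumed main (internal) network
PERIMETER = ip_network("192.0.2.0/24")   # assumed perimeter network
INTERNAL_MAIL = ip_address("10.1.0.25")  # main mail server, internal net
RELAY_MAIL = ip_address("192.0.2.25")    # relay mail server, perimeter net
BASTION = ip_address("192.0.2.80")       # bastion host running the proxy
LOCAL_DOMAINS = {"example.com"}          # assumed domains delivered internally
SMTP, PROXY = 25, 8080


@dataclass
class Packet:
    """Just enough of an IP/TCP header for the filter decisions below."""
    src: str
    dst: str
    dport: int = 0            # only meaningful in an unfragmented or first fragment
    ip_id: int = 0
    frag_offset: int = 0      # in 8-byte units, as on the wire
    frag_len: int = 0         # payload bytes carried by this fragment
    more_fragments: bool = False


def external_router(pkt, frags):
    """Screening router between the Internet and the perimeter net, inbound.
    `frags` maps (src, dst, ip_id) to the highest byte offset seen so far for
    that datagram, which is what lets overlapping fragments be caught."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in INTERNAL or src in PERIMETER:
        return "drop: inside source address arriving from outside"
    if dst in INTERNAL:
        return "drop: internal net is not directly reachable from outside"
    if pkt.frag_len or pkt.more_fragments:
        key = (pkt.src, pkt.dst, pkt.ip_id)
        start, end = pkt.frag_offset * 8, pkt.frag_offset * 8 + pkt.frag_len
        if pkt.frag_offset:
            if key not in frags:
                return "drop: fragment of a datagram whose first fragment was not seen"
            if start < frags[key]:
                return "drop: overlapping fragment"
            frags[key] = max(frags[key], end)
            return "accept"
        frags[key] = end      # first fragment: remember it, then check the service
    if dst == RELAY_MAIL and pkt.dport == SMTP:
        return "accept"
    return "drop: no perimeter service is published on this address/port"


def internal_router(pkt):
    """Router between the internal net and the perimeter net, outbound."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src not in INTERNAL:
        return "drop: outgoing packet with an external source address"
    if dst == RELAY_MAIL and pkt.dport == SMTP:
        if src == INTERNAL_MAIL:
            return "accept"
        return "drop: clients may not talk to the perimeter mail relay"
    if dst == BASTION and pkt.dport == PROXY:
        return "accept"
    return "drop: internal hosts reach the Internet only via the bastion proxy"


def route_mail(recipient):
    """Decision made by the internal mail server: deliver locally, or hand the
    message to the perimeter relay. Internal mail never leaves the main net."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return ("local", str(INTERNAL_MAIL))
    return ("relay", str(RELAY_MAIL))


if __name__ == "__main__":
    frags = {}
    inbound = [
        Packet("203.0.113.9", "192.0.2.25", SMTP),                  # SMTP to the relay
        Packet("10.1.4.4", "192.0.2.25", SMTP),                     # spoofed inside source
        Packet("203.0.113.9", "10.1.0.25", SMTP),                   # aims at the internal server
        Packet("203.0.113.9", "192.0.2.25", SMTP, 7, 0, 64, True),  # first fragment, bytes 0..64
        Packet("203.0.113.9", "192.0.2.25", 0, 7, 8, 64, True),     # next fragment, bytes 64..128
        Packet("203.0.113.9", "192.0.2.25", 0, 7, 4, 64, False),    # rewrites bytes 32..96
    ]
    for p in inbound:
        print("external:", p.src, "->", p.dst, external_router(p, frags))
    outbound = [
        Packet("10.1.0.25", "192.0.2.25", SMTP),      # main mail server to the relay
        Packet("10.1.7.7", "192.0.2.25", SMTP),       # a client trying the relay
        Packet("10.1.7.7", "192.0.2.80", PROXY),      # a client using the proxy
        Packet("198.51.100.1", "192.0.2.80", PROXY),  # external source leaving the inside
    ]
    for p in outbound:
        print("internal:", p.src, "->", p.dst, internal_router(p))
    for rcpt in ("alice@example.com", "bob@remote.example"):
        print("mail:", rcpt, route_mail(rcpt))
```

The fragment check is the one piece worth a second look: a non-first fragment carries no TCP header, so it cannot be matched against a service rule at all; the router can only accept it if the first fragment of the same datagram was already seen and it does not start before data that has already been forwarded. Real routers of the period did this with reassembly buffers; the model keeps only the high-water mark per datagram.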

----- Original Message -----
From: Tarquin <tarquin@cablenett.net>
To: Firewalls List <firewalls@Lists.GNAC.NET>
Sent: Friday, September 08, 2000 4:59 PM
Subject: Some firewall suggestions


> Hello everyone!
>
> We are planning on connecting our internal network to the internet.
>
> I already have a proxy server - an NT 4.0 machine running a little program
> called Winproxy 3.0 which has both a firewall and NAT - that I was going to
> use to feed the network.  I say going because I've found out that my
> solution may be inadequate to say the least.
>
> We plan to put an internet server as well as a mail server in the future
> (all behind the firewall).
>
> Can anyone comment on the effectiveness of this and offer any suggestions to
> increase the security to a more acceptable level.
>
> Thanks,
>
> Tarquin Joseph
> IT Department
> Trinidad and Tobago
>   Transcable Company Limited
> Tel: 868-625-1077
> Fax: 868-624-7767
> tarquin@cablenett.net
>
>
> -
> [To unsubscribe, send mail to majordomo@lists.gnac.net with
> "unsubscribe firewalls" in the body of the message.]
>


