I have been called upon to re-design an existing network to allow the hosting of a web and e-mail server. It is a pure Microsoft network (95/98, NT, and W2K) that will incorporate a Checkpoint FW-1 firewall (actually VPN-1) as part of the design. My main questions at this point have to do with the DMZ, what belongs there, and how to connect it to the firewall and the internet. The connection to the internet will come in over an SDSL router (brand unknown at this time), but from there I have gotten conflicting advice.

Should all traffic be passed back to the firewall, which will have 3 NIC cards (1 - Internet, 2 - DMZ, 3 - Internal network), or should the router itself have two ethernet ports (1 - Firewall, 2 - DMZ) and the firewall only have two NIC cards (1 - Internet, 2 - Internal Network) as well? The argument for the 3-card configuration is that logging is better that way. Meanwhile, the 2+2 argument is to keep as little traffic from being able to flow into and through the firewall machine as possible, for both overhead and security reasons. I am leaning towards the 3-card configuration based on the fact that it is the recommendation from Checkpoint (or at least their vendors), but I would like to know if anyone has any opinions before I decide.

As for the machines in the DMZ, other than the web server itself (IIS 4.0) I am not sure which ones need to reside there and which need to be placed on the internal network for the best security configuration. Below are described the main services that I am concerned with at the moment.

E-mail is currently handled by an Exchange Server, but it is also used for services besides just internet e-mail, such as public folders and internal company mail. One person therefore recommended setting up an SMTP box in the DMZ and having it dedicated to relaying internet-based e-mail from the outside back through the firewall (and vice-versa) to protect the other information on the Exchange server. That sounded good to me, but later when I was discussing this with another person I got a totally different opinion. He said it was a bad idea to let another box handle the e-mail and that to have the Exchange box on the internal network would cause me to have to punch huge holes in the firewall to let certain services through. Therefore, the Exchange box needed to reside in the DMZ rather than behind it. What he said really didn't make sense to me, because I would think that it would be having the Exchange server in the DMZ that would cause me to have to punch holes rather than the other way around. But, just because I don't understand his reasoning doesn't mean he is incorrect, especially since he knows a lot more about firewalling than I do, so I ask: which is the better way to go?

Next is that the web server uses dynamic HTML for much of the website content. This leverages both a SQL Server and DCOM programming built through Visual InterDev to deliver the content to the web server. This is where it really goes over my head at the moment; if it was just SQL Server then I know to place it on the inside and let the calls from the web server come back through the firewall. However, from what I have been told by a developer, DCOM uses dynamic port allocation when establishing a stateful connection (although from what I have read it uses UDP, so I don't know why there should be a stateful connection). I honestly don't understand enough to know where the DCOM part of the process sits (although I am guessing it is on the web rather than the database server), and whether this means that I have to open up a port range for DCOM to work properly or to move the SQL server out to the DMZ (neither of which sounds like a good idea to me). Also, I am not sure about what ports or rules would need to be incorporated to get this to function as securely as possible if everything other than the web server resides behind the firewall.

If anyone could either point me towards reference material and/or give me advice about how the DMZ portion of the network should be set up based on the factors explained above, it will be greatly appreciated. If you need any further information before making a suggestion or recommendation, please feel free to contact me either on or off list and I will be more than glad to do what I can to fill in the gaps.

Thanks,
Mike
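As an added illustration (not part of Mike's message or of any reply on the list), the following Python models the three-NIC variant he describes (Internet / DMZ / Internal) as a first-match, default-deny rule table, and measures how many destination ports each design opens from the DMZ into the internal network. The zone and host names, the SQL Server port 1433, and the 1024-65535 range standing in for a dynamic-port protocol such as DCOM are all assumptions chosen for the example, not facts from the mail.

```python
"""Toy first-match packet-filter model of the three-NIC design from the mail
(Internet / DMZ / Internal).  Every host, rule and port below is a constructed
assumption for illustration, not a description of the poster's network."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str  # "*" matches anything
    src_host: str
    dst_zone: str
    dst_host: str
    proto: str
    dports: Tuple[int, int]  # inclusive range; (p, p) for a single port
    action: str  # "allow" or "deny"
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        lo, hi = self.dports
        return (
            self.src_zone in ("*", f.src_zone)
            and self.src_host in ("*", f.src_host)
            and self.dst_zone in ("*", f.dst_zone)
            and self.dst_host in ("*", f.dst_host)
            and self.proto in ("*", f.proto)
            and lo <= f.dport <= hi
        )


def evaluate(policy: List[Rule], f: Flow) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; an unmatched flow is dropped (default deny)."""
    for r in policy:
        if r.matches(f):
            return r.action, r
    return "deny", None


def exposure_into(policy: List[Rule], zone: str) -> List[Tuple[Rule, int]]:
    """Allow rules that admit traffic into `zone`, each with the width of its port range."""
    return [(r, r.dports[1] - r.dports[0] + 1)
            for r in policy if r.action == "allow" and r.dst_zone == zone]


def total_exposed_ports(policy: List[Rule], zone: str) -> int:
    """Sum of port-range widths opened into `zone`; a rough 'size of the holes' metric."""
    return sum(width for _, width in exposure_into(policy, zone))


# Constructed policy: SMTP relay in the DMZ, Exchange and SQL Server kept internal.
RELAY_IN_DMZ = [
    Rule("internet", "*", "dmz", "www", "tcp", (80, 80), "allow", "public web site"),
    Rule("internet", "*", "dmz", "relay", "tcp", (25, 25), "allow", "inbound mail to relay"),
    Rule("dmz", "relay", "internal", "exchange", "tcp", (25, 25), "allow", "relay hands mail to Exchange"),
    Rule("internal", "exchange", "dmz", "relay", "tcp", (25, 25), "allow", "outbound mail via relay"),
    Rule("dmz", "relay", "internet", "*", "tcp", (25, 25), "allow", "relay delivers outbound mail"),
    Rule("dmz", "www", "internal", "sql", "tcp", (1433, 1433), "allow", "web app to SQL Server (default port, assumed)"),
]

# Same design plus the kind of wide range a dynamic-port protocol such as DCOM
# would ask for; 1024-65535 is an assumed range for illustration only.
WITH_DCOM_RANGE = RELAY_IN_DMZ + [
    Rule("dmz", "www", "internal", "sql", "tcp", (1024, 65535), "allow", "DCOM dynamic ports (assumed range)"),
]


if __name__ == "__main__":
    checks = [
        Flow("internet", "anyone", "internal", "exchange", "tcp", 25),  # must be denied
        Flow("dmz", "relay", "internal", "exchange", "tcp", 25),        # the one mail hole
        Flow("dmz", "www", "internal", "exchange", "tcp", 25),          # web host cannot reach Exchange
        Flow("dmz", "www", "internal", "sql", "tcp", 1433),             # the one database hole
    ]
    for flow in checks:
        action, rule = evaluate(RELAY_IN_DMZ, flow)
        print(f"{flow.src_zone}/{flow.src_host} -> {flow.dst_zone}/{flow.dst_host}:{flow.dport} "
              f"{action} ({rule.comment if rule else 'default deny'})")
    for name, pol in (("relay design", RELAY_IN_DMZ), ("plus DCOM range", WITH_DCOM_RANGE)):
        print(f"{name}: {total_exposed_ports(pol, 'internal')} ports open into internal")
```

The point the model makes visible is the one the mail circles around: with a relay in the DMZ, the only traffic the firewall admits toward the internal Exchange server is port 25 from one named host, and a compromised web server still cannot reach Exchange at all; adding a dynamic port range for the web-to-database path multiplies the internal-bound exposure by tens of thousands of ports, which is why a fixed-port path (or a broker in the DMZ) is the usual answer to that question.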
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:00:41 PDT