This is a multi-part message in MIME format. ------=_NextPart_000_0002_01BF6F82.5725F440 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Mike, networks that I've configured I've put a SMTP relay server in the DMZ that will pass all incoming e-mail to the Exchange server and the exchange server will forward all e-mail destine for the internet to the smtp server to send out. I will suggest 3 nic cards, you should also use SPLIT DNS. Your web server that will be accessed from the internet should be placed in the DMZ with valid IP address. If you are using NAT you will need to configure an ARP file that will map the mac address of the external interface to the valid addresses that will be placed in your DMZ, you will also need to create routes since the OS will be doing the routing. If using NAT you will need to use Static NAT to map the private address to the legal address. In the ARP File you will have: Mac address ext. interface Valid IP addresses 00-A0-C9-A8-B6-28 address of Webserver 00-A0-C9-A8-B6-28 Address of SMTP relay server 00-A0-C9-A8-B6-28 Address of DNS Server ***Issues with ARP files is that it does not work consistently if you create 10 or more entries. The Arp file should be placed in the FW\state folder as ex:local.arp You can get an SMTP Relay server (Mimesweeper) that will also scan all incoming and out going e-mails for Viruses. I like using this functionality because it's your first line of defense against trojan horses, virus and other bad stuff out there on the internet. You will always have to keep the Virus software updated with the most recent patch. I have so much more information to help you. I don't have the time to spell it all out for you here tonight. Send me an e-mail if you would like my help and I'll forward you my number. Checkout www.checkpoint.com\~joe Omar -----Original Message----- From: owner-firewall-wizardsat_private [mailto:owner-firewall-wizardsat_private]On Behalf Of Michael Borkin Sent: Friday, February 04, 2000 5:53 AM To: firewall-wizardsat_private Subject: DMZ design - Exchange, SQL, & DCOM I have been called upon to re-design an existing network to allow the hosting of a web and e-mail server. It is a pure Microsoft network (95/98, NT, and W2K) that will incorporate a checkpoint FW-1 firewall (actually VPN-1) as part of the design. My main questions at this point have to do with the DMZ, what belongs there, and how to connect it to the firewall and the internet. The connection to the internet will come in over an SDSL router (brand unknown at this time), but from there I have gotten conflicting advice. Should all traffic be passed back to the firewall which will have 3-nic cards (1- Internet, 2- DMZ, 3- Internal network), or should the router itself have two ethernet ports (1- Firewall, 2- DMZ) and the firewall only have two nic cards (1- Internet, 2- Internal Network) as well? The argument for the 3-card configuration is that logging is better that way. Meanwhile, the 2+2 argument is to keep as little traffic from being able to flow into and through the firewall machine as possible for both overhead and security reasons. I am leaning towards the 3-card configuration based on the fact that it is the recommendation from Checkpoint (or at least their vendors), but I would like to know if anyone has any opinions before I decide. As for the machines in the DMZ, other than the web server itself (IIS 4.0) I am not sure which ones need to reside there and which need to be placed on the internal network for the best security configuration. Below is described the main services that I am concerned with at the moment. E-mail is currently handled by an Exchange Server, but is also used for services besides just internet e-mail such as public folders and internal company mail. One person therefore recommended setting up an SMTP box in the DMZ and having it dedicated to relaying internet based e-mail from the outside back through the firewall (and vice-versa) to protect the other information on the Exchange server. That sounded good to me, but later when I was discussing this with another person I got a totally different opinion. He said it was a bad idea to let another box handle the e-mail and that to have the Exchange box on the internal network would cause me to have to punch huge holes in the firewall to let certain services through. Therefore, the Exchange box needed to reside in the DMZ rather than behind it. What he said really didn't make sense to me, because I would think that it would be having the Exchange server in the DMZ that would cause me to have to punch holes rather than the other way around. But, just because I don't understand his reasoning doesn't mean he is incorrect especially since he knows a lot more about firewalling than I do, so I ask which is the better way to go? Next, is that the web server uses dynamic html for much of the website content. This leverages both a SQL server and DCOM programming built through Visual InterDev to deliver the content to the web server. This is where it really goes over my head at the moment, if it was just SQL server then I know to place it on the inside and let the calls from the web server come back through the firewall. However from what I have been told by a developer, DCOM uses dynamic port allocation when establishing a stateful connection (although from what I have read it uses udp, so I don't know why there should be a stateful connection). I honestly don't understand enough to know where the DCOM part of the process sits (although I am guessing it is on the web rather than the database server), and whether this means that I have to open up a port range for DCOM to work properly or to move the SQL server out to the DMZ (neither of which sounds like a good idea to me). Also, I am not sure about what ports or rules would need to be incorporated to get this to function as securely as possible if everything other than the web server resides behind the firewall. If anyone could either point me towards reference material and/or give me advice about how the DMZ portion of the network should be setup based on the factors explained above it will be greatly appreciated. If you need any further information before making a suggestion or recommendation, please feel free to contact me either on or off list and I will be more than glad to do what I can to fill in the gaps. Thanks, Mike ------=_NextPart_000_0002_01BF6F82.5725F440 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META content=3D"MSHTML 5.00.2614.3500" name=3DGENERATOR></HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT color=3D#0000ff face=3DArial size=3D2> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000>Mike,=20 </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000>networks that I've configured I've put a SMTP = relay=20 server in the DMZ that will pass all incoming e-mail to the Exchange = server and=20 the exchange server will forward all e-mail destine for the internet to = the smtp=20 server to send out. I will suggest 3 nic cards, you should also = use SPLIT=20 DNS. Your web server that will be accessed from the internet = should be=20 placed in the DMZ with valid IP address. If you are using NAT you will = need to=20 configure an ARP file that will map the mac address of the external = interface to the valid addresses that will be placed in your DMZ, you = will also=20 need to create routes since the OS will be doing the routing. If = using NAT=20 you will need to use Static NAT to map the private address to the legal=20 address.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000>In the=20 ARP File you will have:</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000>Mac=20 address ext. interface  = ; Valid=20 IP addresses</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000>00-A0-C9-A8-B6-28  = ; = address=20 of Webserver</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000>00-A0-C9-A8-B6-28  = ; = Address=20 of SMTP relay server</SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000><FONT=20 color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000>00-A0-C9-A8-B6-28  = ; = Address=20 of DNS Server</SPAN></FONT></SPAN></FONT></SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000>***Issues with ARP files is that it does not = work=20 consistently if you create 10 or more entries. The Arp file should be = placed in=20 the FW\state folder as ex:local.arp </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000> </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000>You=20 can get an SMTP Relay server (Mimesweeper) that will also scan all = incoming and=20 out going e-mails for Viruses. I like using this functionality = because=20 it's your first line of defense against trojan horses, virus and other = bad stuff=20 out there on the internet. You will always have to keep the Virus = software=20 updated with the most recent patch. </SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN = class=3D630240300-05022000>I have=20 so much more information to help you. I don't have the time to = spell it=20 all out for you here tonight. Send me an e-mail if you would like = my help=20 and I'll forward you my number.</SPAN></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000>Checkout <A=20 href=3D"http://www.checkpoint.com/~joe">www.checkpoint.com\~joe</A></SPAN= ></FONT></DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000></SPAN></FONT> </DIV> <DIV><FONT color=3D#0000ff face=3DArial size=3D2><SPAN=20 class=3D630240300-05022000>Omar</SPAN></FONT></DIV></FONT></DIV> <BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px"> <DIV align=3Dleft class=3DOutlookMessageHeader dir=3Dltr><FONT = face=3DTahoma=20 size=3D2>-----Original Message-----<BR><B>From:</B>=20 owner-firewall-wizardsat_private=20 [mailto:owner-firewall-wizardsat_private]<B>On Behalf Of = </B>Michael=20 Borkin<BR><B>Sent:</B> Friday, February 04, 2000 5:53 AM<BR><B>To:</B> = firewall-wizardsat_private<BR><B>Subject:</B> DMZ design - Exchange, = SQL, &=20 DCOM<BR><BR></DIV></FONT> <DIV><FONT size=3D2>I have been called upon to re-design an existing = network to=20 allow the hosting of a web and e-mail server. It is a pure = Microsoft=20 network (95/98, NT, and W2K) that will incorporate a checkpoint FW-1 = firewall=20 (actually VPN-1) as part of the design. My main questions at = this point=20 have to do with the DMZ, what belongs there, and how to connect it to = the=20 firewall and the internet. The connection to the internet will = come in=20 over an SDSL router (brand unknown at this time), but from there I = have gotten=20 conflicting advice. </FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>Should all traffic be passed back to the firewall = which will=20 have 3-nic cards (1- Internet, 2- DMZ, 3- Internal network), or should = the=20 router itself have two ethernet ports (1- Firewall, 2- DMZ) and the = firewall=20 only have two nic cards (1- Internet, 2- Internal Network) as = well? The=20 argument for the 3-card configuration is that logging is better that=20 way. Meanwhile, the 2+2 argument is to keep as little traffic = from being=20 able to flow into and through the firewall machine as possible for = both=20 overhead and security reasons. I am leaning towards the 3-card=20 configuration based on the fact that it is the recommendation from = Checkpoint=20 (or at least their vendors), but I would like to know if anyone has = any=20 opinions before I decide. </FONT><FONT size=3D2>As for the = machines in the=20 DMZ, other than the web server itself (IIS 4.0) I am not sure which = ones need=20 to reside there and which need to be placed on the internal network = for the=20 best security configuration. Below is described the main = services that I=20 am concerned with at the moment.</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>E-mail is currently handled by an Exchange Server, = but is=20 also used for services besides just internet e-mail such as public = folders and=20 internal company mail. One person therefore recommended setting = up an=20 SMTP box in the DMZ and having it dedicated to relaying internet based = e-mail=20 from the outside back through the firewall (and vice-versa) to protect = the=20 other information on the Exchange server. That sounded good to = me, but=20 later when I was discussing this with another person I got a totally = different=20 opinion. He said it was a bad idea to let another box handle the = e-mail=20 and that to have the Exchange box on the internal network would cause = me to=20 have to punch huge holes in the firewall to let certain services=20 through. Therefore, the Exchange box needed to reside in the DMZ = rather=20 than behind it. What he said really didn't make sense to me, = because I=20 would think that it would be having the Exchange server in the DMZ = that would=20 cause me to have to punch holes rather than the other way = around. But,=20 just because I don't understand his reasoning doesn't mean he is = incorrect=20 especially since he knows a lot more about firewalling than I do, so I = ask=20 which is the better way to go?</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>Next, is that the web server uses dynamic html for = much of=20 the website content. This leverages both a SQL server and DCOM=20 programming built through Visual InterDev to deliver the content to = the web=20 server. This is where it really goes over my head at the moment, = if it=20 was just SQL server then I know to place it on the inside and let the = calls=20 from the web server come back through the firewall. However from = what I=20 have been told by a developer, DCOM uses dynamic port allocation when=20 establishing a stateful connection (although from what I have read it = uses=20 udp, so I don't know why there should be a stateful connection). = I=20 honestly don't understand enough to know where the DCOM part of the = process=20 sits (although I am guessing it is on the web rather than the database = server), and whether this means that I have to open up a port range = for DCOM=20 to work properly or to move the SQL server out to the DMZ (neither of = which=20 sounds like a good idea to me). Also, I am not sure about what = ports or=20 rules would need to be incorporated to get this to function as = securely as=20 possible if everything other than the web server resides behind the=20 firewall.</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT color=3D#000000 size=3D2>If anyone could either point me = towards=20 reference material and/or give me advice about how the DMZ portion of = the=20 network should be setup based on the factors explained above it will = be=20 greatly appreciated. If you need any further information before = making a=20 suggestion or recommendation, please feel free to contact me either on = or off=20 list and I will be more than glad to do what I can to fill in the = gaps. =20 </FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>Thanks,</FONT></DIV> <DIV><FONT size=3D2></FONT> </DIV> <DIV><FONT size=3D2>Mike</FONT></DIV></BLOCKQUOTE></BODY></HTML> ------=_NextPart_000_0002_01BF6F82.5725F440--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:08 PDT