Just my .02....

> Michael Borkin wrote:
>
> > I have been called upon to re-design an existing network to allow the hosting of a web and e-mail server. It is a pure Microsoft network (95/98, NT, and W2K) that will incorporate a Checkpoint FW-1 firewall (actually VPN-1) as part of the design. My main questions at this point have to do with the DMZ, what belongs there, and how to connect it to the firewall and the internet. The connection to the internet will come in over an SDSL router (brand unknown at this time), but from there I have gotten conflicting advice.
> >
> > Should all traffic be passed back to the firewall, which will have 3 NIC cards (1- Internet, 2- DMZ, 3- Internal network), or should the router itself have two ethernet ports (1- Firewall, 2- DMZ) and the firewall only have two NIC cards (1- Internet, 2- Internal Network) as well? The argument for the 3-card configuration is that logging is better that way. Meanwhile, the 2+2 argument is to keep as little traffic from being able to flow into and through the firewall machine as possible, for both overhead and security reasons. I am leaning towards the 3-card configuration based on the fact that it is the recommendation from Checkpoint (or at least their vendors), but I would like to know if anyone has any opinions before I decide. As for the machines in the DMZ, other than the web server itself (IIS 4.0) I am not sure which ones need to reside there and which need to be placed on the internal network for the best security configuration. Below are described the main services that I am concerned with at the moment.

3 NICs is the way to go for the highest degree of security. Most SDSL routers I have seen are a little weak when it comes to filtering, and even then it is just port filtering, which is good but not perfect as far as a security strategy goes. I don't understand a lot of your comments about the 2+2 config. You want all traffic inbound to flow through your firewall. This is commonly referred to as a choke point. If you only have a single point of entry to your network it is easier to build up defenses.

> > E-mail is currently handled by an Exchange Server, but is also used for services besides just internet e-mail, such as public folders and internal company mail. One person therefore recommended setting up an SMTP box in the DMZ and having it dedicated to relaying internet based e-mail from the outside back through the firewall (and vice-versa) to protect the other information on the Exchange server. That sounded good to me, but later when I was discussing this with another person I got a totally different opinion. He said it was a bad idea to let another box handle the e-mail and that having the Exchange box on the internal network would cause me to have to punch huge holes in the firewall to let certain services through. Therefore, the Exchange box needed to reside in the DMZ rather than behind it. What he said really didn't make sense to me, because I would think that it would be having the Exchange server in the DMZ that would cause me to have to punch holes rather than the other way around. But just because I don't understand his reasoning doesn't mean he is incorrect, especially since he knows a lot more about firewalling than I do, so I ask: which is the better way to go?

Get a Linux box, put sendmail on it and place it in the DMZ. Allow anyone to establish an SMTP connection to it from the outside. Then put a hole from the DMZ to your internal Exchange server for SMTP traffic only. I think the other person you were speaking with is confused about big holes in your firewall. If you are using SMTP to pass mail then you only need to open up port 25 SMTP. If you are trying to do the full blown Exchange site using the Exchange MTA, then yes it gets ugly. You don't need to do that though.

> > Next is that the web server uses dynamic HTML for much of the website content. This leverages both a SQL server and DCOM programming built through Visual InterDev to deliver the content to the web server. This is where it really goes over my head at the moment; if it was just SQL server then I know to place it on the inside and let the calls from the web server come back through the firewall. However, from what I have been told by a developer, DCOM uses dynamic port allocation when establishing a stateful connection (although from what I have read it uses UDP, so I don't know why there should be a stateful connection). I honestly don't understand enough to know where the DCOM part of the process sits (although I am guessing it is on the web rather than the database server), and whether this means that I have to open up a port range for DCOM to work properly or to move the SQL server out to the DMZ (neither of which sounds like a good idea to me). Also, I am not sure about what ports or rules would need to be incorporated to get this to function as securely as possible if everything other than the web server resides behind the firewall.

The web server should be in the DMZ, as should the SQL server IMHO. The SQL server should NOT be accessible from the outside at all. It should only talk to the web server and internal clients. Then open a hole from the inside to the SQL server for the SQL server traffic (port escapes at the moment). And of course open up HTTP and HTTPS from the inside to the DMZ.

A couple of issues you should keep in mind....

1. Every box should be behind a firewall, period.
2. Do whatever port filtering you can at your router.
3. Find the Checkpoint FW-1 install checklist. (I think you might be able to get it at www.securityfocus.com but I am not sure.)
4. Get a stand-alone backup solution for servers in your DMZ.
5. Try to keep DMZ>Inside holes to a minimum.
6. Get "Building Internet Firewalls" by Cheswick and Bellovin. It has lots of good theory and examples.
7. Watch your logs!

> > If anyone could either point me towards reference material and/or give me advice about how the DMZ portion of the network should be set up based on the factors explained above, it will be greatly appreciated. If you need any further information before making a suggestion or recommendation, please feel free to contact me either on or off list and I will be more than glad to do what I can to fill in the gaps.
> >
> > Thanks,
> >
> > Mike

--
Bill Pennington
IT Manager
Rocketcash
billpat_private
http://www.rocketcash.com
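The three-NIC layout and the rules Bill recommends above (inbound mail only to a DMZ relay, a single SMTP hole from the relay to Exchange, SQL reachable only from the inside, HTTP/HTTPS from the inside to the DMZ) can be written down as a first-match rulebase and checked before anything is typed into the firewall. This is an added example, not code from the thread or from Checkpoint; the subnets, host addresses and the MS SQL default port 1433 are assumptions made here, since the reply leaves the SQL port unspecified.

```python
# Added example (not from the thread): the three-NIC design from the
# reply as a first-match rulebase with default drop, plus checks for the
# properties it argues for. Subnets, addresses and port 1433 are assumed.
from ipaddress import ip_address, ip_network

ZONES = {"dmz": ip_network("192.0.2.0/24"), "inside": ip_network("10.0.0.0/8")}
HOSTS = {  # constructed addresses, one per box the thread discusses
    "smtp_relay": ip_address("192.0.2.25"),   # sendmail relay in the DMZ
    "web":        ip_address("192.0.2.80"),   # IIS web server in the DMZ
    "sql":        ip_address("192.0.2.143"),  # SQL server in the DMZ
    "exchange":   ip_address("10.0.0.25"),    # Exchange on the inside
}

def zone_of(ip):
    # Map an address to the firewall interface it arrives on.
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"  # anything not on a firewall-attached subnet

def selector_zone(selector):
    # A rule selector is either a host name or a zone name.
    return zone_of(HOSTS[selector]) if selector in HOSTS else selector

def matches(selector, ip):
    return HOSTS[selector] == ip if selector in HOSTS else zone_of(ip) == selector

# (source, destination, TCP port): accept. Anything not listed is dropped.
RULEBASE = [
    ("internet", "smtp_relay", 25),  # inbound mail only ever reaches the relay
    ("internet", "web", 80),
    ("internet", "web", 443),
    ("smtp_relay", "exchange", 25),  # the single DMZ -> inside hole: SMTP only
    ("exchange", "smtp_relay", 25),  # outbound mail leaves via the relay
    ("inside", "sql", 1433),         # assumed MS SQL default TCP port
    ("inside", "web", 80),
    ("inside", "web", 443),
]

def decide(src, dst, dport):
    """First-match evaluation of RULEBASE; no match means drop."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, rule_port in RULEBASE:
        if matches(rule_src, s) and matches(rule_dst, d) and rule_port == dport:
            return "accept"
    return "drop"

def dmz_to_inside_holes():
    """Item 5 of the reply: every accept rule that crosses DMZ -> inside."""
    return {(dst, port) for src, dst, port in RULEBASE
            if selector_zone(src) == "dmz" and selector_zone(dst) == "inside"}
```

Traffic between the web server and the SQL server stays on the DMZ segment and never crosses the firewall, so this model says nothing about it; the "internal clients" path is the only SQL access the firewall mediates.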
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:01:13 PDT