Michael Borkin wrote:
>
> Mikael Olsson wrote:
> > I'd recommend placing a mail forwarder with content screening
> > capabilities in a SEPARATE DMZ, and the Exchange server on
> > the internal network.
>
> Why do you recommend a separate DMZ just for mail forwarding?

I recommend separate segments for just about everything :-)

The reason for the separate DMZ is that you don't want to expose
your mail forwarder to your web server. The risk that someone will
hack your web server through the firewall is much greater than the
risk of someone hacking your mail forwarder through the firewall.
However, with the two placed on the same LAN, hacking the mail
forwarder most likely becomes a simple task.

Also, by placing the mail forwarder in a separate DMZ, you can be
reasonably sure that the SMTP traffic going into your Exchange
server is actually coming from the mail forwarder, and not from
the web server doing some serious IP and/or MAC spoofing.

Uhm.. That's it I guess :-)

/Mike

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50
Fax: +46-(0)660-122 50
Mobile: +46-(0)70-248 00 33
WWW: http://www.enternet.se
E-mail: mikael.olssonat_private
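The two layouts compared in the reply above, modelled as an added example that is not part of the original message: a firewall whose rules are bound to the ingress interface, evaluated for a shared DMZ and for separate web and mail DMZs. All addresses, segment names and rule tuples are constructed assumptions.

```python
# Added illustration; addresses, segment names and rules are constructed.
from ipaddress import ip_address, ip_network

WEB, EXCHANGE = "192.0.2.80", "10.0.0.10"

# Rule = (ingress interface, allowed source, destination, TCP port)
SHARED = {  # web server and mail forwarder on one DMZ LAN
    "segments": {"dmz": "192.0.2.0/24", "inside": "10.0.0.0/24"},
    "forwarder": "192.0.2.25",
    "rules": [("dmz", "192.0.2.25/32", "10.0.0.10/32", 25)],
}
SPLIT = {   # mail forwarder on its own firewall interface
    "segments": {"web_dmz": "192.0.2.0/25", "mail_dmz": "192.0.2.128/25",
                 "inside": "10.0.0.0/24"},
    "forwarder": "192.0.2.130",
    "rules": [("mail_dmz", "192.0.2.130/32", "10.0.0.10/32", 25)],
}

def segment_of(layout, ip):
    """Name of the LAN segment (firewall interface) an address lives on."""
    for name, net in layout["segments"].items():
        if ip_address(ip) in ip_network(net):
            return name
    raise ValueError(f"{ip} is not on any modelled segment")

def flow(layout, real_src, dst, port, claimed_src=None):
    """Classify a TCP connection as 'unfiltered', 'allowed' or 'denied'."""
    # real_src fixes the interface the packet physically arrives on;
    # claimed_src is the source address written in the packet (spoofable).
    ingress = segment_of(layout, real_src)
    if ingress == segment_of(layout, dst):
        return "unfiltered"  # same LAN: the firewall never sees it
    src = ip_address(claimed_src or real_src)
    for iface, src_net, dst_net, dport in layout["rules"]:
        if (iface == ingress and src in ip_network(src_net)
                and ip_address(dst) in ip_network(dst_net) and port == dport):
            return "allowed"
    return "denied"  # default deny

def report(layout):
    fwd = layout["forwarder"]
    return {
        "web -> forwarder": flow(layout, WEB, fwd, 25),
        "web spoofing forwarder -> Exchange": flow(layout, WEB, EXCHANGE, 25, fwd),
        "forwarder -> Exchange": flow(layout, fwd, EXCHANGE, 25),
    }

if __name__ == "__main__":
    for name, layout in (("shared DMZ", SHARED), ("separate DMZs", SPLIT)):
        print(name, report(layout))
```

In the shared layout the web-to-forwarder path bypasses the firewall and the spoofed source matches the SMTP rule; with separate DMZs both are denied while the forwarder's own SMTP traffic is still allowed.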
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:15 PDT