If you really want your firewall to accept only outbound connections, take a
look at this product: http://www.netsecure.qc.ca/en/

The implementation of the product is:

INTERNET CLOUD -----------------ISP NS ( MX record for SMTP Relay using
NAT IP address .. not real internal IP)
     |
     |
ROUTER
     |
     |
FIREWALL ---------SMTP RELAY (with content analysis...) AND the EXTERNAL AGENT
     |
     |
     |
MAIL EXCHANGE (SMTP MAILSERVER) AND the INTERNAL AGENT

The Firewall is configured to block EVERY INBOUND CONNECTION.

External and Internal Agents are both products from NetsecureMail. The Internal
Agent downloads periodically via FTP the mails stored on the SMTP RELAY, thanks
to the External Agent.

This is very simple to implement.

Bertrand


>Date: Wed, 12 Apr 2000 08:47:49 +0100
>From: [EMAIL PROTECTED]
>Subject: RE: The best way to do smtp

>Interesting question. I am going to waffle on a bit here as this is such
>a huge subject......

>SMTP is one of the only protocols that you have to allow in and out of
>your organisation. In addition, SMTP exchanges often have to hold a list
>of all the users of the system (MS Exchange for example). The host
>running the SMTP Exchange also has to have a specific record defined in
>DNS ... the MX record. Headers in SMTP mail can give away information
>about routing inside your network and to the internet, and internal
>network structure such as the IP range used for the internal LAN. So
>there is a lot a would-be attacker could glean from your implementation
>of SMTP which could be useful in attacking your internal LAN.

>My preferred implementation would be something like the following......
>Diagram.....

>INTERNET CLOUD -----------------ISP NS ( MX record for SMTP Relay using
>NAT IP address .. not real internal IP)
>    |
>    |
>ROUTER
>    |
>    |
>FIREWALL (NAT - Block everything inbound except SMTP - Outbound allow
>just what you need and only from relay host... i.e. use for www etc
>as well)
>    |
>    |
>SMTP RELAY (Content Analysis .. AV scanning, blocking of undesirable
>content ... spam protection and anti relay .. i.e. only relay for mail
>to your domain etc)
>    |
>    |
>FIREWALL (NAT .... allow SMTP data only from SMTP Relay .... outbound
>from MAIL Exchange and other proxies for www etc)
>    |
>    |
>MAIL EXCHANGE (SMTP MAILSERVER)
>
>Then, once you have this up, but before you go live, find a good and
>reputable firm to perform a health check on the system to clear up any
>vulnerabilities which may have gone unnoticed and unchecked. The
>testing should comprise both external testing ... i.e. illegal access
>to your LAN from outside ... and also internal testing to make sure your
>users can't get around the securities you have configured .... make sure
>the data flows allowed by your security policy are the only data flows
>possible.... so check your security policy first .....

>Have fun......

>Cheers,Liam.

> ----------
> From:   Luiz Eduardo
> Sent:   11 April 2000 17:16
> To:     '[EMAIL PROTECTED]'
> Subject:     Re: The best way to do smtp
>
> Please, I would like to know which is the more correct form of configuring
> and/or implementing an SMTP server. Should I place an SMTP server in the DMZ
> and another inside my internal network?
> How should I configure these servers? Should I have all the users on the two
> servers?
>
> thanks
>
> Luiz Eduardo
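
As an added example (not code from any of the posts above), here is a small Python model of the data flows that the two-firewall relay design in Liam's message permits, plus the relay's "only relay for mail to your domain" rule, so the "only the flows allowed by policy are possible" check can be exercised before going live. The zone addresses, the relay and mail exchange addresses and the local domain are constructed placeholders, and it assumes the relay sees the mail exchange's real address on the inner hop.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses for the three zones in the diagram.
LAN = ip_network("10.0.0.0/8")          # internal network behind the inner firewall
DMZ = ip_network("192.0.2.0/24")        # relay network between the two firewalls
RELAY = ip_address("192.0.2.25")        # SMTP relay (the address the MX record points at)
MX = ip_address("10.0.0.25")            # internal mail exchange (SMTP mailserver)
LOCAL_DOMAINS = {"example.org"}         # domains the relay accepts mail for from anyone


def zone(ip):
    ip = ip_address(ip)
    if ip in LAN:
        return "lan"
    if ip in DMZ:
        return "dmz"
    return "internet"


def outer_firewall(src, dst, dport):
    """Outer firewall: block everything inbound except SMTP to the relay;
    outbound is allowed only from the relay host (which also proxies www etc.)."""
    if zone(src) == "internet":
        return ip_address(dst) == RELAY and dport == 25
    return ip_address(src) == RELAY


def inner_firewall(src, dst, dport):
    """Inner firewall: SMTP into the LAN only from the relay to the mail
    exchange; outbound only from the mail exchange (other proxies omitted)."""
    if zone(src) == "lan":
        return ip_address(src) == MX
    return ip_address(src) == RELAY and ip_address(dst) == MX and dport == 25


def flow_allowed(src, dst, dport):
    """A flow is possible only if every firewall on its path permits it."""
    crossed = {zone(src), zone(dst)}
    if len(crossed) == 1:               # same zone: no firewall in the path
        return True
    checks = []
    if "internet" in crossed:
        checks.append(outer_firewall)   # internet <-> dmz or internet <-> lan
    if "lan" in crossed:
        checks.append(inner_firewall)   # dmz <-> lan or internet <-> lan
    return all(fw(src, dst, dport) for fw in checks)


def relay_accepts(client, rcpt_domain):
    """Anti-relay rule: accept mail for our own domains from anyone, and mail
    to any domain only when it comes from our mail exchange (assumed un-NATed)."""
    return rcpt_domain.lower() in LOCAL_DOMAINS or ip_address(client) == MX
```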

