I think you only replied to me here.

Anyway, the SMTP gateway in this case, which performs content analysis on
inbound and outbound mail, is put in the DMZ as a matter of best
practice. Yes, the would-be attacker would have to do more work (which
in most cases is enough to dissuade them). Secondly, you are assuming
that the SMTP gateway in the DMZ is a UNIX box running a sendmail SMTP
listener or the like.... this is not necessarily the case. Further, if
you keep up to date with your patches and fixes and you are only
allowing SMTP in to this host, then what is the real risk here? I think
it is negligible...

Using SMTP there is only one other method of breaking in, and that is
using malware within the mail itself, which is where your content
analysis comes in. This gateway can also be used to protect the
internal network from spam, from being used as a relay host (keep yourself
out of RBLs) etc .... Plus, often the internal SMTP exchange is also the
internal mail server. Thus a DoS attack would down the SMTP gateway in
the DMZ and protect the flow of internal e-mail... Thus, I disagree.

> ----------
> From:         Michael J Lawrence
> Sent:         12 April 2000 16:46
> To:   '[EMAIL PROTECTED]'
> Subject:      RE: The best way to do smtp
> 
> You know,  I've always looked at the SMTP gateway just as you show it
> here, in the DMZ and relaying inbound to the main server.
> 
> But recently, I've been wondering if that really makes any difference.
> Since the DMZ's job is to isolate servers with security posture
> differentials, I don't really see the benefit of isolating the SMTP
> server.  No matter how you slice or dice it, you have to let port 25
> hit the private network.  Whether it's from a relay or directly from
> the Internet, the exposure is the same.  The only real difference I
> can see is that hackist would have to hack twice if SMTP relay is in
> DMZ.
> 
> I dunno.  I think maybe SMTP in DMZ is providing negligible
> improvement in security compared to the added cost and complexity of a
> dedicated relay host.
> 
> Thoughts anyone?
> 
> Michael J Lawrence CCSE 
> Fox Technology
> 
> ----------
> From:
> [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED]]
> Sent:         Wednesday, April 12, 2000 1:47 AM
> To:   [EMAIL PROTECTED]
> Cc:   [EMAIL PROTECTED]
> Subject:      RE: The best way to do smtp
> 
> Interesting question. I am going to waffle on a bit here as this is such
> a huge subject......
> 
> SMTP is one of the only protocols that you have to allow in and out of
> your organisation. In addition, SMTP exchanges often have to hold a list
> of all the users of the system (MS Exchange for example). The host
> running the SMTP exchange also has to have a specific record defined in
> DNS ... the MX record. Headers in SMTP mail can give away information
> about routing inside your network and to the internet, and internal
> network structure such as the IP range used for the internal LAN. So
> there is a lot a would-be attacker could glean from your implementation
> of SMTP which could be useful in attacking your internal LAN.
> 
> My preferred implementation would be something like the following......
> Diagram.....
> 
> INTERNET CLOUD -----------------ISP NS (MX record for SMTP Relay using
> NAT IP address .. not real internal IP)
>       |
>       |
> ROUTER
>       |
>       |
> FIREWALL (NAT - Block everything inbound except SMTP - Outbound allow
> just what you need and only from relay host... i.e. use for www etc
> as well)
>       |
>       |
> SMTP RELAY (Content Analysis .. AV scanning, blocking of undesirable
> content ... spam protection and anti relay .. i.e. only relay for mail
> to your domain etc)
>       |
>       |
> FIREWALL (NAT .... allow SMTP data only from SMTP Relay .... outbound
> from MAIL Exchange and other proxies for www etc)
>       |
>       |
> MAIL EXCHANGE (SMTP MAILSERVER)
> 
> Then, once you have this up, but before you go live, find a good and
> reputable firm to perform a health check on the system to clear up any
> vulnerabilities which may have gone un-noticed and unchecked. The
> testing should comprise both external testing ... i.e. illegal access
> to your LAN from outside ... and also internal testing to make sure your
> users can't get around the securities you have configured .... make sure
> the data flows allowed by your security policy are the only data flows
> possible.... so check your security policy first .....
> 
> Have fun......
> 
> Cheers, Liam.
> 
> > ----------
> > From:       Luiz Eduardo
> > Sent:       11 April 2000 17:16
> > To:         '[EMAIL PROTECTED]'
> > Subject:    Re: The best way to do smtp
> > 
> > Please, I would like to know which is the more correct way of
> > configuring and/or implementing an SMTP server. Should I place an SMTP
> > server in the DMZ and another inside my internal network?
> > How should I configure these servers? Should I have all the users on
> > both servers?
> > 
> > thanks
> > 
> > Luiz Eduardo
> > 
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
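As an added example (not code from the thread or from any of its authors), here is Liam's two-firewall design expressed as rule tables in Python, with an audit() of exactly the flows the thread argues over: whether port 25 from the Internet ever reaches the private network, and whether anything but the relay can talk SMTP outbound. The addresses, zone ranges and rule tables are constructed assumptions; this is the kind of "only the flows allowed by policy are possible" self-check Liam recommends before going live.

```python
from ipaddress import ip_address, ip_network

# Constructed documentation-range addresses for the three zones (assumed, not from the thread).
DMZ = ip_network("192.0.2.0/24")          # SMTP relay lives here
LAN = ip_network("198.51.100.0/24")       # internal mail exchange lives here
RELAY = ip_address("192.0.2.25")
EXCHANGE = ip_address("198.51.100.25")
SMTP, HTTP = 25, 80

def zone(ip):
    ip = ip_address(ip)
    return "dmz" if ip in DMZ else "lan" if ip in LAN else "internet"

# Rules are (source, destination, port); "any" matches every address. Default deny.
# Outer firewall (Internet <-> DMZ): inbound SMTP only to the relay; outbound only
# from the relay, and only the services it needs (SMTP and www in the diagram).
OUTER = [("any", RELAY, SMTP), (RELAY, "any", SMTP), (RELAY, "any", HTTP)]
# Inner firewall (DMZ <-> LAN): SMTP only between the relay and the mail exchange.
INNER = [(RELAY, EXCHANGE, SMTP), (EXCHANGE, RELAY, SMTP)]

def _permits(rules, src, dst, port):
    src, dst = ip_address(src), ip_address(dst)
    return any((s == "any" or s == src) and (d == "any" or d == dst) and p == port
               for s, d, p in rules)

def allowed(src, dst, port):
    """True only if every firewall on the path permits the flow.
    Traffic that stays inside one zone crosses no firewall and is not filtered here."""
    hops = {"internet": 0, "dmz": 1, "lan": 2}
    a, b = hops[zone(src)], hops[zone(dst)]
    # Crossing Internet<->DMZ traverses OUTER (index 0); crossing DMZ<->LAN traverses INNER (1).
    path = [fw for i, fw in enumerate((OUTER, INNER)) if min(a, b) <= i < max(a, b)]
    return all(_permits(fw, src, dst, port) for fw in path)

def audit(outside="203.0.113.7"):
    """Policy self-test: the flows the thread discusses, True = permitted."""
    return {
        "internet->relay:25": allowed(outside, RELAY, SMTP),
        "internet->exchange:25": allowed(outside, EXCHANGE, SMTP),   # never reaches the LAN
        "internet->relay:22": allowed(outside, RELAY, 22),           # only SMTP inbound
        "relay->exchange:25": allowed(RELAY, EXCHANGE, SMTP),
        "exchange->relay:25": allowed(EXCHANGE, RELAY, SMTP),
        "exchange->internet:25": allowed(EXCHANGE, outside, SMTP),   # must go via the relay
        "relay->internet:25": allowed(RELAY, outside, SMTP),
    }

if __name__ == "__main__":
    for flow, ok in audit().items():
        print(f"{flow:24s} {'ALLOW' if ok else 'deny'}")
```

The audit shows that with the relay in the DMZ, port 25 from the Internet terminates at the relay and never hits the private network directly, which is the point the top reply makes against the "exposure is the same" argument.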