OK, everyone, Use a firewall with three network cards in it, one going to DMZ, one going to lan, and one going to internet, allow traffic such as smtp to dmz, don't allow any traffic to internally. Store all your smtp messages in the dmz. Use an internal program on the lan to go out and grab the mail from the dmz and reroute it internally to your lan mailsystem.
That's all case closed. Noone will be able to sniff the dmz ports for passwords if everything is locked up and hardened down. In my experience of consulting and being on site, the majority of vulnerabilities in firewalls is two firewalls and misconfiguration. The configuration that Zach stated below can be accomplished by one firewall. All it is is different legs on the firewall. PS use a stateful packet inspection firewall only! That way it keeps all the connections in a state table Dave -----Original Message----- From: Erik Vincent [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 2:04 PM To: Zach Crowell Cc: Chris Berry; [EMAIL PROTECTED] Not realy, becouse they are configured differently. The outer Firewall let traffic from the internet inside the DMZ ie: SMTP, HTTP etc...) But the Inner firewall wont accept any connection from the DMZ to LAN, ie: internet <-> Outer Firewall <-> DMZ <- Inner Firewall <- LAN The Inner firewall will be configured to acept traffic only from the LAN. So all NEW connection from the DMZ to the LAN are DROP/REFUSE. This is not the case with the Outer Firewall ie : must forward SMTP, HTTP etc.. If your are running no services on the Inner Firewall (not event sshd) and use a read-only media (read LRP). In my point of view, it is a good setup...(On course if you have the money to afford CISCO or other thing may be different...) Zach Crowell wrote: > > > Erik Vincent wrote: > >> I think there is a major difference between: >> >> 1: internet --> Outer Firewall --> DMZ --> Inner >> Firewall --> LAN >> If your Outer Firewall is crack, only the >> DMZ computer will be unprotected >> but the LAN portion still protected. > > > Under what conditions would these firewalls be configured any > differently from a vulnerability-assessment view point? i.e., if > someone was able to crack the outer firewall, is it not likely they > would crack the inner firewall as well? > > Zach > ------------------------------------------------------------------------ --- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ------------------------------------------------------------------------ ---- ************************************************************************************************** ** eSafe-portsmouth scanned this email for viruses, vandals and malicious content ** ************************************************************************************************** --------------------------------------------------------------------------- Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts! The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm ----------------------------------------------------------------------------