At 03:23 PM 2/17/2004, Hilton Travis wrote:
>I can also understand that a number of businesses have sensitive email on
>their mail server, so want it in the more protected LAN network. But
>these users also need to realize that running a mail server on the LAN
>will result in Internet traffic making connections directly to a device on
>your LAN, therefore weakening the security that your firewall
>provides. Especially if it is a Microsoft mail server.
Our solution:
{Internet}---/outer firewall/----[DMZ]----/inner firewall/----[LAN]---
The mail server lives on the DMZ, and the outer firewall allows access to
its SMTP port. The server spools, but does not deliver, mail to machines
on the LAN. A cron job uses SCP to fetch the contents of the spool
directory to a machine on the LAN which then does the delivery. (Ugly
locking tricks elided.)
This allows us to keep intact one of our fundamental rules: No connections
between the DMZ and the LAN may be initiated from the DMZ.
You =must= treat machines in a DMZ as potentially hostile. Any machine
visible to the great unwashed internet is subject to compromise (especially
if running Microsoft software :->). The whole purpose of a DMZ is to limit
the damage a compromised machine can do.
-crl
--
Chad R. Larson (CRL22) chad at eldocomp dot com
Eldorado Computing, Inc. 602-604-3100
5353 North 16th Street, Suite 400
Phoenix, Arizona 85016-3228
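The pull-only hand-off described above, as an added example that is not the poster's script: the LAN side opens every connection, the DMZ's directory listing is handled as untrusted input, a lock keeps overlapping cron runs apart, and each message is renamed into place so local delivery never sees a half-copied file. Assumed (none of it is from the message): the DMZ MTA renames only complete messages into a spool directory with Maildir-style, whitespace-free unique names, the LAN host holds an ssh key for an unprivileged DMZ account, and the hosts, paths and messages in demo() are constructed.

```python
import fcntl, os, shutil, subprocess, tempfile
from pathlib import Path

def scp_transport(host, spool):
    """(listing, fetch, remove) over ssh/scp; every connection is opened from the LAN side."""
    def run(*cmd): return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return (lambda: run("ssh", host, "ls", "-1", spool).split(),
            lambda name, dest: run("scp", f"{host}:{spool}/{name}", str(dest)),
            lambda name: run("ssh", host, "rm", "--", f"{spool}/{name}"))

def local_transport(spool):
    """Same interface on a local directory, so the hand-off logic can run without a DMZ."""
    return (lambda: sorted(p.name for p in spool.iterdir()),
            lambda name, dest: shutil.copy2(spool / name, dest),
            lambda name: (spool / name).unlink())

def pull_spool(transport, inbox, lock_path):
    """Copy each message to inbox/tmp, rename it atomically into inbox/new, then delete it
    on the DMZ. Returns (delivered, rejected); re-running after a failure is safe (at worst a duplicate)."""
    listing, fetch, remove = transport
    for d in ("tmp", "new"): (inbox / d).mkdir(parents=True, exist_ok=True)
    delivered, rejected = [], []
    with open(lock_path, "w") as lock:
        try:
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)  # one puller at a time
        except BlockingIOError:
            return delivered, rejected  # previous cron run still busy; try again next run
        for name in listing():
            if not name or "/" in name or name.startswith("."):  # DMZ listing is untrusted input
                rejected.append(name)
                continue
            final = inbox / "new" / name
            if not final.exists():  # already here only if an earlier remove() failed
                fetch(name, inbox / "tmp" / name)
                os.rename(inbox / "tmp" / name, final)  # LAN MTA never sees a partial file
            remove(name)  # only after the LAN copy is durable
            delivered.append(name)
    return delivered, rejected

def demo():
    """Constructed spool: two complete messages plus a hostile entry in the listing."""
    root = Path(tempfile.mkdtemp())
    spool, inbox = root / "spool", root / "inbox"
    spool.mkdir()
    for n in ("1077060180.P1.dmz", "1077060181.P2.dmz"):
        (spool / n).write_text(f"Subject: {n}\n\nhello\n")
    listing, fetch, remove = local_transport(spool)
    hostile = (lambda: listing() + ["../../etc/passwd"], fetch, remove)
    first, second = [pull_spool(hostile, inbox, root / "lock") for _ in range(2)]
    return first, second, sorted(p.name for p in (inbox / "new").iterdir()), list(spool.iterdir())
```

The script does not replace the inner firewall rule: that rule still has to permit only ssh from this one LAN host to the DMZ spool host, and nothing initiated the other way.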