Hi John,

On Wed, 2004-02-18 at 08:41, John Voigt wrote:
> ----- Original Message -----
> From: "Hilton Travis" <Hilton at QuarkAV dot com>
> Sent: Tuesday, February 17, 2004 5:23 PM
>
> > Hi John,
> >
> > DMX? You been doing some stage lighting lately? :)
>
> How'd you guess? :-)

I've been known to mix up TLAs when changing from the entertainment to
computer industries and back. :)

> > OK, why is placing a server (that is often serving Internet users) in
> > the DMZ a bad idea? The DMZ is designed for exactly this sort of thing
> > - servers used for Internet users.
>
> Well, it leaves your server to fend for itself, attack-wise. Isn't that
> really what the firewall is for? I mean you still need to worry about
> what's behind the ports you're forwarding but you no longer have to be as
> concerned about other open ports on the server.

Exactly my point. If the firewall is doing its job, then this is only a
single (or minimal number of) port that is open. Even then, you MUST
ensure that the software running on that machine is up to date and
secure. Any vulnerabilities that this machine has can affect the entire
network that this machine is on. Hence leaving all Internet-accessible
machines in a DMZ.

Don't forget that m0n0wall won't forward initiating packets to any
machine, LAN or DMZ, unless you make a rule to allow it.

So, personally, I would leave the mail server in the DMZ where possible,
only running it on the internal LAN where you KNOW that the machine will
be administered regularly by a competent person(s). Also, if running
*any* Internet services on a LAN, I'd be sure to have a machine running
snort (or a similar IDS) just to check for "spurious" traffic.
--
Regards,

Hilton Travis                        Phone: +61-(0)7-3343-3889
Manager, Quark AudioVisual           Phone: +61-(0)419-792-394
Quark Computers                      http://www.QuarkAV.com/
(Brisbane, Australia)                http://www.QuarkAV.net/
Open Source Projects:  http://www.ares-desktop.org/  http://www.mamboband.org/
Non Linear Video Editing Solutions & Digital Audio Workstations
Network Administration, SmoothWall Firewalls, NOD32 AntiVirus
Conference and Seminar AudioVisual Production and Recording
War doesn't determine who is right. War determines who is left.
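The two points made above (the firewall drops initiating packets to LAN or DMZ unless a rule passes them, and a DMZ server should end up with only one exposed port) as an added example; this is not part of the original message and not m0n0wall's own code, just a small Python model of a first-match, default-deny ruleset for a LAN/DMZ split. The 192.168.1.0/24 LAN, the 192.168.2.0/24 DMZ, the mail server at 192.168.2.25, the outside address 203.0.113.9 and the rules themselves are all assumptions constructed for the example.

```python
"""Model of a first-match, default-deny firewall policy for a LAN/DMZ split.

Added example for this thread, not m0n0wall's code: it only models the
behaviour described in the message (an initiating packet is dropped unless
a rule passes it). All addresses, networks and rules below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.168.1.0/24")     # assumed internal LAN
DMZ = ip_network("192.168.2.0/24")     # assumed DMZ segment
MAIL = ip_network("192.168.2.25/32")   # assumed mail server living in the DMZ


@dataclass(frozen=True)
class Packet:
    """The first packet of a new connection (the 'initiating packet')."""
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp" or "udp"
    dport: int


def pkt(src: str, dst: str, proto: str, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches every port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Ordered ruleset, first match wins (constructed for this example).
RULES = [
    Rule("pass", ANY, MAIL, "tcp", 25, "the one forwarded port: SMTP to the DMZ mail server"),
    Rule("block", DMZ, LAN, note="a compromised DMZ host must not initiate into the LAN"),
    Rule("pass", DMZ, ANY, "tcp", 25, "mail server sends outbound mail"),
    Rule("pass", DMZ, ANY, "udp", 53, "mail server resolves names"),
    Rule("pass", LAN, ANY, note="LAN users may initiate anywhere, DMZ included"),
]


def evaluate(rules, p: Packet):
    """Return (action, matching rule). No match means block: the default."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule
    return "block", None


def exposed_ports(rules, host: str, src: str = "203.0.113.9", ports=range(1, 1025)):
    """Ports on `host` that an outside address can open: the policy-level
    equivalent of port-scanning the box from the Internet."""
    dst = ip_address(host)
    return {port for proto in ("tcp", "udp") for port in ports
            if evaluate(rules, Packet(ip_address(src), dst, proto, port))[0] == "pass"}


def blocks_last(rules):
    """Same rules with every block rule moved after the pass rules, to show
    why first-match order matters (the DMZ->LAN block then never fires for tcp/25)."""
    return [r for r in rules if r.action == "pass"] + [r for r in rules if r.action == "block"]


if __name__ == "__main__":
    print("WAN -> mail server, open ports:", sorted(exposed_ports(RULES, "192.168.2.25")))
    print("WAN -> LAN host, open ports:   ", sorted(exposed_ports(RULES, "192.168.1.10")))
    for rules, label in ((RULES, "correct order"), (blocks_last(RULES), "block rule last")):
        action, _ = evaluate(rules, pkt("192.168.2.25", "192.168.1.10", "tcp", 25))
        print(f"DMZ mail server -> LAN tcp/25 ({label}): {action}")
```

`exposed_ports` is the check worth keeping: run it (or the real thing, a port scan from outside) after every rule change and expect exactly the one port you meant to forward. `blocks_last` shows the caveat that comes with any first-match ruleset: the DMZ-to-LAN block only protects the LAN if it sits above the pass rules that let the mail server talk outbound.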