Recommendations and experience required - Firewalls/*nix/M$ security combined!
Posted on 2004-04-24
Okay, this ones gonna cause some flak as I'm looking for peoples opinions and experiences, so might have to spread some points around. I realise that everyone is welcome tro their opinions, as long as they agree to mine *8-) This is almost an exact repeat of a question I've posted under networking/email as this question is relevant to both topics. I'll link the two later for anyone looking for similar info.
Therefore please don't get into flaming each other over better linux distro's, M$ vs *nix, etc..
Okay - I'm currently setting up a new environment in my office and I am fishing for ideas on the best security for the system. I have a number of servers and licenses for Exchange 2003 and Windows Server 2003 (enough for two installations and no more) and also a license for ISA server. I am a Windows support chap by profession so I'm going to use Exchange for the main office email system, outlook will be the preferred client and Windows 2003 will be used for general file serving, print serving and user authentication
The methods of securing the environment from the big bad internet is still up for grabs - I currently have an idea to install a copy of the Linux distro IPCop to provide a secure inner system for the FAPS/AD controller and a DMZ to house the webmail services (and therefore the Exchange server as far as I'm aware)
The email is currently being supplied by a variety of POP3 mailboxes so I will need to collect that mail and forward it to the Exchange server as SMTP traffic. My preference is to virus and spam filter that mail traffic before it even hits the mail server. Any ideas on fetchmail/spamassain/etc. for this work??
I would also like to keep my Exchange server as hidden as possible while still retaining a recognisable Exchange style webmail interface as we all know how the vunerabilities of any M$ system get published so frequently (note I'm not stating there are more or less of these, just they tend to get a lot of exposure on the net). I am not adverse to an opensource system to host webmail as long as the end users will feel as if they are still getting the full access to their exchange account (contacts, calendering as well as email).
So, my initial thoughts were:
Web traffic to the IPCop box that would only forward inbound connection requests on port 443 to the Exchange DMZ box for the webmail interface (also for remote Outlook 2003 clients) and refuse any other ports completely. I knew one guy once that had a firewall that captured the IP address of anyone trying to attach to definite blocked ports and then added them to the blacklist if they tried more than once to connect on them - i.e. automatic deny to any port scanners out there - seem a nice feature.
IpCop would also host the VPN connections for IPSec traffic from remote office staff. Any suggestions of how I can keep this completely tight as a ducks a*$£ are welcome.
An internal server (may well be a Linux box - Windows licenses do cost money after all) will repeatedly poll the pop3 mailboxes and feed through a decent virus and spam filtering system and then forward via SMTP to the Exchange server.
Out going mail will be delivered straight out to the internet from Exchange directly.
I could also double protect the Exchange server with ISA as I have a legal copy, but I have run out of Windows server license to host it! How much value would there be putting ISA on the Exchange server to be double protected?? overkill???
So - any suggestions for improvement, preferred packages for mail collect/spam/virus filter and forward. Or just recommendations/links to best methods of setups and examples of various products?
I'm open to anything really, just don't want my office to be! I'm also looking for the lower cost options (i know, time is money as well, but it can sometimes be easier to come by!)
I'm also currently mostly a Microsoft person, but I would like to understand a lot more about Unix so even though my proposal may seem excessively complex, I want to use it as a learning experience as well.
Many thanks in advance and apologies for the length of this post...