Solved

Recommendations and experience required - Firewalls/*nix/M$ security combined!

Posted on 2004-04-24
15
2,233 Views
Last Modified: 2013-11-16
Okay, this one's gonna cause some flak as I'm looking for people's opinions and experiences, so might have to spread some points around. I realise that everyone is welcome to their opinions, as long as they agree to mine *8-) This is almost an exact repeat of a question I've posted under networking/email as this question is relevant to both topics. I'll link the two later for anyone looking for similar info.

Therefore please don't get into flaming each other over better Linux distros, M$ vs *nix, etc..

Okay - I'm currently setting up a new environment in my office and I am fishing for ideas on the best security for the system. I have a number of servers and licenses for Exchange 2003 and Windows Server 2003 (enough for two installations and no more) and also a license for ISA server. I am a Windows support chap by profession so I'm going to use Exchange for the main office email system, Outlook will be the preferred client and Windows 2003 will be used for general file serving, print serving and user authentication.

The methods of securing the environment from the big bad internet are still up for grabs - I currently have an idea to install a copy of the Linux distro IPCop to provide a secure inner system for the FAPS/AD controller and a DMZ to house the webmail services (and therefore the Exchange server as far as I'm aware).

The email is currently being supplied by a variety of POP3 mailboxes so I will need to collect that mail and forward it to the Exchange server as SMTP traffic. My preference is to virus and spam filter that mail traffic before it even hits the mail server. Any ideas on fetchmail/spamassassin/etc. for this work??

I would also like to keep my Exchange server as hidden as possible while still retaining a recognisable Exchange style webmail interface as we all know how the vulnerabilities of any M$ system get published so frequently (note I'm not stating there are more or less of these, just they tend to get a lot of exposure on the net). I am not averse to an open source system to host webmail as long as the end users will feel as if they are still getting the full access to their Exchange account (contacts, calendaring as well as email).

So, my initial thoughts were:

Web traffic to the IPCop box that would only forward inbound connection requests on port 443 to the Exchange DMZ box for the webmail interface (also for remote Outlook 2003 clients) and refuse any other ports completely. I knew one guy once that had a firewall that captured the IP address of anyone trying to attach to definite blocked ports and then added them to the blacklist if they tried more than once to connect on them - i.e. automatic deny to any port scanners out there - seems a nice feature.

IPCop would also host the VPN connections for IPSec traffic from remote office staff. Any suggestions of how I can keep this completely tight as a duck's a*$£ are welcome.

An internal server (may well be a Linux box - Windows licenses do cost money after all) will repeatedly poll the pop3 mailboxes and feed through a decent virus and spam filtering system and then forward via SMTP to the Exchange server.

Outgoing mail will be delivered straight out to the internet from Exchange directly.

I could also double protect the Exchange server with ISA as I have a legal copy, but I have run out of Windows server licenses to host it! How much value would there be putting ISA on the Exchange server to be double protected?? Overkill???

So - any suggestions for improvement, preferred packages for mail collect/spam/virus filter and forward. Or just recommendations/links to best methods of setups and examples of various products?

I'm open to anything really, just don't want my office to be! I'm also looking for the lower cost options (I know, time is money as well, but it can sometimes be easier to come by!)

I'm also currently mostly a Microsoft person, but I would like to understand a lot more about Unix so even though my proposal may seem excessively complex, I want to use it as a learning experience as well.

Many thanks in advance and apologies for the length of this post...
Question by:arcascomp
15 Comments
 
LVL 7

Assisted Solution

by:shahrial
shahrial earned 100 total points
ID: 10917199
You may consider using FortiNet FortiGate products...feature-rich...and cost-effective to manage. ;-)

http://www.fortigate.com
Fortinet’s award-winning FortiGate™ series of ASIC-accelerated Antivirus Firewalls are the new generation of real-time network protection systems. They detect and eliminate the most damaging, content-based threats from email and Web traffic such as viruses, worms, intrusions, inappropriate Web content and more in real time — without degrading network performance. In addition to providing application level protection, the FortiGate systems deliver a full range of network-level services — firewall, VPN, intrusion detection and traffic shaping — delivering a complete network protection services in dedicated, easily managed platforms.

 
LVL 7

Expert Comment

by:shahrial
ID: 10917211
http://www.fortinet.com/
oppss!...sorry wrong website in previous comment.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10917265
Use ISA server to publish Outlook Web Access.  There's a built-in wizard for doing this.
 

Author Comment

by:arcascomp
ID: 10918329
Tim,

I'd heard this about ISA - I was a bit concerned about running both on the same box, normally I'd advocate firewalls being firewalls and mail servers being mail servers. As I'm thinking of sticking IPCop or likewise (shahrial - will look into the Fortinet range, thanks - not your company is it ;-) in front, my concerns about exposing the mail server/weakening the firewall features by combining are reduced. Will they actually coexist on the same box anyway?

Anyone got any views on popmail retrieval like fetchmail spam/virus killers?

Ta
 
LVL 7

Expert Comment

by:shahrial
ID: 10918481
No, it's not mine, not selling it either. I just found it to be a great product. Deployed a few of these, cheaper than any other AV gateway products, with good features and performance. Did I mention that it's a firewall product...;-) I used it to protect my HTTP mail server too...
 

Author Comment

by:arcascomp
ID: 10926775
Shahrial,

I presume these AV gateway/firewalls will still need a POP3 collector software running inside the system to create the mail traffic to scan. Any suggestions on good systems to collect the POP3 mail and forward onto Exchange?

Also, what's the normal going rate for one of these boxes?

Cheers,

Craig.
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10950277
Why not host your own mail server, instead of POP3 ?  
Alternatively, there is a POP3 'collector' in Exchange I think ?
 

Author Comment

by:arcascomp
ID: 10953266
Tim,

I could, and probably will at some stage host my own email, but at the moment the office is shared and therefore there is email coming in for various email accounts across several domains. I want to leave it as POP3 just now so there's a good backup if I screw up :-)

Exchange unfortunately doesn't have a POP3 collection facility. It's only available with the modified Small Business Server versions. I have the full version so no joy there. I also like the idea of keeping the virus/spam filtering away from the actual Exchange server.

Does the ISA server wizard assume Exchange webmail is on a separate box or on the same machine as the ISA software?
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 200 total points
ID: 10957451
The ISA server wizard will do either.

Something like this would be a good start:

Internet
|
Firewall---------- Webmail server/IIS, VPN server, SMTP gateway
|
Inside
AD
Exchange 2003
ISA Server

There are some POP3 connectors here:

http://www.msexchange.org/software/POP3_Downloaders/

Plus the connector for SBS 4.5 that we've discussed above (for reference...)

http://www.microsoft.com/technet/prodtechnol/sbs/45/downloads/pop3sbs.mspx

Maybe SBS 4.5 would be a better way to go ?  Comes with ISA and the POP3 software ?

 

Author Comment

by:arcascomp
ID: 10958336
Hmmm, already got licenses for Exchange and ISA, not going to buy more licenses!

Exchange 2003 needs to be on the webmail server if I use the MS OWA stuff. Therefore the Exchange server would have to end up in the DMZ. Other option would be to use a.n.other webmail facility, but I want it to look and feel like an outlook client, including the functionality of a full outlook client, not just email access.

IPCop should do the VPN serving for me as I want to VPN to the green network, not the orange one. I'm guessing I'll need a setup like:

Internet
|
Firewall (VPN) -------Exchange/IIS/Webmail/ISA
|
AD, Pop Collector, mail virus/spam filter, FAPS.

I realise that putting extra services on a firewall can open vulnerabilities, but I'm wondering if it would be better to kill spam and viruses at the firewall rather than letting that rubbish into the Green (or maybe Orange) network.

Any ideas on what ports I'll need open between the AD and the Exchange servers? I know it's possible for Outlook 2003 to connect via port 443 so I could open that for the clients but it might be better for MAPI traffic to be allowed. Not sure which is more secure.
 
LVL 9

Accepted Solution

by:
_GeG_ earned 200 total points
ID: 11022973
Hi,

I think the easiest would be to forward your external emails to your DMZ SMTP server,
i.e.: you have a mailbox at provider xyp: office@yourdomain.com
Now create a DNS entry internal.yourdomain.com, let it point to your firewall.
Tell xyp to forward all email to office@yourdomain.com -> office@internal.yourdomain.com. So you don't have to run a POP collector, but the email is coming via SMTP to your firewall. Now let the firewall do its thing (inspection, whatever...) and forward port 25 to a Linux box (smtpbox) in the DMZ.

internet
|
firewall--DMZ(smtpbox)
|
exchange, internal net

The smtpbox runs postfix (my choice ;)) on Linux. Here you have amavisd_new with spamassassin as antispam and with f-prot as antivirus, and also a few postfix built-in anti-UCE features (my choice ;)). If the mail is no spam and no virus, send it to the internal net Exchange server (again SMTP). So all the emails are processed in the DMZ, and only sanitized mails get into the internal net.
Also I recommend using the smtpbox for outgoing traffic as the SMTP outgoing server. I have heard that sometimes in MS networks there happens to be a virus. This setup prevents it from spreading to the external network, a feature that every network should have.
Ok, when using this setup please pay attention that the postfix server on smtpbox has the actual userlist of the exchange server and only accepts mail for known users. This is to prevent a security problem, which can be used to flood unsuspecting victims (see http://www.techzoom.net/paper-mailbomb.asp).
You can do this by using http://www.unixwiz.net/techtips/postfix-exchange-users.html.
Every occurrence of (my choice ;)) can be replaced by (your choice ;)).
More useful urls:
postfix: http://www.postfix.org
spamassassin: http://www.spamassasin.org
amavisd_new: http://www.ijs.si/software/amavisd/
f-prot: http://www.f-prot.com/products/corporate_users/unix/
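The point in the accepted answer that most often gets skipped is the last one: the DMZ relay must know the real Exchange user list and reject everything else at RCPT time, otherwise it accepts mail for non-existent users, tries to deliver it inward, and then bounces it to whatever forged sender the spammer chose (the mailbomb paper linked above). The script below is an added example, not code from the thread or from the unixwiz page it links; it assumes a constructed AD export of mail-enabled users (the real one would come from an LDAP query against the domain controller), assumes the two relay domains named in the answer, and writes the Postfix `relay_recipient_maps` text-table format (`address OK`). The `recipient_decision` function then mimics the accept/reject outcome the relay gives for a RCPT TO address, so you can see the difference between a relay-denied, a user-unknown and an accepted recipient before you trust the box with live mail.

```python
"""Added example: build a Postfix relay_recipient_maps table from an
Exchange/AD user export and show the RCPT TO decision the DMZ relay makes.

Assumptions (not from the thread): the export is a list of
(samAccountName, proxyAddresses) pairs; relay domains are
yourdomain.com and internal.yourdomain.com; reply texts follow the
usual Postfix wording but are approximations for illustration.
"""

# Constructed sample export of mail-enabled AD accounts (not real data).
AD_EXPORT = [
    ("craig", ["craig@yourdomain.com", "craig@internal.yourdomain.com"]),
    ("office", ["office@yourdomain.com", "Office@Internal.YourDomain.com"]),
    ("postmaster", ["postmaster@yourdomain.com"]),
]

# Domains the smtpbox is allowed to relay inward (Postfix relay_domains).
RELAY_DOMAINS = {"yourdomain.com", "internal.yourdomain.com"}


def normalize(address):
    """Strip whitespace and an optional <...> envelope wrapper, then
    lower-case: domains are case-insensitive and Postfix folds lookup
    keys to lower case."""
    address = address.strip()
    if address.startswith("<") and address.endswith(">"):
        address = address[1:-1]
    return address.lower()


def build_relay_recipient_map(export, relay_domains):
    """Return sorted, de-duplicated lines for a relay_recipient_maps
    hash table.  Only addresses inside the relay domains are emitted;
    any other proxyAddresses entry (X.400, third-party domain) is
    dropped so the relay never claims to accept mail it cannot deliver."""
    lines = set()
    for _account, addresses in export:
        for addr in addresses:
            addr = normalize(addr)
            local, sep, domain = addr.rpartition("@")
            if sep and local and domain in relay_domains:
                lines.add(f"{addr}\tOK")
    return sorted(lines)


def load_map(lines):
    """Parse the table back into a dict, as postmap/Postfix would see it."""
    table = {}
    for line in lines:
        key, _, value = line.partition("\t")
        table[key] = value
    return table


def recipient_decision(rcpt_to, relay_domains, recipient_map):
    """Mimic the relay's answer to RCPT TO:<rcpt_to>.

    Returns (smtp_code, text):
      554 if the domain is not one we relay for (open-relay attempt),
      550 if the domain is ours but the user is unknown (would otherwise
          become backscatter / a mailbomb on the forged sender),
      250 if the address is in the Exchange user table.
    """
    addr = normalize(rcpt_to)
    _local, sep, domain = addr.rpartition("@")
    if not sep or domain not in relay_domains:
        return 554, f"5.7.1 <{addr}>: Relay access denied"
    if recipient_map.get(addr) != "OK":
        return 550, (f"5.1.1 <{addr}>: Recipient address rejected: "
                     "User unknown in relay recipient table")
    return 250, "2.1.5 Ok"


if __name__ == "__main__":
    table_lines = build_relay_recipient_map(AD_EXPORT, RELAY_DOMAINS)
    print("\n".join(table_lines))           # what you would feed to postmap
    table = load_map(table_lines)
    for rcpt in ("<Office@Internal.YourDomain.com>",
                 "nobody@yourdomain.com",
                 "victim@example.net"):
        print(rcpt, "->", recipient_decision(rcpt, RELAY_DOMAINS, table))
```

On a real smtpbox the emitted lines go to a file named in `relay_recipient_maps = hash:/etc/postfix/relay_recipients`, followed by `postmap` on that file; regenerating it on a schedule from AD is what keeps the relay's idea of "known user" in step with Exchange, which is the problem the linked unixwiz page solves.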
 
LVL 7

Expert Comment

by:shahrial
ID: 11024607
arcascomp,
> I presume these AV gateway/firewalls, will still need a pop3 collector software running inside the system to create the mail
> traffic to scan. Any suggestions on good systems to collect the pop3 mail and forward onto Exchange?

Not really...you put the Fortigate just behind your firewall. Working in 'transparent mode', you do not need to modify your routes.
It will inspect all incoming and outgoing packets depending on your configurations and rule sets.
Currently I do not use a POP3 collector nor Exchange. Using Lotus iNotes webmail. All web connections are handled via an ISA server on the DMZ which will forward the traffic to an internal Lotus Domino Mail server.
 
> Also, what's the normal going rate for one of these boxes?
1.) Annual subscription for the box which includes (AV definitions, IDS, firmware...etc.).



 

Author Comment

by:arcascomp
ID: 11161439
Thanks to all for your comments. I'm gonna try GeG's approach so I've accepted his answer, but Tim's points are also very helpful so I've given him as many points.

Shahrial's comments are also correct, just not going in the general direction I'm heading (so far anyway). I feel that there was a bit more info from the other two posters so gave them the lion's share.

Sorry for taking so long to close this - can't believe so much time has gone by already!
 
LVL 9

Expert Comment

by:_GeG_
ID: 11180211
Hi arcascomp,

I just received a mail that I got points :D. And because of that I reread the posts again. There is a mistake in my post:
[quote from you]Exchange 2003 needs to be on the webmail server if I use the MS OWA stuff. Therefore the Exchange server would have to end up in the DMZ. Other option would be to use a.n.other webmail facility, but I want it to look and feel like an outlook client, including the functionality of a full outlook client, not just email access.[endquote]

I missed that you need to have access to the exchange server from outside. So please don't put it into the internal network. Make a second DMZ.

Internet
|
Firewall-------+-------- DMZ1 (smtpbox)
|              |
|              +-------- DMZ2 (exchange)
|
Intranet

with those rules:
25 on firewall goes to 25 DMZ1
25 from DMZ1 goes to 25 DMZ2
80 on firewall to 80 DMZ2
And the rest like planned before.
 

Author Comment

by:arcascomp
ID: 11180660
Thanks dude!