arcascomp asked:

Recommendations and experience required - Firewalls/*nix/M$ security combined!

Okay, this one's gonna cause some flak as I'm looking for people's opinions and experiences, so might have to spread some points around. I realise that everyone is welcome to their opinions, as long as they agree with mine *8-) This is almost an exact repeat of a question I've posted under networking/email as this question is relevant to both topics. I'll link the two later for anyone looking for similar info.

Therefore please don't get into flaming each other over better Linux distros, M$ vs *nix, etc.

Okay - I'm currently setting up a new environment in my office and I am fishing for ideas on the best security for the system. I have a number of servers and licenses for Exchange 2003 and Windows Server 2003 (enough for two installations and no more) and also a license for ISA Server. I am a Windows support chap by profession so I'm going to use Exchange for the main office email system, Outlook will be the preferred client and Windows 2003 will be used for general file serving, print serving and user authentication.

The methods of securing the environment from the big bad internet are still up for grabs - I currently have an idea to install a copy of the Linux distro IPCop to provide a secure inner system for the FAPS/AD controller and a DMZ to house the webmail services (and therefore the Exchange server as far as I'm aware).

The email is currently being supplied by a variety of POP3 mailboxes so I will need to collect that mail and forward it to the Exchange server as SMTP traffic. My preference is to virus and spam filter that mail traffic before it even hits the mail server. Any ideas on fetchmail/SpamAssassin/etc. for this work?

I would also like to keep my Exchange server as hidden as possible while still retaining a recognisable Exchange-style webmail interface, as we all know how the vulnerabilities of any M$ system get published so frequently (note I'm not stating there are more or less of these, just they tend to get a lot of exposure on the net). I am not averse to an open-source system to host webmail as long as the end users will feel as if they are still getting the full access to their Exchange account (contacts, calendaring as well as email).

So, my initial thoughts were:

Web traffic to the IPCop box that would only forward inbound connection requests on port 443 to the Exchange DMZ box for the webmail interface (also for remote Outlook 2003 clients) and refuse any other ports completely. I knew one guy once that had a firewall that captured the IP address of anyone trying to attach to definitely blocked ports and then added them to the blacklist if they tried more than once to connect on them - i.e. automatic deny to any port scanners out there - seems a nice feature.

IPCop would also host the VPN connections for IPSec traffic from remote office staff. Any suggestions of how I can keep this completely tight as a duck's a*$£ are welcome.

An internal server (may well be a Linux box - Windows licenses do cost money after all) will repeatedly poll the pop3 mailboxes and feed through a decent virus and spam filtering system and then forward via SMTP to the Exchange server.

Outgoing mail will be delivered straight out to the internet from Exchange directly.

I could also double protect the Exchange server with ISA as I have a legal copy, but I have run out of Windows Server licenses to host it! How much value would there be in putting ISA on the Exchange server to be double protected? Overkill?

So - any suggestions for improvement, preferred packages for mail collect/spam/virus filter and forward. Or just recommendations/links to best methods of setups and examples of various products?

I'm open to anything really, just don't want my office to be! I'm also looking for the lower cost options (i know, time is money as well, but it can sometimes be easier to come by!)

I'm also currently mostly a Microsoft person, but I would like to understand a lot more about Unix so even though my proposal may seem excessively complex, I want to use it as a learning experience as well.

Many thanks in advance and apologies for the length of this post...
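The "automatic deny to any port scanner" idea from the question above, as an added example that is not part of the thread and not IPCop's own code. It reads netfilter DROP log lines from the firewall, counts how many blocked ports each outside host has probed, and returns the iptables commands that would blacklist any host seen more than once. The sample log lines, the "DROP" log prefix, the red interface name, the chain name and all addresses are constructed for illustration. One caveat the post does not mention is built in: sources in RFC 1918 or loopback space are never blacklisted, because a spoofed private source address on the outside interface would otherwise let an attacker lock your own networks out.

```python
"""Auto-blacklist hosts that keep probing ports the firewall already drops.

Added example: not part of the thread or of IPCop. Log format, interface
name, thresholds, chain name and addresses are assumptions for illustration.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

RED_IFACE = "eth1"            # assumed name of the internet-facing interface
DROP_PREFIX = "DROP"          # assumed --log-prefix on the final DROP rule
BLACKLIST_CHAIN = "BLACKLIST" # assumed chain jumped to early in INPUT/FORWARD

# Never blacklist these: a spoofed private source on the red interface must
# not be able to lock out our own green/orange networks.
NEVER_BLACKLIST = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("127.0.0.0/8"),
]

# Constructed sample in the usual netfilter syslog shape (not real traffic).
SAMPLE_LOG = """\
Jan  5 10:01:02 ipcop kernel: DROP: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Jan  5 10:01:02 ipcop kernel: DROP: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=135 SYN
Jan  5 10:01:03 ipcop kernel: DROP: IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=3389 SYN
Jan  5 10:01:05 ipcop kernel: DROP: IN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=25 SYN
Jan  5 10:02:10 ipcop kernel: ACCEPT: IN=eth1 OUT=eth2 SRC=192.0.2.44 DST=10.10.1.5 PROTO=TCP SPT=52000 DPT=443 SYN
Jan  5 10:03:00 ipcop kernel: DROP: IN=eth1 OUT= SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=52001 DPT=80 SYN
Jan  5 10:03:00 ipcop kernel: DROP: IN=eth1 OUT= SRC=10.10.2.3 DST=10.10.1.5 PROTO=TCP SPT=33000 DPT=445 SYN
Jan  5 10:03:01 ipcop kernel: DROP: IN=eth1 OUT= SRC=10.10.2.3 DST=10.10.1.5 PROTO=TCP SPT=33001 DPT=139 SYN
"""

LINE_RE = re.compile(
    r"(?P<prefix>\S+): IN=(?P<iface>\S*) OUT=\S* SRC=(?P<src>[\d.]+) "
    r"DST=\S+ PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_drops(log_text, iface=RED_IFACE, prefix=DROP_PREFIX):
    """Yield (src, dport) for every dropped packet that arrived on `iface`."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("prefix") == prefix and m.group("iface") == iface:
            yield m.group("src"), int(m.group("dpt"))


def is_exempt(src):
    """True for sources we must never blacklist (our own address space)."""
    addr = ip_address(src)
    return any(addr in net for net in NEVER_BLACKLIST)


def find_offenders(log_text, threshold=2):
    """Outside hosts with at least `threshold` dropped probes.

    threshold=2 is the post's 'tried more than once'. Returns
    {src: {"hits": n, "ports": [sorted distinct ports probed]}}.
    """
    hits = Counter()
    ports = {}
    for src, dport in parse_drops(log_text):
        if is_exempt(src):
            continue
        hits[src] += 1
        ports.setdefault(src, set()).add(dport)
    return {src: {"hits": n, "ports": sorted(ports[src])}
            for src, n in hits.items() if n >= threshold}


def blacklist_rules(offenders, chain=BLACKLIST_CHAIN):
    """iptables commands to run on the firewall; returned, not executed."""
    return [f"iptables -I {chain} -s {src} -j DROP" for src in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for src, info in found.items():
        print(f"{src}: {info['hits']} probes on ports {info['ports']}")
    print("\n".join(blacklist_rules(found)))
```

On the sample, only 203.0.113.7 (three different ports) is listed; 203.0.113.9 and 192.0.2.44 each hit a blocked port once, and the 10.10.2.3 probes arriving on the red interface are ignored as a spoofed private source. In production the blacklist chain needs an expiry (cron job or `ipset` with timeouts), otherwise the table only ever grows and a single spoofed SYN from a legitimate peer's address can silence that peer for good.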
SOLUTION from shahrial (Singapore)
This solution is only available to members.
http://www.fortinet.com/
Oops! Sorry, wrong website in previous comment.
Tim Holman:
Use ISA server to publish Outlook Web Access.  There's a built-in wizard for doing this.
arcascomp (asker):

Tim,

I'd heard this about ISA - I was a bit concerned about running both on the same box; normally I'd advocate firewalls being firewalls and mail servers being mail servers. As I'm thinking of sticking IPCop or likewise (shahrial - will look into the Fortinet range, thanks - not your company is it? ;-) in front, my concerns about exposing the mail server/weakening the firewall features by combining are reduced. Will they actually coexist on the same box anyway?

Anyone got any views on popmail retrieval like fetchmail spam/virus killers?

Ta

shahrial:
No, it's not mine, not selling it either. I just found it to be a great product. Deployed a few of these, cheaper than any other AV gateway products, with good features and performance. Did I mention that it's a firewall product...;-) I used it to protect my HTTP mail server too...

arcascomp (asker):
Shahrial,

I presume these AV gateway/firewalls will still need a POP3 collector software running inside the system to create the mail traffic to scan. Any suggestions on good systems to collect the POP3 mail and forward on to Exchange?

Also, what's the normal going rate for one of these boxes?

Cheers,

Craig.

Tim Holman:
Why not host your own mail server, instead of POP3?
Alternatively, there is a POP3 'collector' in Exchange I think?

arcascomp (asker):
Tim,

I could, and probably will at some stage, host my own email, but at the moment the office is shared and therefore there is email coming in for various email accounts across several domains. I want to leave it as POP3 just now so there's a good backup if I screw up :-)

Exchange unfortunately doesn't have a POP3 collection facility. It's only available with the modified Small Business Server versions. I have the full version so no joy there. I also like the idea of keeping the virus/spam filtering away from the actual Exchange server.

Does the ISA server wizard assume Exchange webmail is on a separate box or on the same machine as the ISA software?
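The collect-filter-forward stage arcascomp keeps coming back to (POP3 collector, then spam and virus filtering, then SMTP into Exchange), as an added example that is not from the thread and is not fetchmail's or SpamAssassin's code. It covers the decision the relay has to make for each collected message: which Exchange recipient it belongs to, whether it was flagged as spam, and whether it carries an executable attachment. It assumes the collector hands each message over together with the address of the mailbox it was fetched from, that an upstream scanner has already stamped SpamAssassin's X-Spam-Flag header, and that the mailbox-to-recipient table, the Exchange host name and the three sample messages are invented for illustration.

```python
"""Filter-and-forward stage between a POP3 collector and Exchange.

Added example, not from the thread. Mailbox map, host names and sample
messages are invented; the spam verdict is read from an X-Spam-Flag header
that an upstream scanner (SpamAssassin convention) is assumed to have added.
"""
import os
import smtplib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Which Exchange recipient each collected POP3 mailbox feeds (assumed).
# Keyed by the address the external mailbox receives for, across the
# several domains the shared office collects from.
MAILBOX_TO_EXCHANGE = {
    "sales@example.co.uk": "sales@corp.example",
    "craig@example.org": "craig@corp.example",
}
EXCHANGE_SMTP = ("exchange.corp.example", 25)  # assumed internal relay target
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".bat", ".com", ".cpl"}


def route(raw, mailbox_addr):
    """Decide what to do with one collected message.

    Returns ("deliver", exchange_recipient) or ("quarantine", reason).
    Spam and blocked attachments are held back before Exchange ever sees them.
    """
    msg = message_from_bytes(raw, policy=default)
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        return ("quarantine", "spam")
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.lower())[1] in BLOCKED_EXTENSIONS:
            return ("quarantine", f"blocked attachment: {name}")
    rcpt = MAILBOX_TO_EXCHANGE.get(mailbox_addr.lower())
    if rcpt is None:
        # Unknown mailbox: hold it rather than guess a recipient inside Exchange.
        return ("quarantine", f"no Exchange recipient for {mailbox_addr}")
    return ("deliver", rcpt)


def forward(raw, rcpt, host_port=EXCHANGE_SMTP):
    """Hand a clean message to Exchange over plain SMTP (not run in the demo).

    The envelope sender is recovered from Return-Path (falling back to From)
    so bounces go to the original sender rather than to the collector.
    """
    msg = message_from_bytes(raw, policy=default)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]
    with smtplib.SMTP(*host_port) as smtp:
        smtp.sendmail(sender or "postmaster@corp.example", [rcpt], raw)


def build_samples():
    """Three constructed messages: clean, spam-flagged, executable attachment."""
    clean = EmailMessage()
    clean["From"] = "customer@mail.example"
    clean["To"] = "sales@example.co.uk"
    clean["Subject"] = "Quote request"
    clean.set_content("Could you send a quote for 20 seats?")

    spam = EmailMessage()
    spam["From"] = "noreply@bulk.example"
    spam["To"] = "sales@example.co.uk"
    spam["Subject"] = "Cheap pills"
    spam["X-Spam-Flag"] = "YES"
    spam.set_content("Buy now")

    virus = EmailMessage()
    virus["From"] = "friend@mail.example"
    virus["To"] = "craig@example.org"
    virus["Subject"] = "See attached"
    virus.set_content("Open the attachment")
    virus.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename="invoice.pdf.exe")
    return {"clean": clean.as_bytes(), "spam": spam.as_bytes(),
            "virus": virus.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        mailbox = str(message_from_bytes(raw, policy=default)["To"])
        print(label, "->", route(raw, mailbox))
```

The point of passing the mailbox address in explicitly is that POP3 strips the SMTP envelope: once a message sits in a shared-office mailbox, the only trustworthy record of who it was for is which mailbox it was fetched from, not the To header, which may name a list or a Bcc'd colleague. The extension check is a stop-gap for the "before it hits the mail server" requirement; a real virus scanner belongs in the same spot.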
SOLUTION
This solution is only available to members.

arcascomp (asker):
Hmmm, already got licenses for Exchange and ISA, not going to buy more licenses!

Exchange 2003 needs to be on the webmail server if I use the MS OWA stuff. Therefore the Exchange server would have to end up in the DMZ. Other option would be to use a.n.other webmail facility, but I want it to look and feel like an outlook client, including the functionality of a full outlook client, not just email access.

IPCop should do the VPN serving for me as I want to VPN to the green network, not the orange one. I'm guessing I'll need a setup like:

Internet
|
Firewall (VPN) -------Exchange/IIS/Webmail/ISA
|
AD, Pop Collector, mail virus/spam filter, FAPS.

I realise that putting extra services on a firewall can open vulnerabilities, but I'm wondering if it would be better to kill spam and viruses at the firewall rather than letting that rubbish into the Green (or maybe Orange) network.

Any ideas on what ports I'll need open between the AD and the Exchange servers? I know it's possible for outlook 2003 to connect via port 443 so I could open that for the clients but it might be better for MAPI traffic to be allowed. Not sure which is more secure.
ASKER CERTIFIED SOLUTION
This solution is only available to members.

shahrial:
arcascomp,
> I presume these AV gateway/firewalls, will still need a pop3 collector software running inside the system to create the mail
> traffic to scan. Any suggestions on good systems to collect the pop3 mail and forward onto Exchange?

Not really...you put the Fortigate just behind your firewall. Working in 'transparent mode', you do not need to modify your routes.
It will inspect all incoming and outgoing packets depending on your configurations and rule sets.
Currently I do not use a POP3 collector nor Exchange. Using Lotus iNotes webmail. All web connections are handled via an ISA server on the DMZ which will forward the traffic to an internal Lotus Domino Mail server.
 
> Also, what's the normal going rate for one of these boxes?
1.) Annual subscription for the box, which includes AV definitions, IDS, firmware, etc.

arcascomp (asker):
Thanks to all for your comments. I'm gonna try GeG's approach so I've accepted his answer, but Tim's points are also very helpful so I've given him as many points.

Shahrial's comments are also correct, just not going in the general direction I'm heading (so far anyway). I feel that there was a bit more info from the other two posters so gave them the lions share.

Sorry for taking so long to close this - can't believe so much time has gone by already!

Hi arcascomp,

I just received a mail that I got points :D. And because of that I reread the posts again. There is a mistake in my post:
[quote from you]Exchange 2003 needs to be on the webmail server if I use the MS OWA stuff. Therefore the Exchange server would have to end up in the DMZ. Other option would be to use a.n.other webmail facility, but I want it to look and feel like an outlook client, including the functionality of a full outlook client, not just email access.[endquote]

I missed that you need to have access to the exchange server from outside. So please don't put it into the internal network. Make a second DMZ.

Internet
|
Firewall_______
|            |         |
|            |      DMZ1 (smtpbox)
|     DMZ2 (exchange)
Intranet

with those rules:
25 on firewall goes to 25 DMZ1
25 from DMZ1 goes to 25 DMZ2
80 on firewall to 80 DMZ2
And the rest like planned before.
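The two-DMZ rule set above, as an added example that is not from the thread: a small model of the zones and the allowed flows, used to check before anything is typed into the firewall that a packet from the internet cannot reach Exchange on port 25 except via the SMTP box, and that neither DMZ can open connections into the intranet. It also prints the FORWARD rules that correspond to the policy. The zone addresses and interface names are assumed; port 443 is used for the Exchange DMZ in place of the port 80 written above, because the question specifies HTTPS-only access for OWA and remote Outlook; the AD-to-Exchange ports asked about earlier are left out, as the thread does not settle them.

```python
"""Model of the two-DMZ layout: internet -> DMZ1 (SMTP box) -> DMZ2 (Exchange).

Added example, not from the thread. Addresses, interface names and the
choice of 443 (the question's HTTPS-only plan) over port 80 are assumptions.
"""
from ipaddress import ip_address, ip_network

ZONES = {                                    # assumed addressing
    "dmz1": ip_network("10.10.1.0/24"),      # smtpbox
    "dmz2": ip_network("10.10.2.0/24"),      # exchange / OWA
    "intranet": ip_network("10.10.3.0/24"),  # green: AD, file/print, clients
}
IFACES = {"internet": "eth0", "dmz1": "eth1", "dmz2": "eth2", "intranet": "eth3"}

# Allowed new connections (src zone, dst zone, proto, dport); all else dropped.
POLICY = [
    ("internet", "dmz1", "tcp", 25),    # inbound mail stops at the SMTP box
    ("dmz1", "dmz2", "tcp", 25),        # filtered mail handed on to Exchange
    ("internet", "dmz2", "tcp", 443),   # OWA / Outlook 2003 over HTTPS
    ("dmz2", "internet", "tcp", 25),    # outgoing mail straight from Exchange
    ("intranet", "dmz2", "tcp", 443),   # office clients reach OWA the same way (assumed)
]


def zone_of(ip):
    """Most specific zone containing ip; anything unmatched is 'internet'."""
    addr = ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best or "internet"


def allowed(src_ip, dst_ip, proto, dport):
    """Would the firewall forward a new connection src -> dst:dport?"""
    return (zone_of(src_ip), zone_of(dst_ip), proto, dport) in POLICY


def iptables_rules():
    """FORWARD-chain rules for the policy, returned as strings (not executed).

    The internet zone is identified by its interface rather than an address
    range, which is also what keeps spoofed 10.x sources on eth0 from
    matching an intranet rule.
    """
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src, dst, proto, port in POLICY:
        rules.append(
            f"iptables -A FORWARD -i {IFACES[src]} -o {IFACES[dst]} "
            f"-p {proto} --dport {port} -m state --state NEW -j ACCEPT"
        )
    rules.append("iptables -A FORWARD -j LOG --log-prefix 'DROP: '")
    return rules


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", "10.10.1.10", "tcp", 25),   # internet -> smtpbox: yes
        ("203.0.113.7", "10.10.2.10", "tcp", 25),   # internet -> exchange: no
        ("10.10.1.10", "10.10.2.10", "tcp", 25),    # smtpbox -> exchange: yes
        ("10.10.2.10", "10.10.3.10", "tcp", 445),   # exchange -> intranet: no
    ]
    for src, dst, proto, port in checks:
        print(f"{src} -> {dst}:{port}/{proto}: {'ALLOW' if allowed(src, dst, proto, port) else 'DROP'}")
    print("\n".join(iptables_rules()))
```

Because every rule is a new-connection rule in one direction and the default policy is DROP, a compromised SMTP box in DMZ1 can talk to Exchange on 25 and nothing else, and Exchange in DMZ2 has no path into the green network at all. Whatever the AD ports turn out to be, they need adding as explicit DMZ2 to intranet entries, and each one is a hole worth keeping to the minimum.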

arcascomp (asker):
Thanks dude!