Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Firewall Implimentation - Recomendations
Special Forums Cybersecurity Firewall Implimentation - Recomendations Post 302090093 by DraconianTimes on Friday 22nd of September 2006 10:55:14 AM
Old 09-22-2006
Quote:
Originally Posted by pathological
We use MS EXchange and Active Directory *Cries*. We have Norton 9 Pro on the exchange server which does active scans of workstations throughout the network as well as in coming e-mails ... Question... i am assuming that if OpenBSD 1 fails, signal is still coming from OpenBSD 2, which will allow the network to remain online. Obviously if Hardare firealla fails it all goes down, but nothing we can do about that at presant. And when you say switch 1 and 2 that is just generic names, since they are all on the 2 network right? No matter how we look at it, there is redundat signal coming in PAST the first hardware firewall point. (Looks good, nice and clean).
Windows/AD/Exchange does not have to be a security nightmare - provided you patch, configure and administer the boxes properly (and that advice goes for ALL systems). You would benefit from checking that you have a secure baseline build for your Win2k/2k3 boxes (maybe use the NSA SNAC hardening guides?) and a proper patching mechanism in place (e.g. SUS or SMS). Configuration change management and proper documentation should be order of the day across ALL corporate systems.

If you're sending/receiving mails to/from outside, you should be running an SMTP proxy in a firewalled DMZ - this allows you to trap mails and scan them for the nasties, before they reach your exchange server. Again, OpenBSD running Postfix, ClamAV and SpamAssasin would be well placed here. Same goes for your web traffic - setup Squid on another box in the DMZ and inspect all traffic - ban your prohibited file types there. Log mails/web traffic which violates policy and set the systems to mail your admin team.

The diagram I attached above was how I saw what you described. It isn't necessarily the best way to go. Personally, I would remove the "hardware firewall" and let the OpenBSD boxes be your firewalls/routers to the outside world, then configure some DMZs for the semi-public services such as web servers and mail/web proxies. If you're on dialup, attach a modem to each OpenBSD firewall yourself and let it handle the dialup needs during failover. If you have DSL/leased line, speak to your ISP and see if they can supply you with some sort of redundancy at that point (maybe even an ISDN backup for your fixed link) with an upgraded device. Also consider two separate ISPs to provide services, in case one goes belly up.

Nick
 

9 More Discussions You Might Find Interesting

1. Cybersecurity

What Firewall do you use?

Just out of curiosity, I see a lot of people here use Linux IPTables as their firewall. Anyone here use something else like OpenBSD PF or *BSD IPF, IPFW? I'm quite fond of OpenBSD and their Packet Filters. I find their syntax much easier to manage and from my personal experience, I find them... (5 Replies)
Discussion started by: tarballed
5 Replies

2. Cybersecurity

Looking Out from Behind a Firewall

Would it be possible to restrict access to internet pages in the following way? A machine: IP = 128.1.17.123 Only pages from domains of the type "go.jp" and "ne.jp" are viewable. All others are not viewable or only partly viewable. B machine: IP = 128.1.17.146 Regardless of the domain... (4 Replies)
Discussion started by: mntamago
4 Replies

3. UNIX for Dummies Questions & Answers

Firewall Box

I am a novice to linux and unix and command line, I am willing to jump in head first. I have a couple older computers, one is a dell XPS with a P2 Proccessor and th other is a old old sony VIAO. I have a small home network 3 computers...i have my DSL modem then thats connected to my wireless... (2 Replies)
Discussion started by: Tabryan07
2 Replies

4. Shell Programming and Scripting

crone job implimentation

I wanted to enable one shell script in the cronetab,how to do crone tabe enabling pl help me:( regards, ramesh (1 Reply)
Discussion started by: Ramesh Vellanki
1 Replies

5. Cybersecurity

help with firewall

hi everyone I am a newbee to firewall scripting. cannot understand how to write rules per host. in ip6tables. anyone plz:( (2 Replies)
Discussion started by: xecutioner
2 Replies

6. AIX

Firewall

:b:Hi,, How do configure firewall in aix.. similar to linux iptable. Rgards, k.sumathi. (3 Replies)
Discussion started by: sumathi.k
3 Replies

7. SuSE

Firewall

Is there a command line interface to the firewall? (4 Replies)
Discussion started by: jgt
4 Replies

8. Linux

Firewall?

Dear All I have put my windows machine behind my centos firewall server with just one NIC. At now, the windows machine can ping 192.9.9.3 but cannot resolve valid url (like www.google.com). I have set DNS for it as well. Can you please let me know what is the missing step? Thank you (6 Replies)
Discussion started by: hadimotamedi
6 Replies

9. Cybersecurity

Firewall

Hey Guys, I am looking for a good firewall software to implement in medium/large office, with at least 150 users. I was hopping you guys could help me on this one. Regards, (4 Replies)
Discussion started by: andrevicente
4 Replies

LEARN ABOUT SUNOS

tc-fw

Firewall mark classifier in tc(8)				       Linux					 Firewall mark classifier in tc(8)

NAME

       fw - fwmark traffic control filter

SYNOPSIS

       tc filter ... fw [ classid CLASSID ] [ action ACTION_SPEC ]

DESCRIPTION

       the fw filter allows to classify packets based on a previously set fwmark by iptables.  If it is identical to the filter's handle, the fil-
       ter matches.  iptables allows to mark single packets with the MARK target, or whole connections using CONNMARK.	The benefit of using  this
       filter  instead of doing the heavy-lifting with tc itself is that on one hand it might be convenient to keep packet filtering and classifi-
       cation in one place, possibly having to match a packet just once, and on the other users familiar with iptables but not tc will have a less
       hard time adding QoS to their setups.

OPTIONS

       classid CLASSID
	      Push matching packets to the class identified by CLASSID.

       action ACTION_SPEC
	      Apply an action from the generic actions framework on matching packets.

EXAMPLES

       Take e.g. the following tc filter statement:

	      tc filter add ... handle 6 fw classid 1:1

       will match if the packet's fwmark value is 6.  This is a sample iptables statement marking packets coming in on eth0:

	      iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 6

SEE ALSO

       tc(8), iptables(8), iptables-extensions(8)

iproute2							    21 Oct 2015 				 Firewall mark classifier in tc(8)
All times are GMT -4. The time now is 04:40 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy