>
I am totally in sync with what Marc says; we use a rather similar network to the one
he describes, with TIS-FWTK, sendmail and Squid. I second this opinion.
>
> First sendmail and Squid should be treated independently. Squid will not
> use the masquerading because this is working as a proxy service on your
> firewall. I have strong doubts about this approach though because Squid is
> *NOT* a trusted application suitable for a firewall (although it is not
> easy to misuse it, it can be done). What you need to do if you want to
> also support SMTP is to add an SMTP tunnel or better an SMTP proxy in your
> firewall. Start looking at the TIS firewall toolkit. This has a good
> implementation of a trustworthy SMTP proxy. I suggest you also move Squid
> away from the firewall and install it on a separate machine and let the
> firewall be a firewall. Installing large beasts on a firewall is generally
> bad practice. If you look at genuine firewall proxies they are pretty slim.
> That means that it is easy(er) to prove that they are without security
> flaws. A large code-base (like Squid and Sendmail) is difficult.
>
> I suggest you approach the firewall thing in a few steps:
>
> 1) Do any filtering on IP, UDP and TCP on the device that is best suited for
> this purpose. The router.
> 2) Maintain strict access controls to your servers.
> 3) Be very sure that your servers are secure. A firewall does not help much
> if the services on your servers can be mis-used. (I have an E-mail Trojan
> concept that will get access to systems through almost all firewalls)
> 4) If you still have to, add a good firewall that you understand/trust.
> 5) Never forget to install logging tools on your router, firewall and
> servers that log on an isolated 99.999% safe server (read no other
> services) that stores the logs for a long time.
> 6) Read the logs and assess what is happening (build scripts to help you)
> 7) Finally assess your security policy regularly and update security if needed.
>
> >This mail may seem annoying to a lot of you people but I have a difficult
> >situation to handle so I request the kind-hearted people to help me out of
> >this situation. If there are any HOW TO pages for these kinds of situations
> >please can you tell me?
> >
> >
> >thanx in advance
> >
> >Senthil Marian
>
> --------------------------------------------------------------------
> Marc van Selm
> NATO C3 Agency
> Communication Systems Division, A-Branch
> Tel: +31 70 3142454
> E-mail: marc.van.selm@nc3a.nato.int (PGP capable)
> --------------------------------------------------------------------
> Private: selm@cistron.nl, selm@het.net, http://www.cistron.nl/~selm
--
------------------------------------------------------------------------
Vishal Khanna
Ampersand Info-Tech Pvt. Ltd
phone: +91(0) 11 6826382
New Delhi, INDIA
fax: +91(0) 11 6826383
http://www.aitpl.com
email: vishal.khanna@aitpl.co.in
------------------------------------------------------------------------
Received on Wed Apr 04 2001 - 03:12:06 MDT
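Steps 5 and 6 of the quoted advice (an isolated loghost, and scripts to read what it collects), as an added Python example that is not code from this thread, from TIS FWTK or from Squid: it reviews constructed syslog lines in an invented format, counts router denies per source, flags a source that probed several distinct ports, and flags a reporting host that stopped sending logs to the loghost, which is itself worth a look.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what a router, the firewall and a proxy host might forward
# to the loghost; the formats are illustrative, not real router/FWTK/Squid output.
SAMPLE_LOG = """\
Apr  4 03:10:01 router acl: deny tcp 203.0.113.7:4123 -> 192.0.2.25:25
Apr  4 03:10:02 router acl: deny tcp 203.0.113.7:4124 -> 192.0.2.25:110
Apr  4 03:10:03 router acl: deny tcp 203.0.113.7:4125 -> 192.0.2.25:143
Apr  4 03:10:04 router acl: deny tcp 203.0.113.7:4126 -> 192.0.2.25:8080
Apr  4 03:10:09 router acl: deny udp 198.51.100.9:53 -> 192.0.2.25:53
Apr  4 03:11:00 fw smap[512]: connect host=mail.partner.example/198.51.100.4
Apr  4 03:11:30 proxy squid[77]: TCP_MISS/200 GET http://www.example.org/
Apr  4 03:39:10 proxy squid[77]: TCP_HIT/200 GET http://www.example.org/a.html
Apr  4 03:40:00 router acl: deny tcp 203.0.113.7:4130 -> 192.0.2.25:22
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
DENY_RE = re.compile(r"deny \w+ (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)")

def parse_ts(stamp, year=2001):
    # syslog stamps carry no year; assume the archive year
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def review_logs(text, scan_ports=3, quiet_minutes=20):
    """Denied packets per source, probe-like sources, and hosts that went silent."""
    deny_count = Counter()            # source ip -> number of denied packets
    ports_hit = defaultdict(set)      # source ip -> distinct destination ports
    last_seen = {}                    # reporting host -> last log timestamp
    newest = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # unparsable line; not handled here
        ts, host, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        newest = ts
        last_seen[host] = ts
        d = DENY_RE.search(msg)
        if d:
            deny_count[d.group(1)] += 1
            ports_hit[d.group(1)].add(int(d.group(2)))
    return {
        "deny_counts": dict(deny_count),
        # one source touching many different ports looks like a probe, not a mistake
        "scanners": sorted(ip for ip, p in ports_hit.items() if len(p) >= scan_ports),
        "quiet_hosts": sorted(h for h, ts in last_seen.items()
                              if (newest - ts).total_seconds() > quiet_minutes * 60),
    }
```

Run `review_logs(SAMPLE_LOG)` to get the summary; on the sample it reports 203.0.113.7 as a scanner and "fw" as the host that went quiet.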