Best practices behind firewall

Lakshman

Hello,
What would be the best practice to set up, say, a mail
server, web server, etc. behind a hardware firewall? I
guess the question I have is that if I want to set up, say,
MS Exchange server to host my company's email behind a
firewall, should I set up the mail server right after the
firewall and open the necessary ports on the firewall? Or
should I have a router and behind the router have, say, a
PIX firewall and then open the ports from the PIX to the
mail server? Are there any resources out there that I
can read? Any help or pointers in the right direction would
be greatly appreciated.
Lakshman,
 
Guest

This would depend upon your internet connection. I think you are probably wondering about something like DSL or cable. In this case the HW firewall may already have the appropriate internet connection. If not, then you will need some sort of first connection device, like a router. In any case, most FW mechanisms are also routers by default, and some routers can be FWs. After the firewall, the easy way to deploy something like an Exchange server behind a firewall is to use static port mappings. This, of course, would need to be delved into in more detail because of security concerns.
 
Guest

Common Enterprise-Level practice is to employ a 'Demilitarized Zone' whereby you have your firewall right at the front gates to the net, you have your servers directly behind the firewall, then you set up another firewall (or router) right behind the servers, with IPSec rules or IP Filtering.
                      _______________________
                      | Demilitarized zone: |
-----| Firewall |-----| E-Mail and Web      |-----| Firewall/Router |-----| Private Network |
                      | Servers             |
                      =======================

Using this setup your network is the most secure while still being fully functional - the firewall on the internet side only allows traffic through ports 25, 80, and 110 (SMTP, HTTP, and POP3 respectively) and even if someone uses one of the countless exploits in Exchange or IIS to hack your e-mail or web servers, the second firewall with the IPSec/IP Filtering makes it so the hackers only have access to your server boxes - all your private network resources are protected as they can only be accessed from your private subnet.
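
The two-firewall layout described in the post above can be modelled and checked as a small reachability audit. This is an added example, not part of the original thread; the addresses, the `reachable` and `audit` helpers, and the rule that lets LAN clients reach the DMZ servers are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing (assumption, not from the thread).
DMZ = ipaddress.ip_network("192.0.2.0/28")
PRIVATE = ipaddress.ip_network("10.0.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Each rule: (source net, destination net, allowed TCP ports).
# First match wins, default deny. Only NEW connections are modelled;
# reply traffic of an allowed connection is assumed to pass (stateful).
OUTER_FW = [(ANY, DMZ, {25, 80, 110})]       # Internet -> DMZ: SMTP, HTTP, POP3
INNER_FW = [(PRIVATE, DMZ, {25, 80, 110})]   # LAN clients -> DMZ (assumed rule)
CHAIN = [OUTER_FW, INNER_FW]                 # internet |outer| dmz |inner| private


def zone(ip):
    """0 = internet, 1 = DMZ, 2 = private network."""
    addr = ipaddress.ip_address(ip)
    return 2 if addr in PRIVATE else 1 if addr in DMZ else 0


def permits(rules, src, dst, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, ports in rules:
        if s in src_net and d in dst_net:
            return port in ports
    return False  # default deny


def reachable(src, dst, port):
    """A connection must pass every firewall between the two zones."""
    a, b = zone(src), zone(dst)
    crossed = CHAIN[min(a, b):max(a, b)]
    return all(permits(fw, src, dst, port) for fw in crossed)


def audit():
    """Check the properties the post claims for this layout."""
    internet, mail, pc = "203.0.113.9", "192.0.2.2", "10.0.0.20"
    low_ports = range(1, 1025)
    return {
        "internet_to_mail_smtp": reachable(internet, mail, 25),
        "internet_to_mail_rdp": reachable(internet, mail, 3389),
        "internet_to_lan": any(reachable(internet, pc, p) for p in low_ports),
        "compromised_dmz_to_lan": any(reachable(mail, pc, p) for p in low_ports),
        "lan_to_mail_pop3": reachable(pc, mail, 110),
    }
```

Adding a rule such as `(DMZ, PRIVATE, {445})` to `INNER_FW` flips `compromised_dmz_to_lan` to `True`, which is the kind of regression this check is meant to catch.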