[SunHELP] Configuration advice...
Sandwich Maker
adh at an.bradford.ma.us
Wed Oct 13 14:00:46 CDT 2004
" From: Marvin Cummings <MarvinC at gmail.com>
"
" Wondering if I can solicit some advice from the list on a setup I'm
" thinking about implementing? My network is currently configured as
" follows:
" BellSouth DSL service
" Linksys 4-port DSL router
" Windows 2003 Active Directory w/ an AD Integrated DNS zone
" ISA 2000 firewall server
" Windows 2003 web server
" Exchange 2003 mail server
" I have a Solaris Ultra Sparc 10 workstation and an intel box that I'd
" like to also install Solaris 8 on.
" The plan is to install and configure sendmail on one of these solaris
" systems and place it in front of my exchange server. This would allow
" me to remove the linksys router and possibly use Solaris as my sole
" firewall/router and sendmail as a relay for my exchange server.
" What I'd like to know is what others may think of using Solaris as a
" firewall/router with a DSL connection? I'm sure it can be used for
" other things but I'd like to know how effective it is as a router?
" Right now I have the ISA server acting as a firewall with the linksys
" in front of it. I'm not too happy about this configuration but can't
" afford a hardware firewall solution.
" If anyone has any documentation on configuring Solaris 8 as a
" firewall/router and sendmail on Solaris 8 as a relay for Exchange I'd
" really appreciate it. I'm using the Mastering Solaris 8 book published
" by Sybex to gather some solid info on this but welcome any responses
" or direction.
in addition to sunscreen there's also the very good but strictly
command-line ipfilter firewall/nat. http://coombs.anu.edu.au/ipfilter/
it's generally very bad form to do anything but firewalling - and
maybe proxying - on your firewall. the more it does, the more doors
you leave open for attack and infiltration; the less it does, the
easier it is to lock down. don't run sendmail on your firewall or do
firewalling on your sendmail box.
if you have the hardware --
two private nets, one public facing, one private.
on the public one:
1 mail server
1 web server
1 ftp server
public dns server[s]
etc.
on the private one:
desktops
internal servers
home directories
tools
internal web
internal dns
internal mail, using the public mailsrv as relay
etc
both nets firewalled from the internet -and- from each other. all
connection attempts from outside are either blocked or directed to
machines on the public-facing net; those machines cannot originate
connections into your private net.
why? even attackers can get into your web server for legitimate
queries. but they can't use ftp [for example] to break into it, and
if they do crack it they don't also get your mail or mailer and they
still face a firewall protecting your private data.
________________________________________________________________________
Andrew Hay the genius nature
internet rambler is to see what all have seen
adh at an.bradford.ma.us and think what none thought
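As an added example (not from the original post or the ipfilter project), an ipfilter ruleset for Solaris 8 that implements the two-net layout Andrew describes: default deny, only the published services admitted to the public-facing hosts, and no connection originated from the public-facing net into the private one. The interface names hme0/hme1/hme2, the public-facing net 192.0.2.0/24, the private net 10.0.0.0/24 and the host addresses are all assumed.

```conf
# /etc/opt/ipf/ipf.conf (assumed path) -- rules are read top to bottom and
# "quick" stops at the first match, so the default-deny rules only apply
# when nothing below has already passed the packet.
# Assumed interfaces: hme0 = DSL side, hme1 = public-facing net, hme2 = private net.
# Assumed addresses: 192.0.2.0/24 = public-facing net, 10.0.0.0/24 = private net.

# default: drop and log everything arriving on any interface
block in log all
# packets are filtered where they enter; replies are matched from the state table
pass out quick all
pass in quick on lo0 all

# anti-spoofing: nothing from the DSL side may claim one of our own networks
block in quick on hme0 from 192.0.2.0/24 to any
block in quick on hme0 from 10.0.0.0/24 to any

# from the Internet: only the published services, only to public-facing hosts
pass in quick on hme0 proto tcp from any to 192.0.2.10/32 port = 25 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.11/32 port = 80 flags S keep state
pass in quick on hme0 proto tcp from any to 192.0.2.12/32 port = 53 flags S keep state
pass in quick on hme0 proto udp from any to 192.0.2.12/32 port = 53 keep state
# (an ftp server is left out here: active ftp needs the ipnat ftp proxy as well)
# anything else from outside falls through to "block in log all"

# public-facing net: may reach the Internet (outbound mail, dns lookups),
# but must never originate a connection into the private net
block in log quick on hme1 from any to 10.0.0.0/24
pass in quick on hme1 proto tcp from 192.0.2.0/24 to any flags S keep state
pass in quick on hme1 proto udp from 192.0.2.0/24 to any keep state

# private net: may reach the Internet and the public-facing hosts;
# the internal mailer relays through 192.0.2.10 on port 25 like any other client
pass in quick on hme2 proto tcp from 10.0.0.0/24 to any flags S keep state
pass in quick on hme2 proto udp from 10.0.0.0/24 to any keep state
pass in quick on hme2 proto icmp from 10.0.0.0/24 to any keep state
```

Load it with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and watch the logged blocks with `ipmon` to confirm that a connection attempt from a public-facing host to 10.0.0.0/24 is dropped while its outbound traffic and the admitted inbound services still flow.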