Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I have a client that wants to save some money and would like to combine their e-mail server with squid/proxy server. I view that as a major security issue given that if the proxy server is comprised then then have access to their e-mail server as well. Can someone give me some feedback regarding the security risk in this type of setup.
Distribution: More are running on my datacenter depends on HW.
Posts: 12
Thanked: 0
Hello, yes I agree with you.
Normally the proxa server should be a part of the DMZ, the email server is to critical and should be protected by another firewall (for exemple put it in the normal server LAN).
To resume:
- for Proxy, one firewall level is enough;
- for e-mail, two firewall level should be used.
Distribution: Suse , Fedora, CentOS, Mandrake, Solaris 8-10, Ubuntu, Debian
Posts: 1,513
Thanked: 0
Original Poster
PHP Code:
T1/ISP Router
|
|
|
|
Cisco 2811 router--------------------------DSL/Router
| |
| |
| Dell Switch
| |
| |
3com Switch/Dell Switch VLAN 10/192.168.5.0
| |
| VLAN 2/192.168.3.0 |
| |
MS Mail Server MS Server
| |
| |
Web Server Guests
This is the network setup. you can clearly see that they dont have anything placed in a DMZ and just relying on VLANs. What would be the best way to secure this network with adding a proxy server?
You managed to answer one third of what I asked for (-access use, -security measures). VLAN's are Layer 2 "logic" while DMZ means (or should mean AFAIK) physical separation. However, clouding things over, in your OP you also stated that the client has money issues. Finally the question you ask here: ""secure" network utilising proxy?" is fundamentally different from your OP of "risk of combining proxy with MTA". So, all taken into account, if the (vulnerable) Mail Store must not be accessed from the outside then one suggestion could be to use a forwarding MTA in the DMZ. This forwarding MTA could be combined with a proxy since it only forwards e-mail and doesn't store anything. As an aside, maybe separating VLAN's by purpose (servers, users, guests) could make things more efficient (in terms of management) and help avoid mixing devices with disparate security postures.
Distribution: Suse , Fedora, CentOS, Mandrake, Solaris 8-10, Ubuntu, Debian
Posts: 1,513
Thanked: 0
Original Poster
PHP Code:
T1/ISP Router | | | | Cisco 2811 router--------------------------DSL/Router | | | | | Dell Switch | | | | 3com Switch/Dell Switch VLAN 10/192.168.5.0 | | | VLAN 2/192.168.3.0 | | | MS Mail Server MS Server | | | | Web Server Guests
So basically what you are trying to say is it would be better to place a forwarding e-mail server in the DMZ and configure the router/firewall to forward traffic appropriately. Would I place the proxy server in between the T1/ISP router and the Cisco 2811 or behind the 2811?
PHP Code:
T1/ISP Router | Proxy Server | | Cisco 2811 router/Firewall----------------DSL/Router | | | | |<<<<<<<<<<<<<<<<<<<<DMZ<<<<<< Dell Switch | | | | | | 3com Switch/Dell Switch Forwarding VLAN 10/192.168.5.0 | Email | | VLAN 2/192.168.3.0 Server | | | | MS Mail Server>>>>>>>>>>>>>>>>>>>| MS Server | | | | Web Server Guests
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
