Advice About Network Design and Security

ifabrizio · ‎09-18-2008

Dear All,

I have the following network scenario:

An Internal Mail server that forward the mail messages to an external sendmail server that send/receive the mails from Internet.

Between the two mails servers starting from the inside, there are a L3Switch that act like bridge among the internal networks subnets 172.16.0.0/22 where is connected the internal mail server .161.

The L3Switch is connected to the first Pix on the inside interface, and it is connected to the second Pix inside interface by its Dmz interface.The second pix has connected on the outside interface the ISP router, and on its DMZ the sendmail server that has a public ip 84.184.164.83/29.

My question is:

From a security point of view, how is important that the internal and external mail server do not has routing informations about the external and internal networks ?I have configured the second pix to perform a port redirection in this way:

static (dmz,inside) tcp 172.16.243.1 smtp 84.184.164.83 smtp netmask 255.255.255.255

The internal mail server forward the mail to 172.16.243.1 the pix apply the static, perform the port redirection to 84.184.164.83.

Than I have added also:

static (dmz,inside) 172.26.243.1 84.184.164.83 netmask 255.255.255.255

In this way the pix perform the outside nat so the source address is changed from 84.184.164.83 to 172.26.243.1,so I have configured on the external mail server the 172.26.243.1 instead of the real ip.

cleidh_mor · ‎09-21-2008

Hi,

I'm not sure about best practice in this area, but I think it's safe to say that the less information that's available on your externally reachable devices, the better. I think your config is sound, but if possible, it's a good idea to retrict access to the smtp port of your external mail server to trusted hosts.

Cheers,