Ironport placement in my network.


Greetings,

I've been using a C100 for quite a while and I love it.

We've always had some trouble with one of our public IPs being blacklisted in DUL.

We contacted our ISP and after months of troubleshooting they resorted to giving us another IP that doesn't have the same problem.

With our current configuration we can assign the IP to the C100, but we have to put it outside on the WAN link.

Is it safe to put the C100 in front of the firewall?

All management on the C100 is done from the inside, there is no FTP, Telnet, SSH, HTTP, HTTPS enabled on the public interface.

Thanks in advance for your time.

Ed

sspeerin Thu, 03/11/2010 - 13:05

It is not recommended to put the C100 in front of the firewall. Even though the appliance is hardened, you should put the appliance behind the firewall and port forward port 25 to the appliance. Ensure your firewall is not terminating port 25 and is just forwarding it on cleanly.

steven_geerts Tue, 04/06/2010 - 15:32

Hello,

As Shane stated, it is not recommended to place your device in an unprotected network. On the other hand, the device is known as an "e-mail firewall" and penetration tests always showed me that the devices are really closed (as long as you only enable SMTP on the interface).

Let's put it like this:

  1. Always make a proper security risk analysis.
  2. Consider the strength of your firewall. If it's a Linux firewall, please feel free to place your C series "unprotected" on the internet. If you have a heavy hardware firewall, try to find another solution.
  3. If you want, you can always protect your C series with a dedicated cheap firewall like Smoothwall (that is at least giving you information about the attacks you are blocking).
  4. Always make a proper security risk analysis ;-)

Steven

sspeerin Tue, 04/06/2010 - 17:11

If you do deploy the appliance as an email firewall, i.e. on an unprotected network, ensure the management interface is on a protected network.

There are no application-level security controls for authentication; brute forcing the admin password, as it is a known account, is a matter of time.

Therefore ensure the management interface is protected.

Cheers

Shane

Thank you very much all for your replies.

I kept looking around and found a WatchGuard firewall that was removed from production. The unit is in great condition; I was told it had been replaced because they needed better hardware.

What I'm going to do is place that firewall beside ours and use the other IP addresses to route email.

The configuration will pretty much be Data 1 connected to our internal network and Data 2 connected to the trusted interface on the firewall.

Since the firewall is going to be routing email I think we won't have performance issues.

Ed
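Added example, not part of the original thread: a small check, run from a host outside the firewall, that the appliance's public address answers only on SMTP and not on the management services the original poster lists (FTP, Telnet, SSH, HTTP, HTTPS). The default port numbers and the placeholder address are assumptions.

```python
import socket

# Services the original poster says are disabled on the public interface,
# plus SMTP, the only one that should answer. Port numbers are the
# standard defaults (assumption: the appliance uses default ports).
MUST_BE_CLOSED = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "https": 443}
MUST_BE_OPEN = {"smtp": 25}


def port_is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as not exposed.
        return False


def audit_exposure(host, must_be_open=MUST_BE_OPEN,
                   must_be_closed=MUST_BE_CLOSED, timeout=2.0):
    """Compare what answers on `host` with the intended exposure.

    Returns a list of finding strings; an empty list means the public
    interface matches the policy described in the thread.
    """
    findings = []
    for name, port in sorted(must_be_open.items()):
        if not port_is_open(host, port, timeout):
            findings.append(f"{name}/{port} expected open but not reachable")
    for name, port in sorted(must_be_closed.items()):
        if port_is_open(host, port, timeout):
            findings.append(f"{name}/{port} reachable but must be closed")
    return findings


if __name__ == "__main__":
    import sys
    # 192.0.2.10 is a documentation placeholder, not an address from the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    problems = audit_exposure(target)
    for line in problems:
        print("FAIL", line)
    print("OK" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Running it again after any firewall or listener change confirms that the management interface has not become reachable from the outside.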
