Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1595
Views
0
Helpful
4
Replies

Ironport placement in my network.

eramos
Level 1
Level 1

‎03-10-2010 09:55 AM

Greetings,

      I've been using a C100 for quite a while and I love it.

We've always had some trouble with one our public IP being blacklisted in DUL.

We contacted our ISP and after months of troubleshooting they resorted to giving us another IP that doesn't have the same problem.

With our current configuration we can assign the IP to the C100 but we got to put it outside in the wan link.

Is it safe to put the C100 in front of the firewall?

All management on the C100 is done from the inside, there is no FTP, Telnet, SSH, HTTP, HTTPS enabled on the public interface.

Thanks in advance for your time.

Ed

Labels:
0 Helpful
4 Replies 4

sspeerin
Level 1
Level 1

‎03-11-2010 01:05 PM

It is not recommended in putting the C100 in front of the firewall. Even though the appliance is hardened you should put the appliance behind the firewall and port forward port 25 to the appliance. Ensure your firewall is not terminating port 25 and is just forwarding it on cleanly.

0 Helpful

steven_geerts
Level 1
Level 1
In response to sspeerin

‎04-06-2010 03:32 PM

hello,

as Shane stated it is not recomended to place your device in an unprotected network. on the other had, the device is known as an "e-mail firewall" and penetration tests always showed me that the devices are really closed. (as long as you only enable SMTP on the interface)

let's put it like this:

  1. always make a proper security risk analises
  2. consider the strength of your firewall, if it's a Linux firewall, please feel free to place your C series "un protected" on the internet. if you have a heavy hardware firewall, try to find another solution.
  3. if you want, you can alwaysprotect your C series with a dedicated cheap firewall like smoothwall (that is at least giving you information about the attacks you are blocking)
  4. always make a proper security risk analises ;-)

Steven

0 Helpful

sspeerin
Level 1
Level 1
In response to steven_geerts

‎04-06-2010 05:11 PM

If you do deploy the appliance as a email firewall, ie on an unprotected network, ensure the management interface is on a protected network.

There are no application level security controls for Authentication, brute forcing the admin password as it is a know account is a matter of time.

Therefore ensure the management interface it protected.

Cheers

Shane

0 Helpful

eramos
Level 1
Level 1
In response to sspeerin

‎04-06-2010 05:58 PM

Thank you very much all for your replies.

I kept looking around and found a watchguard firewall that was removed from production. The unit is in great condition, I was told it had been replaced because they needed a better hardware.

What I'm going to do is place that firewall beside ours and use the other IP addresses to route email.

The configuration will pretty much be Data 1 connected to our internal network and Data 2 connected to the trusted interface on the firewall.

Since the firewall is going to be routing email I think we won't have performance issues.

Ed

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents