DMZ Help

Javy1

Hey Guys,

I would like to give my users access to POP3 now, and I am considering implementing a DMZ (not sure if a DMZ will be the right solution). I do not have much experience with firewalls, but with good instruction I should manage. Any pointers or advice will be greatly appreciated.

My Hardware

Exchange member server, 2 NIC cards, running Exchange 2K
Domain Controller server (W2K)
Terminal Services member Server (W2K)
Domain Controller backup server and test server (W2K)

Cisco PIX 506
Flash Point 2200 DSL MODEM/ROUTER
LINKSYS Cable ROUTER (BEFSR41)
A couple of old computers are also available

Thanks

Javy

 
Depends how serious you are about the security.

Here are two options:

Option #1

DSL Modem/Router
|
PIX
|
|---------| (Inside LAN with servers and workstations)

Only allow POP3 and SMTP inbound to your Exchange server and deny everything else.

The potential problem of this solution is that if someone was to hack your Exchange server via port 25 or 110 (SMTP and POP3), it is possible they could use the Exchange server computer to launch attacks on computers on the inside network.

This is the easiest solution though, requiring less configuration and fewer points of failure. If you keep your Exchange server up to date with all the latest security patches, you will only have a low to moderate security risk.

Option #2

DSL Modem/Router
|
PIX
|
|---------| (DMZ LAN with servers only)
|
Linksys Router
|
|---------| (Inside LAN workstations only)

This will place the servers to be protected by the PIX, but have your workstations protected behind the Linksys. This creates a DMZ for the servers. This solution offers the best security yet, but requires more configuration. For a small environment, I would recommend option 1.

-Bad Dos
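
The difference between the two options above, as an added example that is not part of either post: a small Python model of which hosts can be reached from the Internet and from the Exchange server in each layout. The host names, the two stand-in workstations and the Linksys behaviour (connections started by the workstations pass, no port forwards) are assumptions.

```python
# Added example: constructed model of the two layouts in the reply above.
# Host names are stand-ins; ws1/ws2 represent user workstations.
SERVERS = ["exchange", "dc", "dc-backup", "terminal-server"]
WORKSTATIONS = ["ws1", "ws2"]
MAIL_IN = {("internet", "exchange", 25), ("internet", "exchange", 110)}

# permits: (source segment, destination host or "*", TCP port or "*").
# Traffic between two different segments is dropped unless a permit matches.
OPTION_1 = {
    "segments": {h: "inside" for h in SERVERS + WORKSTATIONS},
    "permits": MAIL_IN,
}
OPTION_2 = {
    "segments": {**{h: "dmz" for h in SERVERS},
                 **{h: "inside" for h in WORKSTATIONS}},
    # Assumption: the Linksys passes connections the workstations start and
    # has no port forwards, so nothing on the DMZ can open one inward.
    "permits": MAIL_IN | {("inside", "*", "*")},
}


def open_paths(layout, src):
    """Map every other host to the ports `src` can reach on it ('any' = unfiltered)."""
    seg = layout["segments"]
    src_seg = seg.get(src, "internet")      # unknown sources are outside the PIX
    paths = {}
    for host, host_seg in seg.items():
        if host == src:
            continue
        if host_seg == src_seg:             # same segment, no filtering device between
            paths[host] = "any"
            continue
        ports = {p for s, d, p in layout["permits"]
                 if s == src_seg and d in (host, "*")}
        if ports:
            paths[host] = "any" if "*" in ports else sorted(ports)
    return paths


if __name__ == "__main__":
    for name, layout in (("Option 1", OPTION_1), ("Option 2", OPTION_2)):
        print(name, "from the Internet:", open_paths(layout, "internet"))
        print(name, "from the Exchange server:", open_paths(layout, "exchange"))
```

In this model Option 2 takes the workstations out of the Exchange server's reach, while the other servers stay on the same segment as it.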
 