Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP




Security perimeter white paper
Configuring a security perimeter around JEP(S) with IIS SMTP

Document control
Document name: JEP(S) Security perimeter
Author: Proxmea, Proxmea
Last update: March 23, 2008

Proxmea 2008 JEP(S) Security perimeter Page 1 of 11

Index

Introduction
The basics
Setting up the basic environment
  The JEP(S) Server
  The mail gateway server
  The firewall
Scenarios
  Redundant mail GW with DMZ
  Redundant mail gateway without DMZ
  Stand alone mail server setup
  Stand alone mail gateway

Introduction

Having your mail server directly connected to the internet creates a large security risk for your business. Not only do you risk having your mail system penetrated by spammers and hackers, but you also run the risk of denial of service (DoS) attacks, which can render your mail server or whole mail system unreachable for both external and internal users.

By setting up a security perimeter based on IIS SMTP and JEP(S) which is disconnected from the rest of your network, you move the risk one step away from your critical mail systems. In the case of a penetration or a DoS attack, you only risk the mail gateway in question, and though this will affect the mail flow it won't affect your mail servers.

To set up JEP(S) and a security perimeter network you need:

- An internal server running JEP(S) Server, preferably on a SQL database.
- One or more physical or virtual servers which will be used as mail gateways. These servers can run Windows 2000/2003 or Windows XP. (XP comes with IIS SMTP.)
- .NET Framework 2.0 installed on the mail gateway.
- A firewall with a DMZ. (Optional but recommended.)
- In most cases, a JEP(S) license, as these connections involve more than one server.

This white paper is intended as a guide to a couple of different setup scenarios for securing your mail network with JEP(S). You might require further knowledge about how firewalls and mail systems work to implement this.

The basics

[Diagram: Internet, JEP(S) Server, Internal mail system]

The above diagram explains the basics of setting up a security perimeter network. This is but one of the many different ways this can be set up, and we'll go through many other scenarios later.

The way a mail would be blocked or passed through:

1. A session is initiated from the internet to the firewall on port 25. This session is forwarded to the mail gateway on port 25.
2. JEP(S) intercepts the session and sends a query to the JEP(S) server through the firewall on port 9105.
3. The JEP(S) server inspects the session against its filters and known users (if address sources have been configured) and replies back to the mail gateway with either a pass or a block.
4. If the mail gateway receives a block then the session is denied; otherwise the session is accepted. If the session is accepted then the mail gets delivered to the local mail system on the mail gateway (IIS SMTP).
5. When the mail has been received by the mail gateway, the gateway delivers it to the internal mail system over port 25.

Outgoing mail goes directly from the internal mail server, as this allows us to install the outgoing JEP(S) sink there to enable auto whitelisting.

Setting up the basic environment

The JEP(S) Server

Install the JEP(S) server as described in the JEP(S) Administrator guide. You will need to enable listening on all interfaces for the server to accept traffic from the JEP(S) sink on the mail gateway.

To facilitate proper filtering at the mail gateway, the email address function of JEP(S) should be used. By using this you give the mail gateway the intelligence not to accept email if the recipient doesn't exist in your organization.

The mail gateway server

You have the choice of running the mail gateway on either Windows 2000, 2003 or Windows XP. The reason for XP being in this list is that it comes with the IIS and SMTP components. The only limitation of running on XP is that you can only handle 10 concurrent sessions by default.

Install the SMTP component by opening Add/Remove Programs and selecting Add/Remove Windows Components. Depending on your version of the operating system, install the SMTP service by either A or B:

a. Click (not select) Internet Information Services (IIS) and click Details. Select SMTP service and click OK.
b. Click (not select) Application Server and click Details. Click (not select) Internet Information Services (IIS) and click Details. Select SMTP service and click OK.

1. Open Start menu - Administrative Tools - Internet Information Services.
2. Right click Domains and select New Domain.
3. Select Remote and Next.

4. Fill in the domain name you want to receive mail on and press Enter.
5. Right click your newly created domain name and select Properties.
6. Select "Allow incoming mail to be relayed to this domain" and fill in the IP number of your internal mail server in the "Forward all mail to smart host" field. Note that you need to enclose the IP within brackets []. When finished press OK.
7. If necessary, repeat steps 2 to 6 for other domain names.

Your mail gateway is now ready to receive mail for your domain but is not yet protected by JEP(S).

8. Extract JEP(S) into a directory of your choice, copy your license file to the same directory and then start JEP(S) Admin. Go to the Greylist Sink tab.

9. Change the server IP to the IP of your JEP(S) Server and press Apply.
10. Click Enable in to install the JEP(S) Sink for incoming traffic. We won't enable the outgoing sink as this server only handles incoming traffic.
11. Change the following settings and then press Apply:
    a. Mode: Enabled
    b. Disconnect blocked settings: Unchecked
    c. Enable tarpit: Enabled (optional)

The firewall

With the setup just described, and assuming that the mail gateway is located in a DMZ, you would use the following configuration:

IPs:

Mail gateway           10.0.0.100
Internal mail server   192.168.0.10
JEP(S) Server          192.168.0.20

Ports that need to be opened:

Source         Destination    Port       Purpose
Any            10.0.0.100     25 TCP     Incoming mail from the internet to the mail gateway
10.0.0.100     192.168.0.10   25 TCP     Mail from the mail gateway to internal mail server
10.0.0.100     192.168.0.20   9105 TCP   JEP(S) queries from gateway to JEP(S) server
192.168.0.10   Any            25 TCP     Outgoing mail from internal mail server to the internet
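The rule table above can be checked mechanically. The following Python sketch is an added example, not part of the original white paper or of JEP(S): it encodes the four rules and lists which internal endpoints a given source can open. It assumes that everything not listed is dropped (default deny) and that the internal subnet is 192.168.0.0/24; the audited port list and the internet address 203.0.113.7 are constructed sample values.

```python
import ipaddress

# The four rules from the white paper's DMZ example: (source, destination, TCP port, purpose).
RULES = [
    ("any", "10.0.0.100", 25, "Incoming mail from the internet to the mail gateway"),
    ("10.0.0.100", "192.168.0.10", 25, "Mail from the mail gateway to internal mail server"),
    ("10.0.0.100", "192.168.0.20", 9105, "JEP(S) queries from gateway to JEP(S) server"),
    ("192.168.0.10", "any", 25, "Outgoing mail from internal mail server to the internet"),
]

# Assumption: the internal network is 192.168.0.0/24 (the page only names two hosts in it).
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/24")
INTERNAL_HOSTS = ["192.168.0.10", "192.168.0.20"]
# Constructed audit list: the two ports the design uses plus common Windows service ports.
AUDIT_PORTS = [25, 9105, 135, 445, 1433, 3389]


def _matches(pattern, addr):
    """True if a rule field ('any' or a single IP) covers the given address."""
    return pattern == "any" or ipaddress.ip_address(pattern) == ipaddress.ip_address(addr)


def evaluate(src, dst, port):
    """Return the purpose of the rule permitting this TCP flow, or None (assumed default deny)."""
    for rule_src, rule_dst, rule_port, purpose in RULES:
        if port == rule_port and _matches(rule_src, src) and _matches(rule_dst, dst):
            return purpose
    return None


def reachable_internal(src, hosts=INTERNAL_HOSTS, ports=AUDIT_PORTS):
    """List the (host, port) pairs inside the internal network that src is allowed to open."""
    return [
        (host, port)
        for host in hosts
        for port in ports
        if ipaddress.ip_address(host) in INTERNAL_NET and evaluate(src, host, port)
    ]


if __name__ == "__main__":
    # What an internet host and a compromised mail gateway could each reach internally.
    for label, src in [("internet host", "203.0.113.7"), ("mail gateway", "10.0.0.100")]:
        print(f"{label} ({src}) -> internal: {reachable_internal(src) or 'nothing'}")
    print("internet -> gateway:25:", evaluate("203.0.113.7", "10.0.0.100", 25))
```

With the page's rules, the mail gateway can open only SMTP to the internal mail server and port 9105 to the JEP(S) server, which is the exposure left if the gateway is compromised.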

Scenarios

Redundant mail GW with DMZ

[Diagram: Internet, ISP 1, ISP 2, Internal network, JEP(S) Server, Internal mail system]

This scenario is suitable if you have two or more internet connections. As both mail gateways are using the same JEP(S) server, they can be located virtually anywhere, even across time zones.

The benefit of this setup is that it's secure and redundant. If you have a failure on either a mail gateway or an internet connection, you will still receive mail through the other link.

In addition to this you can cluster the JEP(S) Server and use multiple internal mail systems to increase availability. If you have multiple internal mail servers then you would configure the two mail gateways to use different internal mail servers as smart hosts.

Redundant mail gateway without DMZ

[Diagram: Internet, ISP 1, ISP 2, Internal network, JEP(S) Server, Internal mail system]

This scenario is suitable if you have two or more internet connections. As both mail gateways are using the same JEP(S) server, they can be located virtually anywhere, even across time zones.

The benefit of this setup is that it's relatively secure and redundant. It's still beneficial to place the mail gateways in a DMZ if possible. If you have a failure on either a mail gateway or an internet connection, you will still receive mail through the other link.

In addition to this you can cluster the JEP(S) Server and use multiple internal mail systems to increase availability. If you have multiple internal mail servers then you would configure the two mail gateways to use different internal mail servers as smart hosts.

Stand alone mail server setup

[Diagram: Internet, Mail server with JEP(S)]

This is a common setup for small companies with Exchange, the JEP(S) server and the JEP(S) sink installed on the same server facing the internet. With a good firewall inspecting the SMTP packets, the security achieved can be acceptable.

With this setup you should consider implementing a separate mail gateway as described in the next section. This way you don't need to expose the Exchange server directly to incoming connections.

This setup can be used with the free (unlicensed) version of JEP(S).

Stand alone mail gateway

[Diagram: Internet, Internal network, Mail server]

With this setup we achieve good security at a low cost. Both the JEP(S) Server and the JEP(S) sink are installed on the mail gateway. While it's beneficial to place the mail gateway in a DMZ, we do achieve a higher level of security and availability than with the single server setup.

This setup provides isolation between the incoming mail traffic from the internet and the mail server. If the mail gateway becomes compromised, it can be isolated or powered off without affecting the internal mail server.

This setup can be used on the free version of JEP(S), but it's not recommended as the lack of email address filtering can have unwanted effects.