Firewalls and PMDF

On Info-PMDF the following configuration was suggested for using PMDF inside of a firewall.

My company is looking into Internet firewall solutions. We have weeded down the offerings to Compaq's Altavista and Checkpoint's Firewall1. We're looking at placing a PMDF-MTA node inside our DMZ and having this firewall be the front-end.

We found Joel Snyder's response very interesting.

I would not do this. Actually, both AVFW & FW1 are excellent products (see my reviews of them both in Network World). However, I would never let a firewall touch SMTP traffic as a relay. In years of testing these things, I have seen more firewalls stomp, crush, mutilate, and bang on mail than I care to count. Worse, I have seen extraordinarily bad attitudes by FW vendors on this. For example, I had a FW which would not allow some SMTP commands. Why not? "It's not secure." Why not? "It's not secure" and we went around in circles until I got to the chief technology officer who basically said that this was the way it was and they weren't going to change it because then ISS would flag them and their customers would go bonkers and they didn't want the support burden.

Basically, firewall vendors in general do a bad job of handling SMTP, for reasons which are mostly historical in nature and not relevant today. Having your mail system be disconnected from reality by an SMTP relay on a firewall is a bad idea.

There are two good architectures. The 'safer' one is to stick a baby PMDF box on the outside of the firewall and have it be a smart SMTP relay, doing what it does best---handle mail. I don't like that approach, for a variety of reasons, but mostly because a good mail system has to know a lot about your mail network, and moving that data outside the firewall is either (a) really painful because you did the security right or (b) really easy because you did the security wrong, in which case you wasted a lot of money.

The 'better' one is to poke a hole through the firewall and have it pass, completely unmolested, SMTP traffic into the network to a PMDF box (or whatever) which is your main SMTP relay. You may actually choose to have two boxes, one for incoming & one for outgoing, depending on things like load and what other information is on that SMTP box.

If you choose FW1, you can poke a hole for port 25 and life will be swell. Depending on what version & OS you choose for AVFW, you may or may not be able to do such a thing, and I would consider that a reason to NOT use that product.

jms

Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms@Opus1.COM http://www.opus1.com/jms Opus One
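One practical way to verify the "completely unmolested" property described above is to compare the ESMTP extensions your MTA advertises when reached directly with what a client sees after the session has passed through the firewall. The script below is an added example, not code from the original post or from PMDF; every host name and EHLO reply in it is constructed for illustration.

```python
"""Added example: detect an SMTP relay in the firewall path that rewrites the
greeting or strips ESMTP extensions. Sample replies are constructed, not captured."""
import smtplib

# Constructed EHLO reply as seen when talking to the internal MTA directly.
DIRECT_EHLO = [
    "250-mta.example.com Hello probe.example.com",
    "250-8BITMIME",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250-PIPELINING",
    "250-DSN",
    "250 HELP",
]
# Constructed reply from a firewall relay that answers in the MTA's place:
# the greeting is rewritten, SIZE is lowered, and most extensions are gone.
VIA_FIREWALL_EHLO = [
    "250-fw.example.com",
    "250-SIZE 10000000",
    "250 HELP",
]


def parse_ehlo(lines):
    """Turn raw '250-KEYWORD params' lines into {KEYWORD: params}, skipping the greeting."""
    caps = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"not an EHLO reply line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        caps[keyword.upper()] = params
    return caps


def compare_paths(direct_caps, via_fw_caps):
    """List extensions the firewall path strips or alters relative to the direct path."""
    stripped = sorted(k for k in direct_caps if k not in via_fw_caps)
    altered = sorted(k for k in direct_caps
                     if k in via_fw_caps and direct_caps[k] != via_fw_caps[k])
    return {"stripped": stripped, "altered": altered}


def live_caps(host, port=25, timeout=10):
    """Live probe (needs network): EHLO the host and return smtplib's parsed feature table."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("probe.example.com")  # hostname is a placeholder
        return {k.upper(): v for k, v in s.esmtp_features.items()}


if __name__ == "__main__":
    print(compare_paths(parse_ehlo(DIRECT_EHLO), parse_ehlo(VIA_FIREWALL_EHLO)))
```

Run `live_caps()` once from inside the network and once from outside against the same MTA and feed both tables to `compare_paths()`; a non-empty result means something in the path is not passing SMTP through untouched.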
