Intel 9515 Routing Setup, DNS Setup, Mail Smtp Setup, FTP Setup, Http Setup, News Nntp Setup


DMZ Firewall Solution for the Express Router

2.2 Routing Setup

Do not enable RIP on the WAN interface or the DMZ interface. Otherwise an intruder could inject routes and corrupt the routing table.

If there is more than one internal network, the router must not be used as the primary gateway, because the router configuration described here only allows the router to forward packets to the DMZ network.

2.3 DNS Setup

Some of the services on the DMZ network require external DNS queries. The most common mail solution is to have a domain with an "MX" record and an "A" record pointing to the SMTP server on the DMZ network. The DNS server is normally maintained and hosted by the ISP. The solutions provided in this document do not support a DNS server on the DMZ network.

For more details about DNS please refer to [2].

2.4 E-mail (SMTP) Setup

Place an SMTP server on the DMZ network; it exchanges mail with any host on the Internet and with the internal e-mail server on the secure network. Configure the SMTP server to resolve the destination domain's MX record so that it delivers mail directly to the destination SMTP server.
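The MX-then-A resolution that the DMZ SMTP server performs, as an added example that is not part of the Intel document. The zone records, hostnames and addresses below are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and stand in for the ISP-hosted DNS described in section 2.3; the example also shows the fallback to the domain's own A record when no MX record exists.

```python
"""Delivery-target selection for an SMTP server that relays direct to the
destination domain, as described for the DMZ mail setup.

Added example, not from the Intel document. The zone data is constructed
inline; a real SMTP server would query the ISP-hosted DNS instead.
"""
from typing import Dict, List, Tuple

# Constructed zone data for hypothetical domains. MX values are
# (preference, mail-exchanger hostname); A values are IPv4 addresses.
ZONE: Dict[str, Dict[str, List]] = {
    "example.com": {
        # Two exchangers; the lower preference value is tried first.
        "MX": [(20, "backup-mx.example.com"), (10, "smtp.example.com")],
    },
    "smtp.example.com": {"A": ["203.0.113.25"]},       # SMTP host on the DMZ
    "backup-mx.example.com": {"A": ["203.0.113.26"]},
    "nomx.example.org": {"A": ["198.51.100.7"]},        # domain with no MX record
}


def delivery_targets(domain: str, zone: Dict[str, Dict[str, List]] = ZONE) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs to attempt delivery to, in preference order.

    MX records are ordered by ascending preference value. A domain with no
    MX record but an A record is treated as its own mail exchanger (the
    implicit MX rule). An unknown domain yields an empty list.
    """
    records = zone.get(domain, {})
    mx = sorted(records.get("MX", []))          # sorts on (preference, name)
    if mx:
        hosts = [name for _, name in mx]
    elif "A" in records:
        hosts = [domain]
    else:
        hosts = []
    targets: List[Tuple[str, str]] = []
    for host in hosts:
        for ip in zone.get(host, {}).get("A", []):
            targets.append((host, ip))
    return targets


if __name__ == "__main__":
    for d in ("example.com", "nomx.example.org", "unknown.test"):
        print(d, "->", delivery_targets(d))
```

The `sorted` call orders the MX tuples by preference first, so the DMZ host `smtp.example.com` is tried before the backup exchanger even though it is listed second in the zone.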

2.5 FTP Setup

An HTTP/FTP proxy server on the DMZ network must use passive FTP for connections to the Internet. Otherwise the filters will block the active-mode FTP data channel, which the remote server opens towards the proxy from port 20. Because the HTTP/FTP proxy is an application proxy, support for DNS is required to resolve fully qualified domain names into IP addresses.

2.6 HTTP Setup

An HTTP/FTP proxy normally runs on port 80 or 8080. However, the filter settings for the following setups are based on port 80. Because the HTTP/FTP is an application proxy, support for DNS is required to resolve fully qualified domain names into IP addresses.

2.7 News (NNTP) Setup

If you are using a News (NNTP) server on your secure network, you must place a News (proxy) server on the DMZ. With this setup, the News server on the secure network communicates with the News (proxy) server on the DMZ which, in turn, communicates with an external News server on the Internet. The advantage of this setup is that all private news groups are kept on the internal server, protected from the Internet.

2.8 Management Access Setup

To ensure security, you must disable management access (SNMP, Telnet, and TFTP) on the WAN (Internet) link and the LAN2 (DMZ) link. For additional security, disable management access on the LAN1 link as well. With this setup, all management tasks can only be performed from the console port.
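Why passive FTP is required in section 2.5 and what "disable management access on the WAN link" in section 2.8 amounts to at the packet-filter level, as one added example that is not part of the Intel document. It models a stateless receive filter on the Internet connection: rules are checked in order, the first match decides, and unmatched traffic is discarded. The rule table, the router and DMZ addresses (203.0.113.0/24) and the remote host (198.51.100.0/24) are all constructed for illustration and are not the Express Router's own filter syntax.

```python
"""Stateless receive-filter model for the Internet link of a DMZ router.

Added example, not from the Intel document. Addresses, rules and packets
are constructed (documentation IP ranges). Semantics modelled: ordered
rules, first match wins, default discard.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses: router WAN address, SMTP host and HTTP/FTP proxy on the DMZ.
ROUTER_WAN = "203.0.113.1"
DMZ_SMTP = "203.0.113.25"
DMZ_PROXY = "203.0.113.30"


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    new_conn: bool = False  # TCP connection request (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "discard"
    proto: Optional[str] = None       # None matches any protocol
    dst: Optional[str] = None         # None matches any destination address
    dport: Optional[int] = None       # exact destination port
    min_dport: Optional[int] = None   # destination port must be >= this value
    established_only: bool = False    # match replies only, never new connections

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.min_dport is not None and p.dport < self.min_dport:
            return False
        if self.established_only and p.new_conn:
            return False
        return True


# Receive (Rx) filters on the Internet connection, constructed for this example.
INTERNET_RX_RULES: List[Rule] = [
    # Inbound mail: any Internet host may open a connection to the DMZ SMTP host.
    Rule("pass", proto="tcp", dst=DMZ_SMTP, dport=25),
    # Replies to connections the proxy opened itself: HTTP, the FTP control
    # channel and passive-mode FTP data all return to ports above 1023.
    Rule("pass", proto="tcp", dst=DMZ_PROXY, min_dport=1024, established_only=True),
    # No rule for the router's WAN address: Telnet, SNMP and TFTP aimed at it
    # fall through to the default discard, i.e. management access is disabled.
]


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return the action taken for packet p: "pass" or "discard"."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "discard"


def active_ftp_data_allowed() -> bool:
    """Active mode: the remote server opens the data channel from port 20 to an
    ephemeral port on the proxy. That is a new inbound connection."""
    p = Packet("tcp", "198.51.100.9", 20, DMZ_PROXY, 41000, new_conn=True)
    return filter_packet(INTERNET_RX_RULES, p) == "pass"


def passive_ftp_data_allowed() -> bool:
    """Passive mode: the proxy opens the data channel to a high port on the
    server, so inbound packets are replies to a proxy-initiated connection."""
    p = Packet("tcp", "198.51.100.9", 50000, DMZ_PROXY, 41001, new_conn=False)
    return filter_packet(INTERNET_RX_RULES, p) == "pass"


def management_from_internet_allowed() -> List[str]:
    """Management protocols aimed at the router's WAN address; returns the ones passed."""
    probes = {
        "telnet": Packet("tcp", "198.51.100.9", 40000, ROUTER_WAN, 23, new_conn=True),
        "snmp": Packet("udp", "198.51.100.9", 40001, ROUTER_WAN, 161),
        "tftp": Packet("udp", "198.51.100.9", 40002, ROUTER_WAN, 69),
    }
    return [name for name, p in probes.items() if filter_packet(INTERNET_RX_RULES, p) == "pass"]


if __name__ == "__main__":
    print("active FTP data channel passes:", active_ftp_data_allowed())      # False
    print("passive FTP data channel passes:", passive_ftp_data_allowed())    # True
    print("management passed from Internet:", management_from_internet_allowed())  # []
```

The `established_only` flag stands in for the "established" (ACK bit set) match that stateless filters of this era use to tell replies from new connections; it is the only thing that lets the passive-mode data reply through while still refusing the server-initiated active-mode data connection on port 20.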

07-12-99

Version 1.0

5
