DMZ Firewall Solution for the Express Router

2.2 Routing Setup

Do not use RIP on the WAN interface or the DMZ interface. This prevents intruders from corrupting the routing table.

If there is more than one internal network, the router must not be used as the primary gateway, because the router configuration only allows the router to forward packets to the DMZ network.

2.3 DNS Setup

Some of the services on the DMZ network require external DNS queries. The most common mail solution is to have a domain with an "MX" record and an "A" record pointing to the SMTP server on the DMZ network. The DNS server is normally maintained and hosted by the ISP. The solutions provided in this document do not support a DNS server on the DMZ network.

For more details about DNS, refer to [2].

2.4 E-mail (SMTP) Setup

Locate an SMTP server on the DMZ network to communicate with any host on the Internet and with an internal E-mail server on the secure network. Configure the SMTP server to use MX records so that it sends mail directly to the destination SMTP server.

2.5 FTP Setup

An HTTP/FTP proxy server on the DMZ network must use passive FTP for connections to the Internet. Otherwise the filters will block the FTP data channel running on port 20. Because the HTTP/FTP proxy is an application proxy, DNS support is required to resolve fully qualified domain names into IP addresses.
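The following is an added illustration, not part of the original document, of why the filters pass passive FTP but block active FTP. It models a stateless WAN filter that lets the DMZ proxy open outbound TCP connections and drops inbound connection attempts; the rule set, addresses and ephemeral port numbers are assumptions, not the router's actual filter settings.

```python
"""Stateless filter model: active vs passive FTP data channel (assumed rules)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/28")   # assumption: documentation-range DMZ subnet
PROXY = ip_address("192.0.2.10")   # assumption: HTTP/FTP proxy on the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a TCP connection (SYN, no ACK)


def wan_filter(p: Packet) -> bool:
    """Return True if the (assumed) WAN filter forwards the packet."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if src == PROXY and dst not in DMZ:
        return True   # the proxy may open connections to the Internet
    if dst == PROXY and not p.syn:
        return True   # replies on connections the proxy opened itself
    return False      # default deny, which includes every inbound SYN


def data_channel_allowed(mode: str, server: str = "198.51.100.7") -> bool:
    """Check whether the first packet of the FTP data channel passes the filter."""
    if mode == "active":
        # The server connects back from port 20 to a port the proxy sent in PORT.
        first = Packet(server, 20, str(PROXY), 50001, syn=True)
    elif mode == "passive":
        # The proxy connects out to the port the server sent in its PASV reply.
        first = Packet(str(PROXY), 50001, server, 49152, syn=True)
    else:
        raise ValueError(f"unknown FTP mode: {mode}")
    return wan_filter(first)


if __name__ == "__main__":
    for mode in ("active", "passive"):
        verdict = "forwarded" if data_channel_allowed(mode) else "blocked"
        print(f"{mode:8s} FTP data channel: {verdict}")
```

In active mode the data connection is an inbound connection attempt from the Internet, which a default-deny filter has no rule to admit; in passive mode both the control and data connections originate from the proxy.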

2.6 HTTP Setup

An HTTP/FTP proxy normally runs on port 80 or 8080. However, the filter settings for the following setups are based on port 80. Because the HTTP/FTP proxy is an application proxy, DNS support is required to resolve fully qualified domain names into IP addresses.

2.7 News (NNTP) Setup

If you are using a News (NNTP) server on your secure network, you must locate a News (proxy) server on the DMZ. With this setup, the News server on the secure network communicates with the News (proxy) server on the DMZ, which in turn communicates with an external News server on the Internet. The advantage of this setup is that all private news groups are placed on the internal server, protected from the Internet.

2.8 Management Access Setup

To ensure security, you must disable management access (SNMP, Telnet, and TFTP) on the WAN (Internet) link and the LAN2 (DMZ) link. For additional security, also disable management access on the LAN1 link. With this setup, management tasks can be performed only from the console port.

07-12-99

Version 1.0
