Intel 9525 Saw User Manual


 
DMZ Firewall Solution for the Express Router
07-12-99 Version 1.0 5
2.2 Routing Setup
Do not run RIP on the WAN interface or the DMZ interface. A router that accepts RIP updates on
those links would let an intruder advertise bogus routes and corrupt the routing table, so use
static routes there instead.
If there is more than one internal network, the router must not be used as the primary gateway,
because the configuration described here only lets the router forward packets to the DMZ
network, not between internal networks.
2.3 DNS Setup
Some of the services on the DMZ network require external DNS queries. The most common mail
setup is a domain whose "MX" record names a host whose "A" record resolves to the SMTP server
on the DMZ network. That DNS server is normally maintained and hosted by the ISP; the solutions
in this document do not support running a DNS server on the DMZ network.
For more details about DNS, refer to [2].
2.4 E-mail (SMTP) Setup
Place an SMTP server on the DMZ network. It exchanges mail with any host on the Internet and with
the internal e-mail server on the secure network; the internal server never talks to the Internet
directly. Configure the DMZ SMTP server to look up the destination domain's MX record and deliver
outbound mail directly to the destination SMTP server. It should relay only mail addressed to
your own domain or originating from the internal server; a DMZ server that forwards anything
from anyone to anywhere is an open relay.
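The relay decision and the MX lookup described in sections 2.3 and 2.4, as an added example
that is not part of the original manual or the router's configuration. The zone data, local
domain and addresses are constructed for the example; a real relay queries the ISP's DNS server.

```python
"""DMZ SMTP relay: where does a message go next?  Added example, not the
Express Router's or any mail server's own code.  All records below are
constructed (TEST-NET / RFC 1918 addresses); real deployments query DNS."""

# Constructed zone data: MX records as (preference, exchange), A records as IPs.
ZONE = {
    "example.com": {"MX": [(20, "backup.example.com"), (10, "mail.example.com")]},
    "mail.example.com": {"A": ["203.0.113.25"]},
    "backup.example.com": {"A": ["203.0.113.26"]},
    "nomx.example.org": {"A": ["203.0.113.99"]},   # A record but no MX
    "lonely.example.net": {},                       # neither MX nor A
}

LOCAL_DOMAINS = {"corp.example"}   # assumed domain hosted on the secure network
INTERNAL_MAIL = "10.0.0.25"        # assumed internal mail server on the secure network


def delivery_targets(domain, zone=ZONE):
    """Ordered list of (exchange, ip) the DMZ relay should try for `domain`.

    MX records are tried lowest preference first (RFC 5321 section 5.1).  A
    domain with no MX record is treated as having an implicit MX of
    preference 0 pointing at its own name, so its A record alone suffices.
    Returns [] when no usable address exists.  Equal-preference exchanges
    should be tried in random order; this model just sorts them by name.
    """
    records = zone.get(domain, {})
    mx = sorted(records.get("MX", []))
    if not mx:
        mx = [(0, domain)]  # implicit MX
    targets = []
    for _pref, exchange in mx:
        for ip in zone.get(exchange, {}).get("A", []):
            targets.append((exchange, ip))
    return targets


def next_hop(rcpt, from_internal, zone=ZONE):
    """Decide the next hop for one recipient.

    from_internal is True when the message arrived from the internal mail
    server on the secure network, False when it arrived from the Internet.
    Returns (action, targets) where action is one of:
      "internal"  mail for a local domain, handed to the internal server
      "mx"        outbound mail from the internal server, sent to the MX
      "reject"    Internet mail for a foreign domain; relaying it would
                  make this host an open relay (caveat added here, not
                  stated in the manual)
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return ("internal", [("internal", INTERNAL_MAIL)])
    if not from_internal:
        return ("reject", [])
    return ("mx", delivery_targets(domain, zone))


if __name__ == "__main__":
    for rcpt, internal in [("bob@example.com", True),
                           ("alice@corp.example", False),
                           ("bob@example.com", False),
                           ("x@nomx.example.org", True)]:
        print(rcpt, "from internal" if internal else "from Internet",
              "->", next_hop(rcpt, internal))
```

The "mx" branch is the behaviour section 2.4 asks for: the DMZ server resolves the MX itself and
connects to the destination directly rather than handing mail to an upstream ISP relay.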
2.5 FTP Setup
An HTTP/FTP proxy server on the DMZ network must use passive-mode FTP for connections to the
Internet. In active mode the remote FTP server opens the data connection back to the client from
port 20, which the filters see as a new inbound connection and block; in passive mode the proxy
opens the data connection outward, so only replies have to pass the filter. Because the HTTP/FTP
proxy is an application proxy, it also needs DNS to resolve fully qualified domain names into IP
addresses.
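The filter behaviour behind the passive-FTP requirement in section 2.5 (and the port-80
assumption in section 2.6), as an added example that is not the router's own rule syntax. It
models a stateless filter on the WAN link: new connections from the Internet may reach only the
proxy's published services, everything else inbound must look like a reply to a connection the
DMZ opened. Addresses, ports and the published-service set are assumptions made for the example.

```python
"""Stateless WAN-link filter model showing why active FTP fails and passive
FTP works through the DMZ.  Added example; addresses and ports are
constructed and the policy is an assumption, not the router's configuration."""
from dataclasses import dataclass

DMZ_PROXY = "192.0.2.10"    # assumed DMZ HTTP/FTP proxy address (constructed)
INET_FTP = "198.51.100.5"   # assumed FTP server on the Internet (constructed)
PUBLISHED = {25, 80}        # services the Internet may open to the DMZ
                            # (SMTP from 2.4, HTTP on 80 from 2.6; 8080 is not)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool   # True for a bare SYN, i.e. a new connection attempt


def wan_inbound_allowed(p):
    """Packets arriving from the Internet bound for the DMZ.

    A new connection (bare SYN) is accepted only to the published services.
    Anything else passes only if it looks like a reply to a connection the
    proxy opened itself: not a bare SYN, and aimed at an ephemeral port.
    """
    if p.dst != DMZ_PROXY:
        return False
    if p.syn_only:
        return p.dport in PUBLISHED
    return p.dport > 1023


def wan_outbound_allowed(p):
    """Packets leaving the DMZ for the Internet: the proxy may open any
    connection (sections 2.4 and 2.5 let it talk to any host); other DMZ
    hosts are not modelled here."""
    return p.src == DMZ_PROXY


def ftp_session(passive):
    """The packets that set up one FTP transfer, as seen at the WAN link,
    paired with the filter's verdict for each.  Ports are constructed."""
    ctrl = 40001   # proxy's ephemeral port for the control channel
    data = 40002   # proxy's ephemeral port for the data channel
    steps = [
        ("control SYN proxy->server:21", "out", Packet(DMZ_PROXY, ctrl, INET_FTP, 21, True)),
        ("control reply server:21->proxy", "in", Packet(INET_FTP, 21, DMZ_PROXY, ctrl, False)),
    ]
    if passive:
        # PASV: the server announces a port (assume 50000) and the proxy
        # connects to it, so the first inbound data packet is a reply.
        steps += [
            ("data SYN proxy->server:50000", "out", Packet(DMZ_PROXY, data, INET_FTP, 50000, True)),
            ("data reply server:50000->proxy", "in", Packet(INET_FTP, 50000, DMZ_PROXY, data, False)),
        ]
    else:
        # PORT: the proxy announces its port and the server connects to it
        # from port 20, which arrives as a brand-new inbound connection.
        steps += [
            ("data SYN server:20->proxy", "in", Packet(INET_FTP, 20, DMZ_PROXY, data, True)),
        ]
    verdicts = []
    for desc, direction, pkt in steps:
        ok = wan_inbound_allowed(pkt) if direction == "in" else wan_outbound_allowed(pkt)
        verdicts.append((desc, ok))
    return verdicts


def transfer_succeeds(passive):
    """True only if every packet of the session passes the filter."""
    return all(ok for _, ok in ftp_session(passive))


if __name__ == "__main__":
    for mode in (False, True):
        print("passive" if mode else "active", "FTP:")
        for desc, ok in ftp_session(mode):
            print("  ", "PASS " if ok else "DROP ", desc)
```

The same `wan_inbound_allowed` rule is what makes the proxy's listening port matter in section
2.6: a bare SYN from the Internet to port 8080 is dropped under this policy, so a proxy that
listens on 8080 needs the published-service set changed to match.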
2.6 HTTP Setup
An HTTP/FTP proxy normally listens on port 80 or 8080. The filter settings in the following
setups assume port 80; if the proxy listens on 8080, the filters must be changed to match.
Because the HTTP/FTP proxy is an application proxy, it needs DNS to resolve fully qualified
domain names into IP addresses.
2.7 News (NNTP) Setup
If you run a News (NNTP) server on your secure network, you must also place a News proxy server
on the DMZ. With this setup, the News server on the secure network talks only to the News proxy
on the DMZ, which in turn talks to an external News server on the Internet. The advantage is
that all private newsgroups stay on the internal server, which is never exposed to the Internet.
2.8 Management Access Setup
To ensure security, you must disable management access (SNMP, Telnet, and TFTP) on the WAN
(Internet) link and on the LAN2 (DMZ) link; all three protocols carry credentials and
configuration in cleartext. For additional security, disable management access on the LAN1
link as well. With this setup, all management tasks can only be performed from the console port.