Messaging Gateway

  • 1.  Symantec 8240 appliance placement

    Posted Nov 16, 2007 04:18 PM
    According to the documentation, Symantec recommends placing the appliance between a firewall and the mail server.
     
    I don't understand how you can leverage the TCP throttling, directory harvesting attack prevention, etc features if the appliance isn't directly exposed to the internet.
     
    If there is a firewall between it and the internet as far as it's concerned all traffic is coming from the firewall.  And even if it knows the actual IP of the mail server sending the spam it can't throttle the traffic if the first point of contact the spammer has with your network is the SMTP proxy on the firewall.
     
    Am I misunderstanding something?
     
    Thanks.


  • 2.  RE: Symantec 8240 appliance placement

    Posted Nov 16, 2007 04:57 PM
    The idea is to place SMS behind the firewall to protect it from the usual types of attacks. What you'll have to do is just make a static port mapping (TCP/25) on the firewall to SMS. You won't lose any of the features SMS provides, plus you can implement a first level of protection on the firewall with packet inspection on an IPS module, etc.


  • 3.  RE: Symantec 8240 appliance placement

    Posted Nov 16, 2007 06:23 PM
    Thanks for the reply.
     
    I still don't understand how the TCP throttling is going to work if the only incoming connections the appliance ever sees are from the firewall.  The connections are always going to hit the firewall first and if you are receiving a very high volume of spam like us the firewall takes the brunt of it since it is what is actually proxying the mail connections to the appliance. 
     
    Our MX record points to our firewall, not the gateway.
     


  • 4.  RE: Symantec 8240 appliance placement

    Posted Dec 20, 2007 04:12 PM
    Jay,

    Depending on the firewall you have, it may be configured to act as a proxy, in which case connections would appear to be coming from the (proxy) firewall.  This would prevent many of the SPAM controls from working properly.

    If your firewall is set up to NAT connections, then the connections should appear to originate from the original mail server.  (I believe it may be possible to have the connections appear as though they were coming from the firewall, but that's the definition of a proxy.)

    That said, our SMS appliances are behind our Cisco PIX firewall in a DMZ subnet.  The PIX accepts traffic for our public IP address, then using a one-to-one NAT routes the traffic to the SMS appliances in our DMZ.  To the SMS, the connection is coming from the originating MX server.

    The firewall is just there to limit the attack surface of the entire network, including the appliances.  The appliances are based on Linux and have a pretty good firewall and configuration in them, so I wouldn't be too nervous about putting it directly on the Internet, but having our entire attack surface listed and managed in one device (the PIX) is simpler to maintain than multiple systems with public IPs.

    It does mean that you really need to stay on top of updates and logs for your firewall as it becomes a single point of failure.
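The point the whole thread turns on, that a connection throttle keyed on the client IP only works when the gateway sees the originating address (one-to-one NAT) and silently degrades when it sees only the firewall (SMTP proxy), can be made concrete with a small simulation. The following is an added example, not code from this thread or from the Symantec appliance: the traffic, the firewall address 192.0.2.1 and the limit of five connections per 60 seconds are constructed values, and `SourceThrottle` and `run_gateway` are illustrative names rather than any product API.

```python
"""Per-source SMTP connection throttling as seen behind a proxying vs. a NATing firewall."""
from collections import defaultdict, deque

# Assumed address the proxying firewall presents to the gateway (constructed).
FIREWALL_PROXY_IP = "192.0.2.1"

# Constructed sample traffic: (timestamp_s, original_client_ip, recipient_valid).
SAMPLE_CONNECTIONS = (
    [(t, "203.0.113.10", False) for t in range(10)]      # bulk sender probing addresses
    + [(t, "203.0.113.20", False) for t in range(10)]    # second bulk sender
    + [(5, "198.51.100.5", True), (30, "198.51.100.5", True)]  # legitimate partner relay
)


class SourceThrottle:
    """Sliding-window limiter: at most max_conns connections per window_s per observed source."""

    def __init__(self, max_conns, window_s):
        self.max_conns = max_conns
        self.window_s = window_s
        self._recent = defaultdict(deque)   # observed source IP -> timestamps inside the window

    def admit(self, ts, src):
        q = self._recent[src]
        while q and ts - q[0] >= self.window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.max_conns:
            return False                            # over the limit: a gateway would defer (4xx)
        q.append(ts)
        return True


def observed_source(original_ip, mode):
    """What the gateway sees as the client address under each firewall mode."""
    if mode == "proxy":
        return FIREWALL_PROXY_IP        # every connection collapses onto the firewall's address
    if mode == "nat":
        return original_ip              # one-to-one NAT preserves the originating server
    raise ValueError("mode must be 'proxy' or 'nat'")


def run_gateway(connections, mode, max_conns=5, window_s=60):
    """Feed connections through the throttle in time order and summarise the outcome."""
    throttle = SourceThrottle(max_conns, window_s)
    deferred_by_original = defaultdict(int)
    invalid_rcpt_by_observed = defaultdict(int)
    admitted = deferred = 0
    for ts, orig_ip, rcpt_ok in sorted(connections, key=lambda c: c[0]):
        src = observed_source(orig_ip, mode)
        if throttle.admit(ts, src):
            admitted += 1
            if not rcpt_ok:
                # Directory-harvest style counters are keyed on the same observed address.
                invalid_rcpt_by_observed[src] += 1
        else:
            deferred += 1
            deferred_by_original[orig_ip] += 1
    return {
        "admitted": admitted,
        "deferred": deferred,
        "deferred_by_original_ip": dict(deferred_by_original),
        "invalid_rcpt_by_observed_ip": dict(invalid_rcpt_by_observed),
    }


if __name__ == "__main__":
    for mode in ("nat", "proxy"):
        print(mode, run_gateway(SAMPLE_CONNECTIONS, mode))
```

Behind one-to-one NAT each bulk sender is individually capped and the partner relay is untouched. Behind a proxy, all 22 connections share the firewall's address, so the first five through are admitted regardless of who sent them, the legitimate relay is deferred along with the spammers, and the invalid-recipient counter attributes every probe to the firewall itself, which is why the DHA and throttling controls have nothing useful to act on in that deployment.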