
Issues implementing a firewall

Status
Not open for further replies.

EntilzaSte

Technical User
Jun 20, 2001
73
GB
Hi,

We have just begun to configure Smoothwall to segregate a section of our network (laptop users).

The laptops (within the segregated area) will connect to a windows 2k based DHCP server which will provide all info to allow them to connect to the lan (default gw being the smoothwall).

I have opened a port to allow http traffic to get to our ISA server. I have opened a port to allow SAP traffic through (using sap router). BUT I'm having a problem opening ports to allow exchange 2000 traffic through using outlook.

Ports 135, 137, 142 all seemingly need to be open but these are standard rpc ports which recent viruses have exploited.

Is there any quick fix that we can apply to allow exchange traffic through the firewall without opening up these common ports?

Many thanks

Steve
 
There are software firewalls that will only allow a specific application to use a service.

Check out Kerio Personal Firewall.
 
Hi,

A personal firewall is of no use to us, as they sit on the OS it is possible to get around or under. Hence the hardware firewall put in place.

I could allow access to MSExchange webmail, yet they need to sync the laptops with the server....

Steve
 
Well,
Tough turkey is that you ultimately need a VPN to run a direct exchange connection like it sounds like you want to run. Check out MS RRAS or some other better VPNs out there.

Pete
 
Are your Outlook clients running IMAP or POP? If you are supporting MAPI and IMAP, then I believe that you really need to run a VPN to allow the users in.

If you let the laptops run POP (which really makes more sense anyway) then you will only need to open port 110. And then the laptops will actually have their mail when they are disconnected from the network. You can run POPS (port 995), which uses TLS to tunnel the POP connection securely. That way you aren't passing the userid/password info in the clear.


pansophic
 
Pansophic, thanks for that. We took the view to turn off pop connection last year. All laptop users synch the post when they log off, to give us a fallback should anything happen to the laptop.

If we do need to run a vpn then what are the issues with the passing of viruses? We are also now thinking of using a terminal server to get around this, however, this wouldn't make any sense for those laptop users that need their post elsewhere....

help
 
Why not just use OWA for the laptop users? Then it just runs on your IIS server over standard web ports. It isn't as nice as Outlook, but it should suffice.

As far as passing viruses over the VPN, it shouldn't be any different than what you are doing now. Firewalls don't block the propagation of viruses, mail filters do. And you can run the VPN as a function of the firewall, and propagate a completely different set of ports from the external ruleset.

Worms will propagate over the VPN, but you can potentially solve that with a personal firewall on the laptop.


pansophic
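The two answers above make one policy point: keep the RPC endpoint mapper and NetBIOS ports closed from the laptop segment and open only the reviewed services (web via the ISA proxy, OWA over HTTPS, POP3 over TLS on 995 instead of clear-text POP3 on 110). The following script is an added illustration, not code from the thread or from Smoothwall: it models that ruleset as a first-match packet filter with default deny, evaluates a few constructed connection attempts from a laptop, and lints the policy for any allow rule that would expose a forbidden port. The addresses, the laptop subnet and the port set 135, 137, 138, 139, 445 are assumptions chosen for the example.

```python
# Added example (not from the thread or Smoothwall): a first-match packet filter
# modelling the segregated-laptop policy, with RPC/NetBIOS ports denied and only
# the reviewed services allowed. All addresses below are constructed placeholders.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                    # "tcp" or "udp"
    dports: frozenset             # destination ports; empty set = any port
    note: str


def rule(action, src, dst, proto, dports, note):
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                proto, frozenset(dports), note)


# Constructed addresses: laptop segment behind the firewall plus two internal hosts.
LAPTOP_NET = "10.10.20.0/24"
EXCHANGE = "10.10.0.5/32"
ISA_PROXY = "10.10.0.6/32"
ANY = "0.0.0.0/0"

# Assumed set: RPC endpoint mapper, NetBIOS and SMB ports abused by the RPC worms.
RPC_PORTS = {135, 137, 138, 139, 445}

RULESET = [
    rule("deny", LAPTOP_NET, ANY, "tcp", RPC_PORTS, "RPC/NetBIOS/SMB stays closed"),
    rule("deny", LAPTOP_NET, ANY, "udp", RPC_PORTS, "RPC/NetBIOS/SMB stays closed"),
    rule("allow", LAPTOP_NET, ISA_PROXY, "tcp", {80}, "HTTP to ISA proxy"),
    rule("allow", LAPTOP_NET, EXCHANGE, "tcp", {443}, "OWA over HTTPS"),
    rule("allow", LAPTOP_NET, EXCHANGE, "tcp", {995}, "POP3 over TLS (POPS)"),
    # Plain POP3 (110) is deliberately absent: it would carry the password in clear.
]


def evaluate(src, dst, proto, dport, ruleset=RULESET):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ruleset:
        if (r.proto == proto and s in r.src and d in r.dst
                and (not r.dports or dport in r.dports)):
            return r.action, r.note
    return "deny", "default deny"


def audit(ruleset=RULESET, forbidden=RPC_PORTS):
    """Lint: list the notes of allow rules that would expose a forbidden port
    (an allow with no port restriction counts). Empty list means clean."""
    return [r.note for r in ruleset
            if r.action == "allow" and (not r.dports or r.dports & forbidden)]


# Constructed connection attempts from one laptop in the segregated segment.
SAMPLE_FLOWS = [
    ("10.10.20.15", "10.10.0.5", "tcp", 135),   # Outlook MAPI via endpoint mapper
    ("10.10.20.15", "10.10.0.5", "tcp", 995),   # Outlook over POPS
    ("10.10.20.15", "10.10.0.5", "tcp", 110),   # clear-text POP3
    ("10.10.20.15", "10.10.0.6", "tcp", 80),    # web browsing via ISA
    ("10.10.20.15", "10.10.0.5", "udp", 137),   # NetBIOS name service
]


def decisions(flows=SAMPLE_FLOWS):
    """Return (port, action) for each sample flow, for a quick policy check."""
    return [(dport, evaluate(s, d, p, dport)[0]) for s, d, p, dport in flows]


if __name__ == "__main__":
    for s, d, p, port in SAMPLE_FLOWS:
        action, note = evaluate(s, d, p, port)
        print(f"{s} -> {d} {p}/{port}: {action} ({note})")
    print("audit:", audit() or "clean")
```

The deny rules for the RPC ports sit first so that a later, broader allow cannot reopen them by accident; `audit()` catches the case where someone adds such an allow anyway. Running the script shows the 135 and 137 attempts dropped by the explicit rule, port 110 dropped by default deny, and only 80, 443 and 995 passing.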
 
Pansophic,

Sorry, I am currently suffering from "everyone else knows what I'm thinking"...

OWA is great as long as you don't need it offline... hence outlook.

When I said viruses I was thinking of the recent spate of worms (nachi killed us), and whilst a personal firewall will work, it's not as cost effective as a smoothwall (free) firewall.....

Steve
 
I understand that it isn't as cost effective, but if you can't access the services that you need through the firewall, then a personal firewall is a relatively good option. Plus, you keep the laptops from enjoying trojans, virii and worms while they are connected to other networks as well as protecting your network when they are there.

And I understand your OWA issue. I use it at the office because it was my recommendation for a web-based email that EVERYONE just had to have, but for my own company and my personal stuff, I am a laptop user and die-hard POP fan.


pansophic
 