  #1 (permalink)  
Old 03-22-2010, 06:28 AM
Junior Member
 
Posts: 8
Default Security advice

I've recently installed Zimbra 6.0 network edition on CentOS 5.4. Currently the server is sitting inside the network with an internal IP. However, I will be moving it to our DMZ, which sits between 2 firewalls and giving it a static public IP. Mail will be stored locally on the same box. Users will primarily access email via the web client, although there will be 20 or so (out of 150) users who will use Outlook and connect via IMAP.

I followed the install instructions for CentOS found on howtoforge. I'm concerned that I've got all security turned off on the box right now per those instructions. Does anyone have any advice on locking it down a bit more while on the DMZ?

Thanks in advance!
Reply With Quote
  #2 (permalink)  
Old 03-22-2010, 07:14 AM
Moderator
 
Posts: 7,929
Default

Why not leave it on your Internet network and NAT through?
Reply With Quote
  #3 (permalink)  
Old 03-22-2010, 07:27 AM
Junior Member
 
Posts: 8
Default

NAT isn't an option, unfortunately. We have certain restrictions set by the state as we are a law enforcement agency.
Reply With Quote
  #4 (permalink)  
Old 03-22-2010, 08:16 AM
Active Member
 
Posts: 39
Default

You could configure iptables to set up a firewall on the box itself. However, if you already have a firewall in front then this will only protect it from other servers in your DMZ.
Reply With Quote
  #5 (permalink)  
Old 03-22-2010, 09:35 AM
Advanced Member
 
Posts: 204
Default

Quote:
Originally Posted by DGSO
NAT isn't an option, unfortunately. We have certain restrictions set by the state as we are a law enforcement agency.
??? I'm having trouble understanding the reason for this? If anything, I would imagine policy with law enforcement would not allow you to place the mail store, MTA, and web front end into the DMZ? And yes, disabling security features required during the install will open it up more than you want. IPtables may help you out, but I just hate devoting system resources to an unnecessary task when I have a perfectly good ASA or other firewall waiting to do the job (more efficiently)! I'd be curious to understand the reason for the move to the DMZ in the first place.

EDIT: Sorry, I know that doesn't help with your question, but it's hard to recommend a solution without completely understanding the problem. :-)
Reply With Quote
  #6 (permalink)  
Old 03-22-2010, 09:50 AM
Junior Member
 
Posts: 8
Default

Welcome to local gov't computing... I'm tasked with replacing the old squirrelmail server the organization's been using for the last 8 years (I've only been here 15 months). As for why it was put on the dmz in the first place, I don't know and the person responsible for the initial setup is no longer with the agency. As for the firewall protecting this dmz, it's maintained by another agency, so I'm stuck using the same IP and network config as the old box for the most part. I can add some security to it but I don't want to inadvertently cut necessary services.

I understand what you're saying about system resources and the solution may be that I don't need to do anything extra due to the outside firewall. Mostly, I'm looking to see if there's anything obvious (or not) I may be missing.
Reply With Quote
  #7 (permalink)  
Old 03-22-2010, 10:14 AM
Active Member
 
Posts: 39
Default

Quote:
Originally Posted by blazeking
IPtables may help you out, but I just hate devoting system resources to an unnecessary task when I have a perfectly good ASA or other firewall waiting to do the job (more efficiently)!
iptables and SELinux are the options that were disabled in the security settings step on howtoforge. Setting security level to enabled adds a default set of rules to iptables. SELinux is mainly to make sure processes running on the system are only accessing files that they should be. It shouldn't be much of a security risk since Zimbra is the only software on the server.
Reply With Quote
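Added example, not written by any poster in this thread: a host firewall of the kind posts #4 and #7 discuss, with a check for the worry raised in post #6 about cutting necessary services. The port lists, the management subnet `192.0.2.0/24` (a documentation placeholder) and the function names are assumptions; the thread states only that users need the web client and IMAP.

```shell
#!/bin/sh
# Assumed service list for the setup described in the thread (inbound mail,
# web client, IMAP for Outlook); adjust to the services actually offered.
PUBLIC_PORTS="25 80 443 143 993"
# Assumption: SSH and the Zimbra admin console (7071) only from a management
# subnet. 192.0.2.0/24 is a documentation placeholder, not a real network.
ADMIN_PORTS="22 7071"
ADMIN_NET="192.0.2.0/24"

# Emit an iptables-restore ruleset: default-deny inbound, allow replies,
# loopback, the public ports, and admin ports from ADMIN_NET only.
zimbra_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $PUBLIC_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    for p in $ADMIN_PORTS; do
        printf '%s\n' "-A INPUT -s $ADMIN_NET -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read `netstat -tln` output on stdin and print every TCP port that listens
# on a non-loopback address but has no ACCEPT rule above. These are the
# services the ruleset would cut off; review each before loading it.
uncovered_ports() {
    awk -v allowed="$PUBLIC_PORTS $ADMIN_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4; port = addr; sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
            if (addr ~ /^127\./ || addr == "::1") next
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample of `netstat -tln` output, not captured from a real host.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7071 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:7306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN'
```

On the live server, run `netstat -tln | uncovered_ports` first; once the list is empty or every remaining port is meant to be closed, write the output of `zimbra_rules` to `/etc/sysconfig/iptables` and restart the iptables service.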
  #8 (permalink)  
Old 03-22-2010, 10:42 AM
Moderator
 
Posts: 1,209
Default

FIPS 200 and the SP 800 series of guides from NIST should help provide some guidance and give you a little leverage with your firewall admin.

There's an overview document to help you decide what you should look at first: http://csrc.nist.gov/publications/CSD_DocsGuide.pdf

SP 800-123 covers general server security and SP 800-95 covers securing web services. If you are running BIND on your Zimbra server you'll want to take a look at SP 800-81 and the new draft revision as well.

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
Reply With Quote