Thread: Security advice

  1. #1
    DGSO is offline Junior Member
    Join Date
    Jul 2009
    Location
    Lawrence, KS
    Posts
    8
    Rep Power
    6

    Security advice

    I've recently installed Zimbra 6.0 network edition on CentOS 5.4. Currently the server is sitting inside the network with an internal IP. However, I will be moving it to our DMZ, which sits between 2 firewalls and giving it a static public IP. Mail will be stored locally on the same box. Users will primarily access email via the web client, although there will be 20 or so (out of 150) users who will use Outlook and connect via IMAP.

    I followed the install instructions for CentOS found on howtoforge. I'm concerned that I've got all security turned off on the box right now per those instructions. Does anyone have any advice on locking it down a bit more while on the DMZ?

    Thanks in advance!

  2. #2
    uxbod's Avatar
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Why not leave it on your Internet network and NAT through?

  3. #3
    DGSO is offline Junior Member
    Join Date
    Jul 2009
    Location
    Lawrence, KS
    Posts
    8
    Rep Power
    6

    NAT isn't an option, unfortunately. We have certain restrictions set by the state as we are a law enforcement agency.

  4. #4
    rsw686 is offline Active Member
    Join Date
    Feb 2009
    Posts
    41
    Rep Power
    6

    You could configure iptables to set up a firewall on the box itself. However, if you already have a firewall in front then this will only protect it from other servers in your DMZ.

  5. #5
    blazeking is offline Advanced Member
    Join Date
    May 2008
    Location
    California!
    Posts
    226
    Rep Power
    7

    Quote: Originally Posted by DGSO
    NAT isn't an option, unfortunately. We have certain restrictions set by the state as we are a law enforcement agency.

    ??? I'm having trouble understanding the reason for this? If anything, I would imagine policy with law enforcement would not allow you to place the mail store, MTA, and web front end into the DMZ? And yes, disabling security features required during the install will open it up more than you want. IPtables may help you out, but I just hate devoting system resources to an unnecessary task when I have a perfectly good ASA or other firewall waiting to do the job (more efficiently)! I'd be curious to understand the reason for the move to the DMZ in the first place.

    EDIT: Sorry, I know that doesn't help with your question, but it's hard to recommend a solution without completely understanding the problem. :-)

  6. #6
    DGSO is offline Junior Member
    Join Date
    Jul 2009
    Location
    Lawrence, KS
    Posts
    8
    Rep Power
    6

    Welcome to local gov't computing... I'm tasked with replacing the old squirrelmail server the organization's been using for the last 8 years (I've only been here 15 months). As for why it was put on the DMZ in the first place, I don't know and the person responsible for the initial setup is no longer with the agency. As for the firewall protecting this DMZ, it's maintained by another agency, so I'm stuck using the same IP and network config as the old box for the most part. I can add some security to it but I don't want to inadvertently cut necessary services.

    I understand what you're saying about system resources and the solution may be that I don't need to do anything extra due to the outside firewall. Mostly, I'm looking to see if there's anything obvious (or not) I may be missing.

  7. #7
    rsw686 is offline Active Member
    Join Date
    Feb 2009
    Posts
    41
    Rep Power
    6

    Quote: Originally Posted by blazeking
    IPtables may help you out, but I just hate devoting system resources to an unnecessary task when I have a perfectly good ASA or other firewall waiting to do the job (more efficiently)!

    iptables and SELinux are the options that were disabled in the security settings step on howtoforge. Setting security level to enabled adds a default set of rules to iptables. SELinux is mainly to make sure processes running on the system are only accessing files that they should be. It shouldn't be much of a security risk since Zimbra is the only software on the server.
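
Added example, not part of any post in this thread: the host firewall discussed in posts #4 and #7, written as a shell function that prints a default-deny iptables-restore ruleset for a single-server Zimbra box. The port lists (SMTP 25, web client 80/443, IMAP 143/993, plus SSH 22 and the admin console 7071 limited to an admin network) and the 192.0.2.0/24 network are assumptions to adjust; the rate-limited LOG rule records what gets dropped, which helps confirm that no needed service was cut.

```sh
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for a
# single-server Zimbra host. Port lists and the admin network are assumptions.

valid_port() {
    case "$1" in
        ''|*[!0-9]*) echo "bad port: $1" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "bad port: $1" >&2; return 1; }
}

zimbra_rules() {
    admin_net="$1"                          # network allowed to administer the box
    public_ports="${2:-25 80 443 143 993}"  # SMTP, web client, IMAP/IMAPS
    admin_ports="${3:-22 7071}"             # SSH, Zimbra admin console
    [ -n "$admin_net" ] || { echo "usage: zimbra_rules ADMIN_NET [PUBLIC] [ADMIN]" >&2; return 2; }
    # Validate every port before printing, so a typo never yields a partial ruleset.
    for p in $public_ports $admin_ports; do
        valid_port "$p" || return 1
    done

    echo "*filter"
    echo ":INPUT DROP [0:0]"                # default deny inbound
    echo ":FORWARD DROP [0:0]"              # a mail server does not route
    echo ":OUTPUT ACCEPT [0:0]"
    # Zimbra's own components (LDAP, MySQL, LMTP, amavis) talk to each other
    # on the same host; traffic to the host's own addresses arrives on lo.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    for p in $public_ports; do
        echo "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    for p in $admin_ports; do
        echo "-A INPUT -p tcp -s $admin_net -m state --state NEW --dport $p -j ACCEPT"
    done
    # Log (rate-limited) whatever is about to hit the DROP policy.
    echo "-A INPUT -m limit --limit 6/min -j LOG --log-prefix \"INPUT-DROP: \""
    echo "COMMIT"
}

# Example: zimbra_rules 192.0.2.0/24 > iptables.new
```

Redirect the output to a file, review it, and on CentOS install it as /etc/sysconfig/iptables before running `service iptables restart`.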

  8. #8
    LMStone's Avatar
    LMStone is offline Moderator
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,373
    Rep Power
    10

    FIPS 200 and the SP 800 series of guides from NIST should help provide some guidance and give you a little leverage with your firewall admin.

    There's an overview document to help you decide what you should look at first: http://csrc.nist.gov/publications/CSD_DocsGuide.pdf

    SP 800-123 covers general server security and SP 800-95 covers securing web services. If you are running BIND on your Zimbra server you'll want to take a look at SP 800-81 and the new draft revision as well.

    Hope that helps,
    Mark
