Suggestions internet–PFS--UT--PFS

josey

i have problems with outgoing spam on my network, so i would put untangle behind pfs to filter port 25

this is just my idea, i would like to hear your suggestions

now i have PFS with 6 interfaces,
WAN
WAN 1
LAN 10.10.10.0/24
OPT1 10.10.20.0/24
OPT2 10.10.30.0/24
OPT3 10.10.40.0/24

and i would change that to this configuration

INTERNET –- PFS1 –- UNTANGLE –- PFS2

PFS1
WAN
WAN1
LAN 10.10.0.0/24 (10.10.0.1)

UNTANGLE
external in bridge with LAN 10.10.0.2

PFS2
WAN (NAT turned off) 10.10.0.3
LAN 10.10.10.0/24
OPT1 10.10.20.0/24
OPT2 10.10.30.0/24
OPT3 10.10.40.0/24 (DHCP and CP running on it)

static route in PFS1
LAN 10.10.10.0/24 GW 10.10.0.3
LAN 10.10.20.0/24 GW 10.10.0.3
LAN 10.10.30.0/24 GW 10.10.0.3
LAN 10.10.40.0/24 GW 10.10.0.3

what do you think?
is there some better option?

thanx

Guest

You would be much better served to block all outbound traffic destined to TCP 25 except from your approved mail servers.  Egress filtering at your mail server and proper firewall rules will fix this problem easily.  Then just use reporting from your spam filtering solution to identify problem clients and shut them down

josey

hm,
yes, but i asked for opinions not for solution of blocking port 25.
25 mustwork and be opened for all clients, because company have maybe 50 subcontractor, maybe more, and they use our network and internet resources for work. And they use SMTP of their domain: mail.company.com (where; www.company.com; xyz@company.com). And now, they are using notebooks, so i should walk around and check every notebook, yeah right :)

So you will suggest me to tell them to use web mail, no, it is not solution, they have to use mail clients (outlook, outlook express, thunderbird etc,) because mail data base is very important to them ;)

thanks mate i appreciate your advice, but it is not solution.

Bern

Your original post said:

"i have problems with outgoing spam on my network, so i would put untangle behind pfs to filter port 25"

Based on that very vague spec., SubMicron suggested exactly what I would have suggested - prevent outbound SMTP from anything except known-good machines on your LAN.

Then you changed the spec., contradicting yourself somewhat by saying:

"yes, but i asked for opinions not for solution of blocking port 25."

Selective blocking = filtering, IMHO.

"25 mustwork and be opened for all clients"

You have bigger problems than you think.

"thanks mate i appreciate your advice, but it is not solution."

It was a good solution based on the inadequate specification.

Eugene

Nowadays even some Internet providers block port 25 and I do not know any company (with decent IT support) which allows tcp port 25 from inside to outside (except mail servers of course).
Josey, with your approach your public IP(s) should be blocked very soon by all antispam-blacklists. I suspect that you do not run any mail-server behind your firewall, only this can explain why you are still not blocked.
And finally, why would you worry about spam you are sending and put (expensive) device to block outgoing spam? I mean what is the purpose? Who complains?

josey

sorry i should be more accurate when posting a question.
Now you know what problem is, and i think this is so far best solution (PFT - UT -PFS)

And, who complains ?
Lots of people :)

I really do appreciate your help, and asking now, what do you think about my solution, and if you have alternative solution.
And SMTP port must be open.

thanks guys

Cry Havok

Why must it be open?  Do users need to directly connect to remote mail servers?

josey

yes, as i already explain situation, there is more than 50 users/client comps of subcontractors, and they are using their outgoing mail servers.

Cry Havok

So, you have 3 choices:

1. Force them to use 587/TCP to connect to their organisations mail servers (this is how it is supposed to be done) and block port 25/TCP except from your mail server.  Spam problem goes away.

2. Block 25/TCP outbound except from your mail server, require contractors to use a VPN to connect to their organisations mail server.

3. Install spam blocker, cross fingers, spam problem doesn't completely go away ;)

Personally I'd suggest that you go with your current plan, and tell contractors that they have 3 months before you implement (1) or (2).

josey

thanks for advice

that is same thing that i was thinking about!

and there is always "but why"

but definitely im going to block port 25 for some time !
this is pain in the a*s :(

Guest

I'm not sure why I'm bothering to reply considering how you've conducted yourself in this thread, but what the hell, I'm bored.

The problem here is that you're trying to attack a problem and not being willing to take the steps necessary.  In every site I've ever worked, we have a site security policy and a TOS which all network users must adhere to.  You need to decide what is important based on your network's goals.  If you need to be wide open, then I hope you have lots of lube and are properly flexible.  However, if security is your goal, then you have a responsibility to locking things down.

I do not allow untrusted clients into my full production networks.  If you have contractors coming in which may be infected with trojans and such, they should be isolated to a separate network segment.  That segment should be heavily locked down and monitored.  Contractors who come into your network should understand that they don't have full run of your network and will have to adhere to your TOS and security policy.

On a side note, if you post asking for opinions, when people offer their opinion, it would be a good idea for you to be receptive and not condescending.

josey

Sorry, i didn want to fight anyone …
sorry if looks like i want :(
i was thinking about this, and as i said will block port 25, only i need some transition period.

thanks for advices ;)