firewall rules

[m_dolphina]

سلام
من از kerio6 براي firewall استفاده مي كنم.
براي يك isp كه از خط مخابرات و سرويس recive استفاده مي كنه. اين firewall در كجا بايد قرار بگيره كه بهترين پاسخگويي رو داشته باشه.

من يك web server و ras server و cache server و system dvb دارم كه فعلا روي همه سيستمها بصورت مجزا از kerio استفاده مي كنم.
براي استفاده از kerio در isp آيا rule خاصي پيشنهاد مي كنيد؟
ممنون و متشكر
موفق باشيد.

---

موضوعات مشابه:

• Configure ISA Server bandwidth rules
• RD Gateway deployment in a perimeter network & Firewall rules
• Publishing OWA Sites using ISA Firewall Web Publishing Rules (2004) Version 1.1
• network rules
• VUE Rules for iranian

---

[NetMaster]

Kerio is a Personal Firewall, what you need is a real firewall since you have those servers

You need to setup a DMZ and get your servers behind that Firewall in the DMZ zone

And then you need your firewall to manage traffic completly not partly

As far as i see now your servers are exposed to the internet and easy to be attacked

Good Luck

[a_arabbeigi]

علماي عزيز ميشه يكم بيشتر راجع به اين DMZ توضيح بديد؟
ممنون مي شم اگه يه توضيح كامل در موردش و يا راه اندازي اون و خواص اون بدين.

[NetMaster]

A DMZ - De-Militarised Zone, is a separate part of an organisation's network which is shielded and 'cut off ' from the main corporate network and its systems. The DMZ contains technical equipment to prevent access from external parties (say on the Internet) from gaining access to your main systems.

The term comes from the buffer zone that was set up between North Korea and South Korea following their war in the early 1950s. A DMZ is not a single security component; it signifies a capability. Within the DMZ will be found firewalls, choke and access routers, front-end and back-end servers. Essentially, the DMZ provides multi-layer filtering and screening to completely block off access to the corporate network and data. And, even where a legitimate and authorised external query requests corporate data, no direct connection will be permitted from the external client, only a back-end server will issue the request (which may require additional authentication) from the internal corporate network.

However, the extent to which you permit corporate data to be accessible from and by external sources will depend upon the value of the Business Assets which could be placed at (additional) risk by allowing access to (even) pre-specified data types.

You need a firewall with 3 network cards,

eth0 > Green ( Local Lan)

eth1 > Orange ( DMZ - Servers zone )

eth2 > Red ( WAN - Internet )

You need to drop all direct from red and orange, and masqurate connections on policy based from red to

orange, and allow whatever you need from green.

Good Luck