3

I have a block of 5 static IPs, and am going to be running an Exchange and web server on-site. I am wondering if I should separate the web server IP, mail IP, and internal network IP. What would the best practices for separation of the internal and external networks be?

The servers are going to be in a DMZ and behind our firewall.

Reid
  • I have no experience with Exchange, but do you want it to face the internet directly? If you need Exchange for your internal purposes, then put a mail server in front of it (Postfix) and fetch mail from Postfix to your Exchange from the internal network. Keep in mind that the purpose of a DMZ is to prevent servers in the DMZ from initiating connections into the internal network! Some people run UUCP to fetch mail kept on the mail server located in the DMZ from the internal network; this keeps the DMZ design. – jirib Mar 10 '12 at 20:26

2 Answers

4

I'd separate all these services. It's more secure in different ways:

  • One machine breaking doesn't shut down all your services
  • One machine getting compromised doesn't shut down all your services

What I do not understand is what you mean by internal IP. Is it for NAT? If so, you should indeed separate that one as well.

Also take care of your firewall rules depending on the service. Always whitelist instead of blacklist. If one service needn't see another, then block it.

Lucas Kauffman
3

The bestest of best practices (see also: most paranoid) uses a separate DMZ for each function. In your case, that would be a separate DMZ for the web server and another one for the Exchange infrastructure. Each device only gets a limited view of the internal network and, importantly, can't see the other DMZ devices either.

sysadmin1138
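To make the two answers (and jirib's point about DMZ hosts never initiating connections inward) concrete, here is an added example, not from any of the posters, that models the per-function DMZ layout as a default-deny whitelist and checks sample flows against it. The zone subnets, the port list and the rule that LAN clients fetch mail from the DMZ rather than the DMZ pushing inward are all assumptions made for the example.

```python
"""Whitelist model of a zoned perimeter: web DMZ, mail DMZ and internal LAN,
with a default-deny policy between zones. Added example; every address, port
and permit entry below is an assumption constructed for illustration."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Assumed zone addressing (constructed). 0.0.0.0/0 is the catch-all "internet".
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz_web":  ip_network("10.1.0.0/24"),
    "dmz_mail": ip_network("10.2.0.0/24"),
    "internal": ip_network("192.168.1.0/24"),
}

# Explicit permit list of (source zone, destination zone, TCP port).
# Anything not listed is dropped. Note there is no entry whose source is a
# DMZ and whose destination is "internal", and none between the two DMZs:
# the LAN reaches into each DMZ, never the other way round.
PERMITS = {
    ("internet", "dmz_web", 80), ("internet", "dmz_web", 443),
    ("internet", "dmz_mail", 25),          # inbound SMTP to the relay
    ("dmz_mail", "internet", 25),          # outbound delivery from the relay
    ("internal", "dmz_web", 22),           # admin access from the LAN only
    ("internal", "dmz_mail", 22),
    ("internal", "dmz_mail", 443),         # LAN-side Exchange fetches mail (assumed)
}

class Flow(NamedTuple):
    src: str
    dst: str
    dport: int

def zone_of(addr: str) -> str:
    """Most-specific zone containing addr; the /0 only wins if nothing else matches."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    return max(matches)[1]

def decide(flow: Flow) -> str:
    """'accept' only for whitelisted zone pairs; everything else is 'drop'.
    Return traffic for accepted flows is assumed to be handled by connection
    tracking, so only the initiating direction is modelled here."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "accept"   # intra-zone traffic does not cross the perimeter firewall
    return "accept" if (src_zone, dst_zone, flow.dport) in PERMITS else "drop"

def audit(flows):
    """Evaluate a batch of flows, e.g. from a proposed rule change or a log sample."""
    return [(f, decide(f)) for f in flows]
```

Run `audit` over flows pulled from firewall logs to spot anything a DMZ host is trying to open towards the LAN or the other DMZ; under this policy those should all come back as `drop`.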