Our Pal Roy wrote:
>I have a customer whose E-Mail department requested a separate dedicated
>SMTP only FW. I can think of no reason to deny this request, but also am
>having difficulty finding reasons to allow it. I put it to the list: are
>there benefits or risk in allowing this type of configuration?
>
>Thanks
Risks:
- Another box to administer/lock down/worry about (will you get
the additional personnel to admin. this box, or will your resources
be spread thinner?).
- Power/Admin. issues - is this the turf of the "E-Mail department"
and will the power lusers in that department want access to the box?).
Benefits:
- I can block all but SMTP needed traffic with router access lists.
- inetd.conf will be really short.
- The performance should be reasonable. (Do they want virus scanning
of incoming email also?)
- If they break into the box itself, they can only dick with
mail stuff (it has no trust relationship with anything else as far
as non-mail stuff, right?) HOWEVER - they can download a sniffer
such as tcpdump and listen to the local ethernet segment (if this is
not on a dedicated switch port).
So, would I do this and sleep well at night?
I would say to management - "This is the cost - hardware, install
and ongoing personnel time, an IP address slot. I need control of
the box."
If management says do it and spend the money, then I would sleep well.
- Randy
Received on Sep 07 1999