network segmentation

This is no trivial task and involves a good router/firewall capable of proxy and subnet functions
Like a Cisco 515e and a SmartNet contract. Maintaining a Mailserver and
subnets is a full time job and employers dont often understand this. I
reccomend a cheaper method and a much lower frustration level (that takes
care of spam as well) which is to purchase mail services from a big company
like MCI and have them worry about encrypted mail services, viruses and
spam. Then beef up security & virus software on your accounting/ntdomain side.
It saves you time and the company money that is spent on equipment and manhours maintaining it.
It also saves you the headaches of dealing with mailtool incompatibility and user complaints.

But if youre a glutton for punishment:

-put the mailserver on its own subnet. (usually the lowest security level)
-put the accounting server and the rest of the clients on thier own subnet (highest security level)
purchase virus software for all clients and restrict all users from turning it off
[they will turn it off which defeats the whole purpose.]
-prescan all inbound email @ the mailserver for viruses, quarantine and non deliver all messages
that contain them. allow only the required port connections through the
firewall from the LAN side (unless wan access is required).

mail ports
POP3 port: 110
SMTP port: 25
IMAP port: 143
IMAP w/ TLS port: 993
POP: 995
enable http/s port: 80/443 if you use a webbased mailclient.

-disallow connections from the MAIL subnet to the ACCOUNTING/NTDOMAIN subnet
-allow all connections from the ACCOUNTING/NTDOMAIN to the MAIL subnet and WAN
-allow all inbound (mail port) connections from the WAN side to the MAIL subnet
-disallow all WAN traffic inbound to the ACCOUNTING/NTDOMAIN subnet
-you would also put DNS on the MAIL subnet and allow outbound connections to the WAN side from there

setup VPN services to allow access to the accounting server for those
working from home/WAN side via the internet. ...and this is the short short
version.

you may want to draw a diagram of this to get your head around it.
this costs money and time.. lots of it if you dont know what youre doing.
you're going to have to explain it to an idiot to convince him/her of why its a
good thing.

I like the simple version better. Its cheaper and more cost effective too..
What youre inquiring about is an entire infrastructure rework. No trivial task
for a novice.

Enjoy & good luck,
Cain

Thank you Cain for the thoughtful reply. Like you said, it's not a trivial project. But I think I need to study it carefully and plan it well before I decide which way to go. That's why I'm seeking advice from geeks who are familiar with this issue;-)

a/t

you'll learn alot doing this for the first time.. this is quite involved.
dont forget your low cost soloutions though. they can make a difference in quality
service and anguish level on a small budget. managed mail service will cost probably
$160-300 a month or so for 40 clients.. vs a Cisco Pix w/ smartnet contract for $3500+
for your first year.. (cost of equipment + contract) ..not to mention the cost for you
to maintain it. also, noone will be able to point a finger at you for spam. ;)

but if you're still gung-ho:
i would first start by segmenting dns & then mail off onto thier own subnet. just vary
the ip(s) and update dns and pointers on clients where appropriate (see below).

so if everybody is on 10.1.1.x subnet currently.. make mail and dns
on 10.1.2.x and leave everyone else where they are.

they can all be on the same network device initally. and the clinets know where dns
has moved to and it has been updated. you can take advantage of windows client
settings by setting the "new ip" as a secondary dns server and then resolving outside
dns from your internal dns server. (note: this is just the ip change. no security)
for linux/unix machines update dns source (all clients) /etc/resolv.conf and /etc/hosts
(if dns or mail) then restart newtworking via the following method:
/etc/init.d/networking restart dont forget to update dns in your router if thats where
your clients send the dns server request..

this will make tracking external dns requests a snap and lay a good foundation for the
future segmentation of your subdomain(s)

dont forget that you will have to allow tcp/udp traffic for dns in your firewall.. I think
its port 531 but i am not certain.

enjoy,
Cain

Thanks a lot for your input. You're giving precious help, especially that it's going to be the first time I do it. Unfortunately, the management prefer that we do everything in house. So, I guess I have to do this. I'm actually going to add layers to the network like by using internal firewalls and proxy servers.

By the way, congratulations on the Sys Admin appreciation day (July 29th;-)

hahahaahhahahahahahahha..

oh I am almost in tears. man, thats funny. ive never known a manager that would listen to a
sytems admin let alone show appreciation. I have only known endless toil and a love-hate
relationship towards the sys-ad staff. know-it-all management is the end of any noble
project or company. after all, sys-ads are an unwanted expence and are tolerated.

when you fail its your fault and you are to blame. when you succeed its your manager's
doing and none of yours. that is how the world turns.

some free advise: dont tell them anything they dont absoloutely need to understand.
then they sound like morons when they try to take credit for others work and ideas.
leave no passwords, no architectural notes & no documentation of any
kind. if theyre so smart they can figure it out when you're gone.
leave backdoors into everything. keep no mail on the mailserver, keep
paper transactions of timecards/paystubs. keep dated, detailed daily
notes of who you talk to, about what, what tickets you handle, what
issues persist etc, retire them to a filing cabinet at home monthly.

failing idiot companies tend to sue and 'randomly' fire in times of
desperation. Detailed, notes protect a sysad & printed timecards
prevent timecard fraud on the part of the company with leave, etc.

good luck and watch your back;
tks for the sentiment,
Cain

You know Cain, I decided not to segment the network now. I think I'm going with different path. But now, I have a different problem related to what I have posted before.

I have a sonicwall TZ170 firewall with intrusion prevention, email attachment filtering and gateway antivirus. It's been working just fine in my network for about 8 months.

recently, the LAN indicator of the firewall started blinking very fast in an unusual manner. after a little while, all light indicators on the network of all the devices (switches, hubs, NIC's) did the same blinking behavior in the same fashion. I have noticed that when the firewall is disconnected, the behavior of the network is usual and peaceful. But, bringing back the firewall into the network would cause everything to blink so wierd and some times it even causes the network printers not to print and some client-server applications to fail some tasks.

I use Norton Antivirus Corporate edition which detects all the viruses usually and cleans them up. I used it in addition to AVG and stinger and made sure all the computers are virus-clean. However, the weird behavior of the network/firewall still persists. Sonicwall sent me a replacement unit of the firewall which worked fine for one hour only, and then started that weird light indicator behavior. I'm about to have a heart attack here because of this mystery. It's so confusing and unpleasant. I don't know exactly what's causing this problem. Especially that I disconnected all the computers from the network but the firewall light doesn't want to stop blinking like crazy anymore.

Does anyone have any useful comment/suggestion/knowledge of this issue? Help is highly appreciated.

Hello. This is a duplicate post (about the LAN indicator). Please keep this topic on the network segmentation, and go with the other one for the firewall. I have already posted some suggestions on sniffing.

Christian

Thank you for the great suggestions. I tried Ethereal and I found out that the firewall was looking for the reporting server. For some reason it wasn't able to find it on the LAN, so, it kept sending packets like "who has 192.168.168.126?". Stopping this feature on Sonicwall fixed the problem. I need to worry about the reporting server later... Thank you!