Where and how should I place my SMTP gateway in the security infrastructure?
I saw this question going around on one of the mailing lists I am subscribed to and would like to share some thoughts about it. This is old-school stuff, since our IT security perimeters are being diluted from a well-defined structure into unclear points by the new mobility, apps and cloud ecosystem. Every day new threats exploit the borderless network, and mobile platforms are a prime target. However, companies still need the old, traditional security perimeter, and it is always good to refresh the old network security infrastructure architecture and concepts. In addition, SMTP is a popular vehicle for malware infection and distribution.
To answer this question: there is no right or wrong answer, since it all depends on your organization's size and risk appetite. Designing a specific network security solution for a business of any size is an engineering and creative task. However, there are plenty of industry guidelines and best practices that you should follow in order to have a layered security approach, with defense in depth using redundant and overlapping security controls that mitigate or reduce the risk. Let's review three technical suggestions for deploying your perimeter SMTP gateway.
Single-arm deployment: You can have a single-arm configuration on your perimeter firewall. This is a simple solution and makes routing and switching easy. In this DMZ you will position your SMTP appliance, which will normally be one of the many SMTP gateway products out there, such as Trend Micro IMSS, IronPort ESA, eSafe Gateway, etc. This SMTP appliance will normally do anti-virus and anti-spam inspection (both ingress and egress). With this solution you will have a single physical network interface and run all the services on it: the SMTP traffic to the Internet and to the internal MTA such as Microsoft Exchange, as well as all the management protocols, like HTTPS and SSH for accessing the management interface, SNMP for monitoring, Syslog for logging and others like LDAP. This solution is very simple, with almost no complexity and low maintenance costs. It won't need any special routing or switching and will be easy to troubleshoot. However, your security posture won't be the best and you won't have segregation of data, which means management and production/data traffic will run on the same interface. You also need to consider that running all these protocols on one interface might consume a significant amount of the physical interface's bandwidth.
Two-arm deployment: With this configuration you will have one interface connected to the outside, typically the external firewall, and one interface connected to the inside, typically the internal firewall (it is also possible to create a two-arm solution with a single firewall). The appliance needs to have two physical interfaces, each one in a different subnet. Normally you call the external interface the frontend and the internal interface the backend. Management traffic will only be accessible through the backend interface.
Three-arm deployment: If you must have management traffic separated from data/production traffic, this is the best solution. Of course, your security infrastructure framework should already support this kind of model in order to have proper routing and switching. This setup will require three physical interfaces, each one on a different subnet. Normally the management interface will be in the same subnet as the management interfaces of the other security infrastructure appliances. At the expense of routing and switching complexity, you gain great control and flexibility over the data and management traffic, which means better security. This solution is normally harder to troubleshoot.
Those three models are the ones typically seen in enterprises, from small and medium businesses to large corporations.
In addition to the positioning, you should also have defense in depth for the SMTP protocol. This means you should consider different layers of AV/anti-spam inspection. Normally, you will have inspection at the gateway level, then at the MTA level and finally at the client level. You can further complement these levels with a layer 2 inspection gateway before or after your SMTP gateway. Do not forget to have an IDS doing SMTP inspection along the traffic path as part of a robust network defense solution. Furthermore, you also need to address DNS concerns for SMTP to work properly. Apart from the MX and A records needed for SMTP delivery, you might need PTRs, SPF and other records properly registered.
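As an added example (not from the original post), the following Python script checks the DNS side of a gateway deployment for a domain: for each MX host it verifies that the A record has a forward-confirmed PTR and that the address is authorized by the domain's SPF record. It runs against a constructed in-memory DNS snapshot instead of live lookups; the domain, hosts and addresses are invented, and the SPF evaluator handles only the ip4/ip6/a/mx/all mechanisms.

```python
import ipaddress

# Constructed DNS snapshot replacing live lookups; names and addresses are
# invented (documentation ranges). mx2 has a mismatched PTR and is not in SPF.
DNS = {
    ("example.com", "MX"): ["10 mx1.example.com.", "20 mx2.example.com."],
    ("mx1.example.com", "A"): ["203.0.113.25"],
    ("mx2.example.com", "A"): ["203.0.113.26"],
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mx1.example.com."],
    ("26.113.0.203.in-addr.arpa", "PTR"): ["smtp-out.example.net."],
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.25 -all"],
}

def lookup(name, rtype, dns=DNS):
    return dns.get((name.rstrip(".").lower(), rtype), [])

def spf_authorizes(domain, ip, dns=DNS):
    """True if the domain's single SPF record authorizes ip (ip4/ip6/a/mx/all only)."""
    spf = [t for t in lookup(domain, "TXT", dns) if t.startswith("v=spf1")]
    if len(spf) != 1:          # missing or duplicate SPF: nothing is authorized
        return False
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        matched = False        # include:/exists:/redirect= are not handled here
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in lookup(arg or domain, "A", dns)
        elif mech == "mx":
            hosts = [m.split()[1] for m in lookup(arg or domain, "MX", dns)]
            matched = any(ip in lookup(h, "A", dns) for h in hosts)
        elif mech == "all":
            matched = True
        if matched:            # first matching mechanism decides the result
            return qual == "+"
    return False

def check_gateway(domain, dns=DNS):
    """For every MX address: is its PTR forward-confirmed and is it in SPF?"""
    findings = {}
    for mx in lookup(domain, "MX", dns):
        host = mx.split()[1].rstrip(".").lower()
        for ip in lookup(host, "A", dns):
            rev = ipaddress.ip_address(ip).reverse_pointer   # x.x.x.x.in-addr.arpa
            ptrs = [p.rstrip(".").lower() for p in lookup(rev, "PTR", dns)]
            findings[ip] = {"host": host, "ptr_ok": host in ptrs,
                            "spf_ok": spf_authorizes(domain, ip, dns)}
    return findings
```

Running `check_gateway("example.com")` flags mx2 on both counts, which is the kind of misregistration that gets outbound mail from a gateway rejected or scored as spam.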
PS: If time permits I will add some diagrams to illustrate each one of the deployment models.