IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
internal structure of the protected network is concealed. This function can be
assumed by the application gateway.
This configuration ensures that internal mail cannot enter the external network
and a unified address structure can be used..
net to be
protected
packet filter packet filter
internal
mail
internal
mail server
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Dual-homed
Application
Gateway
external
mail server
incomming mail outgoing mail
insecure
network
Figure 3: Configuration of the mail servers
Mail between computers in the network to be protected do not leave the
network as they are passed on by the internal mail server which also
manages the internal alias data base. Mail to external computers is sent via
the gateway to the external mail server and then passed on. For mail from
external computers, the MX entry (from the external DNS server, see Fig.
4) refers to the external mail server. The external mail server passes the
mail to the internal server. It may be possible for the function of the
external mail server to be assumed by the gateway.
Configuration of the DNS servers
Domain Name Service (DNS) is used to convert computer names into IP
numbers and vice versa and provides information on computer systems using
the network. DNS information should be concealed from the outside world,
i.e. Internet or other external networks. The most well-known method of doing
this is by a special configuration of two DNS servers (name servers). One
DNS server in the internal screened sub-net conceals the structure of the
network requiring protection and communicates with a DNS server in the
external screened sub-net, in order to transform names of external computers.
As DNS clients do not necessarily have to communicate with a DNS server on
the same computers, it is possible to have both processes run on different
computers.
The external DNS server must be configured in such a way that it claims to be
the authority for the domain of the protected network (primary server). Of
course, this system only knows what is intended to reach the outside world,
i.e. names and IP numbers of external mail servers, the application gateway
and the external information server. This is then a public DNS server.
The internal DNS server must also be configured in such a way that it claims
to be the authority for the domain of the protected network.. Unlike the
external DNS server, this private DNS server manages all internal DNS
information and passes on search enquiries from internal computers for
external hosts to the external DNS server.