Micro Enterprise Size Firewall Configuration practices.


For the Micro Enterprise Size build design from the Build Your Own section I used the WatchGuard XTM 330 series firewall. You can use any similar type of firewall and make adjustments to match or mirror the configurations I'll be offering you here.

If you're using a firewall that does not allow this level of detailed tuning, then buy one that does. It's not as easy as it was back in the days of our Cisco 672 routers. Wait, bad example: they were nearly all hacked and used in DoS attacks against Yahoo and eTrade. Let's start with the 675 router instead. Hold it: slow, NAT tables corrupted. You paid, like I did, $200 to $300 when these came out, and each time you had to upgrade you paid again. So face it, you've been paying yearly anyway. Time to buy a proper subscription-based service with your firewall.

As with all my configurations, I'll start with what I see as the most used: IIS, SMTP, HTTP.

I'll get into VPN, and RDP over SSL and IPsec, later. Once you've completed this you should have the following services up and running in your firewall.

One note: you can build a policy rule and leave it disabled while you are setting things up. I want you to follow my "35 Second Rule": you must be able to disconnect, change, update, stop or unplug your network from the Internet in 35 seconds or less if you detect you have caused more harm than good. That is the time it took for a Windows 2000 Server connected directly to the Internet to be infected with a Trojan. When you connect, you have to have everything ready to fight.

Configuration Policy SMTP POP3

Congratulations!
Your TestSenderAssureTLS test was SUCCESSFUL.
TestSenderAssureTLS was unable to trick your mail sender into sending the test email insecurely.

From this day forward, port 25 is just a little kiss compared to the TLS connection on port 587.

Update 3-31-2015: I'll be adding certificates to the guide and how to cure the simple errors like "Certificate Chain" and "HTTPS Client Certificate not available". It's all a simple process once you've done it a couple of times. I've hacked my router and email server a couple of times during this process. Just follow closely and do your part of the reading.

Update your CDO.Message code to enable STARTTLS (StartTLS = True) and change the port from 25 to 587 to match your email server's setup. Do the same in your Web.Config file as well.
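Here is what that change looks like in classic ASP/VBScript. This is an added example, not the page's original code: the server name mail.example.com, the addresses and the credentials are placeholders, and the CDO configuration field that switches the session to TLS is smtpusessl (CDO has no field literally named StartTLS). The old port-25 values are kept as a comment so you can see exactly what moved.

```vbscript
' Added example, not the page's original code: a CDO.Message sender moved from
' plain SMTP on port 25 to TLS on the submission port 587.
' Assumed placeholders: mail.example.com, the addresses and the credentials.
Option Explicit

Const CDO_SEND_USING_PORT = 2   ' deliver over the network to an SMTP server
Const CDO_AUTH_BASIC      = 1   ' SMTP AUTH; only acceptable because the session is encrypted
Const CDO_NS = "http://schemas.microsoft.com/cdo/configuration/"

' Builds and sends one message. Returns "" on success, otherwise the CDO error text.
Function SendTlsMail(strTo, strSubject, strBody)
    Dim objMsg, objFields, strResult
    On Error Resume Next

    Set objMsg = CreateObject("CDO.Message")
    Set objFields = objMsg.Configuration.Fields

    objFields.Item(CDO_NS & "sendusing")        = CDO_SEND_USING_PORT
    objFields.Item(CDO_NS & "smtpserver")       = "mail.example.com"   ' assumed server name
    ' Old code: smtpserverport = 25 and no smtpusessl field, so the session went out in clear text.
    objFields.Item(CDO_NS & "smtpserverport")   = 587                  ' submission port
    objFields.Item(CDO_NS & "smtpusessl")       = True                 ' CDO negotiates TLS (STARTTLS) on this port
    objFields.Item(CDO_NS & "smtpauthenticate") = CDO_AUTH_BASIC
    objFields.Item(CDO_NS & "sendusername")     = "notify@example.com" ' assumed
    objFields.Item(CDO_NS & "sendpassword")     = "change-me"          ' assumed; load from a protected store, not source
    objFields.Item(CDO_NS & "smtpconnectiontimeout") = 30
    objFields.Update

    objMsg.From     = "notify@example.com"   ' assumed sender
    objMsg.To       = strTo
    objMsg.Subject  = strSubject
    objMsg.TextBody = strBody
    objMsg.Send

    If Err.Number <> 0 Then
        ' A refused STARTTLS or a rejected certificate surfaces here as a COM error
        strResult = "CDO error 0x" & Hex(Err.Number) & ": " & Err.Description
        Err.Clear
    Else
        strResult = ""
    End If
    On Error GoTo 0

    Set objFields = Nothing
    Set objMsg = Nothing
    SendTlsMail = strResult
End Function

' Usage: an empty string means the message went out over TLS; anything else is the failure reason.
Dim strStatus
strStatus = SendTlsMail("member@example.net", "TLS delivery test", "Sent over port 587 with TLS.")
```

If the server refuses STARTTLS or presents a certificate the Windows host does not trust (the "Certificate Chain" error mentioned above), Send raises an error and the function returns it; CDO does not silently retry in clear text, which is the behaviour you want. For the Web.Config side of an ASP.NET site the equivalent settings are the port="587" and enableSsl="true" attributes on the network element under system.net/mailSettings/smtp.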

TECH NOTE: Important that you read this. 


I have always attempted, and made my best effort within budgets, to keep things safe and up to date. I even schedule 6 to 8 hours every second Tuesday of every month to update all the online front-end and back-end servers and workstations here. At times it takes longer, but on average all is well in about 6 hours.

With that said, I have to note that if your server is old, unpatched and not following basic security practices, I'm not going to allow it to connect to my servers. I was very busy during the Nimda virus attacks on public servers that were not patched. We all, that is all IT server admins, were told by Microsoft 22 days before the virus hit how to patch against it. I had my servers patched, then started telling others to patch theirs.

Today it's more about communications, and I'm slowly moving toward a fully encrypted communications process. Client to server, server to server and server to client: all connections that are not internal to your personal device need to be encrypted.
It's very easy to understand: you hand me a letter, I say I'll deliver it and won't let anyone read it while it is under my control. I do my part keeping your letter safe and secure.

But those that say "Sure, I'll deliver it, but I'm not going to encrypt it, nor am I going to use a secured connection, but I'll send it" should be shut down.

I had to work 6 extra hours today measuring the impact this might cause to my members and visitors. I found that out of 20 emails, 3 were from spam email servers and one corporate email server did not offer any type of secured connection.

It's 2015; all servers use drive encryption as standard practice.
It really is 2015; that's 16 years since my first self-signed certificate for SSL connections.
It's the 3rd month of 2015, and MySmallCloud.Com networks are now sending ONLY TLS-connected emails: client to server, server to server, encrypted between servers.

This means those of you that use my email server will have a secured connection and encryption to your recipient's email server. At that point it's all over for us; there is nothing more I can do. But, to make sure you know, I'm not going to deliver to any server that does not allow TLS connections. Done, it's now corporate policy for me.

Sorry if you feel reading the tech note was a waste of time, but it's important to understand why some servers reject emails. My servers have been good for 16+ years and only now am I forcing your servers to at least reach my level. Even if you run with a self-signed certificate you can still have a secure TLS connection and encrypted delivery of email.

Tech Resources: 

 

  • SMTP TLS Diagnostic log

    XTM 330 Fireware diagnostic log of email between my SmarterMail server and Google email. Google shows your TLS status when you click the down arrow next to your email address in the header. If you don't see any TLS information it means the message was not sent using TLS. I see this between my Hotmail and Gmail often. I also see it when using my cellular carrier's text-to-email service. It's good to see some are using TLS, but those that really need to use secured transmission need to do so soon. You'll also see that domain names have nothing to do with TLS. Don't confuse the two.

  • Static Blocking by FQDN

    You have been asking for it: blocking by FQDN (Fully Qualified Domain Name). Now WatchGuard XTM 11.10 has it, and it really works. Now you can block those pesky scanning sites that seem to have more IPs than they are worth.

  • Fireware XTM Web UI BANNED

    Blocking external and internal access to your WatchGuard firewall's Web UI is easier than you think. Just make sure you keep your networks in order, so that only your admin network has access to the Firebox. How to block, deny and ban connections to the Fireware XTM Web UI in the WatchGuard firewall settings.

  • SMTP TLS Certificate chain

    More setup information for you and your WatchGuard XTM 330 running 11.9.4.x. I wanted to share some of the headaches with you all. It's difficult at times working with different equipment vendors to get everything to work together smoothly. I've been testing the settings and making changes to better serve my networks. I know you'll find this information valuable when you start setting up your TLS and certificates. Remember, if you're only looking for TLS you do not need to purchase a certificate; the TLS settings will encrypt the communications. What a purchased (or otherwise trusted) certificate adds is authentication: a self-signed certificate encrypts the session, but it does not let the other side verify which server it is talking to.


The complete setup, configuration, policy rules, ports, bans, blocks and more. Everything you should have and maybe more when you show me I missed something. Configuration of your firewall is most important. Protect your network, servers, desktops, mobile devices, smart devices and media devices.