Zimbra Implement, Administer and Manage.pdf

This material is copyright and is licensed for the sole use by Kliwon Klimis on 28th October 2008 425 cilce, , frood, grradt, 525254

Securing Zimbra

Most operating systems, most flavors of Linux included, offer a means to download the latest updates with very few clicks of the mouse. In fact, most distributions include the ability to download updates automatically, at a time that you, as the systems administrator, determine. Although I do recommend that you schedule updates to download automatically, I would be cautious about applying updates in that manner.

The Zimbra server is a mission-critical server in your environment. Therefore, patching and updating the server must be a top priority. But making sure that the patches will not cause downtime is also imperative. In an ideal situation, having a mirror image of the Zimbra server to be used as a development and/or sandbox system would offer the administrator the ability to test the patches before rolling them out to the production server. I am well aware that a mirrored server is a luxury most administrators do not have. All that being said, patching should be done after hours, or when the fewest people are accessing the system in a 24/7 environment, and a full backup of the system should be made prior to applying patches. Zimbra and Linux both offer some very good built-in backup and restore functionality that makes this a fairly easy and straightforward task. We will be discussing disaster recovery fully in a later chapter, but for now just remember to back up the server before applying any operating system patch.

Zimbra does a very good job of providing maintenance updates for the Zimbra server. These maintenance updates are very easy to apply; in fact, all one needs to do is download the patch from Zimbra.com, unzip it, and install it just like you would in a fresh install. All of your settings will remain intact. Again, I must caution you that a backup of the /opt directory and of Zimbra itself is a must before running any Zimbra updates. Also, an upgrade of Zimbra usually requires at least 5 GB of free space on the drive containing the /opt directory. Therefore, make sure the space is available prior to running the install.sh program (the install/upgrade script will check the available space anyway).
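The two pre-upgrade conditions described above (a current backup, and at least 5 GB free on the filesystem holding /opt) can be enforced by a small gate that runs before install.sh. This is an added example, not part of the book or of Zimbra; the backup archive path and the 24-hour freshness window are assumptions.

```shell
# Added example: pre-upgrade gate. Backup path and age limit are assumptions.

# Print free space, in whole GB, on the filesystem that holds path $1.
free_gb() {
    # -P forces one output line per filesystem, -k reports 1 KB blocks.
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# Succeed if $1 is a non-empty regular file modified within the last $2 hours.
backup_is_fresh() {
    [ -f "$1" ] && [ -s "$1" ] || return 1
    # find prints the path only when its mtime is newer than N minutes ago.
    [ -n "$(find "$1" -mmin "-$(( $2 * 60 ))" 2>/dev/null)" ]
}

# preflight DIR BACKUP [MIN_GB] [MAX_AGE_HOURS]
# Returns 0 when the upgrade may proceed, 1 for low space, 2 for a bad backup.
preflight() {
    dir=$1 backup=$2 min_gb=${3:-5} max_age=${4:-24}
    have=$(free_gb "$dir")
    if [ -z "$have" ] || [ "$have" -lt "$min_gb" ]; then
        echo "ABORT: ${have:-unknown} GB free for $dir, need ${min_gb} GB" >&2
        return 1
    fi
    if ! backup_is_fresh "$backup" "$max_age"; then
        echo "ABORT: no backup newer than ${max_age}h at $backup" >&2
        return 2
    fi
    echo "OK: ${have} GB free, backup $backup is current"
}

# Usage (hypothetical backup path):
#   preflight /opt /backup/opt-zimbra.tgz && ./install.sh
```
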

Securing the Network

As mentioned earlier, the Zimbra server is an internet-facing host and as such it could be used as a means of malicious attack on your Local Area Network (LAN). Because of this, it is important that you not only take precautions on the server itself, but also build a strong and secure network perimeter. This section will describe three tools you could use to immediately secure your network. Keep in mind that, depending on the structure and organization of your Information Technology group, you may need to enlist the help of a network engineer to implement these tools.


Chapter 5

Creating a Demilitarized Zone

The first item is to create a demilitarized zone (DMZ) that will be used to segment, or subnet, the Zimbra server from the rest of the LAN. This way the Zimbra server does not have access to the internal/corporate network, so that if by any chance an attacker is able to compromise the Zimbra server, they will not have any access to the internal network and thus the damage will be limited to that server.

The DMZ can be created by placing a firewall between the internet, the local area network, and the DMZ. Usually a port is configured for each area, thereby keeping the networks separated. Any server that is accessed publicly from the internet, whether it be a DNS server, a web server, or an email server, should be kept away from the internal network via the DMZ.

Firewalls

We have already discussed the use of firewalls both on the host and for use in creating a DMZ. The firewall, in most cases, is your last line of defence between your internal network and the outside world.

Firewalls monitor incoming (ingress) and outgoing (egress) traffic by examining each packet and checking whether the traffic should be approved or denied based on rules that are set up by the network administrator. Rules may be created based on particular ports, services, or destination and source IP addresses. These rules need to be up-to-date and configured properly, as a firewall is only as good as the rules that it has defined. If no rule exists, some firewalls are configured to automatically let traffic through. Therefore, it is important to know what traffic needs to come in and out of your network and to turn off access to all other traffic.
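One way to check a Linux host firewall for the allow-by-default condition described above. This is an added example, not from the book; it assumes the rules are netfilter/iptables rules in the text format written by iptables-save, and both sample rulesets are constructed.

```shell
# Added example: read iptables-save text on stdin, print each built-in filter
# chain that lets unmatched packets through; exit status 1 if any is found.
audit_default_policy() {
    awk '
        /^\*/ { table = substr($1, 2); next }       # "*filter", "*nat", ...
        table != "filter" { next }
        /^:/ {                                       # ":INPUT ACCEPT [0:0]"
            chain = substr($1, 2)
            if ($2 != "-") { policy[chain] = $2; order[++n] = chain }  # "-" = user chain
            next
        }
        # Track whether the latest rule of a chain is an unconditional drop/reject.
        $1 == "-A" { catchall[$2] = ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (policy[c] == "ACCEPT" && !catchall[c]) { print c; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample rulesets (not taken from any real host).
sample_permissive() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
EOF
}
sample_default_deny() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}
```

On a live host the same function can be fed with `iptables-save | audit_default_policy`; every chain name it prints needs either a DROP policy or a final catch-all rule.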

Also, do not fall into the trap of thinking that there is no reason why an attacker would want to target your network, so why go through all of the trouble of configuring firewalls and closing ports. More often than not, attackers begin gathering potential targets by scanning full classes of internet addresses, looking for particular ports that are listening, so that they know they have an attack that will compromise a known vulnerability on that port. So, in a lot of cases, the victims of an attack were not targeted because of who they are; they were targeted because of which ports they had listening and open. A firewall is key to any network, no matter the size, and in this author's humble opinion is not optional.

Virtual Private Networks

One of the key selling points of Zimbra, and most collaboration suites nowadays, is the ability to check your email from anywhere. Although Zimbra does use TLS/SSL technology to encrypt and secure the user's email from sniffers and

