Koozali.org: home of the SME Server

How many are running SME Server as a Firewall?

danielrm26

How many are running SME Server as a Firewall?
« on: November 10, 2002, 05:06:56 AM »
Greetings,

I am wondering how many here are using SME primarily as a firewall, and how many are using it primarily as a server.

I personally use mine as an email and FTP server, and I don't understand why (other than a COMPLETE lack of other machine availability) anyone would use this as a firewall AND a public server.  

There are Linux based firewall products that, in my opinion, far surpass the abilities of SME Server, e.g., Astaro, Smoothwall, etc. I thought the idea of SME Server was the secure services, not the firewalling features, but it seems that many here are asking all kinds of questions about how to close off this port or open that port using this product.  Well, at the risk of being less than respectful in this product's own forum, the answer is to use a real firewall.  Use this product as a firewall if you have NO OTHER OPTION, but if you can get a hold of another box, do yourself a favor and put up a real firewall and then run your SME server behind it.  As I said, I think that is where SME's strength lies.

Comments?

nmollring@cennecs.org

Re: How many are running SME Server as a Firewall?
« Reply #1 on: November 10, 2002, 07:20:30 AM »
I guess it depends on how 'robust' of a firewall you need.  I've used Smoothwall and other firewall-only products.  I have yet to find anything my SME boxes (home and personal) can't do firewall-wise that I can do with what you call a 'real' firewall.  I port forward and open ports etc... without a problem.  I could easily set up another computer as a firewall, but what would I gain?  I should do myself a favor and get a real firewall--I don't think so.  Oh, and SME is a firewall--what exactly makes a firewall a 'real' firewall anyway?  You say you don't understand why someone would use SME as the firewall.  To answer that you need to tell me why I shouldn't.  Give some examples of what a 'real' firewall can do that my SME box can't, and I'll see if I need those features.  All of the above is based on my decision to not use a second firewall box--I seriously considered it and did some testing with Smoothwall and others.  Yes, you are being less than respectful.  You seem to be saying don't use SME as a firewall--get a 'real' firewall.  When I'm saying SME has a fine firewall for most applications--if you need a more robust firewall, go get one.  The only reason I even posted all this stuff (instead of disregarding your post) was because I didn't want the more novice SME users thinking they needed another firewall when they probably don't.

danielrm26

Re: How many are running SME Server as a Firewall?
« Reply #2 on: November 10, 2002, 12:14:18 PM »
>You say you don't understand why someone would use SME as the firewall. To answer that you need to tell me why I shouldn't.

You want a reason not to run your firewall and your main public server on the same machine?  IT ISN'T SMART.  Anyone who is into security knows this.  Go into any respectable security forum and ask if you should run a mail, ftp, and samba server on a firewall and see what they say.  It is common knowledge in the security community that you run the least amount of services (if any) on a box that is acting as a firewall.

>Oh, and SME is a firewall--what exactly makes a firewall a 'real' firewall anyway?

Hmm.  So Microsoft ICS and Zone Alarm and Checkpoint are all the same because they are all firewalls?  Just because something 'is' a firewall doesn't make it a good one.

>Yes, you are being less than respectful. You seem to be saying don't use SME as a firewall--get a 'real' firewall. When I'm saying SME has a fine firewall for most applications--if you need a more robust firewall, go get one.

The reason I mentioned the respect issue is because it is customary to not talk about a product's potential weaknesses in that product's own forum, but to take it to the extreme is stupid.  All I am doing is pointing out that SME is, in my opinion, best as a 'server'.  The firewall features are added on so that you don't have to have one separately, but the server seems to be the main product.

In case you didn't notice, my post was a question about how people were using their SME Server.  I followed up my question with my opinion about what SME's strong point was, and my view that a separate firewall in conjunction with SME is ideal.  This should not have offended you.

Also, just for the record, I presented an opinion - nothing more, nothing less.  The opinion I expressed also happens to coincide completely with the entire security community.  EVERYONE knows it's not a good idea to run services on your firewall machine.  So, instead of dutifully protecting novices from my post you should be doing some studying in the areas of forum etiquette and security philosophy.

The bottom line is this.  SME is a great server product, and if you don't have a firewall, its full implementation of ipchains gets the job done.  But in my opinion, if you have another Pentium II machine lying around, you would be better served by using it as a dedicated firewall.  This way, in the event of a root compromise of one of the services running on your SME machine (which would be very difficult of course), you wouldn't lose your entire network's firewall at the same time.  This is a well known security concept.

allan

Re: How many are running SME Server as a Firewall?
« Reply #3 on: November 11, 2002, 02:46:29 PM »
easy folks .. easy ....

true enough, a firewall should be just that, a firewall, nothing more, nothing less, it is _generally_ regarded as the correct way to do things.

Having said that, have you actually ever hacked your SME server ?  

I think there are plenty of wicrosoft boxes connected with many more weaknesses than a linux box of any flavour, read, far easier targets.

For a small business, home user, intranet ( as a server only ) I love and highly recommend e-smith.

As a large corporate, I'd feel more comfortable with a dedicated hardware box than plain software .. I guess it all comes down to what you're comfortable with and what you're protecting !

al.

danielrm26

Re: How many are running SME Server as a Firewall?
« Reply #4 on: November 11, 2002, 07:50:05 PM »
> true enough, a firewall should be just that, a firewall, nothing more, nothing less, it is _generally_ regarded as the correct way to do things.

Indeed.

> Having said that, have you actually ever hacked your SME server ?

No, and I am sure it would be nearly impossible, but that doesn't make it a good idea to run services on your firewall.

> I think there are plenty of wicrosoft boxes connected with many more weaknesses than a linux box of any flavour, read, far easier targets.

Again, also true.  But the issue isn't about whether or not someone is 'probably' going to get hacked using SME Server as a firewall.  It is simply not an ideal situation to have your public server and your firewall integrated.

> For a small business, home user, intranet ( as a server only ) I love and highly recommend e-smith.

Definitely; it's a top-notch product.  I recommend it constantly.

> As a large corporate, I'd feel more comfortable with a dedicated hardware box than plain software .. I guess it all comes down to what you're comfortable with and what you're protecting !

Right, but if you have an extra box, it is ALWAYS better to have your firewall separate.  It's not like there are certain situations where your security is improved by having your public services on your firewall.  All I am saying is that if you don't have another box then SME is a great solution, but if you do, you should go ahead and separate the roles.

As for your calling for us to calm down, I guess I shouldn't have gotten so upset.  I just can't stand it when people have the audacity to get high and mighty while utterly wrong about something.  If my initial post sounded inconsiderate then I apologize.  My intention was for it to be much more friendly in tone.

Scott Smith

Re: How many are running SME Server as a Firewall?
« Reply #5 on: November 11, 2002, 08:48:01 PM »
> My intention was for it to be much more friendly in tone.

Unfortunately, most of us do not have sufficient mastery of the written word to convey tone via what is an essentially tone-free medium. Writing is free of nuances such as emphasis, inflection, intonation, physical cues, &c., which render it almost useless in conveying opinion and emotion, but well suited for transferring facts and figures.

Consider the classic case of "I didn't say he stole money." In the spoken medium this sentence can have six distinct meanings simply by repeating the sentence six times and placing the emphasis on each word, beginning with the first, "I", and ending with the last, "money." With the spoken emphasis, the meaning is clearly discernable in each variation. In written form, especially without added punctuation and enhanced presentation, it is lifeless and its meaning can be derived only from context and through the influence of the reader's subjective mode of interpretation.

In other words, when dealing with the written word, especially in an environment such as a forum where people are not professional writers and are often not writing in their native tongue, which is to say they lack the time and/or skills to convey tone through the pen, electronic though it might be, it is the well-advised soul who gives careful consideration to their interpretation, tending to favor diminishing rather than magnifying perceived threats and slanders and malignments of all sorts.

That said, in a practical sense, experts in most subject areas, and notably those in highly specialized fields, and most notably those in newly developing disciplines, are prone to examine truth from the perspective of the worst case scenario and to espouse good and proper solutions in the context of the best case environment. To wit, I was once in the employ of a large company who fell prey to designing products and solutions only for their premiere customers, that 10% who generated 50% of the revenue. While their solutions were appropriate for the few who deployed systems across dozens or hundreds of sites and hundreds or thousands of users, they were grossly inappropriate for the 90% of the customer population who had one or two locations and a small cadre of users.

SME is directed towards the 90%, where the employment of separate servers for application services and firewall features is impractical for various and sundry reasons. The risks associated with the merged solution are acceptable, and therefore the "textbook" application of security, typically that bit of truth established to define how a best case environment should deal with a worst case scenario, does not apply. Outside of the speculative realm of theoretical application and hypothetical projection lies an area known as the real world, where compromises are mandated and risks are accepted, often for reasons seemingly inappropriate in the view of the experts. Often these experts, when moved from the infinite expanse of the theoretical universe and placed into the finite confines of the practical world, find their truths and solutions to be just so much time and paper.

To the 10% who can afford the everything-and-then-some approach I say, "More power to you."

Everyone else must find the solution that is appropriate for their needs, even if it is lesser by comparison.

dave

Re: How many are running SME Server as a Firewall?
« Reply #6 on: November 11, 2002, 09:12:17 PM »
I know a FW should be just that and nothing else but I personally run SME on my home network as a firewall/email/web server.  In this situation, a small SOHO setup, I believe SME to be perfect.  It's almost a hands off setup.  I do have some junk boxes lying around that I could have used as a FW only but that's one more box sitting in my family room with fans and harddrive(s) running making even more noise - as my Wife says anyway - personally, I kinda like the noise a computer makes...  

Yes, I could have picked up a DSL router to use but I also wanted to pick up some Linux knowledge.  Much of the custom configuration of SME is unique to SME's implementation but it is still a good way to learn.  Plus its template processes create an excellent way of backing out a mod if I do it wrong.

BTW:  I'm certainly no expert but I believe it's possible to use SME as a dedicated FW only device.  Just don't enable email, DNS, web services (for external access) etc.  Is this true?  The only thing it can't do with its default settings (at least I haven't found how) is to use a 3rd NIC to create a DMZ.

I certainly don't take offense to any comments made, everyone is entitled to their own opinion and as far as I'm concerned, the opinions/comments made are valid.  I'm a huge fan of SME and have recommended it a number of times, it does have its downsides but I believe it does what it's designed to do exceptionally well.

Nate

Re: How many are running SME Server as a Firewall?
« Reply #7 on: November 11, 2002, 09:20:04 PM »
"Everyone else must find the solution that is appropriate for their needs"  Probably the best statement in this whole topic.  My production e-smith install is purely email and a gateway to the internet for my LAN users.  I would gladly install another firewall computer if I needed it--maybe someday I'll install a firewall box.  I apologize if anyone was upset by my post--that was the last thing I was trying to accomplish and I'm far from upset.  I'm just trying to point out that quite a few installs don't 'require' another firewall computer.  SME is the perfect server for non-profit companies that have to conserve money.  When I get tired of my old NT server (only reboots when we have an extended power outage), I'll probably install another SME server for file sharing on the LAN.
Nate

Ray

Re: How many are running SME Server as a Firewall?
« Reply #8 on: November 11, 2002, 09:43:11 PM »
Hi.

I think the problem is solved and everything concerning it is said.
About the initial question: At home I now have SME as Server and Firewall.
Before I was using IP-COP as a pure Firewall and believe me, it's really a great one ( GPL too ). But the need of a Server for sharing data made me change my setup to SME. The only thing I have a problem with is the non-existing dial-on-demand option for DSL.

At work I use a TOSHIBA SG-20 with a RedHat Linux on it as Server and an old P200 computer with IP-COP on it as a firewall.

So. That's it.

Charlie Brady

Re: How many are running SME Server as a Firewall?
« Reply #9 on: November 11, 2002, 10:49:25 PM »
dave wrote:

> I know a FW should be just that and nothing else but I
> personally run SME on my home network as a firewall/email/web
> server.  In this situation, a small SOHO setup, I believe SME
> to be perfect.

The principal advantage that a "real" firewall has over a hardened server/gateway is resistance against attack from the internal network, especially attacks by authorized users.

> Yes, I could have picked up a DSL router to use ...

A few minutes searching these boards will reveal many frustrated users with problems related to using DSL/cable routers, rather than the server in server/gateway mode. With a separate gateway, you have multiple devices to configure, and the configuration settings all need to be correctly co-ordinated.

[I noticed someone recently referred to a "hardware firewall". AFAIK, all firewalls comprise both software and hardware.]

Charlie

danielrm26

Re: How many are running SME Server as a Firewall?
« Reply #10 on: November 11, 2002, 11:33:20 PM »
Hmm.  Thanks for the posts, guys.

Let me just say that I think there is some sort of misconception about how difficult or major it is to configure a dedicated firewall.  Many here have  mentioned the resources and effort involved in doing so, but there really isn't much of a requirement for either.

The networks being discussed here are most likely all small to medium sized (hence, SME), and given that specification, an old PII with 128MB of memory is all that is really needed to make an outstanding IPTABLES based standalone firewall.  Using one of the premade firewall products you can use a GUI interface to assign all your forwarding, do proxying, mail filtering, etc, while having your SME box sitting safely behind it doing what it is so good at doing.

So, to me, running SME as a firewall is a solution ONLY if you just don't have another machine.  The idea of separating roles is a concept that is very important in the *nix world and in security.  You don't want your gateway machine doing your database work and backups and file sharing, etc.  You want to separate roles so that if one system goes down you only lose the function that that machine was serving, and not EVERYTHING.

But, that having been said, the fact of the matter is that a solid IPCHAINS implementation is going to stop most attacks that anyone here will see, and the odds of an SME box completely pooping itself aren't good.  So having it all on one machine isn't a big deal or anything.  I was just wondering how many were doing it, and wanted to offer that they may be happier with the roles separated and SME as a server only.

--danielrm26
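The recurring point in this thread (run as few services as possible on the box that acts as the firewall, and disable mail, DNS and web if you want SME as a firewall-only device) can be turned into a quick audit. The script below is an added example, not code from the thread or from SME Server: it parses a socket listing in the shape of `ss -tlnp` output and reports every TCP listener reachable from the outside that a dedicated firewall host would not be expected to have. The sample socket table, the LAN-side address `192.168.1.1` and the allowlist (SSH only) are constructed assumptions for illustration.

```python
"""Audit which TCP services a gateway host exposes on its external side.

Added example; not part of the forum thread or of SME Server. The sample
below is constructed to look like `ss -tlnp` output, and the LAN address
and the allowlist are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Constructed sample: a gateway that also runs mail, FTP, Samba, DNS and ident.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=612,fd=3))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=700,fd=13))
LISTEN  0       32      0.0.0.0:21           0.0.0.0:*          users:(("proftpd",pid=710,fd=1))
LISTEN  0       50      192.168.1.1:139      0.0.0.0:*          users:(("smbd",pid=720,fd=35))
LISTEN  0       128     192.168.1.1:53       0.0.0.0:*          users:(("named",pid=730,fd=21))
LISTEN  0       128     0.0.0.0:113          0.0.0.0:*          users:(("identd",pid=740,fd=4))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=750,fd=10))
"""

INTERNAL_ADDRESSES = {"192.168.1.1"}      # assumed LAN-side address of the gateway
LOOPBACK = {"127.0.0.1", "::1"}

# Ports a dedicated firewall host would be expected to expose externally (assumption).
FIREWALL_ALLOWED_EXTERNAL_PORTS = {22}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_ss(output):
    """Turn `ss -tlnp`-style lines into Listener records (header and non-LISTEN lines skipped)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")            # IPv6 sockets appear as [::]:port
        proc = fields[5]
        name = proc.split('"')[1] if '"' in proc else proc
        listeners.append(Listener(addr, int(port), name))
    return listeners


def externally_reachable(listeners):
    """Sockets bound to the wildcard or to any address that is not LAN-side or loopback."""
    return [l for l in listeners
            if l.address not in INTERNAL_ADDRESSES and l.address not in LOOPBACK]


def unexpected_on_firewall(listeners, allowed=FIREWALL_ALLOWED_EXTERNAL_PORTS):
    """External listeners that a firewall-only host should not have."""
    return [l for l in externally_reachable(listeners) if l.port not in allowed]


if __name__ == "__main__":
    found = unexpected_on_firewall(parse_ss(SAMPLE_SS_OUTPUT))
    for l in found:
        print(f"{l.process} listening on {l.address}:{l.port} is exposed externally")
```

Running it against the constructed sample flags the mail, FTP and ident daemons (ports 25, 21 and 113) while leaving Samba and DNS alone because they are bound only to the LAN-side address. On a host in server-only mode the same services are expected, so the allowlist is what encodes the role the box is meant to play.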

Cyrus Bharda

Re: How many are running SME Server as a Firewall?
« Reply #11 on: November 13, 2002, 05:23:10 AM »
I have only been using SME for a very short time, and in that time I have tried an array of different types of attack over several days to see exactly how robust it really is and I could not get in, although it only took me several hours to get through my DSL router with built-in firewall, fancy that :)

Cyrus Bharda

Mathias Vestergaard

Re: How many are running SME Server as a Firewall?
« Reply #12 on: November 14, 2002, 08:10:03 PM »
I use SME as both firewall and server, because my network is too small to have dedicated boxes for everything.
I also find the tight integration between PPTP and the DC very useful when I connect remotely from my iPAQ. I've tested Smoothwall, but I wasn't able to make PPTP connections, and I don't want to use IPsec.

I haven't tried to hack it, but I had a Symantec online tool do some port scanning. The only result was that port 113 was open.

Mathias Vestergaard
MT Productions
www.mtproductions.dk

Mathias Vestergaard

Re: How many are running SME Server as a Firewall?
« Reply #13 on: December 03, 2002, 12:46:10 AM »
hi

I'm quite new to Linux and SME, however I'm quite experienced with MS-based stuff.

You write:
I have yet to find anything my SME boxes (home and personal) can't do firewall-wise that I can do with what you call a 'real' firewall. I port forward and open ports etc... without a problem.

I say: How? How can you manage ports, and what about intrusion detection?
I really want to know!

--
Mathias

Christopher

Re: How many are running SME Server as a Firewall?
« Reply #14 on: July 21, 2003, 07:37:50 PM »
Search this list for IDS and ports; there are several contribs available that let you do this.