Topic: HOW secure is an SME-box, running in private-server-gateway-

[Mathias Vestergaard]

I'm quite new to all this linux-stuff, but I find my new SME-server very usefull, and easy to handle, but I'm always concerned about security.

how secure is it as a firewall? A port-scan from sygate.com revealed severel unclosed ports, but the server is running in private-server-gateway-mode.

I know that my windows-based clients and simple passwords, probably are far the most concerning risk, but I know plenty of guys who help me with this task, so please don't reply with: "don't worry about the SME-box, it's the rest of.....".
Just tell me HOW secure the firewall in SME5.5 is, as a firewall. If some of you know MS ISA-server, then it would be nice with a little comparasion to this product.

--
Mathias
(17 years from Denmark, running my own IT-company, and small network. Excuse me for any mis-spelling! )

[David S. Helmuth]

You might want to read the following:

http://www.e-smith.org/docs/papers/smeserver-security.html

If you already have, I apologize.  But I think it will start to give you an idea that, bug aside:

http://www.e-smith.org/bugs.php3  (older bug about SMTP port staying open)

I think you should find that eSmith/Mitel has taken a VERY comprehensive approach to security.  As a matter of fact, you might point it out to those guys that help you with your security.  It might be helpful to them.

I hope this help.

[Boris]

As a firewall (in the default configuration) SME is pretty secure.
As you start offering services (VPN, WWW, FTP, etc.) or forwarding ports to internal servers you are loosening security in a favor of usability. Please note that good security practice is not only securing internal hosts and installing the firewall, but also monitoring your network for intrusions, developing backup/restore plans, monitoring security related resources for new threats and applying relevant patches. SME lacks out-of-the-box convenient way to monitor and interpret the logs and IDS, but thanks to a lot of rooms for expansion, customization and existence of contributed add-ons, tailored for SME, those gaps can be easily covered.
If you need full-featured FIREWALL ONLY solution, dispute good security of SME, other firewall-only solutions may fit your design better, but if you are looking for integrated multipurpose server, posing as secure firewall in addition to other services look no further.
I havent used recently MS ISA server, but previous MS attempt (MS Proxy) was a joke security wise. Since recent (last few years) general availability Linux, BSD and "hardware" based inexpensive firewall solutions I never even consider to connect any MS based server directly to Internet, much less as a security guard