Koozali.org: home of the SME Server

6.0b3 firewall - nat only? stateful? hybrid/other?

Jason Judge

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #15 on: December 23, 2003, 12:47:48 AM »
"If he is able to get control or root control over the one e-smith server, he will have control over practically all resources..."

Well yes, that's my point. If an e-smith server provides all the web-based services through port-forwarding from the firewall, then it makes no difference how the root access was obtained. Gaining access to the e-smith server should be just as easy through a firewall as it is directly - the firewall is going to have to forward all the ports that the e-smith server needs for supplying its web services, so it should be transparent to any hacker.

-- JJ

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #16 on: December 23, 2003, 01:05:34 AM »
That is the very nice thing about the e-smith: you can use it as a "general building block" to build up any kind of network structure. If you want to build up a network consisting of 1, 2 or 3 servers or whatever you want, it's just up to you.

PC boxes cost very little today, and the e-smith does not require a lot of processor power.

So because of nice things like the e-smith and the Smoothwall firewall you are free to design your network as you want, without having to send all your money away to Mr Bill Gates.

That's the very nice thing about open source programs, and open source programs that work right out of the box in particular.

With programs like the e-smith and the Smoothwall any nation, any organisation and almost any person can build up the network they want.

Paul

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #17 on: December 23, 2003, 01:22:50 AM »
If you leave ports open to provide services, hackers can always get in.  You can minimize the effect by spreading your services over different servers.  In other words, place a hardware firewall on the internet then forward the HTTP port to one server, SMTP to another and so on.  Also, put your private-server/gateway behind the firewall with no ports forwarded to it and all client machines hooked behind it.  Then put another machine somewhere to collect hourly backups and a daily tape then take it off site.

You could go on and on but it still wouldn't be hack proof.

By the way, what precious information do you have that a hacker would spend so much time trying to get?

Hackers do one of 2 things:

1-Make up some sort of code to infiltrate all machines (like Nimda & Code Red) and hope it does some damage.  In this case, patches are released to stop them.

2-Find a target like NASA or BankAmerica and work like hell to crack through the firewalls.  In this case, the hacker wants something specific.

A hacker (or his program) is not going to poke around your system for more than a few seconds unless you are un-patched or you have something of HUGE value or you have pissed him/her off.

Moral of the story:

Keep your machines patched.
Don't be a government entity or a bank.
Don't make anybody too mad.

I've had my SME server hooked directly to the net for a couple of years and except for the 1000 or so Nimda/Code Red hits a month, nobody bothers me (so far).  I got nothing anybody wants.

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #18 on: December 23, 2003, 01:40:40 AM »
If the hacker's attack is directed through port 22 or port 80 and these ports have access from the internet, and if these are the only ports the hacker wants to use, this will be true.

On the other hand, if the hacker wants to start up an attack through these ports and then one way or the other open up for more attack/communication through other ports, this will be more difficult through/behind a bastion firewall in front of the server.

Also, if the hacker wants to use an attack based on packet spoofing, or if he will try to "knock out" the "structure" of a stateful inspection firewall by some kind of memory overload or "buffer overflow", this will be more difficult on a double firewall setup. While the outer firewall is heavily attacked this way, the inner firewall on the server itself normally will not take notice of this at all because this traffic is stopped by the outer firewall.

As/if the outer firewall is a Linux distribution that is developed only for that single purpose, like the Smoothwall, I think it is possible to build it more "robust and strong" compared with a Linux distribution that is developed to serve all kinds of use similarly and at the same time. Firewall, file server, web server, mail server and everything in one package simply cannot be optimised for one thing; this has to be an average of performance for it all.

By the way, attacking through one open port, let's say port 80 or port 22 .. a packet firewall can do something about that if it is configured for that.

Blocking certain IP addresses is no problem. You can also block on the traffic rate, so if the traffic suddenly reaches an abnormal level the firewall can make an automatic block. It's also possible, I think, to check the length/size of the packets before they are forwarded to the server. Linux also had a project going on with some firewalling modules that can check the exact content of the data text string before DNATting to the server. I think this last project did not work very well, but I think it is still an option in iptables, even though it is not much used.

I think, if you want more security than this, you need something like a reverse proxy firewall that makes a temporary storage and inspection of all traffic into the server on the packet and application level. I believe the new Microsoft ISA Server has such a reverse proxy function (?).
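As an added illustration (not code from this thread, from SME Server or from Smoothwall), here is a small iptables bastion-firewall script in the shape Paul describes in Reply #17 (HTTP forwarded to one box, SMTP to another, nothing forwarded to the gateway) with the IP blocking and rate-based blocking Arne mentions in Reply #18. The interface name, host addresses and blocklist are constructed placeholders, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the forum thread or the SME Server project.
# Addresses are constructed placeholders from the RFC 5737 documentation ranges.
WAN_IF="eth0"                          # assumed internet-facing interface
WEB_HOST="192.0.2.10"                  # assumed: HTTP is forwarded only here
MAIL_HOST="192.0.2.20"                 # assumed: SMTP is forwarded only here
GATEWAY_HOST="192.0.2.1"               # assumed: private server/gateway, nothing forwarded
BLOCKLIST="198.51.100.7 198.51.100.8"  # constructed: sources to block outright

# Print each rule for review; only run the real iptables binary when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Forward one service to exactly one host. New connections from a single source
# above 20/s (burst 50) are dropped, which is the "block on the traffic rate"
# idea; established flows are accepted earlier in the chain and keep passing.
forward_service() {
    port="$1"; host="$2"; name="$3"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip \
        --hashlimit-above 20/sec --hashlimit-burst 50 --hashlimit-name "$name" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -p tcp -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

build_rules() {
    ipt -P FORWARD DROP                        # default deny for everything forwarded
    for ip in $BLOCKLIST; do                   # "blocking certain IP addresses"
        ipt -A FORWARD -i "$WAN_IF" -s "$ip" -j DROP
    done
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # No DNAT rule names the gateway, and any stray new connection to it is dropped.
    ipt -A FORWARD -i "$WAN_IF" -d "$GATEWAY_HOST" -m conntrack --ctstate NEW -j DROP
    forward_service 80 "$WEB_HOST" http        # HTTP to one server
    forward_service 25 "$MAIL_HOST" smtp       # SMTP to another
}

build_rules
```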

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #19 on: December 23, 2003, 01:47:32 AM »
I think hacking PCs in private homes to use them to spread out spam and to use them in DDoS attacks is a popular variant of hacking. You don't need to have anything on your PC, but the fact that it can be used to send out spam, for DDoS attacks or other attacks against other machines can always make your PC interesting. I think some hackers attack "bigger" targets this way. First find a relatively easy target to attack and get control over. Then, in the next phase, use this first target as the base for the next attack.

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #20 on: December 23, 2003, 01:51:17 AM »
By the way.. I forgot .. This last planned DDoS attack against Microsoft, wasn't it organized this way?? (Except that Microsoft found it out at the last minute and changed their address.)

Paul

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #21 on: December 23, 2003, 01:57:22 AM »
Another thing,

I would spend WAY MORE time worrying about what email you and your other users are opening.  How much you spend on Norton (or whatever AV software you use) and how often you check for MS patches/updates.  You will get more problems with MS machines than your SME box.

I admin a few systems and the worst (BY FAR) problem I have ever had to fix was a virus that spread around the entire office of one of my clients.  I can't remember the name of it but I think it came in through an email.  Messed up every MS machine BUT it left the SME 5.6 box alone.  Spent 2 days fixing 8 MS machines.

Arne,

All this talk about HACKERS WANT to do this and HACKERS WANT to do that.  You're putting fears into people's heads that hackers are constantly trying to get into their machines.  This is just NOT TRUE unless you have something High Profile.  A hacker is NOT going to try my SME box for a 2 bit web site and some shared photos.  It just isn't worth the time to them.

Hackers getting into my SME box is of no real concern to me.  I've got nothing there of value and if they get in, I'll reload and restore.

Your last post pretty much says it, Microsoft.  Do you think the hackers will plan a DoS attack against you or me in the near future....NO

If you are serving up critical or sensitive data over the web, then you need to move up from this OS.  I wouldn't even recommend it for a small e-store that takes credit cards.  Let a large hosting company do that and take the responsibility for stolen CC numbers.

Jason Judge

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #22 on: December 23, 2003, 03:06:28 AM »
Just to know all the bases are covered while you sleep at night brings some peace of mind. What the client does to break their own machines during the day is their own fault (putting it bluntly, though we do have a duty to educate them).

I think there is some very useful stuff in this thread, and speaking personally, it answers a lot of questions I have been asking elsewhere. Thanks all.

-- JJ

Paul

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #23 on: December 23, 2003, 03:40:46 AM »
Jason,

You can NEVER cover all the bases.  You can build and install firewalls until you are blue in the face.  If someone wants in, they will get in.  It's been proven over and over again against the people that probably spend the most money on network security, banks and governments.  If they can't stop a hacker with millions of dollars invested in network security then neither can you or I with a couple of firewalls.

Quit dwelling on the firewall issue.  If you have a client with sensitive data, make sure that the data is totally secure and not connected to the rest of the world or get rid of the client.  You don't want the responsibility of something like thousands of credit card numbers on your head, it just isn't worth it.

On the other hand, that small business with nothing but a bunch of work orders and sales slips.  Keep them because nobody is after their data and nobody will put in the effort to crack an SME firewall for nothing.  Just back them up each night and the most they will lose is a day of data input work.

You know, when the client's secretary opens that dreaded email or website and the whole office gets infected, the boss will say these exact words to you:

But you told us the firewall had us protected against that, why didn't you tell us to keep an eye on MS updates?

OR

We keep up on all the updates and AV subscriptions, why didn't the firewall stop this??

In other words, YOU are going to get blamed for EVERY MISTAKE (including your own if you made any) that was made.  Just make it PERFECTLY CLEAR to the boss that the firewall only stops all but the BEST hackers and will not prevent email virus problems (even if you have A/V software on the server).

You can do all the A/V stuff you want, but when Ms. receptionist goes to another web based email service and pulls up and opens that infected email, or Joe Salesman is checking out his favorite porno site and clicks one button too many, then it's all over but the crying.  And YOU are going to get blamed at first.

Trust me, the firewall is the least of your (and the company owner's) worries.  And the more emphasis you put on the firewall, the more that business owner is going to try to blame you.

Just tell them it's better than any MS product and will stop all but the most persistent hacker.  Then ask them who might be interested in their info.  If they say no one, then say great, no one will waste very little time trying to get in for nothing.  Boasting firewall over firewall will give them a false sense of security and make you more liable.

JMHO

PeterG

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #24 on: December 23, 2003, 11:30:44 AM »
Jason Judge wrote:
> I think there is some very useful stuff in this thread, and
> speaking personally, it answers a lot of questions I have been
> asking elsewhere. Thanks all.
>
> -- JJ
Likewise, many thanks to all who have contributed on this thread, it is certainly very reassuring that there are other like-minded people out there, who can come up with sensible debate without chucking toys around.

PeterG.

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #25 on: December 25, 2003, 09:31:47 AM »
I think most machines that are attached to the internet are attacked on a regular basis, sometimes every day and sometimes once a week or something like that. On the other side, I believe most of these attacks are automated attacks, often from machines belonging to persons who know nothing about their machines being used to attack other machines.

The nature of a DDoS attack, as an example, is to first find a number of not so well secured machines where there might be no interesting data. Then you install the right kind of software on these machines manually or by automated procedures. So then your internet-connected PC is a time-scheduled attack tool without your knowledge. So at the right synchronized time all the infected or hacked computers attack one common target to bring that target down. Such hackers are not attacking Microsoft or other big targets. They attack the easier targets and use those easier targets as the attacking tool against the main target. So when the main target goes down and they check their logs, they don't find the IP of the hacker. What they can see from their log is that you did the attack against them, because your IP, not the hacker's IP, will be there.

A lot of the attacking mechanisms function according to this basic principle; it's not only the DDoS attack.

I believe that using an old PC and Smoothwall as an additional firewall can improve security a bit.

My personal point of view is that the most dangerous thing is to say that the things that happen on a regular and daily basis don't happen. If problems are well known, necessary precautions can be made.

One thing right enough .. If you are using a Linux or a Unix machine you might be less exposed to these threats compared with a Windows machine with direct internet access, but anyhow a combined Linux firewall/webserver/fileserver with a direct internet connection is not the very safest installation either. I believe an old PC and a 2-port Smoothwall installation in front will be safer.

ken

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #26 on: December 25, 2003, 06:51:20 PM »
We have 2 offices

In one office we have one SME Server going through a Router/Firewall

In the other we are using SME server with 2 network cards.

Both go into an additional 24-port switch.

The problem is, when for whatever reason the internet isn't working, we reboot the router or SME server. Of course it's a lot more convenient to simply reboot the router, as then it is only the external connection being broken and the rest of the office can continue. Usually the outside service provider is down and the reboot does no good, but one has to be able to say to the provider: Yes, we rebooted our hardware.

I have seen the SMC Barricade 7004VBR 4-port router on sale with rebates for as little as $20.00 Canadian, which is cheaper than a 2nd network card, and it has stateful packet inspection, DMZ, DHCP etc.

Another potential advantage of the 4-port router would be if you wanted to run an SME mail server but an ASP-based Windows server from one IP, as you can forward the appropriate ports out of the router.

Kind of makes me think I should watch out for the next sale and pick up another router.

Ken