Koozali.org: home of the SME Server

6.0b3 firewall - nat only? stateful? hybrid/other?

Jim Danvers

6.0b3 firewall - nat only? stateful? hybrid/other?
« on: December 21, 2003, 03:26:40 AM »
...just curious.  I learned about a little thing called "m0n0wall" "http://m0n0.ch/wall/" that is a really slick freebsd based firewall.  Doesn't require a hard disk - just a cdrom and floppy.  Long story short, it requires a machine that will boot from cd (bios setting) and it stores its cfg data on the floppy.  Pare the machine down to a slow processor (no fan req'd for cooling) and after bootup one basically has a very secure firewall up and running (quick boot time too!) with no moving parts.  It's kinda neat.  Haven't figured out if/where I'll use it, but I have been reading around the web and got to thinking... what exactly is the firewall capability of sme anyway.  I believe it to be iptables based, yes (vs. older ipchains)?  Is it a "secure" fw?  Stateful?  I have sort of toyed with the idea of placing the monowall box in front of my sme and then re-cfg'ing it as req'd...  This would require some cfg'ing of the monowall in order for stuff to continue to work @my sme box (I'd have to setup some port fwds for mail, http, etc...)

Question is:  Do I need to?  Is it worth the effort?  Is the SME box secure as it is?

The questions above are NOT a troll...  just curious.  ;)

Thanks!

-=- jd -=-

( PS )  What's the deal with the 'final' version of SME 6.0?  I saw a thread on it where an .iso was released, then pulled because it was whacked, then placed back on the ftp servers, (apparently) lots of complaints about it still being buggy, webmail interfaces not working right, etc.  As the subject of this post says - I'm still running (and quite happy with ;) ) the 'beta' version of it..

Thanks ( take II ) again...

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #1 on: December 21, 2003, 09:37:13 PM »
About firewalls: The Linux kernel 2.4.x in e-smith 5.6/6.0 does support stateful inspection. It can be run as a static firewall and it can be run like a stateful inspection/dynamic firewall. I don't know for sure if e-smith activates the stateful inspection part, but I will guess it does. Personally I usually set up the e-smith without a firewall and then I make the proper firewall script myself that gives the exact configuration I want. When I do this I usually activate the stateful inspection part of the firewall functions.

The firewall of e-smith is based on "netfilter" that is included as a part of the Linux 2.4.x (and 2.6.x also, I believe) kernel.

http://www.netfilter.org

I think there are some contribs that give some filtering capabilities to the squid proxy. If you include such functions, I think you will also have an "application level" firewall running on top of the packet filtering firewall. (I haven't tried that e-smith contribution but have made some testing on such "manual" configuration of squid.) (I believe that the Microsoft ISA server works much the same way, a basic packet filtering function with a filtering proxy running on top of that.)

About small firewalls:  I have also tried a very small Linux firewall based on one floppy only. It has basically the same kernel as e-smith, and can do the same when it comes to packet filtering. If you want to make some firewall script training it works in the same way as any Linux including e-smith. I think it is a very good firewall because it is almost impossible to hack as there are almost no "daemons" running except for the basic kernel processes. I will recommend it at least for a try and for testing.

http://www.zelow.no/floppyfw/

About: e-smith 6.0 pre3 and 6.0 final release: I just made some testing on those two. 6.0 pre 3 with all upgrades worked ok and with no problems as far as I could see. After I made an upgrade to 6.0 final release (a fresh new installation), there were no problems with the basic functions. But it appeared that all the contribs did not work with the 6.0 final release. For me: No problems with 6.0 pre 3, some problems with 6.0 final release.
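The kind of hand-written netfilter script Arne describes in this reply, with the static (stateless) variant beside the stateful one, as an added example; this is not code from the thread and not e-smith/SME Server's own firewall code. The interface names (eth0/eth1), the LAN range and the choice of SMTP as the only published service are assumptions, and the run() helper is a dry-run wrapper added here so the rules can be reviewed before they are loaded.

```shell
#!/bin/sh
# Added example, not code from the thread or from e-smith/SME Server: a
# hand-written netfilter/iptables script for a two-NIC gateway. Interface
# names, the LAN range and the single published service (SMTP) are assumed.
# Dry run by default: the commands are only printed. Run with APPLY=1 as
# root to load them after reviewing the output.

WAN="${WAN:-eth0}"                     # assumed Internet-facing interface
LAN="${LAN:-eth1}"                     # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed private LAN range

# Print each iptables command; execute it only when APPLY=1.
run() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# Common start: flush everything and fall back to default-deny for inbound
# and forwarded traffic, so only the rules added below open anything.
reset_policy() {
    run -F
    run -t nat -F
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
}

# Static (stateless) variant. Without connection tracking the only way to
# let replies to LAN-initiated connections back in is a guess such as "any
# TCP packet that is not a connection-opening SYN"; that guess also admits
# unsolicited non-SYN packets from the Internet, which is the weakness of
# a static filter.
static_rules() {
    reset_policy
    run -A INPUT -i "$WAN" -p tcp ! --syn -j ACCEPT
    run -A INPUT -i "$WAN" -p tcp --dport 25 -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run -A FORWARD -i "$WAN" -o "$LAN" -p tcp ! --syn -j ACCEPT
    run -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Stateful variant. netfilter's connection tracker (the "state" match)
# admits a packet from the Internet only if it belongs to a connection the
# inside opened (ESTABLISHED) or is related to one (RELATED, e.g. ICMP
# errors, FTP data channels). Everything else from the WAN hits the DROP
# policy, except the one service deliberately published: SMTP.
stateful_rules() {
    reset_policy
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$LAN" -m state --state NEW -j ACCEPT
    run -A INPUT -i "$WAN" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    run -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Count the rules in a variant that rely on the "! --syn" guess to admit
# reply traffic: 0 means return traffic is admitted by the tracker only.
guessed_reply_accepts() {
    "$1" | grep -c -- '! --syn' || true
}

stateful_rules
```

Run the script as-is to see the stateful rule set printed; `static_rules` prints the weaker variant for comparison, and `guessed_reply_accepts static_rules` versus `guessed_reply_accepts stateful_rules` shows which one depends on guessing at return traffic.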

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #2 on: December 21, 2003, 10:01:08 PM »
By the way I forgot to mention one thing ..

I think it is in many ways a basic principle in all firewall design that a firewall machine should have as few processes or daemons that can be hacked or communicated with as possible. Every opening into the firewall machine and every process that a hacker can communicate with is basically a security risk.

In this way the design of the e-smith (with the setup as a gateway server) is "not so good" if maximum security and "impossible to hack" is a main target. (On the other hand you save money, you get only one box and for many kinds of use it is just secure enough.)

If you want to improve security, I think a good idea will be to use a firewall with 3 connections in front of the e-smith, and then just use e-smith in "server only" mode. These 3 connections will be WAN, DMZ and LAN.

There is one Linux firewall for this purpose that is rather easy to set up and it is also free for download. I have tested the last "issue", Smoothwall 2. I see they have renamed it "Smoothwall 2.0 express", but I guess it is still basically the same.

http://www.smoothwall.org

There are some limitations for the Smoothwall, at least the one I tested: It is only a NAT routing firewall. It does not support bridging or things like that and it can only have one external ip at the external (WAN) connection.

There is one other Linux based firewall that I have been told can handle multiple external ip's and this is ipcop, but I have not tested this.

http://www.ipcop.org/

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #3 on: December 21, 2003, 10:19:49 PM »
By the way once more:

I had not seen the screen shots of the m0n0wall, sorry about that ..

The m0n0wall firewall appears to be basically the same kind of firewall as the Smoothwall, and I can see that it has WAN, DMZ and LAN connections like the Smoothwall .. So all arguments for using Smoothwall are also basically valid for this firewall.

Smoothwall 2.0 needs a hard disk of minimum 100 Mb. Smoothwall also supports stateful inspection.

Boris

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #4 on: December 22, 2003, 12:00:23 AM »
Firewall is not the main purpose of SME server, but rather an included bonus.
SME is a multipurpose application server, with built-in basic firewall/gateway capabilities. If you need a dedicated firewall only, look at the many other solutions available. (GnatBox light, IpCOP, FloppyFW, Coyote Linux etc.)

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #5 on: December 22, 2003, 02:03:38 AM »
I agree completely with this conclusion. The firewall is rather something like an option among a lot of other things. In many cases I think it gives security enough to use the e-smith alone, and if you want to spend some more money, and possibly get some more "theoretical security", you can just set it up in server only mode and use another firewall in front.

Paul

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #6 on: December 22, 2003, 08:55:08 AM »
Arne,

Why would you put the server in server only mode and put it behind an additional firewall?

What ports would you forward to the server?

Would you put the server in the DMZ?

PeterG

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #7 on: December 22, 2003, 12:38:54 PM »
Hi Guys,

The set up I have been pondering is as follows -

A stateful Packet Inspection hardware firewall, something like an SMC 7404 combined router, adsl modem and SPI firewall.

This would have two port forwards for smtp and vpn.

The LAN side of the router would then connect to a NIC in the server.

The server has two NICs in it, one to the router, the other to the LAN.

Is this any good?

PeterG.

Jason Judge

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #8 on: December 22, 2003, 06:40:37 PM »
I've pondered this: if you put the server behind a separate firewall, and then forward all the ports necessary to the e-smith server to operate as a webserver/VPN/mailserver etc, then is it any more secure than connecting it directly to the Internet?

The only advantage I can see is that a separate firewall is more easily able to "pull the plug" in the event of a sustained attack from the Internet, but otherwise a transparent firewall doesn't really add any extra security.

Please tell me if I'm missing something here...

Paul

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #9 on: December 22, 2003, 06:43:03 PM »
PeterG,

Why would you do this?  The SME server has a stateful firewall built in.  If you put it behind another router/firewall, your internal IPs will get wrapped twice, this might slow you down a bit.  I originally had mine set up this way and when I removed the hardware firewall, the people in the office asked if we got a faster internet connection.  Putting a hardware firewall in front of your SME box will probably slow it down a bit.

If you just allow mail and VPN on the SME, it will STEALTH all ports except mail and VPN for you.  Same thing except one less piece of equipment and a couple less cables to go wrong.

JMHO

Paul

Paul

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #10 on: December 22, 2003, 07:09:08 PM »
Jason Judge said:

>I've pondered this: if you put the server behind a separate firewall, and then forward all the ports necessary to the e-smith server to operate as a webserver/VPN/mailserver etc, then is it any more secure than connecting it directly to the Internet?

No, not really.  And if your server is set up as "server only" and if you make a mistake on the router and forward the wrong port, it will actually be worse.


>The only advantage I can see is that a separate firewall is more easily able to "pull the plug" in the event of a sustained attack from the Internet, but otherwise a transparent firewall doesn't really add any extra security.

You can still "pull the plug" on your server, just disconnect the WAN (and probably the LAN for that matter) cables from the SME box.  But, by the time you discover a problem, get to the box and disconnect, it will be too late anyway.

Most attacks are geared towards MS servers anyway (for now).  The other problem that seems to be big is spammers using your mail server.  I don't (and won't) have my mail server open to the public.

Another problem, dyndns.  SME reads its own external interface and if it changes, it reports to dyndns.  You have to use a different client if you are behind a firewall.  Or get a firewall with a dns client built in.  Now you have something else to configure.

Putting your SME behind another router/firewall is pointless, unless you need to use the modem/router because of ISP reasons such as your connection is PPPoA.  But, if it makes you feel safer, there's nothing saying you can't.

PeterG

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #11 on: December 22, 2003, 07:41:52 PM »
Paul wrote:

> Jason Judge said:
>
> >I've pondered this: if you put the server behind a separate
> >firewall, and then forward all the ports necessary to the
> >e-smith server to operate as a webserver/VPN/mailserver etc,
> >then is it any more secure than connecting it directly to the
> >Internet?
>
> No, not really.  And if your server is set up as "server
> only" and if you make a mistake on the router and forward the
> wrong port, it will actually be worse.

Presumably you would know that the wrong port was used, as the thing you wanted to port forward to wasn't working?


> >The only advantage I can see is that a separate firewall is
> >more easily able to "pull the plug" in the event of a
> >sustained attack from the Internet, but otherwise a transparent
> >firewall doesn't really add any extra security.

But aren't there any other ports that are open on a standard v6 install? I haven't run Nessus against a v6 server but will give it a go tonight if I have time.
 
> Another problem, dyndns.  SME reads its own external
> interface and if it changes, it reports to dyndns.  You have to
> use a different client if you are behind a firewall.  Or get a
> firewall with a dns client built in.  Now you have something
> else to configure.

I know an installation, not mine - honest, that has the installation that I was pondering and it all works quite happily.

 
> Putting your SME behind another router/firewall is pointless,
> unless you need to use the modem/router because of ISP reasons
> such as your connection is PPPoA.  But, if it makes you
> safer, there's nothing saying you can't.

What I may do is get a usb modem and run Nessus against that and then against a firewall/router/modem type box. Although you mention that a router is required for PPPoA, this is the standard protocol for ADSL in the UK? How does a USB modem present itself to the SME box during installation, as just another network interface? If so, how are things like usernames and passwords handled?


PeterG.

Paul

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #12 on: December 22, 2003, 08:44:04 PM »
>Presumably you would know that the wrong port was used as the thing you wanted to
>portforward too, wasn't working?

Correct, however did you remember to close that wrong port that you opened earlier???  I'm just trying to point out that the more you have to configure, the more mistakes you MIGHT make.

>But aren't there any other ports that are open on a standard v6 install? I havent run
>Nessus against a v6 server but will give it a go tonight if I have time.

SME only opens the ports for the services that are running.  If you elect NOT to have the web server public, then it should not open port 80 on the external nic and so on for the rest of the services.  I have never really tested this as my boxes are all running web servers.

>I know an installation, not mine - honest, that has the installation that I was pondering
>and it all works quite happily.

And it should, but why go thru the hassle if you don't have to??

>What I may do is get a usb modem and run nessus against that and then against a
>firewall/router/modem type box. Although you mention that a router is required for
>PPPoA, this is the standard protocol for ADSL in the UK? How does a USB modem
>present itself to the SME box during installation, as just another network interface if so
>how are things like usernames and passwords handled?

Your PPPoA scenario has presented itself many times in these forums with varying solutions.  SME out of the box does not support PPPoA, however, there are several solutions.  Put pppoa in the search engine and you will find a plethora of threads.  The most simple solution is to use the ISP's recommended/supplied firewall/router.  USB modems will probably be your most difficult solution if not impossible.  One post states the use of a PCI ADSL modem, treat it as a dial up and do some minor changes to the SME dial-up and dyndns scripts.  The choice is yours.

Like I said, Put pppoa in the search engine and you should be able to find a usable solution.

Arne

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #13 on: December 22, 2003, 10:25:34 PM »
"I've pondered this: if you put the server behind a separate firewall, and then forward all the ports necessary to the e-smith server to operate as a webserver/VPN/mailserver etc, then is it any more secure than connecting it direct to to the Internet?

The only advantage I can see is that a separate firewall is more easily able to "pull the plug" in the event of a sustained attack from the Internet, but otherwise a transparent firewall doesn't really add any extra security."


I think from a hacker's point of view there will be a rather big difference.

Connecting the e-smith directly to the Internet and the LAN to the e-smith gives a rather good place to start working for a hacker.

If he is able to get control or root control over the one e-smith server, he will have control over practically all resources and he will also have control over a Linux platform that can be used as a platform for further attacks against the LAN resources.

On the other hand if you use a three-port WAN/DMZ/LAN arrangement, the internet server and the LAN resources will be running on two different network segments with a firewall between. If you are able to work through the firewall and get control over the internet server, you still have to fight the firewall to get access to the LAN resources. I also think it is a good idea to use not only one e-smith server, but two: The internet server running on the DMZ and the LAN server running on the LAN. Of course there should be no port forwarding from the Internet to the LAN server.


Internet------Gateway firewall--LAN----LAN server(s) plus workstations
                             |
                             ----DMZ---Internet servers


One other way of arranging these things is like this:


Internet----Outer firewall---DMZ with internet server(s)---Inner firewall--LAN with server(s) and workstations

There are other reasons also why one (or two) extra firewall machines might make things a little bit safer, problems related to buffer overflow, etc.

I have tested both alternative 1 and 2 and also alternative 2 with a triple firewall arrangement at work with some users, and there was no sign of things getting slowed down due to passing through 1, 2 or 3 firewalls. All three were NAT routing firewalls. We are using a double firewall arrangement today, and there are no problems at all with that. (Microsoft ISA server plus RedHat 7.3). The three firewall arrangement was only an experiment to see how that could work.

I will recommend this book about hacking techniques and network security:
http://www.hackingexposed.com
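The forwarding policy behind the three-port WAN/DMZ/LAN arrangement in this reply (LAN may reach the DMZ and the Internet, the DMZ may reach the Internet but never the LAN, and the Internet reaches only the published ports on the DMZ server), as an added iptables example. It is not code from the thread and not the configuration of Smoothwall, IPCop, m0n0wall or e-smith; the interface names (eth0/eth1/eth2), the DMZ server address 192.168.100.10 and the published ports 25/80/443 are assumptions, and run() is a dry-run wrapper added here so the rules are printed for review rather than loaded.

```shell
#!/bin/sh
# Added example, not code from the thread or from Smoothwall, IPCop,
# m0n0wall or e-smith: the FORWARD/NAT policy for a three-port WAN/DMZ/LAN
# firewall. Interface names, the DMZ server address and the published
# ports are assumptions. Dry run by default: commands are only printed;
# APPLY=1 (as root) loads them after review.

WAN="${WAN:-eth0}"                          # assumed Internet side
DMZ="${DMZ:-eth1}"                          # assumed DMZ side
LAN="${LAN:-eth2}"                          # assumed LAN side
DMZ_SERVER="${DMZ_SERVER:-192.168.100.10}"  # assumed Internet server in the DMZ

# Print each iptables command; execute it only when APPLY=1.
run() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

policy_rules() {
    run -F
    run -t nat -F
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # The firewall box itself answers only tracked replies and LAN-side admins.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i "$LAN" -m state --state NEW -j ACCEPT
    # Return traffic for any connection allowed below, in either direction.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may open connections to the Internet and to the DMZ.
    run -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$DMZ" -m state --state NEW -j ACCEPT
    # DMZ may open connections to the Internet (updates, outbound mail), but
    # there is deliberately no DMZ->LAN rule: a compromised DMZ server still
    # has to get past the FORWARD DROP policy to reach LAN resources.
    run -A FORWARD -i "$DMZ" -o "$WAN" -m state --state NEW -j ACCEPT
    # The Internet reaches only the published services on the DMZ server;
    # nothing is ever forwarded from the WAN into the LAN.
    for port in 25 80 443; do
        run -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$DMZ_SERVER"
        run -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$DMZ_SERVER" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Both inside segments leave through the firewall's public address.
    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Check the generated rule set for the two things this design must never
# do: accept new traffic from the DMZ into the LAN, or forward WAN traffic
# into the LAN. Returns 0 when the segmentation holds, 1 otherwise.
check_segmentation() {
    rules=$(policy_rules)
    if echo "$rules" | grep -- "-i $DMZ -o $LAN" | grep -q -- "-j ACCEPT"; then
        return 1
    fi
    if echo "$rules" | grep -- "-i $WAN -o $LAN" | grep -q -- "-j ACCEPT"; then
        return 1
    fi
    return 0
}

# The number of DNAT rules is the whole Internet-facing exposure of this
# arrangement; keep it as small as the published services allow.
published_ports() {
    policy_rules | grep -c -- "-j DNAT" || true
}

policy_rules
if check_segmentation; then
    echo "segmentation check: ok ($(published_ports) published ports)"
else
    echo "segmentation check: FAILED" >&2
fi
```

The check_segmentation function is the part worth keeping around: whenever a rule is added to such a script, re-running it catches an accidental DMZ-to-LAN or WAN-to-LAN forward before the rules are loaded.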

Boris

Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
« Reply #14 on: December 22, 2003, 11:40:04 PM »
If you need services offered by SME server (WEB, E-MAIL, file sharing etc.), then built-in firewall is reasonable sufficient. Where is no limits for security arrangements, including cascading firewalls, reverse proxying etc,. but in most cases it is overkill. If you are  too paranoid about it, switch SME to "Private Server-Gateway" and use separate connection or IP for your public services, otherwise its reasonably safe to use standard setup with SME as server, firewall, gateway.