Koozali.org: home of the SME Server

Firewalls & SME Servers Public Access

Skydiver

Firewalls & SME Servers Public Access
« on: April 10, 2005, 03:51:07 AM »
Issues with SME in Server Only Mode.
This setup will include:

SHDSL internet connection with a bank of 6 public IP addresses

1 IP address is used as a gateway IP address
5 usable IP addresses for public access SME servers

1. The first IP address is used for 1 Linux ClarkConnect gateway/firewall to manage local internet access for all office workstations.

2. The remaining 4 IPs will be SME servers and are required to have public IP addresses for public services.

These 4 SME servers have only one NIC and are running SME 7.0 Alpha 5 in Server Only mode.

Issues with security in Server Only mode: firewalls are noted as down and all ports are open.

I note: it does not make any sense to place an extra NIC in each server to allow Gateway mode to be enabled, as this will only allow port forwarding, not opening ports.

Why purchase a hardware router with firewall features for each server when SME security is fine when it's operational? Besides, this will place the SME servers in a NAT environment, and for these public services NATs are OK but create other issues for the public applications they are running.

Each server will be using its own service ports with its own domain, and 3 of the servers have applications that require open ports for public access with no NAT issues; all unused ports will or should be locked down in stealth mode.

Can anyone help me address security and port issues for this configuration?

I would like to see the SME firewall available in all modes, gateway or server only, with config settings available within the e-smith server manager, not just port forwarding in gateway mode.

Thanks for your time; please post a reply on how best to implement this configuration. Any idea you have I would be happy to read and test.

Cheers
:) :pint:

gregswallow
Firewalls & SME Servers Public Access
« Reply #1 on: April 10, 2005, 09:10:15 AM »
Sounds like you want to use ClarkConnect for what SME is designed for, and 4 other servers for what something like Plesk or cPanel was designed to do on one server.

MSmith
Firewalls & SME Servers Public Access
« Reply #3 on: April 10, 2005, 02:07:59 PM »
Yes, this sounds like a classic case of using a hammer to drive a screw. IMHO you'd be far better off evaluating various distributions in light of the services you wish to provide, then setting up something like White Box or Fedora Core 3 to that service's specifications.

What you're wanting to do runs contrary to the whole SME Server philosophy of providing a few selected services to the outside via WAN interface and many integrated services to the LAN.

So please do consider rethinking your plan here.
...

arne
Firewalls & SME Servers Public Access
« Reply #4 on: April 10, 2005, 06:20:22 PM »
Hello!

I don't understand why the setup mentioned above could not work.

My point of view and my experience is that the SME server set up as "server only" works perfectly well. The only thing you will have to do is to make a firewall script so that the "server only" will have a firewall.

Two easy and good tools that are also good to use for the "server only" are the "iptraf" utility and the "nmap" port scanner. iptraf can be used for easy traffic monitoring and nmap to see which ports and services are open.

I usually set up the SME server as "server only" and actually never as a gateway (don't ask me why, just practical reasons from time to time), and in my point of view the suggested use of the 4 SME servers was not so bad.

Whether you can just put two network cards in the SME server to "fool" them into believing they are "gateways" and then use the default firewall, I don't know because I have not tried, but I believe that this could be done. (But the first configuration would have to be done from the unused "LAN" connection, I believe, as the "WAN" card will give no access (I believe).)

I think that the SME server as a "server only" with some kind of firewall can do a great job as an internet server. Four servers might sound like "a lot", but after all hardware can be rather cheap these days, and with free software it does not have to be a lot of money.

One thing that I am curious about: why do you want to use ClarkConnect as a gateway? Why not rather use a more specialised gateway software like Smoothwall? Of course ClarkConnect could do the job, and I guess that it might for instance show strong performance as a web proxy.

You say that you will run the services on each server on different port numbers (do I understand it right?). Should there be any reason for that? As long as each server has its individual external IP (!?) there should be no need for running the services on different port numbers (!!??). I think the same and identical port number but different IP would be a better choice for those SME servers.

One other thing I'm curious about: why do you want to use as many as 4 SME servers? It's true, I think, that the philosophy behind the SME server is that it is an "all in one" server, but I think that 4 "all in one servers in one room" can also perform well, even though you do not use all of the capabilities of each of them.

Let's say you wanted to use one as "the mail server" and one as "the web server" and even one as "the spare web server". I think this could work perfectly well. If used this way the firewall can be locked for the services that are not in use.

I think that the SME server will not be a very good web hotel, but as an "all in one server" for an external customer, it might perform very well.

Best regards, Arne.
......

arne
Firewalls & SME Servers Public Access
« Reply #5 on: April 10, 2005, 06:34:31 PM »
By the way, one way of increasing the security of the servers would be to set up a firewall bridge in front of the four servers as a replacement for or addition to the four individual firewalls.

A firewall bridge can be built from another PC with two network cards and a Linux 2.6.x kernel or a modified 2.4.x kernel on it, modified for bridging firewalling purposes.

A bridging firewall will not affect existing IP addresses or addressing schemes. The bridging firewall itself will not need an IP (so it is rather difficult to attack).

Floppyfw is a small Linux distribution with a modified 2.4.x kernel that can do most of the packet filtering using bridging or routing mode.

http://www.zelow.no/floppyfw/

Floppyfw can run from a floppy, from a CD, a HD or electronic media, CF or USB stick.

Arne.
......

Skydiver

SME FireWalls
« Reply #6 on: April 11, 2005, 12:11:50 AM »
Server 1 hosts websites and emails for several domains and provides the office with secure internet access.

Server 2 provides Gatekeeper services
Server 3 provides Billing and Auth services
Server 4 provides Bridging services H323/SIP (SoftSwitch)
Server 5 provides SIP - RTPProxy/Media Stream services

As they are VoIP related servers, NAT would cause issues; I only wish to deal with those coming from clients behind NATs. Note each server has a public static IP.

The SHDSL is being installed Monday next week. I really would like to have security sorted so I can place the servers online the same day and start the final testing phase, for at the moment everything has been developed on a LAN.

I wanted to use SME because the whole project is based around open source products and services, and the company will be advertising the open source products used to form the complete solution. SME - e-smith has been good for myself and my clients over the years; I wanted to give some exposure back to SME, showing it's still one of the best options.

I need some support in the configuration of the network for firewalls. Please.

Cheers
 :pint:  :pint:

arne
Firewalls & SME Servers Public Access
« Reply #7 on: April 11, 2005, 02:21:14 AM »
This was a rather unusual use of 4 SME servers!

No 1 is a "standard SME server", OK, but the other 4 do not, I think, use any of those typical functions that make up an SME server. On the other hand there might be no reason to say that the SME server cannot be used, even though I must admit it is not the first server I would think about for this particular use. (Why use a preconfigured web, mail, FTP and Samba server for some IP telephony application??)

When it comes to the firewall part of it, I think it is just as easy, or difficult, or impossible, as you want it to be.

If one should set up a firewall for some server functions where the only known issue is that the communication will be quite a lot more complicated than for an ordinary SME server, it will of course be impossible to configure a firewall for that.

If on the other hand you set up the servers and let them run in an "ordinary operating mode", or "as used for normal operations", while you are logging and monitoring all traffic to and from the server, you will have the required data for configuring the firewall.

When you can say for sure what the "normal dataflow" is, then you can configure the firewall to let through this traffic, nothing less, nothing more.

When it comes to this kind of traffic, I think it will be a very good idea to avoid NAT in the server end. I don't know if there could be any issues with the Linux firewall when it comes to these "special datastreams" related to IP telephony, but well, as long as routing and NAT functions are avoided I will guess it can handle it.

Not my business, but I cannot avoid asking "myself" one question: for servers 2-4, why not rather use a stripped down installation of a Linux server based on the new 2.6.x kernel, and then install those specialized server functions on such a platform as the "main server functions" for that platform?

If the datastreams are very complicated it might be an idea to use a Linux bridge as already mentioned, and then to use this to analyse the traffic passing through. The bridge installation can then be used to monitor and record the traffic so that firewalls at the servers or on the bridge can be configured according to this.
......

Skydiver

SME FireWalls
« Reply #8 on: April 11, 2005, 02:36:13 AM »
Thanks for your reply.

The reason I am using SME with the HTTP compiled functions is because each server has front ends for configuration via HTML/PHP web pages, hence the need for the services on servers 2 & 4; actually all servers have front ends that require the services, including mail for registration confirmation, invoice sending, voicemail notify error reports etc.

I am liking the idea of the bridge and monitoring the traffic. I will test your ref and try an old spare box I have here and place it up front.
My understanding is it will not use a public IP address and only act as a bridge allowing services to the servers with the public IP addresses.

arne
Firewalls & SME Servers Public Access
« Reply #9 on: April 11, 2005, 02:56:41 AM »
I have tried this bridge setup for testing purposes only. I am 99.999 percent sure that the bridge will not need any IP address as long as you have direct console access. If you need to log on it will need "some kind of IP address".

I'm also 99.999 percent sure that it is possible to monitor the traffic passing through the bridge using tools like iptraf and Ethereal. http://www.ethereal.com/

For SME 6.0.1 I use the iptraf module for Red Hat 7.3.

To make an easy and proper use of the Ethereal packet sniffer or traffic monitor, I think it is a good idea to use Gnome or KDE.

Also I think it is a good idea to use a modern Linux distribution with the 2.6.x kernel for the bridging function. The 2.6.x kernel has a bridging firewalling capability as a default. The 2.4.x kernel has not.

As far as I can remember, it is fully possible to monitor what's passing through such a bridge, but it is not possible to use any client or server functions at the bridge PC as there is no IP to communicate against. I think it is also not possible to use a port scanner from the bridge, as there is no return address.

For practical reasons it might be a good idea to lend the bridge an IP for temporary use if there is one available. (It can be tricky to communicate to and from an "invisible" PC.)
......

arne
Firewalls & SME Servers Public Access
« Reply #10 on: April 11, 2005, 03:00:06 AM »
Correction:

If you need to MAKE A REMOTE log on it will need "some kind of IP address".
......

Skydiver

SME Firewalls
« Reply #11 on: April 11, 2005, 03:20:51 AM »
The SHDSL package comes with a bank of 32 public IP addresses, 1 for the gateway IP and 31 usable IPs; I can give the unit a public IP if required. I use Ethereal for my testing, so I have no issue there.

Say two servers are listening on port 5060.

Can both ports be bridged to their public IPs as they are separate services?

I don't really want to have

5060 forwarded to 5060 on IP 2
then
5070 forwarded to 5060 on IP 3

arne
Firewalls & SME Servers Public Access
« Reply #12 on: April 11, 2005, 03:46:09 AM »
Yes, a bridge without an IP works much like a 2 port hub with a built in firewalling capability.

I think there will be no issues about passing port 5060 for two different external IPs through it.

Like a hub, the bridge does absolutely nothing with the packets if you don't tell it to do so, so normally you will not have to think about there being a bridge at all, as long as it is open (no firewall or filtering).

You should be able to monitor traffic passing through and you should also be able to block unwanted traffic dynamically by applying filtering rules as required. (Theory, tested in a lab setup with rather limited traffic only. There might be some issues about applying rules dynamically in "real life". Don't know, but could be tried.)
......
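Arne's advice in Reply #7 (log the servers' normal dataflow first, then let the bridge pass exactly that and nothing more) and in Reply #12 (the same port 5060 allowed towards two different public IPs) can be combined into one small tool. The following is an added example, not code from the thread or from SME Server or Floppyfw: it parses constructed tcpdump-style capture lines, counts inbound flows per server/protocol/port, and emits iptables FORWARD rules for a bridge whose frames traverse iptables (as the 2.6 kernels of the day did by default; the 203.0.113.x and 198.51.100.x addresses are placeholders).

```python
import re
from collections import Counter

# Public addresses of the servers behind the bridge (constructed placeholders).
SERVERS = {"203.0.113.2", "203.0.113.3", "203.0.113.4"}

# Constructed tcpdump-style lines, as sniffed on the bridge during normal use.
CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.49152 > 203.0.113.2.5060: UDP, length 512
12:00:01.100001 IP 198.51.100.9.49153 > 203.0.113.3.5060: UDP, length 480
12:00:01.200001 IP 198.51.100.7.52000 > 203.0.113.3.443: Flags [S], seq 1, win 65535, length 0
12:00:02.000001 IP 203.0.113.2.5060 > 198.51.100.7.49152: UDP, length 300
12:00:02.500001 IP 198.51.100.66.5555 > 203.0.113.2.23: Flags [S], seq 2, win 1024, length 0
12:00:03.000001 IP 198.51.100.7.49152 > 203.0.113.2.5060: UDP, length 520
12:00:03.100001 IP 198.51.100.9.49153 > 203.0.113.3.5060: UDP, length 470
12:00:03.200001 IP 198.51.100.7.52000 > 203.0.113.3.443: Flags [P.], seq 1:100, ack 1, win 65535, length 99
"""

LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (UDP|Flags)")

def parse_capture(text):
    """Return (src, sport, dst, dport, proto) for every parsable IP line."""
    flows = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP, truncated or unknown line: skip, never guess
        src, sport, dst, dport, kind = m.groups()
        flows.append((src, int(sport), dst, int(dport), "udp" if kind == "UDP" else "tcp"))
    return flows

def observed_services(flows, servers, min_hits=1):
    """Count inbound packets per (dst, proto, dport); keep those seen >= min_hits times.
    Replies leaving the servers are ignored; a one-off probe drops out at min_hits=2."""
    hits = Counter((dst, proto, dport) for _, _, dst, dport, proto in flows if dst in servers)
    return {key: n for key, n in hits.items() if n >= min_hits}

def build_rules(services):
    """iptables FORWARD rules for a bridge whose frames pass through iptables:
    default DROP, allow replies to permitted flows, then exactly the learned services."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for dst, proto, dport in sorted(services):
        rules.append(f"iptables -A FORWARD -d {dst} -p {proto} --dport {dport} -j ACCEPT")
    return rules

if __name__ == "__main__":
    for rule in build_rules(observed_services(parse_capture(CAPTURE), SERVERS, min_hits=2)):
        print(rule)
```

With `min_hits=2` the single probe to port 23 on 203.0.113.2 is left out of the allow list, while port 5060 is allowed towards both 203.0.113.2 and 203.0.113.3 without any port rewriting.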

Skydiver

SME Firewalls
« Reply #13 on: April 11, 2005, 04:24:14 AM »
OK.

I will start testing and provide results in case someone else down the track requires a similar solution.

Thanks for all your help.

 :-D  :-D

Skydiver

SME FireWalls
« Reply #14 on: April 11, 2005, 04:32:18 AM »
Would it have been much easier if SME had firewall options in all modes, not just port forwarding in Gateway mode?

Not that it's an issue, as I believe this will work, but maybe it's something to look at as an option.
It can be supported in version 6.x and below, but I failed to make it happen in 6.5 and 7.0 alpha 5.

Just a passing thought.

 :-D