The cool thing about having a separate device for a hardware firewall is that you presumably built your SME for resilience.
If you were to experience a denial of service nowadays there are so many ways of doing it. I manage the security for around 5m internet users and the buck stops with me, so hence why I have an active interest in 1) designing firewalls (which I've deployed more than most) and 2) understanding risk.
Two years ago, if we saw patterns of hacking and risk, it was generally geeks and kiddies portscanning and attempting known hacks against port-specific activities. Nowadays, if you wanted to really cause pain, you wouldn't hack a firewall to take a service down; you'd simply throw enough msgs per sec at a firewall with a port 25 redirect to an MTA to make it fall over.
My SME box at home is a Dual 2GHz 1GB RAM Dell server and last week it was ground to a total halt (100% CPU usage) purely when an address that is aliased to a domain I host was hammered by spam from a cable modem address range in Russia and Estonia for two hours. It was interesting to just let it log.
However, it showed that where, in the old days when I created Smoothwall/IPcop, it was the firewall whose hard drive would spin and pop, nowadays it's the fact your MTA and SpamAssassin CPU usage and spawned processes will take your box down.
Now that mail abuse is one of the biggest threats you'll face as an admin (and those silly enough to run phpBB who get everything they deserve), would you really want to stretch a machine that should already be busy enough by adding more Snort functionality and more IDS (Nessus/LIDS?) to the equation?
Better that you leave it to another point of failure. If I'd had my SME as my gateway during that attack I'd have lost as a minimum:
DHCP
DNSMASQ
Squid
SMB
Now, because I have aggregated the services across three load-balanced hosts with some code from Horms and the Linux HA project, all I got was one slow machine out of three and my firewall still able to serve DHCP and allow other machines to get on business as usual.
Keep your firewall separate. A bastion host and 2nd NIC is simply a brick wall - not a firewall.
Richard