Koozali.org: home of the SME Server

Recommended setup for SME 7

achandra

Recommended setup for SME 7
« on: February 19, 2006, 07:13:20 AM »
Okay... As a young admin I was like - let's just put two NICs in and get the thing up..

Well, the more I have been thinking about it, what is the recommended setup?

Should I be running a separate firewall altogether with, say, 3 NICs, running email and web off of SME in a DMZ, then offer a private network to all the other systems? In light of using Asterisk as well and doing port forwarding I was thinking about this more and more...

Suggestions??

Boris
Recommended setup for SME 7
« Reply #1 on: February 19, 2006, 08:26:53 PM »
A third NIC for a DMZ is usually used when the firewall doesn't have control over the server's services put there. In this case you let your (third-party) server run the service for everyone and limit the accessibility of them on the firewall. I hope you understand what I am trying to say :)
In the case of SME, you have all/most of the services running on the same box, but you control whether they (services) are available for the Internal, External or both networks. In a sense, it's like having a DMZ inside the box and controlling which interface they are bound to and which hosts are allowed to use them.

For the typical intended usage scenario, SME is the only server box for the small office, serving files via samba for the LAN clients via LAN NIC only, web pages for the Intranet, Internet or both, e-mail for the LAN or Internet or both, VPN, etc…

In some rare occasions when one box is not enough and you need multiple e-mail servers or web servers that cannot be handled by the same SME server (like having to run a Windows IIS server in addition to Apache) you may use port forwarding or ProxyPass to handle this, or install a different firewall and handle multiple servers' traffic through it.

For your particular implementation, as a young admin, you may want to explain more details on your "network to be" here and seek advice on the network planning from more experienced sysadmins.
...

achandra

Let's play scenario
« Reply #2 on: February 20, 2006, 02:50:24 AM »
Let's just assume for a second that a cracker has penetrated your firewall because you chose to open a port, say 5060 for SIP communication. At that moment the cracker has penetrated your internal network, the firewall, the critical box serving up all these wonderful services as you have stated. Hence, putting all your eggs in one basket.

By separating the network into, say, a DMZ, the web server and the PBX may get cracked, but you have a chance to protect your internal network by running a third NIC and protecting the hell out of it.

Small business or not, it's about securing your network. Once again, just my two cents..

dsemuk
Recommended setup for SME 7
« Reply #3 on: February 20, 2006, 11:03:32 AM »
achandra

Why ask if you don't want advice?

Dave
--
Esmith/Mitel/SME server  :-D...

achandra

That's easy
« Reply #4 on: February 20, 2006, 08:52:43 PM »
The asking of the question was a legitimate one. It was to pose dialog on a FORUM (thank you very much) about possible limitations within the product or intent for usage.

If you're going to use such a product for businesses, isn't it worth protecting the investment?

Most corporate environments have DMZs to protect their internal lans.

Cheap or free doesn't have to mean limited, buggy, or not addressed.

To answer your question directly: just because someone answers a thread doesn't mean the reaction of the person who posted the thread should be "oh holy wise one, I believe you wholeheartedly".

The whole point of GNU, Linux, and Open source is to create a situation where issues can be talked about, discerned, and debated if necessary to improve the product.

I responded to his answer in kind. What is your valuable contribution??  :-x

Boris
Re: Let's play scenario
« Reply #5 on: February 22, 2006, 06:59:11 AM »
Quote from: "achandra"
Small business or not, it's about securing your network.
There is no absolute security on the network. Any "secure network" could be penetrated provided that there are skills and dedication. Having a “better” firewall or multi-level access control costs more in hardware and administration. Small businesses have mostly small budgets and no “super-admin” on premises.
SME fills this niche with glory, providing a basic firewall and a server secure enough in the stock configuration. A semi-experienced administrator can reduce that default security by opening more ports and installing additional services.
Quote from: "achandra"
Cheap or free doesn't have to mean limited, buggy, or not addressed.

SME is not “cheap”, it's free, and therefore it's not “limited, buggy or not addressed”. If you found a bug there, please report it to the bug-tracker. If it's too limited for your needs, use something more advanced and flexible.
It's hard to determine if SME fits in your environment without knowing specifics, and theoretical discussion is not something that some “busy” people enjoy.
...

achandra

Re: Let's play scenario
« Reply #6 on: February 22, 2006, 08:18:16 PM »
Quote from: "Boris"
SME is not “cheap”, it's free, and therefore it's not “limited, buggy or not addressed”. If you found a bug there, please report it to the bug-tracker. If it's too limited for your needs, use something more advanced and flexible.
It's hard to determine if SME fits in your environment without knowing specifics, and theoretical discussion is not something that some “busy” people enjoy.

I really can't understand "where" it is you are coming from. Once again YOU entered into this thread and posted basically a "why can't you just accept it" type attitude.

I do agree that SME does a lot, but there are some very simple and "limited" products that handle some core issues of security. Did I mention anywhere that I wanted Fort Knox? No. I said HOW are you addressing issues. I make this point - small business servers are the environments most often broken into by novice crackers.

Are you implying SME is "good" enough?

Still trying to understand how you have contributed to this thread without whoring it up.  :evil:

Boris
Recommended setup for SME 7
« Reply #7 on: February 22, 2006, 08:41:53 PM »
Are you genuinely seeking advice on SME implementation, or just trying to start a “what OS is better” contest?
If the latter, you are at risk of being ignored.
...

achandra

Deadly serious
« Reply #8 on: February 22, 2006, 08:53:43 PM »
I have been a long-time user of SME and have installed the product in now over 30 locations.

However, with each upgrade, the look, feel, and even mechanisms for control have been changed, edited, or simply deleted.

What I'm seeking is to IMPROVE the product, and ask a very legitimate question.

The product does do a lot; why can't it aspire to Enterprise quality?

dmay (http://myezserver.com)
Re: Deadly serious
« Reply #9 on: February 22, 2006, 11:26:19 PM »
Quote from: "achandra"
The product does do a lot; why can't it aspire to Enterprise quality?

The quality is definitely there.

Enterprise environments typically include multiple servers running behind enterprise-grade firewalls. Inside you may find a myriad of Windows, Sun, Linux, SME and dedicated network appliances, performing various roles. Some roles are even shared across server platforms. The SME Server fits enterprise environments very well.

Darrell

achandra

Let me give you an idea
« Reply #10 on: February 22, 2006, 11:58:06 PM »
I'd like to see multiple SME servers in a clustered configuration for failover. The panel could allow the user to choose the servers to be put in a cluster scenario, as well as the services to be clustered. For example, have redundant email servers.

Also the use of Asterisk (which is being worked on), perhaps being clustered as well for failover using round-robin DNS.

That's Enterprise - Redundancy, Failover, security; these are all important.

My two cents.

dhardy

Recommended setup for SME 7
« Reply #11 on: February 25, 2006, 01:11:40 PM »
There are several ways to skin the DMZ cat.

In the environments that I have deployed SME I have found that there is a huge confidence/skills gap i.e. the users/local admins do not have the skills to back up the things they want to do in a secure fashion.

In those environments I have the utmost confidence that SME prevents them from doing themselves any harm. If they require anything that needs a DMZ it is usually possible to provide something that works for them by using a router and some thought.

Everyone's environment/market is different; in the UK we can get a DSL connection with a routed 8-IP subnet for the same price as a dynamic address from some providers. Add in a NAT router for another £50 - £200 (depending on what else they want) and you can port forward or have real IP addresses or a mixture of the two for all of your stuff.

The setup I run has 16 IPs from Zen Internet. I have a Draytek 2600 router with port forwarding for IP cameras and SIP, and I use the web interface for the router to set up port forwarding to individual PCs when I need to VNC/Remote Desktop in to another machine. My SME 6.01 server has a real IP, as does my SME 7 test box, my SSL Explorer test box and my m0n0wall hotspot project.

I have no need for a DMZ as described above, I've just done everything differently.

As Darrell says above, enterprise users have probably already got enterprise style firewalls - Watchguards or Zylabs or something else.

Smaller businesses or SOHO users are necessarily more constrained, but as requirements grow and there are investments to be made, the choice between buying a router for £200 or hiring a sysadmin for £25,000 (or a consultant for £100 per hour) becomes easier. It's not that it can't be done or even whether it should/shouldn't be done; it's that there are more factors to consider than the computers.

I consider SME to be like velcro - fantastically simple to use, life changing for many and a credit to the developers. I deploy it fearlessly where I know users will always click on the yes button in a dialog because they haven't read it, and know that it will save them from themselves. I deploy it in other environments where the integration between the various parts is needed - user creation in seconds, email aliases controlled by a non-skilled admin, PPTP VPN on a per-user basis and so on.

The newer server virtualisation technologies may well overtake clustering and failover - the hardware will have redundancy, with virtual servers isolating the OS from the hardware; the physical hardware hosting an SME could be changed without rebooting the OS.....

Costs are always the big thing. What is meant by redundancy? High Availability clustering is not the same as DR redundancy. Typically for HA the hardware is in the same place and can survive an IT fault; typically for DR the hardware is in different places and is designed for a rapid return to service after a catastrophic disaster rather than an instant recovery of in-progress transactions. When you factor in datacentres and terabytes of data you have to agree that you are not talking about two-bit operations with minimal staff; the hardware costs a fortune to house, let alone purchase, configure and run.

There are ways to achieve redundancy without spending much money, regardless of the OS you use.

1. Configure backup MX records in your DNS and have mailservers which will queue your mail for you in the event of a problem.

2. Have two servers that rsync in the middle of the night and run incremental or differential backups during the day that you take away with you at the end of the day. Make sure that your configs are documented so that you can absolutely recreate a server which gets stolen or otherwise 'removed' from service.

3. Configure DNS with host aliases so that you can switch between the servers by assigning the alias to the other server.

Alternatively spend megabucks and go the SAN route - Invest in iSCSI equipment (or push the boat out and go with fibre channel HBAs and FC or SCSI storage). Use the SAN management tools to take snapshot backups and replicate data away to tape.

I may have lost my way through this; the point I'm trying to make is that there are many ways to do a DMZ, achieve redundancy and maintain uptime, all with different associated costs. In my experience SME embraces most of them through various how-tos and contribs. Most times users want something which they don't understand; when they explain what they want it can usually be delivered another way.

Regards

David.
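As an added illustration of steps 1 and 3 in the post above (example code written for this page, not code from the thread, from SME Server or from any DNS software): a small Python check over a zone fragment that confirms a backup MX exists and resolves, then performs the "switch the alias to the other server" step, including the SOA serial bump without which secondary nameservers never pick up the change. The domain, hostnames and addresses are constructed sample values.

```python
# Constructed sample zone (hypothetical example.com, RFC 5737 test addresses):
# a primary and a backup MX, plus a service alias that can be moved between boxes.
ORIGIN = "example.com."
ZONE = """\
@     IN SOA   ns1.example.com. hostmaster.example.com. 2006022601 3600 900 604800 300
@     IN MX    10 mail1.example.com.
@     IN MX    20 mail2.example.com.
mail1 IN A     192.0.2.10
mail2 IN A     192.0.2.20
mail  IN CNAME mail1.example.com.
"""

def fqdn(name, origin=ORIGIN):
    """Expand '@' or a relative owner name against the zone origin."""
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")

def parse_zone(text, origin=ORIGIN):
    """Parse 'owner IN type rdata' lines into (owner, type, rdata) tuples."""
    recs = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 4 and parts[1] == "IN":   # ignore blanks and anything fancier
            recs.append((fqdn(parts[0], origin), parts[2], " ".join(parts[3:])))
    return recs

def mx_redundancy_problems(recs, origin=ORIGIN):
    """Findings that would defeat a backup-MX setup; an empty list means it looks sane."""
    mx = [rd.split() for name, rt, rd in recs if rt == "MX" and name == origin]
    a_names = {name for name, rt, _ in recs if rt == "A"}
    problems = []
    if len(mx) < 2:
        problems.append("fewer than two MX records: no backup mail server")
    if len({pref for pref, _ in mx}) != len(mx):
        problems.append("duplicate MX preferences: no primary/backup ordering")
    problems += [f"MX target {host} has no A record" for _, host in mx if host not in a_names]
    return problems

def switch_alias(recs, alias, new_target, origin=ORIGIN):
    """Re-point a service alias at another server and bump the SOA serial; refuses dangling targets."""
    new_target = fqdn(new_target, origin)
    if new_target not in {name for name, rt, _ in recs if rt == "A"}:
        raise ValueError(f"{new_target} has no A record; alias would dangle")
    out = []
    for name, rt, rd in recs:
        if rt == "CNAME" and name == fqdn(alias, origin):
            rd = new_target
        elif rt == "SOA":
            f = rd.split()
            f[2] = str(int(f[2]) + 1)   # serial must increase or secondaries keep the old zone
            rd = " ".join(f)
        out.append((name, rt, rd))
    return out
```

The alias TTL (the SOA minimum here, 300 seconds) bounds how long clients keep pointing at the failed box after the switch, so keep it short on records you intend to move in an outage.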

achandra

Thanks for the response
« Reply #12 on: February 26, 2006, 08:54:45 AM »
Actually your response was very well handled. I appreciate you taking the time to look at the issue and consider it. :-D

I read through the whole thing and you have answered some of the tough questions I had. In addition you gave me some ideas and concepts on how to handle such things without considering another product, as I myself think SME can handle it.

What you've done is answer some of the tough questions others in the IT field and management will ask.

Once again, in all sincerity, I appreciate the comments.   :pint: