Koozali.org: home of the SME Server

Is SME 5.6 a secure app firewall

Alejandro Lengua

Is SME 5.6 a secure app firewall
« on: September 09, 2003, 01:31:27 AM »
I would like your opinions about if you consider SME a secure firewall...
or do you prefer to use a specialized firewall in front of SME?

Bill

Re: Is SME 5.6 a secure app firewall
« Reply #1 on: September 09, 2003, 02:34:45 AM »
As a firewall, sme is only moderately secure. Any box that runs applications and is directly connected to the internet is only as good as the latest patch, and sme5.6 has not been patched in quite a while (apt-get thinks it should update 12-14 packages on my update4 box). I run another firewall in front of the sme and only forward the ports I really need (80 and 25).

If you are just running a home network and don't care if it gets trashed you can run direct, but if your needs are greater than that I would run something else in front of the box (IPcop or smoothwall).

I would also recommend that you get and use the latest 6.0 beta rather than running 5.6.

Of course this is just my personal opinion and I am sure that I will get flamed for talking bad about the box. Opinions are like a**holes, everyone has one and they are all different.  :^)

Bill Pflaumer

Re: Is SME 5.6 a secure app firewall
« Reply #2 on: September 09, 2003, 03:25:39 AM »
I personally like IPCOP better, it is developing at a greater rate than smoothwall, with great addons such as DansGuardian and an integrated GUI to administer DG. Add a third NIC and place SME in a DMZ. Soon a 'BLUE' interface will be added for wireless. Even the previous president (Dick Morrell) of smoothwall likes IPCOP better!

Bill

Ray Mitchell

Re: Is SME 5.6 a secure app firewall
« Reply #3 on: September 09, 2003, 03:14:33 PM »
Bill ie bill_AT_fingerlakesrepair.com

Why don't you raise your security concerns with smesecurity@mitel.com and see what they have to say. If you feel the server is insecure then do something about it.

My understanding from reading previous posts is that Mitel only release patches when necessary, and that the packages you are referring to may not in fact have vulnerabilities, when properly analysed.

If you present your security concerns to Mitel they will advise you accordingly, and do let us all know the outcome.

quote from the bugs page

Reporting security concerns
Mitel Networks takes the security of the 6000 MAS and SME Server very seriously. Security concerns should be reported to smesecurity@mitel.com, and only there. In particular, security concerns should not be posted to public forums, such as those on this site.

To Alejandro
see http://www.e-smith.org/docs/papers/smeserver-security.html
this may give you an idea of how seriously Mitel take the security of sme server

I have had a sme server connected 24 hrs a day to Internet for over 3 years without a single security breach, and that was throughout a period of very volatile worm activity etc.

Regards
Ray Mitchell

Bill

Re: Is SME 5.6 a secure app firewall
« Reply #4 on: September 09, 2003, 05:09:35 PM »
I did and the answer received was that I am using an unsupported developer release and will receive no support from Mitel. Not exactly reassuring. Don't get me wrong, I think it's a great product but it's not highly secure. I have already manually updated the things I felt were needed (kernel, samba, apache, etc) and will continue to do so as needed.

Rich Lafferty

Re: Is SME 5.6 a secure app firewall
« Reply #5 on: September 09, 2003, 07:20:03 PM »
Bill wrote:
>
> I did and the answer received was that I am using a
> unsupported developer release and will receive no support
> from Mitel.

Well, that's true -- the smesecurity@mitel.com email address is not one that provides technical support. Rather, it's there for the community to let us know about security-related problems that we might otherwise be unaware of. When someone reports a security issue, we investigate the report, and if we determine that it is a valid concern, we schedule an update.

That said, I can't find any mail that reached smesecurity@mitel.com from a fingerlakesrepair.com email address -- only a non-security-related bug report on 6.0 Beta3 sent to smebugs@mitel.com. If you've sent us mail regarding security problems and you believe that your advisory was inappropriately handled, please feel free to send another message to that address; I'll keep an eye out and will handle it directly.

Rich Lafferty
System Administrator
Mitel Networks

Maggard

Re: Is SME 5.6 a secure app firewall
« Reply #6 on: September 09, 2003, 08:46:36 PM »
I gotta say I'm not sure what the question is. Or more accurately what the answer would be.

Is SME secure? In the experience of the folks here it appears to be.

Do I have valuable stuff behind it? My clients do. I have files that are important to me.

Is it secure enough to sleep well at night? I do.

Do I think the folks at Mitel are on top of security concerns and responsive in addressing them? Yes, that is my impression.

Is e-smith as secure as other distributions? It seems to be as secure or even more secure (just due to less 'stuff' being loaded and Mitel being a mite conservative in versions) than the Red Hat it is based upon.

Could it withstand a determined attack by a team of NSA spooks? Who can judge?

If you are THAT concerned about security then I suggest you shouldn't be looking at a free distribution of an easy to administer general purpose server. Consider something behind a dedicated firewall or four, running a very secure OS like OpenBSD, AIX, or honestly, MacOS 9 (US Army swore by it - limited as a server but by that virtue hard to hack!)

Does any of that help?

Oh, and yeah, I wouldn't expect Mitel to be answering any "is it secure" questions on 6beta at all. Nobody serious about security would be using a release not judged by its creators to be production-ready, much less secure. Either pay and get the SME version of 6 with support or wait for the e-smith version to come out before asking for judgement calls on it.

Graeme Fleming

Re: Is SME 5.6 a secure app firewall
« Reply #7 on: September 09, 2003, 11:41:29 PM »
You're really asking the wrong question - security is a state of mind!

The question is: how secure do I need a system to be? A level of security is made up of many component aspects that relate to a system as a whole; no point having the biggest baddest system in the world if someone can compromise the server physical security and hack the admin password!!!

If you are worried or concerned consult a specialist to review your whole system and broaden your view of security and treat it as a discipline in its own right.

Maggard

Re: Is SME 5.6 a secure app firewall
« Reply #8 on: September 11, 2003, 02:05:42 AM »
Graeme Fleming wrote:
>
> You're really asking the wrong question - security is a state
> of mind!
>
> The question is: how secure do I need a system to be?  A
> level of security is made up of many component aspects that
> relate to a system as a whole; no point having the biggest
> baddest system in the world if someone can compromise the
> server physical security and hack the admin password!!!

Or just wheel the server out...

>http://catless.ncl.ac.uk/Risks/22.90.html#subj1

Had a buddy last month trying to track down where a client's bandwidth was going. Packets were suddenly getting dropped all over the floor but nothing should have changed on the site. Tracked it down to BitTorrent traffic. Turned out the company on the floor below had an admin-asst/techie with a serious pr0n habit who'd done some midnight rewiring to get more bandwidth...

-- Michael

I can't say too much, I once had an E-Z Bake oven on my in-lab test server racks for over a year before my VP noticed anything odd (I think it was its pale green color.) Made a great corn muffin thing over the 100w bulb tho'.