Koozali.org: home of the SME Server

Firewall..?

Howard

Firewall..?
« on: December 23, 2003, 03:51:39 AM »
Hi,

Is the firewall on e-smith good enough to have it connected directly to the internet, or should I have a separate firewall between it and the internet..?

Thanks

Arne

Re: Firewall..?
« Reply #1 on: December 23, 2003, 04:24:58 AM »
I think this depends on a lot of different factors: your kind of business, your requirement for security, your backup routines and general security routines. My personal opinion is that 2 firewalls are in general more secure than one, but there are different points of view; see this thread:

http://forums.contribs.org/index.php?topic=19304.msg76416#msg76416

Howard

Re: Firewall..?
« Reply #2 on: December 23, 2003, 05:32:04 AM »
Thanks for the reply - as you say there are varying opinions...

I have an old machine that I was looking at turning into a firewall - but it looks like it may be more trouble than it's worth.. And it appears that the SME firewall is adequate for what I use my SME box for.. (mail and web)

Colin Craig

Re: Firewall..?
« Reply #3 on: December 23, 2003, 12:00:11 PM »
Hi
Putting together a Secure/Cheap(or free) firewall isn't really much trouble these days

I use Smoothwall - this took 20 minutes to have up/running (this including burning the ISO!)

Others include IPCOP and MonoWall.

All of these run on old hardware, and are very simple to set up/install:

http://www.smoothwall.org
http://ipcop.sourceforge.net
http://www.m0n0.ch/wall/

I like to know exactly what is coming into my network, and a dedicated firewall is always (IMHO) better than an addon to an existing server


Colin

Howard

Re: Firewall..?
« Reply #4 on: December 23, 2003, 03:00:49 PM »
That makes sense I guess...

Monowall looks good... Would this need me to make changes to how my dynamic DNS works - i.e. would I need to run it from my firewall...

Also - would it be a good idea to run e-smith behind it in server / gateway mode for extra protection..?

Thanks

Boris

Re: Firewall..?
« Reply #5 on: December 23, 2003, 08:37:47 PM »
SME uses the same firewall engine as SmoothWall and IPCop.
It is not as easy and visual to configure advanced features of it and statistics, but for simple set up you don't even need them. Save yourself time and leave SME as your server/gateway. It is good enough in the default configuration.

Colin Craig

Re: Firewall..?
« Reply #6 on: December 23, 2003, 08:51:37 PM »
I run my SME Server in Server only mode, and use smoothwall to provide a pure firewall.
I trust smoothwall (as much as you can trust a piece of software), as I manage/support various incarnations of this, from the GPL version to the Corporate Server version, for various customers - hence the reason I don't use server/gateway mode for SME.

I can't speak for IPCOP or MonoWall, but Smoothwall Express 2.0 (GPL) supports Dynamic DNS from a few different providers.

Although Boris is right, and it is possible to use SME as a server/firewall, it comes down to personal choice.

I prefer to have as few services as possible running on my firewall to cut down on the possibility of loopholes/security flaws, hence the reason I have a separate firewall.


Hope this helps

Colin

Arne

Re: Firewall..?
« Reply #7 on: December 23, 2003, 11:00:50 PM »
I use a 2 port hardware firewall in my home, and then I have the e-smith connected to the LAN together with the workstations, on the same LAN segment. I think this works quite similarly to a Smoothwall with a two port configuration.

There are no problems at all related to such a configuration. All functions of the e-smith run without a problem to/from the internet and to/from the LAN.

But one thing I'm wondering a little about... If you use the three port configuration on the Smoothwall and put the e-smith on the DMZ, I think you will have at least some small problems. I believe that the Samba file server (??) and the domain controller (!!), if you want to use that, also use the NetBIOS protocol, which I believe is not routable from network segment to network segment, LAN to DMZ (??).

Do any of you have experience using the Smoothwall or some other firewall with a DMZ in such a 3 port configuration mode?? (I believe that the 2 port solution, not using the DMZ, will be the right and best solution for a home network if you want an additional firewall, but I'm not sure about it. It depends on whether the DMZ solution will cause the problems I believe it will.)

I would be very curious to hear if any of you has tested the 3 port / DMZ alternative while using a firewall in front of the e-smith.

Howard

Re: Firewall..?
« Reply #8 on: December 24, 2003, 01:23:41 AM »
I appreciate all the replies...

I guess I will leave my config as it is...

Thanks

Colin Craig

Re: Firewall..?
« Reply #9 on: December 24, 2003, 10:19:45 AM »
Yes - My firewall/smoothwall is a direct replacement for your hardware firewall.

It's an old PC with 2 LAN cards - one is connected to the router, and the other to my network switch, where the E-Smith and PCs are connected.

Smoothwall/IPCOP can be run in various configurations, some of which include a DMZ network, but this is not necessary.

Standard Microsoft NetBIOS runs using the NetBEUI network protocol (in the older operating systems - Win98 and below). This was not routable; however, it was/is possible to run NetBIOS over TCP/IP and remove this restriction.
However, putting the E-smith server in the DMZ will cause more problems - by default, there would be issues with accessing Samba file shares and domain logins, as you say.
These can be overcome by opening pinholes for the relevant network protocols from the DMZ to the internal network. However, this kind of defeats the purpose of putting the server in the DMZ.

In the vast majority of home networks, there is no need for a DMZ

I have used various Firewalls - both GPL and corporate using DMZ's

These tend to be used for separate dedicated servers that provide resources to external users - e.g. web portals to corporate applications, mail scanners, etc.
In these cases, there are other servers providing Samba, domain controllers etc. inside the firewall.

Belthazar

Re: Firewall..?
« Reply #10 on: December 24, 2003, 10:32:49 AM »
Howard

Rather be safe than sorry. Security requires a multi-tiered approach; no single layer of security is sufficient by itself. Put that old PC equipment to work & protect yourself ;)


guestHH

Re: Firewall..?
« Reply #11 on: December 24, 2003, 03:19:31 PM »
Guys,

Do any of you want to write up a doc on how to protect your SME server the way you think is best? Would sure be nice to add it to our 'archive' ;-)

guestHH

Paul

Re: Firewall..?
« Reply #12 on: December 24, 2003, 07:56:43 PM »
If you multi-tier your firewalls, be VERY VERY careful.  You could actually make your system less secure than if you just use your SME box alone.  If you intend to do this, make sure you know EXACTLY what you are doing.

For instance, if you use a firewall (hard or soft) in front of your SME box and open the DMZ to the SME box that is set up as server only, you have just made a BIG mistake.  Don't think for a minute that more is better.  More can be better only if you know how to do it.

If you do it wrong it's like putting 3 deadbolts on your door and leaving them all unlocked.  It might look impressive from the outside but it won't be worth a S#!T

I agree with Hsing, someone needs to do a How-To including 2 and 3 tier setups and what to do and, more important, WHAT NOT TO DO.

JMHO

Paul
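The layouts compared in Colin's Reply #9 (a two-NIC firewall with SME on the LAN, a three-NIC firewall with SME in a DMZ, and that DMZ with NetBIOS pinholes back into the LAN) and the configuration Paul warns about in Reply #12 (a front firewall that forwards its whole DMZ to a server-only SME box), as an added example that is not part of the thread and not SME, Smoothwall or IPCop code. It models each layout as a first-match rule list and asks two questions per layout: which services on the SME box does the internet reach, and what does a compromised SME box reach on the LAN where the PCs' shares and logon ports live. The zone names, the service list, the three published ports, and the assumption that a server-only SME box applies no packet filter of its own are all assumptions of the example, not statements from the thread.

```python
"""Zone-based packet-filter policy evaluator (added example, not from the thread).

Each layout from the discussion is a first-match rule list; `exposure`
reports what the internet reaches on SME and what SME reaches on the LAN.
Zone names, ports and the rule sets themselves are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

ANY_PORT: FrozenSet[int] = frozenset()  # empty set means "any destination port"

# Services an SME box is assumed to listen on for this example.
SERVICES: Dict[str, Tuple[str, int]] = {
    "smtp": ("tcp", 25),
    "http": ("tcp", 80),
    "https": ("tcp", 443),
    "ssh": ("tcp", 22),
    "netbios-ns": ("udp", 137),    # NetBIOS name service
    "netbios-dgm": ("udp", 138),   # NetBIOS datagram (browsing, logon broadcasts)
    "netbios-ssn": ("tcp", 139),   # SMB over NetBIOS session
    "microsoft-ds": ("tcp", 445),  # SMB directly over TCP
}
NETBIOS_SERVICES = {"netbios-ns", "netbios-dgm", "netbios-ssn", "microsoft-ds"}


@dataclass(frozen=True)
class Rule:
    src: str                 # source zone
    dst: str                 # destination zone
    proto: str               # "tcp", "udp" or "any"
    dports: FrozenSet[int]   # ANY_PORT or the permitted destination ports
    action: str              # "accept" or "drop"


def decide(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; no match means drop (default deny).

    Traffic inside one zone never crosses the firewall, so it is always
    accepted: hosts on the same switch talk to each other unfiltered.
    """
    if src == dst:
        return "accept"
    for r in rules:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "drop"


def reachable(rules: List[Rule], src: str, dst: str) -> Set[str]:
    """Names of SERVICES a host in zone `src` can open towards zone `dst`."""
    return {name for name, (proto, port) in SERVICES.items()
            if decide(rules, src, dst, proto, port) == "accept"}


PUBLISHED = frozenset({25, 80, 443})  # assumed: what the firewall forwards to SME

# Layout 1 (Colin's two-NIC box): internet on one card, the LAN switch with
# SME and the PCs on the other. Only mail and web are forwarded to SME.
TWO_PORT: List[Rule] = [
    Rule("lan", "internet", "any", ANY_PORT, "accept"),
    Rule("internet", "lan", "tcp", PUBLISHED, "accept"),
]

# Layout 2: three-NIC box with a DMZ leg; SME moves to the DMZ.
THREE_PORT: List[Rule] = [
    Rule("lan", "internet", "any", ANY_PORT, "accept"),
    Rule("lan", "dmz", "any", ANY_PORT, "accept"),
    Rule("internet", "dmz", "tcp", PUBLISHED, "accept"),
]

# Layout 2 plus the pinholes Colin describes so that Samba shares and
# domain logins keep working: NetBIOS/SMB from the DMZ back into the LAN.
THREE_PORT_PINHOLED: List[Rule] = THREE_PORT + [
    Rule("dmz", "lan", "udp", frozenset({137, 138}), "accept"),
    Rule("dmz", "lan", "tcp", frozenset({139, 445}), "accept"),
]

# Layout 3 (Paul's warning): a front firewall whose "DMZ host" feature
# forwards every inbound port to the SME box, which runs in server-only
# mode. Assumption of the example: in that mode SME applies no packet
# filter of its own, so whatever the front box forwards is reachable.
DMZ_HOST_FORWARD: List[Rule] = [
    Rule("lan", "internet", "any", ANY_PORT, "accept"),
    Rule("internet", "lan", "any", ANY_PORT, "accept"),
]


def exposure(rules: List[Rule], sme_zone: str) -> Dict[str, Set[str]]:
    """What the internet reaches on SME, and what a compromised SME reaches on the LAN."""
    return {
        "internet->sme": reachable(rules, "internet", sme_zone),
        "sme->lan": reachable(rules, sme_zone, "lan"),
    }


if __name__ == "__main__":
    for name, rules, zone in [
        ("two-port, SME on LAN", TWO_PORT, "lan"),
        ("three-port, SME in DMZ", THREE_PORT, "dmz"),
        ("three-port + NetBIOS pinholes", THREE_PORT_PINHOLED, "dmz"),
        ("DMZ-host forward to server-only SME", DMZ_HOST_FORWARD, "lan"),
    ]:
        print(f"{name}:")
        for flow, services in exposure(rules, zone).items():
            print(f"  {flow:14} {sorted(services)}")
```

Running it shows the trade-offs the thread argues over in one table: the two-port layout exposes only the three published ports to the internet, but a compromised SME box sits on the same switch as the PCs and reaches every share and logon port unfiltered; the plain three-port DMZ cuts that reach to nothing, which is exactly why Samba and domain logins stop working; adding the pinholes hands the SMB and NetBIOS ports back to whoever controls the DMZ host, which is Colin's "defeats the purpose"; and forwarding the whole DMZ host to a server-only box exposes everything it listens on, ssh and SMB included, which is the mistake Paul describes. The rule syntax of Smoothwall, IPCop or SME's own masq scripts differs, but the per-zone question is the one to ask before trusting any of them.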