Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Jim Danvers on December 21, 2003, 03:26:40 AM

Title: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Jim Danvers on December 21, 2003, 03:26:40 AM
...just curious.  I learned about a little thing called "m0n0wall" (http://m0n0.ch/wall/) that is a really slick FreeBSD based firewall.  Doesn't require a hard disk - just a CD-ROM and floppy.  Long story short, it requires a machine that will boot from CD (BIOS setting) and it stores its cfg data on the floppy.  Pare the machine down to a slow processor (no fan req'd for cooling) and after bootup one basically has a very secure firewall up and running (quick boot time too!) with no moving parts.  It's kinda neat.  Haven't figured out if/where I'll use it, but I have been reading around the web and got to thinking... what exactly is the firewall capability of SME anyway?  I believe it to be iptables based, yes (vs. older ipchains)?  Is it a "secure" fw?  Stateful?  I have sort of toyed with the idea of placing the m0n0wall box in front of my SME and then re-cfg'ing it as req'd...  This would require some cfg'ing of the m0n0wall in order for stuff to continue to work @ my SME box (I'd have to set up some port fwds for mail, http, etc...)

Question is:  Do I need to?  Is it worth the effort?  Is the SME box secure as it is?

The questions above are NOT a troll...  just curious.  ;)

Thanks!

-=- jd -=-

( PS )  What's the deal with the 'final' version of SME 6.0?  I saw a thread on it where an .iso was released, then pulled because it was whacked, then placed back on the ftp servers, (apparently) lots of complaints about it still being buggy, webmail interfaces not working right, etc.  As the subject of this post says - I'm still running (and quite happy with ;) ) the 'beta' version of it..

Thanks ( take II ) again...
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 21, 2003, 09:37:13 PM
About firewalls: The Linux kernel 2.4.x in e-smith 5.6/6.0 does support stateful inspection. It can be run as a static firewall and it can be run like a stateful inspection/dynamic firewall. I don't know for sure if e-smith activates the stateful inspection part, but I will guess it does. Personally I usually set up the e-smith without a firewall and then I make the proper firewall script myself that gives the exact configuration I want. When I do this I usually activate the stateful inspection part of the firewall functions.

The firewall of e-smith is based on "netfilter", which is included as a part of the Linux 2.4.x (and 2.6.x also, I believe) kernel.

http://www.netfilter.org

I think there are some contribs that give some filtering capabilities to the squid proxy. If you include such functions, I think you will also have an "application level" firewall running on top of the packet filtering firewall. (I haven't tried that e-smith contribution but have made some testing on such "manual" configuration of squid.) (I believe that the Microsoft ISA server works much the same way, a basic packet filtering function with a filtering proxy running on top of that.)

About small firewalls:  I have also tried a very small Linux firewall based on one floppy only. It has basically the same kernel as e-smith, and can do the same when it comes to packet filtering. If you want to do some firewall script training it works in the same way as any Linux including e-smith. I think it is a very good firewall because it is almost impossible to hack as there are almost no "daemons" running except for the basic kernel processes. I will recommend it at least for a try and for testing.

http://www.zelow.no/floppyfw/

About e-smith 6.0 pre3 and 6.0 final release: I just made some testing on those two. 6.0 pre 3 with all upgrades worked OK and with no problems as far as I could see. After I made an upgrade to 6.0 final release (a fresh new installation), there were no problems with the basic functions. But it appeared that all the contribs did not work with the 6.0 final release. For me: No problems with 6.0 pre 3, some problems with 6.0 final release.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 21, 2003, 10:01:08 PM
By the way, I forgot to mention one thing ..

I think it is in many ways a basic principle in all firewall design that a firewall machine should have as few processes or daemons that can be hacked or communicated with as possible. Every opening into the firewall machine and every process that a hacker can communicate with is basically a security risk.

In this way the design of the e-smith (with the setup as a gateway server) is "not so good" if maximum security and "impossible to hack" is a main target. (On the other hand you save money, you get only one box and for many kinds of use it is just secure enough.)

If you want to improve security, I think a good idea will be to use a firewall with 3 connections in front of the e-smith, and then just use e-smith in "server only" mode.
These 3 connections will be WAN, DMZ and LAN.

There is one Linux firewall for this purpose that is rather easy to set up and it is also free for download. I have tested the last "issue", Smoothwall 2. I see they have renamed it "Smoothwall 2.0 Express", but I guess it is still basically the same.

http://www.smoothwall.org

There are some limitations for the Smoothwall, at least the one I tested: It is only a NAT routing firewall. It does not support bridging or things like that and it can only have one external IP at the external (WAN) connection.

There is one other Linux based firewall that I have been told can handle multiple external IPs and this is IPCop, but I have not tested this.

http://www.ipcop.org/
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 21, 2003, 10:19:49 PM
By the way once more:

I had not seen the screen shots of the m0n0wall, sorry about that ..

The m0n0wall firewall appears to be basically the same kind of firewall as the Smoothwall, and I can see that it has WAN, DMZ and LAN connections like the Smoothwall .. So all arguments for using Smoothwall are also basically valid for this firewall.

Smoothwall 2.0 needs a hard disk of minimum 100 MB. Smoothwall also supports stateful inspection.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Boris on December 22, 2003, 12:00:23 AM
Firewall is not the main purpose of SME server, but rather an included bonus.
SME is a multipurpose application server, with built-in basic firewall/gateway capabilities. If you need a dedicated firewall only, look at the many other solutions available (GnatBox Light, IPCop, FloppyFW, Coyote Linux etc.).
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 22, 2003, 02:03:38 AM
I agree completely with this conclusion. The firewall is rather something like an option among a lot of other things. In many cases I think it gives enough security to use the e-smith alone, and if you want to spend some more money, and possibly get some more "theoretical security", you can just set it up in server only mode and use another firewall in front.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Paul on December 22, 2003, 08:55:08 AM
Arne,

Why would you put the server in server only mode and put it behind an additional firewall?

What ports would you forward to the server?

Would you put the server in the DMZ?
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: PeterG on December 22, 2003, 12:38:54 PM
Hi Guys,

The set up I have been pondering is as follows -

A stateful packet inspection hardware firewall, something like an SMC 7404 combined router, ADSL modem and SPI firewall.

This would have two port forwards for SMTP and VPN.

The LAN side of the router would then connect to a NIC in the server.

The server has two NICs in it, one to the router, the other to the LAN.

Is this any good?

PeterG.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Jason Judge on December 22, 2003, 06:40:37 PM
I've pondered this: if you put the server behind a separate firewall, and then forward all the ports necessary to the e-smith server to operate as a webserver/VPN/mailserver etc, then is it any more secure than connecting it directly to the Internet?

The only advantage I can see is that a separate firewall is more easily able to "pull the plug" in the event of a sustained attack from the Internet, but otherwise a transparent firewall doesn't really add any extra security.

Please tell me if I'm missing something here...
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Paul on December 22, 2003, 06:43:03 PM
PeterG,

Why would you do this?  The SME server has a stateful firewall built in.  If you put it behind another router/firewall, your internal IPs will get wrapped twice; this might slow you down a bit.  I originally had mine set up this way and when I removed the hardware firewall, the people in the office asked if we got a faster internet connection.  Putting a hardware firewall in front of your SME box will probably slow it down a bit.

If you just allow mail and VPN on the SME, it will STEALTH all ports except mail and VPN for you.  Same thing except one less piece of equipment and a couple less cables to go wrong.

JMHO

Paul
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Paul on December 22, 2003, 07:09:08 PM
Jason Judge said:

> I've pondered this: if you put the server behind a separate firewall, and then forward all the ports necessary to the e-smith server to operate as a webserver/VPN/mailserver etc, then is it any more secure than connecting it directly to the Internet?

No, not really.  And if your server is set up as "server only" and if you make a mistake on the router and forward the wrong port, it will actually be worse.


> The only advantage I can see is that a separate firewall is more easily able to "pull the plug" in the event of a sustained attack from the Internet, but otherwise a transparent firewall doesn't really add any extra security.

You can still "pull the plug" on your server, just disconnect the WAN (and probably the LAN for that matter) cables from the SME box.  But, by the time you discover a problem, get to the box and disconnect, it will be too late anyway.

Most attacks are geared towards MS servers anyway (for now).  The other problem that seems to be big is spammers using your mail server.  I don't (and won't) have my mail server open to the public.

Another problem, dyndns.  SME reads its own external interface and if it changes, it reports to dyndns.  You have to use a different client if you are behind a firewall.  Or get a firewall with a dns client built in.  Now you have something else to configure.

Putting your SME behind another router/firewall is pointless, unless you need to use the modem/router because of ISP reasons such as your connection is PPPoA.  But, if it makes you feel safer, there's nothing saying you can't.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: PeterG on December 22, 2003, 07:41:52 PM
Paul wrote:

> Jason Judge said:
>
> > I've pondered this: if you put the server behind a separate firewall, and then forward all the ports necessary to the e-smith server to operate as a webserver/VPN/mailserver etc, then is it any more secure than connecting it directly to the Internet?
>
> No, not really.  And if your server is set up as "server only" and if you make a mistake on the router and forward the wrong port, it will actually be worse.

Presumably you would know that the wrong port was used, as the thing you wanted to port forward to wasn't working?


> > The only advantage I can see is that a separate firewall is more easily able to "pull the plug" in the event of a sustained attack from the Internet, but otherwise a transparent firewall doesn't really add any extra security.

But aren't there any other ports that are open on a standard v6 install? I haven't run Nessus against a v6 server but will give it a go tonight if I have time.
 
> Another problem, dyndns.  SME reads its own external interface and if it changes, it reports to dyndns.  You have to use a different client if you are behind a firewall.  Or get a firewall with a dns client built in.  Now you have something else to configure.

I know an installation, not mine - honest, that has the installation that I was pondering and it all works quite happily.

 
> Putting your SME behind another router/firewall is pointless, unless you need to use the modem/router because of ISP reasons such as your connection is PPPoA.  But, if it makes you feel safer, there's nothing saying you can't.

What I may do is get a USB modem and run Nessus against that and then against a firewall/router/modem type box. Although you mention that a router is required for PPPoA, this is the standard protocol for ADSL in the UK? How does a USB modem present itself to the SME box during installation, as just another network interface? If so, how are things like usernames and passwords handled?


PeterG.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Paul on December 22, 2003, 08:44:04 PM
> Presumably you would know that the wrong port was used, as the thing you wanted to port forward to wasn't working?

Correct, however did you remember to close that wrong port that you opened earlier???  I'm just trying to point out that the more you have to configure, the more mistakes you MIGHT make.

> But aren't there any other ports that are open on a standard v6 install? I haven't run Nessus against a v6 server but will give it a go tonight if I have time.

SME only opens the ports for the services that are running.  If you elect NOT to have the web server public, then it should not open port 80 on the external nic and so on for the rest of the services.  I have never really tested this as my boxes are all running web servers.

> I know an installation, not mine - honest, that has the installation that I was pondering and it all works quite happily.

And it should, but why go thru the hassle if you don't have to??

> What I may do is get a USB modem and run Nessus against that and then against a firewall/router/modem type box. Although you mention that a router is required for PPPoA, this is the standard protocol for ADSL in the UK? How does a USB modem present itself to the SME box during installation, as just another network interface? If so, how are things like usernames and passwords handled?

Your PPPoA scenario has presented itself many times in these forums with varying solutions.  SME out of the box does not support PPPoA; however, there are several solutions.  Put pppoa in the search engine and you will find a plethora of threads.  The most simple solution is to use the ISP's recommended/supplied firewall/router.  USB modems will probably be your most difficult solution if not impossible.  One post states the use of a PCI ADSL modem, treat it as a dial up and do some minor changes to the SME dial-up and dyndns scripts.  The choice is yours.

Like I said, put pppoa in the search engine and you should be able to find a usable solution.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 22, 2003, 10:25:34 PM
"I've pondered this: if you put the server behind a separate firewall, and then forward all the ports necessary to the e-smith server to operate as a webserver/VPN/mailserver etc, then is it any more secure than connecting it directly to the Internet?

The only advantage I can see is that a separate firewall is more easily able to "pull the plug" in the event of a sustained attack from the Internet, but otherwise a transparent firewall doesn't really add any extra security."


I think from a hacker's point of view there will be a rather big difference.

Connecting the e-smith directly to the Internet and the LAN to the e-smith gives a rather good place to start working for a hacker.

If he is able to get control or root control over the one e-smith server, he will have control over practically all resources and he will also have control over a Linux platform that can be used as a platform for further attacks against the LAN resources.

On the other hand if you use a three port WAN/DMZ/LAN arrangement, the Internet server and the LAN resources will be running on two different network segments with a firewall between. If you are able to work through the firewall and get control over the Internet server, you still have to fight the firewall to get access to the LAN resources. I also think it is a good idea to use not only one e-smith server, but two: The Internet server running on the DMZ and the LAN server running on the LAN. Of course there should be no port forwarding from the Internet to the LAN server.


Internet------Gateway firewall--LAN----LAN server(s) plus workstations
                             |
                             ----DMZ---Internet servers


One other way of arranging these things is like this:


Internet----Outer firewall---DMZ with Internet server(s)---Inner firewall---LAN with server(s) and workstations

There are other reasons also why one (or two) extra firewall machines might make things a little bit safer, problems related to buffer overflow, etc.

I have tested both alternative 1 and 2 and also alternative 2 with a triple firewall arrangement at work with some users, and there was no sign of things getting slowed down due to passing through 1, 2 or 3 firewalls. All three were NAT routing firewalls. We are using a double firewall arrangement today, and there are no problems at all with that. (Microsoft ISA server plus RedHat 7.3). The three firewall arrangement was only an experiment to see how that could work.

I will recommend this book about hacking techniques and network security:
http://www.hackingexposed.com
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Boris on December 22, 2003, 11:40:04 PM
If you need services offered by SME server (WEB, E-MAIL, file sharing etc.), then the built-in firewall is reasonably sufficient. There are no limits for security arrangements, including cascading firewalls, reverse proxying etc., but in most cases it is overkill. If you are too paranoid about it, switch SME to "Private Server-Gateway" and use a separate connection or IP for your public services, otherwise it's reasonably safe to use the standard setup with SME as server, firewall, gateway.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Jason Judge on December 23, 2003, 12:47:48 AM
"If he is able to get control or root control over the one e-smith server, he will have control over practically all resources..."

Well yes, that's my point. If an e-smith server provides all the web-based services through port-forwarding from the firewall, then it makes no difference how the root access was obtained. Gaining access to the e-smith server should be just as easy through a firewall as it is direct - the firewall is going to have to forward all the ports that the e-smith server needs for supplying its web services, so it should be transparent to any hacker.

-- JJ
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 23, 2003, 01:05:34 AM
That is the very nice thing about the e-smith, you can use it as a "general building block" to build up any kind of network structure. If you want to build up a network consisting of 1, 2 or 3 servers or whatever you want, it's just up to you.

PC boxes cost very little today, and the e-smith does not require a lot of processor power.

So because of nice things like the e-smith and the smoothwall firewall you are free to design your network as you want, without having to send all your money away to mr Bill Gates.

That's the very nice thing about open source programs, and open source programs that work right out of the box in particular.

With programs like the e-smith and the Smoothwall any nation, any organisation and almost any person can build up the network they want.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Paul on December 23, 2003, 01:22:50 AM
If you leave ports open to provide services, hackers can always get in.  You can minimize the effect by spreading your services over different servers.  In other words, place a hardware firewall on the internet then forward the HTTP port to one server, SMTP to another and so on.  Also, put your private-server/gateway behind the firewall with no ports forwarded to it and all client machines hooked behind it.  Then put another machine somewhere to collect hourly backups and a daily tape then take it off site.

You could go on and on but it still wouldn't be hack proof.

By the way, what precious information do you have that a hacker would spend so much time trying to get?

Hackers do one of 2 things:

1-Make up some sort of code to infiltrate all machines (like nimda & code red) and hope it does some damage.  In this case, patches are released to stop them.

2-Find a target like NASA or BankAmerica and work like hell to crack through the firewalls.  In this case, the hacker wants something specific.

A hacker (or his program) is not going to poke around your system for more than a few seconds unless you are un-patched or you have something of HUGE value or you have pissed him/her off.

Moral of the story:

Keep your machines patched.
Don't be a government entity or a bank.
Don't make anybody too mad.

I've had my SME server hooked directly to the net for a couple of years and except for the 1000 or so nimda/CodeRed hits a month, nobody bothers me (so far).  I got nothing anybody wants.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 23, 2003, 01:40:40 AM
If the hacker's attack is directed through port 22 or port 80 and these ports have access from the Internet, and if these are the only ports the hacker wants to use, this will be true.

On the other hand if the hacker wants to start up an attack through these ports and then one way or the other open up for more attacks/communication through other ports, this will be more difficult through/behind a bastion firewall in front of the server.

Also if the hacker wants to use an attack based on packet spoofing or if he will try to "knock out" the "structure" of a stateful inspection firewall by some kind of memory overload or "buffer overflow", this will be more difficult on a double firewall setup. While the outer firewall is heavily attacked this way, the inner firewall on the server itself normally will not take notice of this at all because this traffic is stopped by the outer firewall.

As/if the outer firewall is a Linux distribution that is developed only for that single purpose, like the Smoothwall, I think it is possible to build it more "robust and strong" compared with a Linux distribution that is developed to serve all kinds of uses simultaneously and at the same time. Firewall, fileserver, webserver, mailserver and everything in one package can simply not be optimised for one thing; this has to be an average of performance for it all.

By the way, attacking through one open port, let's say port 80 or port 22 .. a packet firewall can do something about that if it is configured for that.

Blocking certain IP addresses is no problem. You can also block on the traffic rate, so if the traffic suddenly reaches an abnormal level the firewall can make an automatic block. It's also possible, I think, to check the length/size of the packets before they are forwarded to the server. Linux also had a project going on with some firewalling modules that can check the exact content of the data text string before DNATting to the server. I think this last project did not work very well, but I think it is still an option in iptables, even though it is not much used.

I think, if you want more security than this, you need something like a reverse proxy firewall that makes a temporary storage and inspection of all traffic into the server on the packet and application level. I believe the new Microsoft ISA server has such a reverse proxy function (?).
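The three-port WAN/DMZ/LAN layout sketched earlier in this thread, together with the stateful inspection, no-forwarding-into-the-LAN and traffic-rate blocking points made in this post, as an added example written for this page (not SME Server's or Smoothwall's own ruleset). The interface names, private address ranges and DMZ server address are assumptions; the function prints the iptables commands so the ruleset can be reviewed before it is applied with root rights.

```shell
#!/bin/sh
# Added example, not SME Server's or Smoothwall's own ruleset: a minimal
# stateful netfilter configuration for a three-port (WAN/DMZ/LAN) firewall.
# Assumed interface names and addresses; change them to match your box.
WAN=eth0; DMZ=eth1; LAN=eth2
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB_DMZ=192.168.2.10          # the Internet-facing server living in the DMZ

# fw_rules prints the commands instead of running them:
#   sh fw.sh            review the ruleset
#   sh fw.sh | sudo sh  apply it
fw_rules() {
  cat <<EOF
iptables -F
iptables -t nat -F
# default deny: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# stateful core: packets belonging to a connection the kernel already
# tracks are accepted; new connections must match one of the rules below
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: our private source addresses never legitimately arrive on WAN
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $LAN_NET -j DROP
iptables -A FORWARD -i $WAN -s $DMZ_NET -j DROP
# LAN may open connections to the Internet and to the DMZ
iptables -A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN -o $DMZ -m state --state NEW -j ACCEPT
# Internet may reach only the published DMZ service: DNAT port 80 to the
# DMZ host and accept at most 50 new connections per second (burst 100);
# above that rate the NEW packets fall through to the DROP policy, which is
# the "block on the traffic rate" behaviour discussed in the thread
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $WEB_DMZ:80
iptables -A FORWARD -i $WAN -o $DMZ -d $WEB_DMZ -p tcp --dport 80 -m state --state NEW -m limit --limit 50/second --limit-burst 100 -j ACCEPT
# DMZ may open outbound connections (DNS, mail delivery) but never into the
# LAN, so a compromised DMZ host still has the firewall between it and the
# LAN; replies to LAN-initiated connections already passed as ESTABLISHED
iptables -A FORWARD -i $DMZ -o $WAN -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ -o $LAN -j DROP
# hide both inside networks behind the firewall's WAN address
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

fw_rules
```

No rule forwards anything from the WAN side towards the LAN network, which is the "no port forwarding from the Internet to the LAN server" condition in Arne's layout.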
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 23, 2003, 01:47:32 AM
I think hacking PCs in private homes to use them to spread spam and to use them in DDoS attacks is a popular variant of hacking. You don't need to have anything on your PC, but the fact that it can be used to send out spam, for DDoS attacks or other attacks against other machines can always make your PC interesting. I think some hackers attack "bigger" targets this way. First find a relatively easy target to attack first and get control over. Then the next phase, use this first target as the base for the next attack.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 23, 2003, 01:51:17 AM
By the way.. I forgot .. This last planned DDoS attack against Microsoft, wasn't it organized this way?? (Except that Microsoft found it out at the last minute and changed their address.)
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Paul on December 23, 2003, 01:57:22 AM
Another thing,

I would spend WAY MORE time worrying about what email you and your other users are opening.  How much you spend on Norton (or whatever AV software you use) and how often you check for MS patches/updates.  You will get more problems with MS machines than your SME box.

I admin a few systems and the worst (BY FAR) problem I have ever had to fix was a virus that spread around the entire office of one of my clients.  I can't remember the name of it but I think it came in through an email.  Messed up every MS machine BUT it left the SME 5.6 box alone.  Spent 2 days fixing 8 MS machines.

Arne,

All this talk about HACKERS WANT to do this and HACKERS WANT to do that.  You're putting fears into people's heads that hackers are constantly trying to get into their machines.  This is just NOT TRUE unless you have something High Profile.  A hacker is NOT going to try my SME box for a 2 bit web site and some shared photos.  It just isn't worth the time to them.

Hackers getting into my SME box is of no real concern to me.  I've got nothing there of value and if they get in, I'll reload and restore.

Your last post pretty much says it, Microsoft.  Do you think the hackers will plan a DoS attack against you or me in the near future....NO

If you are serving up critical or sensitive data over the web, then you need to move up from this OS.  I wouldn't even recommend it for a small e-store that takes credit cards.  Let a large hosting company do that and take the responsibility for stolen CC numbers.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Jason Judge on December 23, 2003, 03:06:28 AM
Just to know all the bases are covered while you sleep at night brings some peace of mind. What the client does to break their own machines during the day is their own fault (putting it bluntly, though we do have a duty to educate them).

I think there is some very useful stuff in this thread, and speaking personally, it answers a lot of questions I have been asking elsewhere. Thanks all.

-- JJ
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Paul on December 23, 2003, 03:40:46 AM
Jason,

You can NEVER cover all the bases.  You can build and install firewalls until you are blue in the face.  If someone wants in, they will get in.  It's been proven over and over again against the people that probably spend the most money on network security, Banks and the Governments.  If they can't stop a hacker with millions of dollars invested in network security then neither can you or I with a couple of firewalls.

Quit dwelling on the firewall issue.  If you have a client with sensitive data, make sure that the data is totally secure and not connected to the rest of the world or get rid of the client.  You don't want the responsibility of something like thousands of credit card numbers on your head, it just isn't worth it.

On the other hand, that small business with nothing but a bunch of work orders and sales slips.  Keep them because nobody is after their data and won't put in the effort to crack an SME firewall for nothing.  Just back them up each night and the most they will lose is a day of data input work.

You know, when the client's secretary opens that dreaded email or website and the whole office gets infected, the boss will say these exact words to you:

But you told us the firewall had us protected against that, why didn't you tell us to keep an eye on MS updates?

OR

We keep up on all the updates and AV subscriptions, why didn't the firewall stop this??

In other words, YOU are going to get blamed for EVERY MISTAKE (including your own if you made any) that was made.  Just make it PERFECTLY CLEAR to the boss that the firewall only stops all but the BEST hackers and will not prevent email virus problems (even if you have A/V software on the server).

You can do all the A/V stuff you want, but when Ms. receptionist goes to another web based email service and pulls up and opens that infected email, or Joe Salesman is checking out his favorite porno site and clicks one button too many, then it's all over but the crying.  And YOU are going to get blamed at first.

Trust me, the firewall is the least of your (and the company owner's) worries.  And the more emphasis you put on the firewall, the more that business owner is going to try to blame you.

Just tell them it's better than any MS product and will stop all but the most persistent hacker.  Then ask them who might be interested in their info.  If they say no one, then say great, no one will waste very little time trying to get in for nothing.  Boasting firewall over firewall will give them a false sense of security and make you more liable.

JMHO
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: PeterG on December 23, 2003, 11:30:44 AM
Jason Judge wrote:


> I think there is some very useful stuff in this thread, and
> speaking personally, it answers a lot of questions I have been
> asking elsewhere. Thanks all.
>
> -- JJ


Likewise, many thanks to all who have contributed on this thread, it is certainly very reassuring that there are other like minded people out there, who can come up with sensible debate without chucking toys around.

PeterG.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: Arne on December 25, 2003, 09:31:47 AM
I think most machines that are attached to the Internet are attacked on a regular basis, sometimes every day and sometimes once a week or something like that. On the other side I believe most of these attacks are automated attacks, often from machines belonging to persons that know nothing about their machines being used to attack other machines.

The nature of a DDoS attack as an example is to first find a number of not so well secured machines where there might be no interesting data. Then you install the right kind of software on these machines manually or by automated procedures. So then your Internet-connected PC is a time scheduled attack tool without your knowledge. So at the right synchronized time all the infected or hacked computers attack one common target to bring that target down. Such hackers are not attacking Microsoft or other big targets. They attack the easier targets and use those easier targets as the attacking tool against the main target. So when the main target goes down and they check their logs they don't find the IP of the hacker. What they can see from their log is that you did the attack against them, because your IP, not the hacker's IP, will be there.

A lot of the attacking mechanisms function according to this basic principle, it's not only the DDoS attack.

I believe that to use an old PC and Smoothwall as an additional firewall can improve security a bit.

My personal point of view is that the most dangerous thing is to say that the things that happen on a regular and daily basis don't happen. If problems are well known, necessary precautions can be made.

One thing right enough .. If you are using a Linux or a Unix machine you might be less exposed to these threats compared with a Windows machine with direct Internet access, but anyhow a combined Linux firewall/webserver/fileserver with direct Internet connection is not the very safest installation either. I believe an old PC and a 2 port Smoothwall installation in front will be safer.
Title: Re: 6.0b3 firewall - nat only? stateful? hybrid/other?
Post by: ken on December 25, 2003, 06:51:20 PM
We have 2 offices

In one office we have one SME Server going through a Router/Firewall

In the other, using SME server with 2 network cards.

Both go into an additional 24 port switch

Problem is when for whatever reason the Internet isn't working, we reboot the router or SME server. Of course it's a lot more convenient to simply reboot the router, as then it is only the external connection being broken and the rest of the office can continue. Usually the outside service provider is down and the reboot does no good, but one has to be able to say to the provider: Yes, we rebooted our hardware.

I have seen the SMC Barricade 7004VBR 4 port router on sale with rebates for as little as $20.00 Canadian, which is cheaper than a 2nd network card, and it has stateful packet inspection, DMZ, DHCP etc.

Another potential advantage of the 4 port router would be if you wanted to run an SME mail server but an ASP based Windows server from one IP, as you can forward the appropriate ports out of the router.

Kind of makes me think I should watch out for the next sale and pick up another router.

Ken