Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: arne on February 13, 2008, 04:49:19 PM
-
I am doing some tests now, trying to understand the basic principles of the security on virtual installations.
It's one thing with the SME server, and that is that it is extremely usable in the role of a virtual server, because it has so many basic functions that are just running when just installed. If you for instance need a web proxy for the wireless lan, you can just copy over an instance of a SME 7.3 to the wireless lan area, and you have a dedicated proxy there.
Then there is this interesting question: If one virtual machine is compromised or hacked, how can this be used by the hacker to attack the underlying host system and the neighbouring virtual machines .. (The underlying host system can be protected by applying zero ip addresses, I think, so it will be difficult to connect to.)
The only small problem with the SME server to use it as a virtual installation is that it has a "lan level security" as the only option when installed as "server-only". In some roles an "internet-level" security might be a better choice.
Of course to serve as "Virtual machines" might not be the primary target for the SME server, even though it does that job extremely well. (And it does the virtual host job well also.)
On the other hand there might be other situations as well, where a "hardened server only" might be a good choice. There are actually some network environments where there are almost more hackers inside the firewall than outside the firewall (Schools, libraries, etc.) For these places it might also be a good idea to have the option of a "hardened server-only" alternative.
There are three installation alternatives: "Private-server-gateway", "Server-Gateway" and "Server-only". Why not four, where the fourth is the "server-only internet level security" (where typical lan services are not exposed to a more hostile lan area)?
There is on the other hand also the option of locking down "risky-services": http://forums.contribs.org/index.php?topic=39703.0
Just an idea ..
-
(Waves resurrection wand over this thread)
As a new user to SmeServer I wanted to find out how to create an internet ready install with a single NIC installed. This thread is where the integrated google search for this site took me so it stands to reason that it will bring other new users here as well. :D
Has there been any work done on this front? I'm stalled at the install with the choices "Server and Gateway", "Private Server and Gateway", or "Server Only".
Ideally I'd like to choose "Server Only" since that will be the role of the machine, but the documentation I'm reading says this option is misleading due to the open and trusted nature of this install.
Is there an option to install as "Server Only - Internet Hardened" in some fashion?
-
no
-
Am I to then assume that using SMEServer as a standalone webserver is not recommended?
-
MrSmee
I think you are getting yourself confused with naming vs functionality.
SME server can act as a standalone web server very effectively and securely.
Firstly be careful following advice or comments made by "arne".
There was a lot of theoretical involvement by arne which bordered on being impractical.
SME server has been proven to be very reliable and robust for over 12 years now, and AFAIK has never been hacked due to inherent base system security problems (on correctly maintained and updated servers). Bad web apps that users have installed have allowed hackers in by devious means, but this was the fault of the app, not the OS.
... I wanted to find out how to create an internet ready install with a single NIC installed.
Not possible where the server acts as gateway (ie firewall & router functions), as two NICs are needed to give the required security isolation between the LAN and the WAN.
I'm stalled at the install with the choices "Server and Gateway", "Private Server and Gateway", or "Server Only".
The choice you make depends on the basic functionality required. I'm pretty sure it's covered in the Manual, so please read it again (linked at top of Forums).
Server & Gateway mode allows you to connect directly to the Internet via a bridged modem say using a ADSL service etc. The SME server acts as a firewall in this scenario. Various services are exposed to the Internet in this mode eg web server, mail server. One NIC connects to the WAN (ADSL Modem), the other NIC connects to the LAN (usually to a switch or hub).
Private Server & Gateway mode is essentially the same as above except that no services are exposed to the Internet and the server cannot be seen from the web, it's as if your server does not exist as far as the web is concerned. This is for the scenario where you want to have Internet access from the LAN, but do not want to have any public services running. IIRC the server is in Stealth mode.
In Server only mode the firewall functionality is disabled, so the server MUST be placed behind some other firewall or gateway device. This could be a corporate firewall or a home modem/firewall/router or even another SME server in Server & Gateway mode. You will need to open and forward ports on the firewall to the SME server for services you wish to be accessed on the SME server from the Internet eg web, mail, ssh etc.
You only choose this mode if the server is being deployed into a secure and trusted network, already protected from the Internet by other means.
Also note in Server & Gateway mode you can setup a DMZ if you configure your local network appropriately. It depends on the security model you require. I think there are instructions in the Manual re this, if not search the forums as it has been answered many times.
Keep in mind that SME server is already "Internet hardened", it depends on what your interpretation is and what your requirements are, regarding how you set it up. All services can easily be disabled with db commands and in Server & Gateway mode, these command changes also automatically open & close the firewall ports.
-
Thanks Mary. I did read the descriptions of the different versions but none gave me the confidence I was looking for to install to a machine that I intend to set up, connect to the web, and begin hosting a high traffic site.
Server and gateway sounds ideal, minus the gateway
Personal server and gateway and Standalone Server both assume a trusted network and thus (I assume) would be incapable of being placed in the open.
Is this correct?
-
MrSmee
Server and Gateway mode is what you want if the server is to be connected directly to the Internet (eg via a bridged modem) and you wish to provide web based services to the public. You do need the Gateway functionality as that provides the firewall which is essential. Connect one NIC to the modem (WAN) and leave the other NIC disconnected if you do not have or need any workstations on the LAN side.
Private server and gateway mode does not need a trusted network, as the gateway mode provides the firewall, it just does not provide services to the public. It does provide services eg web & mail to the local connection (LAN).
Server only mode requires a separate firewall as all/most firewall functionality is deliberately disabled in that mode, ie to allow the use of a separate firewall.
It seems you still cannot grasp the basic concepts, I do not know what your problem is with understanding this, it is straightforward. There are thousands of SME servers providing web pages, all securely using either Server and Gateway mode or Server only mode (plus separate firewall). It depends on your network arrangement as to which mode you choose.
Please be careful and use the correct parlance.
-
Perhaps I wasn't clear.
While I do fully "grasp" the documentation, I fail to see why there would be a "server and gateway" version requiring two ethernet adapters while the standalone server version includes no firewall at all. It seems that this would result in multiple new users selecting this option out of necessity to move through the install process and trusting that the developers meant that it could actually be used as a "standalone server", which would result in a system vulnerable to attack.
The only option open to me is Standalone Server mode and that is unacceptable for a standalone server :)
I do understand that you are familiar with the SMEServer system and thus this seems normal. For new inductees to the system it is counterintuitive.
-
Moving to General Discussion section of the Forums.
-
MrSmee
I know you asked about using only one NIC earlier in this thread for a gateway server. You got 2 answers which said No. What do you not understand about that ? You need 2 NICS for Server & Gateway mode and you can safely connect this server directly to the Internet without requiring any other firewall.
In Server only mode you only need 1 NIC but you do need to connect to a firewall, which is quite a common scenario as most domestic Routers/Modem/Gateway provide this functionality. Note this server will still perform virtually all the functions that Server & Gateway mode does except for providing an external interface via a firewall. Typically many users choose this mode and run into trouble as they do not realize the need for opening and forwarding ports from their Router/Gateway to their SME server running in Server only mode.
Why are you saying it's not an option for you to use 2 NICs ?
What's wrong then with you using Server only mode with 1 NIC and putting a firewall in front of it ?
If you feel the documentation is incorrect or misleading please lodge a bug report.
-
Why are you saying it's not an option for you to use 2 NICs ?
My machine contains only one NIC.
What's wrong then with you using Server only mode with 1 NIC and putting a firewall in front of it ?
This suggestion requires additional funds for a firewall (or firewall distro) to be installed, which shouldn't be assumed.
If you feel the documentation is incorrect or misleading please lodge a bug report.
I'm sure the documentation is fine, but the distros are misleadingly labeled for the average new user to SMEServer.
The concept is a great idea - a small, tight, web configurable server that takes minutes to setup. The practice however requires further refinement.
-
This suggestion requires additional funds for a firewall (or firewall distro) to be installed, which shouldn't be assumed.
I am just a home user, an amateur...
Server only mode is what I run behind a Billion ADSL modem/router; the modem router forms the firewall. I have been using this config for almost 12 months now and have never had an issue. I can show you the logs of the attempts by script kiddies trying to get in, without success.
I use my system at home, it does the lot, I also use it as a test bed and "toy". I look after a couple of not for profit groups for which I set up SME server in server only mode behind ADSL modem/routers; they provide web services and other functions for the local networks they maintain, file, folder, printer, multimedia etc etc.. never had a problem.. keep it simple, don't try and use it for something it's not designed to do and you can't go wrong..
As you can see I am an advocate for SME, and you can not beat the price, and I did try ClearOS; it does not provide what SME does and I am too much of an "amateur" to be able to drive it to match SME server.
Hope your project works out, Good luck
-
My machine contains only one NIC.
Have you thought of adding another NIC (either PCI or PCI express depending on your architecture) or have you run out of slots? Then go Server Only Mode with a single NIC and rely on the firewall of your ADSL router.
-
Well Mr. Smee, I'm sorry that SME Server doesn't do exactly what you want it to do. Except that it does. If you're running it in a virtual environment, you can certainly supply two virtual NICs to the SME VM, and configure it in server/gateway mode. This may be counterintuitive, but if you as a user are experienced enough to be virtualizing machines and setting up at-risk, Internet-facing, high-load webservers, you certainly should be able to figure it out.
You are of course free to devote your spare time to poring over the source code and *creating* this variant, which would no doubt be happily accepted into the SME development path.
-
No thank you, MSmith. I have since moved on to a Debian variant with the requirements I needed for an internet facing high load server.
Best of luck,
MrSmee
-
Which variant, please? Always interested in learning new things ...