Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: del on October 09, 2009, 07:49:46 PM

Title: How good is SME's firewall?
Post by: del on October 09, 2009, 07:49:46 PM
The subject says it all, just how good or secure is SME in server/gateway mode?
I have a doctor's office that has been told they need to install a Watchguard router (http://store.watchguard.com/store/wgtech/en_US/DisplayProductDetailsPage/productID.107829900/categoryID.13167600) because Linux-based routers are not any good :sad:
Title: Re: How good is SME's firewall?
Post by: CharlieBrady on October 09, 2009, 08:33:46 PM
I have a doctor's office that has been told they need to install a Watchguard router (http://store.watchguard.com/store/wgtech/en_US/DisplayProductDetailsPage/productID.107829900/categoryID.13167600) because Linux-based routers are not any good

It won't be hard for you to show that whoever made that statement didn't know what they were talking about:

http://news.zdnet.co.uk/security/0,1000000189,39145296,00.htm
Title: Re: How good is SME's firewall?
Post by: janet on October 09, 2009, 09:47:58 PM
del

How good is good ?

I have been using e-smith/sme for 9 years in server gateway mode and the firewall has never been breached.

sme currently uses iptables and is as secure a firewall as there could be.
Regular kernel updates for sme server ensure latest security fixes, compared to many firewall routers that still run an old less secure kernel (due to not being regularly updated).

Feature wise, sme provides antivirus scanning of server files and email with clamav. Spam filtering of email is provided by spamassassin and RBL lists. Executable content filtering on email attachments also prevents receipt of virus infected email attachments. RBL lookups reject a lot of rubbish email outright. sme has many layers of protection by default. You can then very simply add the squidguard contrib, or better still the dansguardian contrib for real time web site content analysis and blocking including blocking of downloads of nominated file types (by extension). Dansguardian can also be easily configured to lookup squidguard lists and other popular blocklists. clamav support is included in dansguardian to allow real time virus scanning of downloaded files.

The firewall rules can be further manipulated beyond default settings by db commands and custom templates for masq, giving you great flexibility. Note that the default firewall settings are safe and adequate for most users. The firewall does not need manual tweaking under normal operation, as appropriate ports are opened and closed as services are enabled or disabled in server manager. There is also a port opening and forwarding panel to allow specific ports to be forwarded to other nominated devices on your LAN.

Simplicity and security are the main design principles of the whole sme server, where the firewall functionality is tightly integrated into the overall design of sme server.

Title: Re: How good is SME's firewall?
Post by: byte on October 09, 2009, 09:49:17 PM
Moving this topic to the General Discussion forum, it is more appropriate there. Thanks!
Title: Re: How good is SME's firewall?
Post by: Stefano on October 09, 2009, 09:55:12 PM
Moving this topic to the General Discussion forum, it is more appropriate there. Thanks!

but we are in contribs here :-)
Title: Re: How good is SME's firewall?
Post by: byte on October 09, 2009, 10:01:24 PM
but we are in contribs here :-)

Are we ;) ... Thanks for spotting that.
Title: Re: How good is SME's firewall?
Post by: versa on October 10, 2009, 12:18:10 AM
I have to agree with mary,
In fact SME with a few features like dansguardian / squidguard is probably more secure than most basic firewalls / routers out there.
Yes, it would be nice to have a flashier log and configuration interface, and a nice QoS would be nice too, but most of the time people install a server / firewall and that can be the end of it for years apart from a small bit of maintenance.

It sounds to me like a sales ploy: "YOU NEED THIS", it's only $XXX or you're Fu**ed.
And in 12 months' time: "YOU NEED THIS UPDATE", it's only $XXXX or you're back to the above...

Quote
From http://news.zdnet.co.uk/security/0,1000000189,39145296,00.htm
The Firebox X is a 1.2GHz Intel-based device with 256MB RAM and 64MB of flash memory. It runs a secure Linux kernel that Stevens said has been "custom hardened by our security engineers". The product costs between $1,900 and $5,000, depending on the number of additional features and applications required.

Any network is only as Secure as the people behind it and what they are looking at, installing and playing with.
By all means, if you have a large network or have a big requirement for QoS etc., then you need to invest.
Title: Re: How good is SME's firewall?
Post by: janet on October 10, 2009, 06:36:57 AM
versa & del

Quote
...it would be nice to have ... QOS

While limited in scope, there is the HTBWondershaper script or the wondershaper contrib, which at least manage outgoing bandwidth.

qmail is also very bandwidth consuming, and for that you can easily adjust the number of "instances" in various parts of the mail system using db commands.
Title: Re: How good is SME's firewall?
Post by: veebr0 on October 10, 2009, 02:40:53 PM
Hi friend, I used SME Server as a gateway for a long time and it was never breached or attacked, but recently, in order to have more alternatives, I tested ipfire.

Best Regards.
Eviny
Title: Re: How good is SME's firewall?
Post by: steve288 on October 15, 2009, 08:52:34 PM
I would submit to you for your thoughtful consideration that your friend who said Linux is not good for a firewall is ill informed.

Most firewalls are Linux, as are routers (look up the Tomato software). I have two Watchguard servers which are a pain to administer, and which are probably built on Linux (or some form of UNIX), my guess is. So if you get a Watchguard you are probably getting Linux anyway.
Just my thought. We use both Watchguard and SME with dansguardian and squidguard. I'm thinking of putting another firewall into another place and trying to decide whether to get a Watchguard ($1000-2500) with yearly subscriptions of 300-400 dollars, or SME for free with an old computer. We put in the SME server because we could not do some things with Watchguard, despite having their support try to fix it (like getting Exchange webmail to work outside our organization, or VPNing into the network).

Watchguard is a fine product, if you want to pay for it. There is a huge learning curve, however; it's very tunable. But I think most people don't have the knowledge to really use it all. (Who understands all the settings on their home router/firewall, which probably runs on Linux?) By the way, you will need a second computer if you want to run their web program and logs interface. (So now you must buy another computer.) A doctor is no more or less important than my organisation, or, I'm sure, others who use it. We have various medical and health records on our site. But what about all those companies with credit card info that may be using SME?

The truth is that a poorly administered Linux or Windows or whatever has security issues. Like road safety, it's generally the nut behind the wheel that is the problem, not the vehicle (OK, maybe not if you're driving a Pinto).

One might also add that if your Windows computers use passwords (good ones) and lock after 5 minutes, this is a huge deterrent. People forget (heaven forbid), but if someone gets onto your network they still have to break into the desktops. Not that easy if you're not at the machine. (Just a thought, for free.)

Conclusion: to say Linux is no good for a firewall is a poorly educated response and simply not true, since most firewalls are Linux.

These are a just a few of my random thoughts.

Regards
Happy Hunting.

Title: Re: How good is SME's firewall?
Post by: del on October 15, 2009, 09:34:03 PM
steve288,

I already have SME in the doctor's office :smile: It was someone who is selling them some Electronic Medical Records software that told them they needed Watchguard. I posted here just to be sure that SME is in fact a good firewall (never really doubted it, just wanted reassuring :smile:). I have explained to them that they have had no problems to date and that the other company is probably on some sort of commission to sell Watchguard. So thanks to everyone for their input, especially Charlie for posting the link about Watchguard actually being Linux. This helped my case no end :grin:
Del
Title: Re: How good is SME's firewall?
Post by: mmccarn on October 16, 2009, 01:54:17 PM
There are four reasons I can imagine someone wanting a watchguard:

1) Reflective port forwarding
If a LAN user accesses http://wan-ip:xxx, and port xxx is forwarded to a different LAN workstation, the watchguard uses NAT to re-source the traffic locally on the firewall, then sends it to the intended LAN workstation, allowing the connection to succeed.  While this generates terrific amounts of traffic through the firewall it is easy on the admin. 

In SME networks, I do this by making sure that "xxx" is the right port number both locally and remotely, then by making sure that my DNS returns the WAN IP for remote users and the LAN IP for local users.

(The Watchguard also supports multiple WAN IPs, so you could have http://wan-ip-1 going to LAN-Server-1 and http://wan-ip-2 going to LAN-Server-2 -- this would require creative use of ProxyPass and VirtualDomains on a SME network)

2) "Transparent" mode
Watchguard firewalls support a "transparent" mode that I have never seen anywhere else. 

In transparent mode, the LAN workstations can have public IP addresses on the same subnet as your ISP's gateway/router while still being protected by the firewall. 

Basically, you take an existing, working network - then drop the watchguard down between the gateway and everything else in "transparent" mode - and you're done.  No routing configuration necessary, no port forwarding rules required, no NAT -- just login to the watchguard and tell it which services should be permitted for which internal host.

I do this on SME networks by using intelligence and planning...

3) Connection Monitoring
I really enjoyed the Watchguard's connection monitoring capabilities. While it is possible to monitor internet traffic from your LAN using a SME (using iptraf, or examining the log files manually), the Watchguard has some easy-to-use options that provide very useful real-time connection information.

4) Laziness, Ignorance or Greed
A lazy vendor who really knows his stuff and always uses Watchguard might want to continue using watchguard to minimize the training/retraining required for his support staff.

An ignorant vendor who just barely knows how to use a Watchguard might be afraid to use anything else for fear of making a stupid mistake that compromises his client's data.

A greedy vendor who gets great commissions, incentives, etc for selling Watchguards might want to sell a Watchguard to every client in order to maximize the amount or size of the prizes s/he wins.

These are the *only* reasons I can imagine someone specifically wanting a Watchguard.  I got so frustrated with them that I vowed never to use one again -- mostly over little things like the firewall breaking when you apply updates or create new rules.  Granted, this was in the 1990's, but how many times should I have to completely re-program my firewalls after installing software updates?  And how frustrating is it to have to do this for units located at remote offices (apply update, lose connectivity, travel to office, reprogram)? 

I don't remember the specifics, but I also have a clear sense that seemingly simple operations aimed at solving challenge "x" would break the solution implemented last quarter for challenge "b".

Maybe Watchguard has solved the issues that frustrated me so, but I'll never know :-)
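A worked example of the port forwarding and "reflective" (hairpin) NAT discussed in point 1 above, alongside the per-service port opening janet's post describes. This is an added, generic iptables script, not SME Server's masq templates or anything posted in the thread; the interface names, the addresses (documentation ranges) and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example: gateway firewall with port forwarding and hairpin NAT.
# Not SME Server's own template. All names/addresses below are assumed.
WAN_IF=eth1; LAN_IF=eth0
WAN_IP=203.0.113.10          # gateway's public address (assumed)
LAN_NET=192.168.1.0/24       # assumed LAN
DRY_RUN=${DRY_RUN:-1}        # 1 = print the rules, 0 = apply them (needs root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Baseline: drop by default, allow return traffic, LAN -> WAN masqueraded.
base_rules() {
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# open_service PROTO PORT : expose a service running on the gateway itself
# (what happens when a service is enabled in server-manager).
open_service() {
    ipt -A INPUT -i "$WAN_IF" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

# forward_port PROTO EXTPORT LANHOST LANPORT : forward a WAN port to a LAN host.
forward_port() {
    proto=$1; ext=$2; host=$3; int=$4
    # 1. Remote clients: DNAT on the WAN interface, then permit the forwarded flow.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" --dport "$ext" \
        -j DNAT --to-destination "$host:$int"
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$host" --dport "$int" \
        -m state --state NEW -j ACCEPT
    # 2. Hairpin: a LAN client connecting to WAN_IP:ext also gets DNATed ...
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" -p "$proto" --dport "$ext" \
        -j DNAT --to-destination "$host:$int"
    # 3. ... and is re-sourced from the gateway so the server's reply comes back
    #    through the firewall instead of going straight to the client, which never
    #    saw the NAT and would reset the connection. Cost: the server logs the
    #    gateway as the client, and every byte crosses the box twice.
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$host" -p "$proto" --dport "$int" \
        -j MASQUERADE
}

base_rules
open_service tcp 25                     # SMTP on the gateway itself
forward_port tcp 8080 192.168.1.20 80   # WAN :8080 -> LAN web server :80
```

The split-DNS approach described in the post needs only step 1: a LAN resolver that answers with 192.168.1.20 for the service name means LAN clients never touch WAN_IP, so steps 2 and 3 are unnecessary and the server sees the real client address.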
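For point 3 above (connection monitoring), an added example that is not from the thread: a small script that turns the connection-tracking table the gateway already keeps into a per-host, per-port summary, and flags LAN hosts talking SMTP directly (a common sign of an infected workstation). The sample lines are constructed in the format of `conntrack -L`; the LAN prefix and mail server address are assumptions.

```shell
#!/bin/sh
# Added example: summarise live NAT sessions from conntrack output.
# On a real gateway replace sample_conntrack with:  conntrack -L 2>/dev/null
LAN_PREFIX=${LAN_PREFIX:-192.168.1.}     # assumed LAN addressing
MAIL_SERVER=${MAIL_SERVER:-192.168.1.5}  # assumed: the only host allowed to speak SMTP out

# Constructed sample, not captured from a real system.
sample_conntrack() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=50123 dport=443 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=50123 [ASSURED] mark=0 use=1
tcp      6 431998 ESTABLISHED src=192.168.1.10 dst=203.0.113.6 sport=50124 dport=443 src=203.0.113.6 dst=198.51.100.2 sport=443 dport=50124 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=203.0.113.7 sport=50125 dport=80 src=203.0.113.7 dst=198.51.100.2 sport=80 dport=50125 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.22 dst=192.168.1.1 sport=53412 dport=53 src=192.168.1.1 dst=192.168.1.22 sport=53 dport=53412 mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.22 dst=203.0.113.9 sport=40000 dport=25 src=203.0.113.9 dst=198.51.100.2 sport=25 dport=40000 [ASSURED] mark=0 use=1
tcp      6 300 ESTABLISHED src=203.0.113.50 dst=198.51.100.2 sport=61000 dport=22 src=192.168.1.5 dst=203.0.113.50 sport=22 dport=61000 [ASSURED] mark=0 use=1
EOF
}

# normalise: emit "proto src dport" for the ORIGINAL direction of each flow.
# Fields are scanned by name because the TCP state column is absent for UDP,
# so fixed field positions cannot be used.
normalise() {
    awk '{
        src=""; dport=""
        for (i = 1; i <= NF; i++) {
            if (src == ""   && index($i, "src=")   == 1) src   = substr($i, 5)
            if (dport == "" && index($i, "dport=") == 1) dport = substr($i, 7)
        }
        print $1, src, dport
    }'
}

# summarise: "count src proto/dport" for LAN-originated flows, busiest first.
# Flows whose original source is not on the LAN (inbound port forwards) are skipped.
summarise() {
    normalise | awk -v lan="$LAN_PREFIX" '
        index($2, lan) == 1 { n[$2 " " $1 "/" $3]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# direct_smtp: LAN hosts sending to port 25 that are not the mail server.
direct_smtp() {
    normalise | awk -v lan="$LAN_PREFIX" -v mx="$MAIL_SERVER" \
        '$3 == "25" && index($2, lan) == 1 && $2 != mx && !seen[$2]++ { print $2 }'
}

sample_conntrack | summarise
echo "--- LAN hosts bypassing the mail server for SMTP:"
sample_conntrack | direct_smtp
```

Run it in a loop with `watch` for a poor man's real-time view; piping the output of `direct_smtp` into a mail alert is the usual next step.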
Title: Re: How good is SME's firewall?
Post by: Stefano on October 16, 2009, 02:23:02 PM
mmccarn:

you should look at m0n0wall/pfsense...

you can achieve the same things of watchguard for free..

and, no flame please, bsd* pf is far better than iptables IMHO
Title: Re: How good is SME's firewall?
Post by: arne on October 22, 2009, 12:48:47 PM
Transparent mode (bridge-mode firewalling) is a standard Linux function that is supported via iptables for most Linux distros, including the kernel of the SME server, as far as I remember. For a distro like the SME server, "transparent mode" should not make any sense at all.

A transparent-mode (bridge-mode) firewall can be built from any old PC with two network adapters and a standard Linux distro, for instance CentOS. (I tested this with CentOS, but I guess that other distros will work as well.)
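An added example of the two-NIC bridge firewall arne describes, not code from the thread: the bridge is built with the brctl tools of that CentOS era, frames are handed to iptables via the bridge-nf sysctl, and the physdev match decides direction since a bridge has no routed interfaces. Interface names and the protected host's public address are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: transparent (bridge-mode) filter on a two-NIC box.
# Names below are assumptions, not from the thread.
OUT_IF=eth0    # plugged into the ISP gateway side
IN_IF=eth1     # plugged into the protected hosts (they keep their public IPs)
BR=br0
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

build_bridge() {
    run brctl addbr "$BR"
    run brctl addif "$BR" "$OUT_IF"
    run brctl addif "$BR" "$IN_IF"
    run ip link set "$OUT_IF" up
    run ip link set "$IN_IF" up
    run ip link set "$BR" up
    # br0 needs no IP address to filter; give it one only for in-band management,
    # and then firewall INPUT as well.
    # Hand bridged frames to the iptables FORWARD chain.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

bridge_policy() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inside may initiate anything; outside must be explicitly permitted per host.
    run iptables -A FORWARD -m physdev --physdev-in "$IN_IF" --physdev-out "$OUT_IF" -j ACCEPT
}

# allow_inbound PROTO HOST PORT : permit one service on one public-IP host behind the bridge
allow_inbound() {
    run iptables -A FORWARD -m physdev --physdev-in "$OUT_IF" --physdev-out "$IN_IF" \
        -p "$1" -d "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

build_bridge
bridge_policy
allow_inbound tcp 203.0.113.20 443   # assumed: public web server behind the bridge
allow_inbound tcp 203.0.113.21 25    # assumed: public mail server behind the bridge
```

The caveat a practitioner wants stated: there is no NAT here, so every host behind the bridge is directly addressable from the Internet and the filter must fail closed (hence the DROP policy first). If the bridge box dies, nothing forwards, which is the safe failure; a bypass NIC pair would trade that safety for availability.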
Title: Re: How good is SME's firewall?
Post by: paradigm on October 22, 2009, 05:37:10 PM
mmccarn:

you should look at m0n0wall/pfsense...

you can achieve the same things of watchguard for free..

and, no flame please, bsd* pf is far better than iptables IMHO

I second that, pfsense is very nice (load balancing, nice GUI, CARP, and other nice things).

For bigger networks sme server+pfsense is an amazing combo...

About firewalls, I have learned in my short life that it is a lot cheaper to break into the office and steal the server than to try to hack it from the outside (speaking from experience: coming to the office on Sunday, after working a few hours the day before on strict firewall rules, just to find out the doors are broken and the server room is empty).

Back to the subject: sme is very secure by design (a lot better than MS servers) and even better when used as server gateway; the kernel is updated on a regular basis, and being open source makes it open for review by the users.
Title: Re: How good is SME's firewall?
Post by: arne on November 01, 2009, 01:45:33 AM
I have used E-smith and SME server from the earlier days of E-Smith, and I think, for me, there have been zero firewall issues during those years.

I'm not sure about the year, but I can remember that my first E-smith replaced Windows NT4 (New Technology) on a server, and I think that the admin panel looked approx something like this:  http://www.linuxjournal.com/article/5176

I think that any computer system, and any other system also, is just as secure as their safety records.

So then the question is: how many years, how many installations, how many system hours, and how many serious or less serious incidents?

I believe that even though the SME server in some way has a bit complex design, it has what one can call a "proven level of security and reliability".

The technical problems that have occurred on my installations during those years can, for me, be grouped in two:

1. Problems due to my own incorrect modifications (none related to the firewall).

2. Problems related to hardware that has failed.