[Gllug] Security from scratch or just stick with Astaro?

John Edwards john at cornerstonelinux.co.uk
Sun Apr 6 22:48:28 UTC 2008


On Sun, Apr 06, 2008 at 10:06:00PM +0100, Chris Bell wrote:
> On Sun 06 Apr, Justin Perreault wrote:
>> Are any of these a bad route to take? Is one of these a better route
>> above the others listed? Is there a better route I should be
>> considering?
>> 
>> The purpose of the box will be blockade between my internal network and
>> my router. I want to be able to have some kind of web interface for at
>> least half of it and if logical have it updating automatically.
>> 
>> -Justin

I've used all those systems except redwall and Astaro and I currently
use IPCop and Debian based systems for firewalling.

I've not heard of redwall before, but from their website it looks a
bit odd.  The features page is a very long list of ~600 Gentoo
packages. It uses a 2.6 Linux kernel, but the last update was Sept
2006 since when there have been several security holes in the 2.6
kernel. And it uses MySQL for "reporting"?

Astaro are well known but commercial.

Fedora is improving but still not reliable, especially where SELinux
is concerned. But then it is intended to be a playground for RedHat
development. And its short lifetime means you will be reinstalling
it often, which will disrupt your internet access. I don't think a
firewall system needs the latest and greatest software, but software
(and hardware) that is proven to be reliable.


>    I use IPCop. IPCop does not require a very fast machine or a large disc,
> but it should have plenty of RAM. Unfortunately older RAM can be expensive.

If you don't want to run extra services such as Squid web cache or
Snort IDS then 64MB is fine. With 512MB

The main drawback of IPCop is that the current stable release still
uses a 2.4 kernel and so does not support recent hardware such as
SATA well.

If by "updating automatically" you mean without any admin intervention
at all, then I'm not aware that any of the systems you list will do that.
Ubuntu & Debian can do it with the "unattended-upgrades" package, but
I've had trouble getting it to not upgrade some packages (eg kernel & libc).

Many sysadmins advise against a completely unattended upgrade system
as you never know what exactly is going to happen.

At the moment IPCop has a two step update mechanism, download package
then upload to firewall via web interface, which may be a bit laborious.


>    I would definitely agree with the advice not to use a virtual machine.

A firewall requires a separation of networks, which is not what you
get when you run it in a virtual machine. Put simply by the time your
VM firewall sees the network traffic it's already arrived at the host
machine. So the host machine must be strengthened, and become like a
firewall. Which kind of defeats the point.


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
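The message above mentions trouble keeping unattended-upgrades away from the kernel and libc. The following is an added example, not code from the thread or from the unattended-upgrades project: it shows a constructed Package-Blacklist fragment for /etc/apt/apt.conf.d/50unattended-upgrades and a small checker that applies the same matching rule the package uses (each entry is a regular expression matched against the start of the package name, as I understand its re.match behaviour; treat that as an assumption). The point it demonstrates is the anchoring caveat: "libc6$" holds only libc6 itself, while an unanchored "libc6" would also hold libc6-dev and friends. The pending package list is constructed.

```python
"""Added example (not from the mailing-list thread): keep kernel and libc
packages out of Debian/Ubuntu unattended-upgrades with Package-Blacklist,
and check which pending upgrades the blacklist would hold back.

Assumption (labelled): unattended-upgrades matches each blacklist entry as
a regular expression against the start of the package name (re.match).
The config fragment and the list of pending upgrades are constructed."""
import re

# Constructed fragment for /etc/apt/apt.conf.d/50unattended-upgrades.
# "$" anchors the end of the name so libc6-dev, libc6-i686 etc. still upgrade.
BLACKLIST_CONF = r'''
Unattended-Upgrade::Package-Blacklist {
    "linux-image";   // any kernel image package, whatever the version suffix
    "libc6$";        // the C library itself only
};
'''


def parse_blacklist(conf):
    """Return the quoted entries inside the Package-Blacklist block."""
    block = re.search(r'Package-Blacklist\s*\{(.*?)\};', conf, re.S)
    if not block:
        return []
    body = re.sub(r'//[^\n]*', '', block.group(1))   # drop // comments first
    return re.findall(r'"([^"]+)"', body)


def is_blacklisted(pkg, patterns):
    """Same rule as assumed for unattended-upgrades: regex anchored at start."""
    return any(re.match(p, pkg) for p in patterns)


def plan_upgrades(pending, patterns):
    """Split pending upgrades into (apply, hold) according to the blacklist."""
    apply_now, hold = [], []
    for pkg in pending:
        (hold if is_blacklisted(pkg, patterns) else apply_now).append(pkg)
    return apply_now, hold


# Constructed list of packages an `apt-get upgrade` might offer on a firewall box.
PENDING = ["openssh-server", "linux-image-2.6-686", "libc6",
           "libc6-dev", "squid", "libc6-i686"]

if __name__ == "__main__":
    pats = parse_blacklist(BLACKLIST_CONF)
    upgrade, held = plan_upgrades(PENDING, pats)
    print("blacklist:", pats)
    print("would upgrade:", upgrade)
    print("held back:   ", held)
    # Show the unanchored pitfall: "libc6" alone also holds libc6-dev and libc6-i686.
    print("unanchored 'libc6' holds:", plan_upgrades(PENDING, ["libc6"])[1])
```

On a real box the fragment goes into the apt.conf.d file and `unattended-upgrades --dry-run --debug` (a real option of the tool) shows which packages it would hold; the checker here just makes the regex semantics visible offline.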