[Gllug] Security from scratch or just stick with Astaro?

John Edwards john at cornerstonelinux.co.uk
Tue Apr 8 14:01:19 UTC 2008


On Tue, Apr 08, 2008 at 12:44:34AM +0100, Justin Perreault wrote:
> On Sun, 2008-04-06 at 23:48 +0100, John Edwards wrote:
<snip>
>> Astaro are well known but commercial.
> 
> I have been using Astaro for a few years on their free home license. Any
> concerns with it being commercial?

The usual:
No source code.
No independent validation - very important for security products.
No independent fixing of bugs or adding new features.
Charges for commercial usage.
No guarantee of ongoing support.

Plus:
The Astaro website tries to set a bunch of third party tracking
cookies. That may be OK for some websites, but doesn't inspire
confidence in a security product.


> Up till now I have figured being
> knowledgeable about such a product would be worth while, and now I am
> considering that adding another product/setup might also broaden my
> experience well.

Knowledge of more than one solution to a problem is always good.

<snip> 

>> If by "updating automatically" you mean without any admin intervention
>> at all, then I'm not aware that any of the system you list will do that.
>> Ubuntu & Debian can do it with the "unattended-upgrades" package, but
>> I've had trouble getting it to not upgrade some packages (eg kernel & libc).
>> 
>> Many sysadmins advise against a completely unattended upgrade system
>> as you never know what exactly is going to happen.
> 
> The only files I am looking to have updated are virus and intrusion
> profiles for things like snort as well as security patches. Astaro does
> this and helps me feel comfortable about not upgrading the system every
> year.

In IPCop the Snort rules can be updated independently through the web
interface. Snort requires you to register to get access to new rules
sets, see:
  http://www.snort.org.

No virus files need to be updated because without addons IPCop doesn't
do virus scanning. Most viruses act at the application level and are
best handled by application proxies or gateway (eg the SMTP server for
email). The only proxy on IPCop is the Squid web cache, for which there
is an addon to do virus scanning.


IPCop 1.4 has usually had updates every four months or so, but after
the next minor point release (ie 1.4.19) it will just be security
updates as the development effort moves to 2.0.


>> At the moment IPCop has a two step update mechanism, download package
>> then upload to firewall via web interface, which may be a bit laborious.
> 
> I won't mind such for system upgrades although with what I want it for I
> usually prefer doing a full system install, upgrading the packages
> through the current blockade and then swapping out the new system for
> the old.

Sorry, I don't understand what you mean by blockade and swapping
systems. Are you talking about having two firewalls?

I thought this was just going to be a firewall for a small business
or home network.

To be clearer, IPCop's system is this:
1) Get notification of new update available from announce mailing list
or on the firewall's main webpage.
2) In web browser on a PC download the package from a Sourceforge mirror.
3) In web browser on a PC visit the updates page and upload package.
4) Wait a few seconds while the package file is checked and installed.
5) Reboot the firewall if prompted to do so.

You don't need to do a full reinstall.

It's not as graceful as Debian's 'apt-get update && apt-get upgrade'
but using Debian and its package management system would double the
amount of disk space that IPCop uses. This would break the bank for
systems that use flash memory.


>>>  I would definitely agree with the advice not to use a virtual machine.
>> 
>> A firewall requires a separation of networks, which is not what you
>> get when you run it in a virtual machine. Put simply by the time your
>> VM firewall sees the network traffic it's already arrived at the host
>> machine. So the host machine must be strengthened, and become like a
>> firewall. Which kind of defeats the point.
> 
> For the virtual machine I want to set up the system such that the host
> system does not pay attention to the traffic on the ethernet ports and
> only redirects them to what ever firewall I have set up. I have no need
> for the host to do any more than host/build virtual machines. Is this
> not possible?

Possible, but flawed.

Think about what happens to the packets. They arrive at the host
system and are processed by its TCP/IP stack. This has to pass it
onto the VM system's virtual network interface, and then onto the
guest OS (eg Linux running IPCop or Astaro).

So you are still open to attacks on the host's TCP/IP stack and the
VM system, in addition to the guest OS.

And that assumes that the host is running no other services or guest
VMs. Are you going to be running SSH to manage the host OS? If so that
could be attacked.

A perimeter firewall is part of your network infrastructure and needs
to be presented to incoming packets before they arrive at your
network.


> From this I hope to be able to continue with my usual upgrade path of
> build system and swap for old without the messiness of handling two
> boxes.

Virtual machines do this well for services (eg web server, email
server).

IPCop 1.4 is getting a touch old, but it is reliable on known good
hardware. Running an update takes a couple of minutes two or three
times a year. I would think that for most small networks the dangers
and complexity of running a host OS with two guest VMs is not worth
it to save a couple of minutes of downtime a few times a year.

If the host system is already running other VMs or services and can
not be a dedicated firewall, then I have a couple of spare old PCs
that have run IPCop perfectly in the past that you are welcome to.


-- 
#---------------------------------------------------------#
|    John Edwards   Email: john at cornerstonelinux.co.uk    |
#---------------------------------------------------------#
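The package exclusion the thread mentions for Debian/Ubuntu's unattended-upgrades, as an added example (not part of the original thread): entries in Package-Blacklist are regular expressions matched against the start of the package name, so "linux-image-" covers every kernel image package. File paths are the package's standard ones; the exact package names to exclude are an assumption for illustration.

```conf
// /etc/apt/apt.conf.d/50unattended-upgrades (excerpt, added example)
// Each entry is a regular expression anchored at the start of the
// package name. Kernel images, kernel headers and the C library are
// held back; everything else from the allowed origins is upgraded.
Unattended-Upgrade::Package-Blacklist {
    "linux-image-";
    "linux-headers-";
    "libc6";
};

// /etc/apt/apt.conf.d/20auto-upgrades (added example)
// Refresh the package lists and run unattended-upgrade once a day.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```

A package whose upgrade depends on a blacklisted one is held back as well, so check /var/log/unattended-upgrades/ after the first run to confirm which packages were actually skipped.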