[Gllug] Security from scratch or just stick with Astaro?

Justin Perreault justinperreault at dl-jp.com
Mon Apr 7 23:44:34 UTC 2008


On Sun, 2008-04-06 at 23:48 +0100, John Edwards wrote:
> On Sun, Apr 06, 2008 at 10:06:00PM +0100, Chris Bell wrote:
> > On Sun 06 Apr, Justin Perreault wrote:
> >> The purpose of the box will be blockade between my internal network and
> >> my router. I want to be able to have some kind of web interface for at
> >> least half of it and if logical have it updating automatically.

> Astaro are well known but commercial.

I have been using Astaro for a few years on their free home license. Any
concerns with it being commercial? Up till now I have figured being
knowledgeable about such a product would be worth while, and now I am
considering that adding another product/setup might also broaden my
experience well.

> >    I use IPCop. IPCop does not require a very fast machine or a large disc,
> > but it should have plenty of RAM. Unfortunately older RAM can be expensive.
> 
> If you don't want to run extra services such as Squid web cache or
> Snort IDS then 64MB is fine. With 512MB
> 
> The main drawback of IPCop is that the current stable release still
> uses a 2.4 kernel and so does not support recent hardware such as
> SATA well.

I am using dated hardware so detection is not a concern. With not
wanting to necessarily upgrade to a more robust system I will look into
IPCop more fully.

> If by "updating automatically" you mean without any admin intervention
> at all, then I'm not aware that any of the systems you list will do that.
> Ubuntu & Debian can do it with the "unattended-upgrades" package, but
> I've had trouble getting it to not upgrade some packages (eg kernel & libc).
> 
> Many sysadmins advise against a completely unattended upgrade system
> as you never know what exactly is going to happen.

The only files I am looking to have updated are virus and intrusion
profiles for things like snort as well as security patches. Astaro does
this and helps me feel comfortable about not upgrading the system every
year.

> At the moment IPCop has a two step update mechanism, download package
> then upload to firewall via web interface, which may be a bit laborious.

I won't mind such for system upgrades although with what I want it for I
usually prefer doing a full system install, upgrading the packages
through the current blockade and then swapping out the new system for
the old.

> >    I would definitely agree with the advice not to use a virtual machine.
> 
> A firewall requires a separation of networks, which is not what you
> get when you run it in a virtual machine. Put simply, by the time your
> VM firewall sees the network traffic it's already arrived at the host
> machine. So the host machine must be strengthened, and become like a
> firewall. Which kind of defeats the point.

For the virtual machine I want to set up the system such that the host
system does not pay attention to the traffic on the ethernet ports and
only redirects them to what ever firewall I have set up. I have no need
for the host to do any more than host/build virtual machines. Is this
not possible?

From this I hope to be able to continue with my usual upgrade path of
build system and swap for old without the messiness of handling two
boxes.

-Justin

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
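[Added example, not from the thread. John mentions having trouble getting unattended-upgrades to leave the kernel and libc alone, and Justin only wants security patches applied on their own. This is an example /etc/apt/apt.conf.d/50unattended-upgrades fragment that does that; the origin string uses the "${distro_id}:${distro_codename}-security" form of current releases, older releases spell the origin differently, so check the header of your own 50unattended-upgrades file. The blacklist entries are Python regular expressions matched against the package name.]

```conf
// Only pull packages from the security pocket; everything else waits
// for a manual apt-get upgrade.  Origin spelling is release-dependent
// (assumption: modern ${distro_id}/${distro_codename} substitution).
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

// Never touch these automatically.  Entries are regular expressions
// matched against package names, so "linux-image-" covers every
// kernel flavour and "libc6" covers libc6, libc6-dev, libc6-i686, ...
Unattended-Upgrade::Package-Blacklist {
    "linux-image-";
    "linux-headers-";
    "libc6";
};

// Send a summary of what was (and was not) upgraded, so the unattended
// run is still reviewed by someone.  Assumed local mailbox name.
Unattended-Upgrade::Mail "root";

// Do not reboot on its own; a firewall box should be rebooted by hand
// after the kernel has been updated and checked.
Unattended-Upgrade::Automatic-Reboot "false";
```

The obvious caveat follows from John's point: anything on the blacklist is also skipped when it has a security fix, so kernel and libc updates still have to be applied by hand on a schedule. Running "unattended-upgrade --dry-run --debug" shows which packages the rules would hold back before you rely on it, and the per-run log under /var/log/unattended-upgrades/ is what to check afterwards.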