[Gllug] Security from scratch or just stick with Astaro?

Justin Perreault justinperreault at dl-jp.com
Tue Apr 8 18:30:34 UTC 2008


On Tue, 2008-04-08 at 15:01 +0100, John Edwards wrote:
> On Tue, Apr 08, 2008 at 12:44:34AM +0100, Justin Perreault wrote:
> > On Sun, 2008-04-06 at 23:48 +0100, John Edwards wrote:
> <snip>
> >> Astaro are well known but commercial.
> > 
> > I have been using Astaro for a few years on their free home license. Any
> > concerns with it being commercial?
> 
> The usual:
> No source code.
> No independent validation - very important for security products.
Fair enough.

> No independent fixing of bugs or adding new features.
I am not sure which parts would have prevented me from tweaking them,
mostly their interfaces I suspect. I remember changing the version of
snort at one point. The system just gave warnings that playing around
with anything via the root account nullified support coverage.

> Charges for commercial usage.
Fair enough.

> No guarantee of ongoing support.
I accept this as a given with all software.


> Plus:
> The Astaro website tries to set a bunch of third party tracking
> cookies. That may be OK for some websites, but doesn't inspire
> confidence in a security product.

For all cookies I have them accept for the current session and only if I
have chosen to allow the site to do so. If I have accepted as many as a
handful during my current session I just restart Firefox if I am not
still using them.

> >> If by "updating automatically" you mean without any admin intervention
> >> at all, then I'm not aware that any of the systems you list will do that.
> >> Ubuntu & Debian can do it with the "unattended-upgrades" package, but
> >> I've had trouble getting it not to upgrade some packages (eg kernel & libc).
> >> 
> >> Many sysadmins advise against a completely unattended upgrade system
> >> as you never know what exactly is going to happen.
> > 
> > The only files I am looking to have updated are virus and intrusion
> > profiles for things like snort as well as security patches. Astaro does
> > this and helps me feel comfortable about not upgrading the system every
> > year.
> 
> In IPCop the Snort rules can be updated independently through the web
> interface. Snort requires you to register to get access to new rules
> sets, see:
>   http://www.snort.org.

> No virus files need to be updated because without addons IPCop doesn't
> do virus scanning. Most viruses act at the application level and are
> best handled by application proxies or gateway (eg the SMTP server for
> email). The only proxy on IPCop is the Squid web cache, for which there
> is an addon to do virus scanning.
> 
> 
> IPCop 1.4 has usually had updates every four months or so, but after
> the next minor point release (ie 1.4.19) it will just be security
> updates as the development effort moves to 2.0.
Good to know. If I can get my main machine to behave itself I'll be sure
to look into all of that.

> >> At the moment IPCop has a two step update mechanism, download package
> >> then upload to firewall via web interface, which may be a bit laborious.
> > 
> > I won't mind such for system upgrades although with what I want it for I
> > usually prefer doing a full system install, upgrading the packages
> > through the current blockade and then swapping out the new system for
> > the old.
> 
> Sorry I don't understand what you mean by blockade and swapping
> systems? Are you talking about having two firewalls?
> 
> I thought this was just going to be a firewall for a small business
> or home network.
It is just for my home network. I would have two firewalls at the time
of doing a full system upgrade, the system that is in place and the one
that is being built.

> To be clearer, IPCop's system is this:
> 1) Get notification of new update available from announce mailing list
> or on the firewall's main webpage.
> 2) In web browser on a PC download the package from a Sourceforge mirror.
> 3) In web browser on a PC visit the updates page and upload package.
> 4) Wait a few seconds while the package file is checked and installed.
> 5) Reboot the firewall if prompted to do so.
> 
> You don't need to do a full reinstall.
> 
> It's not as graceful as Debian's 'apt-get update && apt-get upgrade'
> but using Debian and its package management system would double the
> amount of disk space that IPCop uses. This would break the bank for
> systems that use flash memory.

That looks good. I have only been doing full re-installs with main
version number changes.

> >>>  I would definitely agree with the advice not to use a virtual machine.
> >> 
> >> A firewall requires a separation of networks, which is not what you
> >> get when you run it in a virtual machine. Put simply by the time your
> >> VM firewall sees the network traffic it's already arrived at the host
> >> machine. So the host machine must be strengthened, and become like a
> >> firewall. Which kind of defeats the point.
> > 
> > For the virtual machine I want to set up the system such that the host
> > system does not pay attention to the traffic on the ethernet ports and
> > only redirects them to what ever firewall I have set up. I have no need
> > for the host to do any more than host/build virtual machines. Is this
> > not possible?
> 
> Possible, but flawed.
> 
> Think about what happens to the packets. They arrive at the host
> system and are processed by its TCP/IP stack. This has to pass it
> onto the VM system's virtual network interface, and then onto the
> guest OS (eg Linux running IPCop or Astaro).
> 
> So you are still open to attacks on the host's TCP/IP stack and the
> VM system, in addition to the guest OS.
That's a shame, even though understandable. It looks like I'll be
leaving VMs alone for a while longer.

> And that assumes that the host is running no other services or guest
> VMs. Are you going to be running SSH to manage the host OS? If so that
> could be attacked.
I have not had need for remote access yet as I work almost exclusively
from home. I'll be putting my servers in the hall closet.

> A perimeter firewall is part of your network infrastructure and needs
> to be presented to incoming packets before they arrive at your
> network.
Well put. I'll step back from being fancy.

> > From this I hope to be able to continue with my usual upgrade path of
> > build system and swap for old without the messiness of handling two
> > boxes.
> 
> Virtual machines do this well for services (eg web server, email
> server).
Fair enough.

> IPCop 1.4 is getting a touch old, but it is reliable on known good
> hardware. Running an update takes a couple of minutes two or three
> times a year. I would think that for most small networks the dangers
> and complexity of running a host OS with two guest VMs is not worth
> it to save a couple of minutes of downtime a few times a year.
> 
> If the host system is already running other VMs or services and can
> not be a dedicated firewall, then I have a couple of spare old PCs
> that have run IPCop perfectly in the past that you are welcome to.

Thanks for all the information and the offer. I'll definitely go down
the IPCop route based on my current wants.

-Justin
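An added example, not from either poster: the unattended-upgrades arrangement John describes (security patches applied without admin intervention, but the kernel and libc held back) can be expressed as an apt configuration plus a small check that a given package name would be held. The script below writes the two apt.conf.d fragments and mirrors the blacklist rule in shell. Assumptions: it uses the current `Allowed-Origins` syntax rather than whatever the 2008 package accepted, `APT_CONF_DIR` defaults to `/etc/apt/apt.conf.d` but can be overridden so the script can be exercised in a scratch directory, and the package names in the check are illustrative. unattended-upgrades treats each `Package-Blacklist` entry as a regular expression matched from the start of the package name, which is why the shell check uses a prefix match.

```shell
#!/bin/sh
# Added example (not code from the thread): hold the kernel and libc back
# from unattended-upgrades while still taking security updates.
#
# Assumption: APT_CONF_DIR can be pointed at a scratch directory for a dry
# run; the real location is /etc/apt/apt.conf.d.
APT_CONF_DIR="${APT_CONF_DIR:-/etc/apt/apt.conf.d}"

# Prefixes that must never be upgraded unattended. unattended-upgrades
# matches each blacklist entry as a regex anchored at the start of the
# package name, so "linux-image-" covers every kernel image package and
# "libc6" also covers libc6-dev (append "$" to the entry for an exact match).
HOLD_PATTERNS='linux-image- linux-headers- libc6'

# Write the policy: only the security origin is allowed, plus the blacklist.
write_unattended_conf() {
    mkdir -p "$APT_CONF_DIR"
    {
        echo 'Unattended-Upgrade::Allowed-Origins {'
        echo '    "${distro_id}:${distro_codename}-security";'
        echo '};'
        echo 'Unattended-Upgrade::Package-Blacklist {'
        for p in $HOLD_PATTERNS; do
            echo "    \"$p\";"
        done
        echo '};'
    } > "$APT_CONF_DIR/50unattended-upgrades"

    # Have apt's periodic hook refresh the lists and run the upgrader daily.
    cat > "$APT_CONF_DIR/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Same decision the upgrader makes for one package name:
# returns 0 if the package would be held back, 1 if it would be upgraded.
is_held_back() {
    pkg="$1"
    for p in $HOLD_PATTERNS; do
        case "$pkg" in
            "$p"*) return 0 ;;
        esac
    done
    return 1
}

# Only touch the live configuration when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    write_unattended_conf
fi
```

Run it as `sh hold-kernel.sh apply` on the firewall to install the policy, or set `APT_CONF_DIR` to a temporary directory first to inspect what it would write. For belt and braces, the kernel packages that are actually installed can additionally be marked held at the dpkg level with `echo "<package> hold" | dpkg --set-selections`, which stops interactive `apt-get upgrade` from touching them too; the blacklist above only governs the unattended run.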

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug