[mdlug] Replacing D-Link router with Smoothwall box
Michael ORourke
mrorourke at earthlink.net
Wed Oct 1 19:15:12 EDT 2008
Jeff,
I hadn't seriously thought about using virtualization, but it could work
well in this situation. If I did do virtualization, I would put the web
server and mail server into a virtual PC with eth1 on the orange network.
You're right, if it does get compromised, then they would have access to
everything, all the samba files and the internal network from the second
NIC. Not a good plan. I think the simpler approach using the red-green and
port forwarding might be the better solution here as Tony suggested. Then I
wouldn't have to manage the virtual PC on the orange network and the main
server on the green network. But it looks like the trade-off would be a
less secure server. Which boils down to how secure does the server/data
need to be.
Thanks for the feedback.
-Mike
----- Original Message -----
From: "Jeff Hanson" <jhansonxi at gmail.com>
To: "MDLUG's Main discussion list" <mdlug at mdlug.org>
Sent: Wednesday, October 01, 2008 4:21 PM
Subject: Re: [mdlug] Replacing D-Link router with Smoothwall box
> On Wed, Oct 1, 2008 at 3:39 PM, Michael ORourke <mrorourke at earthlink.net>
> wrote:
>> Lug Nuts,
>>
>> I have a small network with a Linux (OpenSuSE 11) server installed. I am
>> considering replacing the D-Link router with a Smoothwall box (Linux
>> router/firewall). But after reading up on the Smoothwall docs, I'm not sure
>> of the best way to proceed. The Linux server is running Samba, Apache, and
>> soon to be running a mail server. According to the Smoothwall docs, it
>> looks like you would normally put the server in the DMZ (orange network)
>> because it provides external facing services (i.e. web). But that will
>> cause problems with the Samba services as it will be on a different subnet
>> than the green network (internal clients) and it will require extra ports be
>> opened between the green and orange networks. Some Google searches have
>> suggested that you NOT put Samba on the orange network.
>
> It's just a matter of risk management. If the web server is not
> publicly usable (ssh tunneled, client certificates required, etc.)
> then it's less of a problem on Green as it's less likely to be
> breached. Orange is primarily for public servers.
>
> I'm not sure about Samba but I wouldn't have smb or other file sharing
> publicly accessible. Normally I would use a VPN for those. But
> having ports forwarded to systems on Green is normal for BitTorrent.
>
>> Here are a couple of possible solutions. For one, I'm not going to build a
>> second server with just Apache and Postfix on the orange network (DMZ); that
>> just seems like a waste of resources. But I could go with a red-green
>> configuration and port forward web & email traffic to the green network
>> (internal), just like the D-Link does now. Or maybe set up a second NIC
>> (eth1) in the server on the green network (internal) and bind Samba to that
>> interface and still have eth0 on the orange network (DMZ) protected by the
>> Smoothwall box. Any other suggestions out there?
>
> How about virtualization? Binding Samba to a different NIC on the
> same system isn't going to provide any benefits from Orange DMZ if the
> Samba server is breached. Root is root. Running Samba in a VM on the
> server would keep security problems contained.
>
> I can't help you much with Smoothwall as I'm using IPCop. I've got
> six NICs for Red, Green, Orange (unused), Blue (public wireless),
> Gray1 (family), Gray2 (sandbox for repairing anything with Windows on
> it). I haven't set up a public server yet but I'm planning on a web
> or game server at some point. I may also set up a RADIUS server with
> ToS agreement web page for the public wireless eventually. I can ssh
> in using keys and use WoL to start systems remotely. I haven't messed
> with TCP/IP tunneling yet but that's next on my list.
>
> The most complicated thing I've done so far is set up a VPN connection
> to a company I do work for. I can browse files on their Windows
> server and I'm currently using Adobe Illustrator via RDC to a Vista
> workstation. It wasn't fast when the system was using XP and Vista
> reduced it by half (company mandated upgrade - not a problem as I bill
> by the hour).
> _______________________________________________
> mdlug mailing list
> mdlug at mdlug.org
> http://mdlug.org/mailman/listinfo/mdlug
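The red-green with port-forwarding option the thread leans toward, written out as an added example (this is not code from the list or from the Smoothwall project, which builds its rules from its own GUI). It assumes eth0 is RED (Internet), eth1 is GREEN (LAN) and the server sits at the constructed address 192.168.1.10; only web (80) and SMTP (25) are forwarded, and the SMB/NetBIOS ports are explicitly never reachable from RED.

```shell
#!/bin/sh
# Added example: iptables policy for a red-green Smoothwall-style box that
# port-forwards web and mail to a server on GREEN. Assumed/constructed values:
RED_IF=${RED_IF:-eth0}            # assumption: eth0 faces the Internet (RED)
GREEN_IF=${GREEN_IF:-eth1}        # assumption: eth1 faces the LAN (GREEN)
SERVER=${SERVER:-192.168.1.10}    # constructed address of the Samba/Apache/mail host
IPT=${IPT:-iptables}              # replaced by a printer in rules_text for dry runs

# Only these public services are forwarded; 137-139/445 are deliberately absent.
FORWARDED_TCP="80 25"

forward_port() {
  # $1 = TCP port: DNAT it on RED, then allow exactly that new flow into GREEN.
  $IPT -t nat -A PREROUTING -i "$RED_IF" -p tcp --dport "$1" -j DNAT --to-destination "$SERVER:$1"
  $IPT -A FORWARD -i "$RED_IF" -o "$GREEN_IF" -p tcp -d "$SERVER" --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
  # Default deny between zones; replies to established flows are allowed.
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # GREEN clients may reach the Internet; RED reaches GREEN only via forward_port.
  $IPT -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -j ACCEPT
  for p in $FORWARDED_TCP; do forward_port "$p"; done
  # Belt and braces: file sharing from RED is dropped first, even if someone
  # later adds 445 to FORWARDED_TCP by mistake.
  for p in 137 138 139 445; do
    $IPT -I FORWARD 1 -i "$RED_IF" -p tcp --dport "$p" -j DROP
    $IPT -I FORWARD 1 -i "$RED_IF" -p udp --dport "$p" -j DROP
  done
  $IPT -t nat -A POSTROUTING -o "$RED_IF" -j MASQUERADE
}

print_rule() { printf '%s\n' "$*"; }

# Dry run for review: returns the full rule set as text without touching the kernel.
rules_text() { ( IPT=print_rule; apply_rules ); }

case "${1:-}" in
  --dry-run) rules_text ;;
  apply)     apply_rules ;;
esac
```

Samba on the server should still be bound to the GREEN side (smb.conf `interfaces` plus `bind interfaces only = yes`), which this firewall policy complements rather than replaces.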