HPE Community
Operating System - Linux
1828977 Members
2183 Online
109986 Solutions
New Discussion

suggestions required

 
kcpant
Trusted Contributor

‎06-09-2005 07:04 PM

‎06-09-2005 07:04 PM

suggestions required

Hi Friends,

Your expert suggestions needed on following points,

1. is linux based iptables firewall equally secure like hardware firewall boxes? ( like cisco, checkpoint, sonicwall, fortigate etc.) if yes, what are the procedures to make it fully hardened?

2. Is using sendmail not a good option? specially if it is used behind a relay server ( behind a mail service provider).

3. Is RH linux's older version ( 8.0, 9.0) have some security issues?
PreSales Specialist
0 Kudos
8 REPLIES 8
Stuart Browne
Honored Contributor

‎06-09-2005 07:14 PM

‎06-09-2005 07:14 PM

Re: suggestions required

1) Some of those hardware-solutions actually use Linux and IPTables under-the-hood (Cisco doesn't, it uses it's own IOS).

Correctly configuring it is a matter of experience. Reading examples and also the HOWTO's that are available help you understand how it all works.

Things to keep in mind is what the different chains are. Start by reading through the HOWTO's and FAQ's located at http://www.netfilter.org/documentation/index.html .

2) Sendmail is as good as any MTA if it's behind a firewall in a local-only sort of environment. It is very powerful in what it can do, and in reality not too hard to configure (assuming you use the MC files).

3) Simply put, *YES*. RH8 & 9 have quite a number of security issues, even if you've applied all of the available eratta. If you dig around, you can find one or two Legacy projets for RH8 to keep it up-to-date with current fixes, but both of these distributions well past their end-of-life.

If you are truely security consciense, then you'll use one of the more recent distributions (RHES3 or 4, or possibly FC3), and make sure you keep up-to-date with available eratta using 'up2date' or 'yum'.
One long-haired git at your service...
0 Kudos
Gopi Sekar
Honored Contributor

‎06-09-2005 07:58 PM

‎06-09-2005 07:58 PM

Re: suggestions required


1. Almost all hardware firewall boxes runs a OS and firewall application, in the sense that there is nothing hardware there. Any problem that can occur with a software can occur to these firewall bloack boxes also. Atleast incase of iptables you have entire user community to fix the bugs as they arise and upgrading from one version to another is easier and much cheaper. No security systems are 100% accurate and can prevent damage, because hackers are moving targets and you have to be up to date always.

There are some open source based security tools which can check your system and tell you the security loop holes found. one of them is nmap and there is one more which i forgot (experts help pls). Both tries to do port scanning of the target system and informs all open ports (including server running and its version) and possible problems with it.

2. sendmail is as good as any other MTA, it is feature rich. you can expect that as the feature grows the bugs also grow. It is one of the MTA which is tested and stretched over the period of time. If you are not looking for feature rich and popular MTA then you can settle down for another MTA (postfix) which gives minimal(i am not sure) features and less bugs.

3. ofcourse yes. No system admin will encourage installing a RH 8/9 box which can be accessed over internet. If you can buy subscription then go for RHEL 4 or go for Fedora Core 4 (final release expected on 13th june)

Regards,
Gopi
Never Never Never Giveup
0 Kudos
Huc_1
Honored Contributor

‎06-09-2005 09:24 PM

‎06-09-2005 09:24 PM

Re: suggestions required

Try and install the lates version RHEL 4 or fedora 3 ( I would still wait a little while for Fedora 4 , say 1 months it is due out for the 13 june as Gopi said, but their are usualy lot of updates on the first month or so)

This is as good as any "Black box" solution with added bonus that you get a lot more controle over it.

Sendmail will do the job and lots more but not for the faint of heart.

With Tripewire or help you can save to a safe place a secure print of all that is install,if you do this right from the installation time and if you check this on a regular base you will know all that has been changed or touch since last check, this is a little heavy to get started but you learn a lot and sleep better.

With Iptables and snort you also have to dig and keep at it, but then you fell more in controle and are force to keep in touch with what happening in the real world.

So in short black box are nice but you sort of give away controle , with a RHEL 4 or Fedora core 3 you get to do it all, you learn in the process and are able to do more fine tuning (and if some very refine black box let you do to much setting up and tunning with its own os then you have to learn yet an other os).

Jean-Pierre Huc

Smile I will feel the difference
0 Kudos
kcpant
Trusted Contributor

‎06-09-2005 11:49 PM

‎06-09-2005 11:49 PM

Re: suggestions required

Thanks Stuart , Gopi (Gopi, congrates on becoming wizard in a little time, I've replied to congates thread also) and Huc. All of you have the same opinion as I have. I am also working on Linux based configurations from 2 yrs, and my experience is same: 1. iptables based firewall is better than a box if configured properly 2. sendmail is the most feature rich MTA 3. older versions are not good for current world from the security point of view.

thanks you all for supporting my views on Linux.
PreSales Specialist
0 Kudos
Steven E. Protter
Exalted Contributor

‎06-10-2005 12:26 AM

‎06-10-2005 12:26 AM

Re: suggestions required

1. iptables can be secure, but the default options the Linux install chooses are anything but secure. I've seen some port scan exploits that make me want to have my machines behind a hardware firewall as well. So I'd watch closely, since RH has still not acknowledged or accepted my well documented iptables bugzilla report. Perhaps try out shorewall, and see what it comes up with.

2. Sendmail is fine. It takes some work to make it secure and spam proof, but once done it is a fine and venerable mail tranport.

3. All RH versions have security issues. The actual issues change from version to version. RH 8 and 9 are obsolete and should not be used because nobody is going to update them should some new exploit be discovered. At least with Fedora Core 3 you have some expectations that new exploits in the real of security will be patched. I recommend Bastille to improve Linux Security. It's easy to use and does a good job.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
dirk dierickx
Honored Contributor

‎06-12-2005 07:11 PM

‎06-12-2005 07:11 PM

Re: suggestions required

1. yes, ofcourse. the linux firewall code belong to the best. there have been security holes and they have been fixed in the past, it is the job of an admin to keep an eye on the patch releases.
but this security problem is not related to linux, even those hardware appliances have them, because inside they are running software just like anything else.

2. try to avoid sendmail. it has been a while since any real security issues have been discovered in it, but one of the disadvantages is that it is so hard to configure (if you are not used to it) and if you make a mistake it is easy for others to abuse your sendmail server.
give postfix a go, but there are plenty others available.

3. i would not use those! they are old and beaten ;) if you want a free RedHat either go for fedora (http://fedora.redhat.com/), or use the RedHat Enterprise clone CentOS (http://www.centos.org/).
0 Kudos
Ross Minkov
Esteemed Contributor

‎06-12-2005 11:55 PM

‎06-12-2005 11:55 PM

Re: suggestions required


1. Yes, if you configure iptables right. It takes some experience to do it right, so if you don't have much experience have someone else take a look at the config. Also use nmap or even better nessus (http://nessus.org/). Nessus is the world's most popular open-source vulnerability scanner today.

2. Give postfix a try first. It is easier to configure. If you hit something that it does not provide and you want, then go to sendmail.

3. DO not use the numbered Red Hat version. Red Hat stopped producing security updates for them. Use either RHEL ($$$) or the latest Fedora Cure.

Regards,
Ross
0 Kudos
kcpant
Trusted Contributor

‎06-14-2005 01:14 AM

‎06-14-2005 01:14 AM

Re: suggestions required

Dear Friends,

Thank you all to share your experiences of Linux world with me.
PreSales Specialist
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.