Saturday, March 22, 2008

Clark Connect - Anyone Using it?

Found this interesting thread, "Clark Connect - Anyone Using it?", over at Whirlpool.net.au.

A few of the posts stood out and caught my attention and got me thinking:

From KeeWEE:
SME has my vote

Why?

I like SME too, as far as it goes, but am trying to add a RADIUS server and MySQL accounting to it. However in SME both come preconfigured for its server functions so adding further configuration means you have to 'reverse engineer' the built-in configurations a) to work out what you have to do and b) to make sure you're not inadvertently undoing something else. As a relative newbie I often wonder if it wouldn't be a lot easier starting from scratch with the 'standard configuration' that's in the documentation.

And as far as I can google - and according to SME's own forum - it's not even worth trying to have the FreeRADIUS GUI dialupadmin on any RHEL distro, and because of the 'non-standard' configurations of SME it's not recommended to use Webmin on it.

I'd guess ClarkConnect suffers from the same drawbacks - the difficulty and inadvisability of trying to further modify something that's already been modified by someone else - but I've never tried it and if it leaves the underlying OS in a purer state than SME it might better suit me.
From Andrew:

I'd guess ClarkConnect suffers from the same drawbacks - the difficulty and inadvisability of trying to further modify something that's already been modified by someone else - but I've never tried it and if it leaves the underlying OS in a purer state than SME it might better suit me.

When ClarkConnect was based on Fedora core2, it was outstanding in this regard. You could treat it like any other FC2 install. It was brilliant.

So much so that I had quite a task upgrading it - because of my mods being incompatible with theirs. So now I've gone back the other way running a very clean and unmodified CC 4.1 machine, and a separate linux work horse machine.

It's a pity because now my dedicated firewall is quite a powerful box and a 330 MHz Celeron would do the job.

From RainDog:
It's all a matter of what you want to do. As a basis for small business servers I've had many successes with SME. Set and forget. Capable, secure, etc.

What I don't recommend is messing too much with SME (or CC) builds to run custom applications; you see tales of woe all through the discussion boards with attempts at webmin etc. SME does what it does very well. My preferred option is to set SMEs up in gateway server mode and use a second box or board for any specialist application. Given that most aren't particularly demanding, the hardware expense is much less than the labour involved and you can still rely on the SME box for gateway security.

And as far as I can google - and according to SME's own forum - it's not even worth trying to have the FreeRADIUS GUI dialupadmin on any RHEL distro, and because of the 'non-standard' configurations of SME it's not recommended to use Webmin on it.

I'd suggest using a CentOS box for this; it's getting a little off the SME path.

I'd guess ClarkConnect suffers from the same drawbacks

Same drawbacks, yes. But those drawbacks are advantages in another's situation. SME and CC are rock solid quick setup configurations; in doing this they offer little for the experimenter.

cheers..

More about the thinking part on the next post.

Saturday, March 15, 2008

Astro Gets Fragged

I eliminated Astaro from the list based on my previous post. I have also read in many other forums that Astaro can be hard to set up. It would have been the only SUSE-based solution, which was also a deciding factor.

Three camps have clearly formed:

BSD-based solutions: very lightweight and robust.

Debian-based solutions: Lots of options with the potential to roll my own (based on the number of tutorials I have seen on the web).

Red Hat-based solutions: Large file sizes are a concern, but there are many options that are well-known and robust.

Outstanding Decisions:
  • Do I want to mix and match the best solutions or stay with the same distro base, therefore compromising on solutions, but knowing that management will be potentially easier in the long run?
  • Roll my own solution (distro with packages) or use off the shelf distro solutions?
  • Run multiple Virtual machines or lump all of the packages under one distro or hybrid?
  • Pursue a home solution or a more robust SOHO solution (one computer vs. multiple physical machines)?
I found some interesting server tutorials over at debiantutorials that I need to check out:

Debian Etch as Server
Debian Linux file and print server: NFS, CUPS, LPR
Stream your music with gnump3d
Simple local web server on Etch
Web Server on Debian Etch

Thursday, March 13, 2008

Simple Question on Software-Based Router

Found this thread over at HardForum

Hello people,

I have been looking into using a software based router like Smoothwall or Freesco for my company.

From all the options, I'm leaning towards Freesco unless someone here tells me I shouldn't with a good reason why. Basically I need the router for QoS for VoIP lines.

The questions I have are pretty simple. Is there a special way to install two NIC cards? Or is it just as simple as plugging in a second one and installing the drivers?

Thanks

This response caught my eye:

Pfsense has my vote

Well I have tried a lot of those (Smoothwall 2, Smoothwall 3, Clarkconnect, Endian firewall, Astaro versions 6 and 7, IPCop, Monowall and Zeroshell) in my quest to be able to play COD4 while loading my line with torrents, and I have to give my vote to pfsense (using 1.2 RC4 at the moment). Traffic shaping is by far the best I've tried; at least the pings are staying low and there's no lag, and web access remains very fast. The traffic shaping wizard is not bad to get started but needs a little tweaking depending on the services on your network.

I have set up many configurations at various client locations, and for simplicity I agree that Smoothwall is best for newbies. I have used it for a few clients (10 to 50 users) and it has been stable as a rock, easy to configure and maintain.

I have also used Astaro for a few clients: great product (not free) but overkill for home use, and traffic shaping is poorly implemented. On top of that, if you have never set up a router/firewall before you will find it a bit more complex than the other ones, to say the least.

Pfsense runs on a toaster almost, is fast and has no extra useless features unless you want to install optional packages.

Hope it helps you

Wednesday, March 12, 2008

EnGarde Is Eradicated

Found this article, "After troublesome install, EnGarde proves it's secure", at Linux.com. Needless to say, this is definitely not the type of KISS experience I am looking for. It also seems from reading the article that the existing EnGarde documentation is somewhat lacking.

Tuesday, March 11, 2008

Pairings

I was curious about the heritage of the remaining potential solutions, so I researched and compiled the following list:

Free/Open/NetBSD
mOnOwall - Security
Smoothwall - Security
pfSense - Security
Comixwall - Security UTM
FreeNAS - File Server

Red Hat/RHEL/Fedora /CentOS
Clark Connect - Security
Endian - Security UTM
IPCop - Security
PBX In A Flash - SELECTED - VoIP
MythDora - HTPC
SME Server - File Server
CentOS Server (roll own) - File Server

Debian/Ubuntu
Vyatta - Security
Untangle - Security UTM
Mythbuntu - HTPC
Knoppmyth - HTPC
EnGarde - File Server
Ubuntu Server (roll own) - File Server
Debian Server (roll own) - File Server

Slackware/Suse
Astaro - Security UTM

Independent Package / Application
Freevo - HTPC
MythTV - HTPC
VMware - Virtualization
Virtual Box- Virtualization

MikroTik RouterOS - This choice was eliminated because I cannot find a support community. The documentation is not as good as with other solutions.

eBox Platform - This choice was eliminated because the user forums and documentation need to be improved or edited. There does not seem to be much activity on the user forums. This platform, however, does look like it has a lot of promise.

Monday, March 10, 2008

UTM Minimum System Requirements

UTM Solutions - Minimum System Requirements

Solution    CPU                                  RAM     Disk                 NICs                                    Install media
Astaro      Pentium III 900 MHz or compatible    512 MB  10 GB SCSI/IDE HD    3 PCI NICs (Internet, Local Net, DMZ)   Bootable SCSI/IDE CD-ROM
Comixwall   AMD64 or better                      512 MB  unknown              not listed                              Bootable CD-ROM
Endian      Pentium 500 MHz or compatible        256 MB  4 GB SCSI/IDE HD     not listed                              IDE, SCSI or USB CD-ROM drive required for installation
Untangle    Pentium 800 MHz or compatible        512 MB  not listed           2 NICs (3 with a DMZ)                   CD-ROM drive required for installation

Based on these minimum requirements, it looks like a UTM solution would require a separate system. Out of these, Endian looked the best due to its size and system requirements. Comixwall, the only BSD-based UTM solution, also looks good, but the support community is not as well organized as with the other solutions.

I plan to start looking at other security solutions soon, but I have already been able to eliminate one of them from contention:

Censornet - I eliminated it because it is primarily an open source Internet Web Filtering & Management solution, lacking many of the features of other security solutions under evaluation.

Sunday, March 9, 2008

Which is the BEST hardware Router/Firewall to monitor in/out traffic?

Post Made By YeOldeStonecat over at wilderssecurity.com:

Or if you want something with a bit more power, build yourself a *nix distro router...take a mid-range P3 or higher, with 2x NICs...and install one of the many *nix router distros out there.

There are many of them out there...some stronger in certain areas than others, and a growing number that bring full UTM features (Unified Threat Management). These UTM features are the ones I'm really interested in..and using at a few clients with good success. The UTM distros add antivirus scanning of all web, mail, and ftp traffic, as well as spam removal of web traffic. Some add ad/spyware blocking of browser traffic as well. And beefier intrusion detection via Snort.

Some of the basic *nix router distros....

IPCop...one of the more popular ones, has a big development/support community with lots of add-on packages.
You can add UTM functionality to it with the add-on called Copfilter

m0n0wall

Smoothwall

pfSense...built on m0n0wall...with stronger QoS features

Clark Connect is a cool distro for a small business, sort of an open source *nix version of Microsoft Small Business Server

vyatta

For some of the UTM distros....in addition to the Copfilter build of IPCop listed above....

Endian...one of my favorites..built on top of IPCop..with the features of Copfilter...bundled into one tight package

Comixwall

Astaro

Untangle...this one is fantastic...I've built a few...using them in production...very powerful. Lots of features...even blocking of IM traffic and peer to peer traffic.

On the basic distros...all you need is an older PC...P2 or so, moderate RAM, a pair of NICs..and you're good to go. For the UTM distros..you want a bit more power...mid range or higher P3, 512 megs of RAM...Untangle likes to go above 1.0GHz and a gig of RAM.


Well I guess I have even more options to check out now.....
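The HardForum question above (two NICs, QoS for VoIP) and YeOldeStonecat's "P3 with 2x NICs" build both come down to the same thing every one of these distros does under the hood: map each NIC to a zone, deny by default, and let connection tracking admit the replies to traffic you started. The following model is an added example, not code from the original post or from any of the projects named here. The interface names (eth0/eth1/eth2), the address ranges (RFC 1918 and RFC 5737 documentation space) and the single published DMZ service are constructed assumptions for the demo.

```python
"""Zone-based stateful forwarding model for a small router/firewall box.

Constructed example: three NICs map to the zones named in the Astaro
requirements (Internet, Local Net, DMZ). Interface names, address ranges
and the published DMZ service are assumptions for this demo.
"""
import ipaddress
from dataclasses import dataclass

WAN, LAN, DMZ = "wan", "lan", "dmz"

# Assumed NIC-to-zone mapping and inside address ranges (not from the page).
ZONE_OF_IFACE = {"eth0": WAN, "eth1": LAN, "eth2": DMZ}
NETWORKS = {
    LAN: ipaddress.ip_network("192.168.1.0/24"),   # RFC 1918 private space
    DMZ: ipaddress.ip_network("192.0.2.0/24"),     # RFC 5737 TEST-NET-1
}
# Only (address, proto, port) tuples listed here are reachable from the Internet.
DMZ_PUBLISHED = {("192.0.2.10", "tcp", 443)}


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of_addr(addr: str) -> str:
    """Classify an address: inside ranges map to LAN/DMZ, everything else is WAN."""
    ip = ipaddress.ip_address(addr)
    for zone, net in NETWORKS.items():
        if ip in net:
            return zone
    return WAN


class Router:
    """Default-deny forwarding with a minimal connection-tracking table."""

    def __init__(self) -> None:
        # Flows already accepted, keyed by the first packet's 5-tuple.
        self.flows: set[tuple] = set()

    @staticmethod
    def _new_flow_allowed(src_zone: str, dst_zone: str, pkt: Packet) -> bool:
        """Zone policy for the first packet of a flow."""
        if src_zone == LAN:
            return dst_zone in (WAN, DMZ)          # inside clients may reach out
        if src_zone == DMZ:
            return dst_zone == WAN                  # a DMZ host never initiates into the LAN
        if src_zone == WAN:
            return dst_zone == DMZ and (pkt.dst, pkt.proto, pkt.dport) in DMZ_PUBLISHED
        return False

    def forward(self, pkt: Packet) -> tuple[str, str]:
        """Return ("ACCEPT" | "DROP", reason) for a packet the box must forward."""
        src_zone = ZONE_OF_IFACE[pkt.in_iface]
        dst_zone = zone_of_addr(pkt.dst)
        # Anti-spoofing: a packet arriving from the Internet may not claim an inside source.
        if src_zone == WAN and zone_of_addr(pkt.src) != WAN:
            return "DROP", "spoofed inside address on WAN interface"
        if src_zone == dst_zone:
            return "DROP", "same zone, nothing to forward"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.flows or reply in self.flows:
            return "ACCEPT", "established flow"
        if self._new_flow_allowed(src_zone, dst_zone, pkt):
            self.flows.add(key)
            return "ACCEPT", f"new {src_zone}->{dst_zone} flow permitted"
        return "DROP", f"{src_zone}->{dst_zone} not permitted by policy"


if __name__ == "__main__":
    # Constructed trace: a LAN client browsing out, its reply, and four hostile cases.
    r = Router()
    trace = [
        Packet("eth1", "192.168.1.20", 50000, "198.51.100.5", 443),  # LAN client out
        Packet("eth0", "198.51.100.5", 443, "192.168.1.20", 50000),  # the reply
        Packet("eth0", "198.51.100.5", 40000, "192.168.1.20", 22),   # unsolicited to LAN
        Packet("eth0", "198.51.100.5", 40001, "192.0.2.10", 443),    # published DMZ service
        Packet("eth2", "192.0.2.10", 40002, "192.168.1.20", 445),    # DMZ host probing LAN
        Packet("eth0", "192.168.1.50", 40003, "192.168.1.20", 445),  # spoofed inside source
    ]
    for p in trace:
        print(p.in_iface, p.src, "->", p.dst, p.dport, *r.forward(p))
```

The order of the checks is the point worth taking from the model: anti-spoofing runs before the connection-tracking lookup, so a forged inside source can never ride an established entry, and the DMZ-to-LAN rule is a hard drop even though LAN-to-DMZ is open, which is what makes a compromised DMZ box a contained problem rather than a foothold.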

Saturday, March 8, 2008

Going 103M over security

Continuing from January, here is the latest list when it comes to security applications:

* Untangle - It has been getting good reviews but it seems like it wants lots of horsepower (RAM, CPU) to run well. I like the concept of a "virtual rack" of security tools with easy-to-use GUI configuration tools.

* ClarkConnect
* IPcop
* Smoothwall
* mOnOwall
* redWall - I have eliminated redWall because it has not been updated in over 18 months and I have been unable to find many comments about it on-line. Reading some of the posts at the redWall forums site gave me the impression the project is somewhat in limbo.

* Gibraltar - I eliminated Gibraltar because it is BIG (622 MB). Compare this to mOnOwall, which is only 8 MB! I also read several reviews saying it was hard to configure and install. The following feature looked pretty cool, as pointed out at fsckin w/ linux: “Anonymisation Gateway: The Gibraltar Anonymisation Gateway makes your overall network traffic anonymous and it makes sure you can surf in the internet anonymously.”

* Devil-Linux - I took it off the list because it just does not seem as polished and mature as the other solutions under consideration. This is a very competitive category with many well established players.

I read a good review of linux/bsd firewalls over at fsckin w/ linux:

Seven Different Linux/BSD Firewalls Reviewed

He tested the following solutions:

Firewall Graph

He concluded his review by selecting pfSense. Based on comments after the review, he has decided to update his review and compare several more firewalls.

I have a few new options to check out:

Thursday, March 6, 2008

I Want My MTV

Looking at the File Server category two distinct groups emerge:

Prepackaged servers - All have a web interface

EnGarde - Based on Red Hat
FreeNAS - Based on FreeBSD
SME Server - Based on CentOS

Roll your own server:

CentOS
Debian
Ubuntu Server

I am wondering if it would be best to start with a prepackaged server and after gaining some knowledge I could then roll my own after I really determine what I want/need. It is one thing to plan this all out but another to actually implement it for real.

I finally started to review HTPC and quickly eliminated a few options:

VDR does not look like a mature project and it does not look like much has been done to it over the last two years. Found no support group and little documentation.

LinuxMCE looks like an interesting project based on Kubuntu that has some maturity but has a lot of bells and whistles that I am not interested in like home automation, phone system and security system.

Sagetv is not free (as in beer or freedom) from what I can tell. That is too bad because it is a mature product with many features.

That leaves Freevo or MythTV and its many distro spin-offs like MythDora, Mythbuntu and KnoppMyth.

A quick search revealed several sites that compared all three of these distros; a couple of these were:

Three MythTV Linux distros compared

Smokey Rokey

It looks like KnoppMyth's biggest drawback is the inability to upgrade easily. Other website reviews tended to favor MythDora, but there was no clear winner on which performs better.

Wednesday, March 5, 2008

Best on the Planet?

I was reading an older review of EnGarde at linux.com and it was an overall positive review. Supporting this, EnGarde has received many accolades and awards which EnGarde proudly posts on their website. EnGarde has a web interface configuration tool aptly called WebTool which is something I am interested in.

Another potential software solution getting good reviews is Untangle. Carlos Echenique over at PlanetX64, at the end of his review, stated:

Price, performance, features, support and a killer interface all come together to produce a near perfect product. Ongoing development and a support team that listens to the needs of their customers makes the Untangle Platform your best bet for securing your network.

Scores:

Features: 4.95 out of 5
Interface: 5 out of 5
Performance & Support: 5 out of 5
Pricing: 5 out of 5
Total Score: 19.95 out of 20

PlanetX64 proudly awards Untangle Platform the Best on the Planet.

I have decided to take Annvix off the consideration list. Based on a review at linux.com and on reviewing the on-line documentation, I do not think this would be the best first introduction to setting up and managing a server. I think I will require a little more hand holding than Annvix can give me, given my lack of knowledge.

Contenders still in the running:

VoIP

I have decided to choose PBX In A Flash as my VoIP solution. The Poor Man's Tech blog had a follow-up post on PBX In A Flash vs. Trixbox and it gave several compelling reasons to make a switch from Trixbox CE (which I use at work) to PBX In A Flash. I have been wanting to try this new Asterisk-based solution out and this seems like a great time to take the plunge.

Monday, March 3, 2008

List Fodder

I have been tinkering with a few potential solutions and have narrowed the list down further. I have pretty much decided to go with VMware as my virtualization solution. I finally found some good tutorials on its use and have been using it successfully. I also got somewhat scared of using VirtualBox as a solution on a production server based on some comments I heard on the Linux Outlaws Podcast and comments posted on various support forums. I also have to wonder what the Sun acquisition of InnoTek will mean for VirtualBox in the coming months.

I am torn because VirtualBox is open source while VMware is proprietary code....

I am more interested in PBX In A Flash based on a blog post over at Poor Man's Tech. I was aware of the trixbox phone-home flap and that issue left a bad taste in my mouth, fueling desires to find an alternative. (I am a current trixbox user.)

I have not even looked at the HTPC solutions but hope to narrow the list soon.

I have added Debian as the basis for a potential file server and maybe more after reading some information posted at
About Debian Linux

Going to put security on hold right now until other solutions are narrowed down.