Koozali.org: home of the SME Server

Three NIC in SME -another approach

Offline Per

Three NIC in SME -another approach
« on: December 11, 2007, 04:02:24 PM »
Build a 3-NIC DMZ with SMEserver - so I jump into this somewhat heated discussion.... :-)
Objective

  • Separating local services from public services for increased security
  • One (physical) box for cost-efficiency
  • Benefit from SMEserver built-in capabilities
  • Keep SMEserver security and design policies with minimal modification (not fiddle with firewall rules)
  • Build a multipurpose environment for flexibility
Short description:

  • One SME box in private server-gateway mode with an extra (third) ethernet card.
  • Isolate this extra NIC by giving it IP 0.0.0.0
  • Install VMware Server and create a virtual SME machine, in server-gateway mode.
  • Connect the VM to the internet and let the host use it as its gateway.
  • In between you get yourself a DMZ that can be used by both physical and virtual machines.

You will find layouts and a detailed How To at http://bends.se/it/smeserver/dmz_virtual_3-nic.php
It's working alright for me..

Do you think my objectives are met?
I would appreciate your input greatly as my experience is limited... /Per
NO! I refuse to put some clever latin sentence here!

Offline Boris

Re: Three NIC in SME -another approach
« Reply #1 on: December 11, 2007, 11:28:39 PM »
I frequently use a similar approach but with the standard two NICs.
SME server in server-gateway configuration for all the Internet duties and general LAN file sharing.
VMware server bridged to the LAN Ethernet NIC for LAN-only applications if they are incompatible with SME (read: required MS Windows server for MS SQL etc.). That VMware server can be accessed from the Internet (if needed) via port-forwarding, proxypass or via VPN, depending on requirements.

Offline arne

Re: Three NIC in SME -another approach
« Reply #2 on: December 12, 2007, 03:53:07 PM »
Per ->

This was an amazing and very interesting and almost unbelievable solution to the 3rd NIC and DMZ "problem"!

I had to read your web page 2-3 and 5 times before I thought I understood anything at all.

Do I understand it right if the case is that you are actually doing a double NAT for the secure LAN segment and then a single NAT for the virtual gateway server? I understand it also that way that it is the virtual SME server that acts as the internet-connected firewall and server and the "host SME server" that acts as the LAN server. Then also you will have the option of connecting a wireless LAN access point or a DMZ server to the 3rd NIC between the "virtual gateway" and the "real gateway".

This design will also include that you actually have two server-manager panels to configure, and also two SME servers in one box, the virtual gateway server and the real gateway server. Both these servers will operate and behave like an ordinary SME server.

Is this right?

About the "remaining question" on your web page: "Is there a way to connect to the local side of DMZ firewall from LAN?"

Yes, for the routable services/protocols like HTTP and FTP this should work by default (??) (Doesn't it??)
For the non-routable protocols, i.e. the "Windows LAN server stuff", it should not work because of the nature of non-routable protocols.
Does it work differently from this?

Have I understood it right?

By the way, I believe that the way you do it with a chain consisting of a virtual and a real SME server will give full functionality to the DMZ segment. When doing the 3rd NIC solution with the use of another subnet (like I do it) there is a limitation that clients and servers on the DMZ segment are not able to access server functions on the gateway. (Normally this will also be a wanted property, but possibly not always.)

If I understand your solution right the DMZ clients will have full "LAN" access to the virtual gateway server and no access to the "second real gateway server" (as this is configured as "private").

By the way, your solution gave me some ideas to solve the same "problem" one more way from "the minimalistic netfilter approach"... I wonder if it could be an idea to set up a single ordinary gateway server, and then to add one extra LAN NIC bridged over to the original LAN NIC so there will not actually be a WAN, a DMZ and a LAN segment, but a WAN and a LAN1 and a LAN2 sharing the same IP, and then to apply a Linux bridge-mode firewall between LAN1 and LAN2. This could, if it works, give a protected LAN2 zone with much of the same properties as a DMZ zone (using its own routed subnet).

Thanks for excellent new ideas. (If I did understand it at all.) :-)
......

Offline Per

Re: Three NIC in SME -another approach
« Reply #3 on: December 12, 2007, 04:43:40 PM »
Well, from all functional points of view, it is just like having two physical boxes:

LAN<-->LAN switch<-->SME private server<-->DMZ Switch<-->SME public server<-->WAN

This gives you the possibility to hook up anything (virtual and/or physical machines) to LAN or DMZ (virtual) switches.

Another important point is that it does not break the original design and security policies (I believe?) of SME.
All solutions that I can think of that modify firewall rules in a fundamental way seem risky to me.
At least it can not be considered to be an SMEserver anymore after that kind of modification.

About the LAN-->DMZ problem: One could have a desktop machine that is connected both to LAN and DMZ, bypassing the LAN server, and access both LAN and DMZ resources. Obviously this will be a security weak point and is probably not a good idea at all.
A better idea would be to have a LAN machine that somehow routes both to LAN and DMZ through the LAN gateway server. But how?
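The two-gateway chain sketched above, modelled as an added illustration (this is not code from SME Server or from the linked HowTo): two stateful NAT hops in Python, with constructed addresses (192.168.1.0/24 for the LAN, 10.10.1.0/24 for the DMZ, RFC 5737 addresses on the public side). It shows why a LAN client reaching the DMZ or the Internet works by default, while a DMZ host cannot reach the LAN or the private gateway: the private SME only admits packets that are replies to flows it translated itself.

```python
"""Two stateful NAT hops modelling LAN <-> private SME <-> DMZ <-> public SME <-> WAN.
Added illustration, not SME Server or HowTo code; all addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones along the chain in order; anything outside these two networks counts as WAN.
NETS = [("LAN", ip_network("192.168.1.0/24")), ("DMZ", ip_network("10.10.1.0/24"))]
WAN = len(NETS)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


class Gateway:
    """A server-gateway: masquerades inside->outside, admits only replies from outside."""

    def __init__(self, name, outside_addr):
        self.name = name
        self.outside_addr = outside_addr
        self.conntrack = {}  # masqueraded sport -> (inside src, inside sport, remote dst)
        self.next_port = 1024

    def outbound(self, pkt, trace):
        key = (pkt.src, pkt.sport, pkt.dst)
        nport = next((p for p, k in self.conntrack.items() if k == key), None)
        if nport is None:  # new flow: allocate a masquerade port and remember the flow
            nport, self.next_port = self.next_port, self.next_port + 1
            self.conntrack[nport] = key
        trace.append(f"{self.name}: SNAT {pkt.src}:{pkt.sport} -> {self.outside_addr}:{nport}")
        return Packet(self.outside_addr, pkt.dst, pkt.dport, nport)

    def inbound(self, pkt, trace):
        if pkt.dst != self.outside_addr:  # the inside network is not routed from outside
            trace.append(f"{self.name}: DROP {pkt.dst} is not reachable from outside")
            return None
        entry = self.conntrack.get(pkt.dport)
        if entry and entry[2] == pkt.src:  # reply to a flow we translated: undo the SNAT
            src, sport, _ = entry
            trace.append(f"{self.name}: de-NAT reply -> {src}:{sport}")
            return Packet(pkt.src, src, sport, pkt.sport)
        trace.append(f"{self.name}: DROP unsolicited {pkt.src}:{pkt.sport} -> :{pkt.dport}")
        return None


def zone_index(addr):
    a = ip_address(addr)
    return next((i for i, (_, net) in enumerate(NETS) if a in net), WAN)


def dst_zone(gateways, addr):
    """A gateway's outside address is handled by that gateway, i.e. by the zone behind it."""
    return next((k for k, gw in enumerate(gateways) if addr == gw.outside_addr), zone_index(addr))


def deliver(gateways, pkt, trace):
    """Walk one packet hop by hop; return it as delivered, or None if a gateway dropped it."""
    pos = zone_index(pkt.src)
    while True:
        target = dst_zone(gateways, pkt.dst)  # re-evaluated: de-NAT rewrites the destination
        if target > pos:
            pkt, pos = gateways[pos].outbound(pkt, trace), pos + 1
        elif target < pos:
            pkt, pos = gateways[pos - 1].inbound(pkt, trace), pos - 1
            if pkt is None:
                return None
        else:
            trace.append(f"delivered {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return pkt


def exchange(gateways, pkt):
    """Request plus reply; True only if the reply makes it back to the original sender."""
    trace = []
    arrived = deliver(gateways, pkt, trace)
    if arrived is None:
        return False, trace
    reply = Packet(arrived.dst, arrived.src, arrived.sport, arrived.dport)
    back = deliver(gateways, reply, trace)
    return back is not None and (back.dst, back.dport) == (pkt.src, pkt.sport), trace


def run_scenarios():
    # private SME: 192.168.1.1 on the LAN, 10.10.1.2 on the DMZ; public SME: 10.10.1.1 / 198.51.100.2
    gws = [Gateway("private SME", "10.10.1.2"), Gateway("public SME", "198.51.100.2")]
    cases = {
        "lan_to_wan": Packet("192.168.1.10", "203.0.113.5", 80),     # browsing: NAT twice, de-NAT twice
        "lan_to_dmz": Packet("192.168.1.10", "10.10.1.50", 80),      # routable DMZ service: works
        "dmz_to_lan": Packet("10.10.1.50", "192.168.1.10", 445),     # DMZ host into the LAN: dropped
        "dmz_to_private_gw": Packet("10.10.1.50", "10.10.1.2", 80),  # DMZ host to private SME: dropped
        "wan_to_lan": Packet("203.0.113.5", "192.168.1.10", 22),     # unsolicited from Internet: dropped
    }
    return {name: exchange(gws, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (ok, trace) in run_scenarios().items():
        print(name, "OK" if ok else "BLOCKED", *trace, sep="\n    ")
```

Run it directly to print each scenario's hop-by-hop trace. The reply path is where the double NAT becomes visible: both gateways have to undo their own translation, in reverse order, before the packet reaches the LAN client again.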

Offline arne

Re: Three NIC in SME -another approach
« Reply #4 on: December 12, 2007, 08:41:24 PM »
Quote
A better idea would be to have a LAN machine that somehow routes both to LAN and DMZ through the LAN gateway server. But how?

But when you use two gateways connected "in series" it works that way by default, doesn't it? (Except for non-routable LAN protocols that will not be routed.) (I used to use two physical Linux boxes before with DMZ in the middle, and I think it worked that way. Have not tried with a virtual gateway arrangement.)

Quote
Another important point is that it does not break the original design and security policies (I believe?) of SME. All solutions that I can think of that modify firewall rules in a fundamental way seem risky to me. At least it can not be considered to be an SMEserver anymore after that kind of modification.


I believe it will work the exact opposite way. Setting up a virtual gateway will in some way change all of the fundament that the SME server firewalling is based on. The SME server itself does hardly contain any firewalling function at all. Almost the only firewalling it maintains is a set of firewalling rules that is applied to a kernel module that maintains the packet firewalling capability. If you replace the one set of rules with another almost equal set of rules working basically the same way, there will be hardly any dramatic change for that kernel module that maintains the actual firewalling. (OK, I know that there are some "firewall-alike functions" behind the packet firewall, but for practical reasons I did not mention it.)

When you change the basic fundament of the firewalling from configuring that certain kernel module to instructing the kernel (or virtual processes) to do firewalling through two NAT routers plus two bridges that will also normally be contained by the (almost) same kernel module, things will then work dramatically differently from the original SME server design based on netfilter. I would guess that using a virtual kernel and a virtual netfilter implementation might have some unpredictable side effects (but of course it might work).

The important thing to remember is that ordinary or regular Linux firewalling is a process that runs inside the Linux kernel. If you apply a new ruleset, the firewall will still work the same way, just based on a new ruleset. If you are using one ordinary firewall setup plus two bridges plus one instance of a "virtual netfilter implementation" it is not easy to know how this will work. (The bridging functions would normally be maintained by the kernel module as well. Don't know how vmware does this and how things will work together.)

I would believe that the concept of a virtual gateway will represent a major change in design because the "environment" that the SME server configuration tools are working against is no longer the same at all.

Of course it could be tested out to see how it will work, but I think that there are a number of uncertain factors. It could work, but if it does I will believe that the packet traversal through the Linux kernel will be quite different from the original netfilter design.
« Last Edit: December 12, 2007, 08:50:33 PM by arne »

Offline Per

Re: Three NIC in SME -another approach
« Reply #5 on: December 12, 2007, 09:53:35 PM »
"non-routable LAN protocol"? Would it work if using 10.10.0.0 for LAN and 10.10.1.0 for DMZ? Or some other LAN segments?

By saying "not break policies" I mean that I don't (intentionally) change firewall rulesets other than with the built-in functions applied when I choose "Private server-gateway" or "server-gateway" mode.

There may be things going on 'under the hood' in a virtual environment that break things but I haven't heard of it yet. Do you or anyone else have other facts at hand? That would be big (bad) news.

Otherwise I don't know much about firewalling (or kernels, netfilter, etc.) so there's no point in going deep with me...
I'm a generalist, not a specialist (Is that correct in English?).

Offline arne

Re: Three NIC in SME -another approach
« Reply #6 on: December 12, 2007, 11:35:22 PM »
http://www.suite101.com/article.cfm/laning_retired/44315

I guess the "thing" that first of all will not work through routers is services that require broadcasts (but it is still possible to reconfigure a router to retransmit broadcasts). If you do routing it will normally not transfer broadcasts.

If one NIC has IP 10.10.1.1 and the other has 10.10.0.1 and the netmask is 255.255.255.0 these will be on two different network segments and it will be a question of routing. If the netmask were 255.255.0.0 both would be on the same subnet and your router/gateway would not work.

About the basic principles of Linux firewalling. - All basic theory about Linux packet firewalling is based on a principle of describing how you take control of how the datastream passes through the Linux kernel. If the datastream is passed out from those "regular patterns" that it is supposed to follow and then passed over to some virtual process, working in a completely different way, actually all those basic considerations that are normally considered to be the basis of "Linux kernel firewalling" are also lost.

No, I have never seen documentation that proves or says that the firewalling will not work as before, but I haven't seen the opposite either. The concept of a virtual gateway does not fit in with the theory or explanation of basic Linux firewalling at all, but still it is possible that vmware has done some smart solutions so it will work. I don't know. (And I wouldn't trust it before a lot of testing.)

http://www.netfilter.org/

When something that is supposed to occur inside the Linux kernel in some way is retransmitted to occur somewhere else I think that the situation is just unpredictable, also including the option that it might work well.


Some basic theory: http://www.usenix.org/publications/login/2005-12/pdfs/prevelakis.pdf

... when thinking it over .. if applying "standard hacking methods" a virtual firewall arrangement should anyhow have a lot more possibly weak points to attack due to its increased complexity. It will not be a "Smoothwall" but some sort of more complex mechanism for data transport. This increased complexity could, I believe, increase the risk of breaking in via classical methods like DoS and DDoS attacks, buffer overflow, different kinds of memory contamination, options for bypassing filtering rules, etc. The more complex the gateway installation is, the more options there will be for finding some weak points to gain access through. There have been a number of reported security issues for the vmware environment itself. (I saw it on the web a few days ago.)
« Last Edit: December 13, 2007, 12:27:19 AM by arne »
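The netmask point in the reply above, turned into a runnable check (an added example, not SME Server code; the interface names and addresses are constructed): with 255.255.255.0 masks the two NICs sit on separate segments and the router can pick an egress interface, whereas with 255.255.0.0 both interfaces claim the same network and the forwarding decision becomes ambiguous. The broadcast case from the same reply is covered too: limited and directed broadcasts are never forwarded.

```python
"""Subnet and broadcast checks for a multi-NIC gateway, added to illustrate the netmask
point made in the thread; not SME Server code.  Interface names and addresses are constructed."""
from ipaddress import ip_address, ip_interface

# Two candidate configurations for the LAN and DMZ interfaces (constructed examples).
SEPARATE_SUBNETS = {"eth1": "10.10.0.1/255.255.255.0", "eth2": "10.10.1.1/255.255.255.0"}
OVERLAPPING_SUBNETS = {"eth1": "10.10.0.1/255.255.0.0", "eth2": "10.10.1.1/255.255.0.0"}


def interface_networks(ifaces):
    """Map each interface name to the network its address/netmask describes."""
    return {name: ip_interface(spec).network for name, spec in ifaces.items()}


def overlapping_pairs(ifaces):
    """Interface pairs whose networks overlap: the kernel cannot route between them."""
    nets = interface_networks(ifaces)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def forwarding_decision(ifaces, arrival_iface, dst):
    """How a router with these interfaces treats a packet for dst arriving on arrival_iface."""
    nets = interface_networks(ifaces)
    d = ip_address(dst)
    arrival = nets[arrival_iface]
    # Limited and directed broadcasts stay on the segment they were sent on.
    if d == ip_address("255.255.255.255") or d == arrival.broadcast_address:
        return "broadcast: not forwarded"
    matches = [name for name, net in nets.items() if d in net]
    if len(matches) > 1:  # the misconfiguration: two interfaces on one subnet
        return "ambiguous: overlapping subnets " + ", ".join(sorted(matches))
    if not matches:
        return "forward to default gateway"
    if matches[0] == arrival_iface:
        return "same segment as " + arrival_iface + ": no routing needed"
    return "route via " + matches[0]


if __name__ == "__main__":
    for label, cfg in (("separate", SEPARATE_SUBNETS), ("overlapping", OVERLAPPING_SUBNETS)):
        print(label, "overlaps:", overlapping_pairs(cfg))
        for dst in ("10.10.1.50", "10.10.0.255", "203.0.113.5"):
            print("   ", dst, "->", forwarding_decision(cfg, "eth1", dst))
```

`overlapping_pairs` is the check to run before trusting a 3-NIC layout: an empty list means every interface owns a distinct network and the decisions below it are unambiguous.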

Offline andy_wismer

Re: Three NIC in SME -another approach
« Reply #7 on: December 14, 2007, 01:59:54 AM »
Hi

Interesting approach! Not exactly "best practices" or the "pure firewall theory", but usable and workable.

I do use a few SME Servers at clients and friends due to either space / heat / budget restrictions as firewall, mostly with OpenVPN - and all work great so far!

I've also installed VMWare Server on a few clients' Windows 2003 Servers running Exchange 2003, and installed SME in VMWare as a Spam-Pass-Thru-Filter. Also works great and gets happy clients due to vastly reduced spam. Here, there is usually a hardware box doing the firewalling and port-forwarding (25 for smtp new to VM-SME instead of Exchange...), in most cases a SonicWall. Here the main reasons are the same as above, space / heat / budget...

I do prefer and advise using a dedicated box as SME, and a dedicated firewall (Yes, I know that the Spam test for your own external IP won't work...), but it is a secure, stable and flexible solution that doesn't cost the world.

A combined box is popular for Home or SoHo environments, where space, noise, heat, power consumption, budget, waf (wife acceptance factor ;-) can be issues, but - for somewhat secure environments, the following should be given some thought:

- Is stuff like Appletalk File Server or Windows File Server really a good idea on a firewall?
- Do I really want to offer a potential hacker the opportunity of hiding behind my own proxy server?
- Was I simply too lazy to remove GCC?

On the other hand, best practices suggest using a rather spartan box as firewall, only accessible from the inside using secured connections or none at all. No DHCP / DNS server or other stuff not really needed in a firewall. And - most important of all - no uncontrolled access to the outside from a PC client. That means:

- Web and FTP access only via a secured proxy server.
- No SMTP / POP3 / IMAP access to the internet except by the In-House mail server (SME, of course!).
- No outgoing traffic from clients (Skype, P2P, IRC, DNS), not even ping.

The in-house server might be exempted from part of the rules, to allow for diagnosis and other things.

Just my 2 cents on security issues...

Andy
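Andy's list of outbound rules above, expressed as an ordered first-match policy with a shadowed-rule check (an added example, not SME Server's ruleset or the author's own; the LAN range, the in-house server address and the sample flows are constructed). The check matters for exactly this kind of policy: if the broad client DROP is placed before the server exemptions, every exemption becomes dead and the server silently loses its outbound mail and DNS.

```python
"""First-match egress policy evaluator with a shadowed-rule check, added to illustrate the
"no uncontrolled access to the outside" rules in the thread.  Not SME Server code; the LAN
range, the in-house server address and the sample flows are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str]             # None = any protocol
    ports: Optional[FrozenSet[int]]  # None = any port (also for port-less protocols like ICMP)
    action: str


LAN = ip_network("192.168.1.0/24")      # constructed
SERVER = ip_network("192.168.1.1/32")   # the in-house SME server (constructed)
ANY = ip_network("0.0.0.0/0")

# FORWARD policy for traffic leaving the LAN toward the Internet; first match wins.
POLICY = [
    Rule("server: web and ftp out", SERVER, ANY, "tcp", frozenset({21, 80, 443}), "ACCEPT"),
    Rule("server: mail out", SERVER, ANY, "tcp", frozenset({25, 110, 143}), "ACCEPT"),
    Rule("server: dns out", SERVER, ANY, "udp", frozenset({53}), "ACCEPT"),
    Rule("server: ping out (diagnosis)", SERVER, ANY, "icmp", None, "ACCEPT"),
    Rule("clients: no direct Internet access", LAN, ANY, None, None, "DROP"),
]

# The same rules with the broad client DROP moved first: every server exemption is dead.
MISORDERED = [POLICY[-1]] + POLICY[:-1]

# Constructed sample flows: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.5", "tcp", 80),     # client browsing directly
    ("192.168.1.10", "203.0.113.5", "udp", 53),     # client doing its own DNS
    ("192.168.1.10", "203.0.113.5", "icmp", None),  # client ping
    ("192.168.1.1", "203.0.113.5", "tcp", 80),      # proxy on the server fetching a page
    ("192.168.1.1", "203.0.113.5", "tcp", 25),      # server delivering mail
    ("192.168.1.1", "203.0.113.5", "tcp", 6667),    # server to IRC: not exempted
]


def matches(rule, src, dst, proto, dport):
    return (ip_address(src) in rule.src and ip_address(dst) in rule.dst
            and (rule.proto is None or rule.proto == proto)
            and (rule.ports is None or dport in rule.ports))


def evaluate(rules, src, dst, proto, dport=None):
    """Return (action, rule name) for a flow; unmatched flows fall through to a default drop."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action, rule.name
    return "DROP", "policy default"


def covers(earlier, later):
    """True if every flow `later` would match is already taken by `earlier`."""
    return (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
            and (earlier.proto is None or earlier.proto == later.proto)
            and (earlier.ports is None
                 or (later.ports is not None and later.ports <= earlier.ports)))


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def audit(rules, flows):
    """Evaluate each sample flow against the policy."""
    return [evaluate(rules, *flow) for flow in flows]


if __name__ == "__main__":
    for flow, (action, why) in zip(SAMPLE_FLOWS, audit(POLICY, SAMPLE_FLOWS)):
        print(flow, "->", action, "by", why)
    print("shadowed in POLICY:", shadowed_rules(POLICY))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

`covers` is deliberately conservative: it only reports a rule as shadowed when one single earlier rule matches a superset of its flows, which is the common mistake when a catch-all is inserted at the top; it does not try to detect shadowing by a combination of several earlier rules.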



Offline Per

VPN
« Reply #8 on: December 14, 2007, 07:54:53 AM »
Thanks Andy for your valuable input!

My intention with this is to create something better than having one SMEserver in Server-Gateway mode with all kinds of public services, + trying to protect the LAN, all in the same OS. That is my current config and I believe it's downright bad policy, even for a home environment.
So, is it more secure (for LAN) or have I just added complexity?

About the LAN -> DMZ problem: I tested a VPN-tunnel from LAN to my DMZ firewall yesterday and it routed nicely. It's outlined in the HowTo. But what are the security concerns with this behaviour?

Offline andy_wismer

Re: Three NIC in SME -another approach
« Reply #9 on: December 14, 2007, 09:44:03 AM »
Hi Per

Well for one thing, you may have all kinds of cool Windows and Linux stuff available, but you still have a single point of failure.

An update bug, hardware failure or anything up Murphy's sleeve, and you'll not even be able to reach the Internet to look it up or fix it...

A buffer overflow error in, say, a NIC driver - VMWare runs them in promiscuous mode - would give an attacker control of the whole box, not just the encapsulated "secure" OS.

I do admit running a lot of stuff on my SME at home, from VMWare with a Win2K AD controller, Novell Server, music stuff, GCC and a lot more. But none of the mentioned have any security or firewall duties.

I use a Sonicwall to protect my home LAN and do the needed VPNs like to my office and server-site.

But that's at home, just for me ;-)

https://www.home.anwi.ch/

(My home provider does not allow http, ftp or smtp, but does allow https and ssh).

I use DynDNS for home, my "real" DNS Servers provide for aliasing to the DynDNS name. The SME actually does the DynDNS at home. The SME runs on a HP Proliant ML110, with 3.5 GB RAM (for VMWare...).

For a really secured environment, like a bank, I'd cascade say three or four top-notch firewalls like Checkpoint NG, Cisco PIX. All monitored from the secured side at, say, five-minute intervals.
Any hacker able to hack the first firewall would have to use that "leftover" to hack the next one and so on till inside. Checkpoints and PIX don't come with "nice" stuff like GCC, Ethereal & Co. And you've got a max of five minutes to pull the whole thing off!!!
Then again, banks have more to be worried about, and the bigger budget to take care of it ;-)

My two cents...

Andy


« Last Edit: December 14, 2007, 09:49:23 AM by andy_wismer »

Offline raem

Re: Three NIC in SME -another approach
« Reply #10 on: December 15, 2007, 02:13:37 AM »
andy_wismer

Quote
Any hacker able to hack the first firewall ....

Wouldn't that suggest the firewall has a serious bug, i.e. if it can be hacked at all!

You seem to suggest they would be hacking (& cracking) the firewall, but in reality they are probably hacking applications?

Offline arne

Re: Three NIC in SME -another approach
« Reply #11 on: December 15, 2007, 02:40:41 PM »
The first firewall will not be an ordinary netfilter firewall, it will be some sort of virtual application in a virtual machine.

When it comes to the design of a virtual gateway none of the basic theory of how the underlying netfilter firewall controls and filters the datastream through the kernel will be valid anymore. There will be some other more or less unknown processes and dataflows that will be taking place. Basic theory about how to harden an operating system to be working as a firewall will not be valid either.

As all basic factors are rearranged, I believe the classical way of asking if it is a question of hacking a firewall or an application also will not be valid any more.

The principle of "the virtual gateway" brings in a lot of unanswered questions, and when you look into the problem of how the datastream will pass through the kernel and how the firewalling technically will work, this will be a rather complex design with some x-factors.

My guess is that if you try this out on the home server gateway it will work. If you make some thousands of installations world wide, and establish a feedback system for evaluating security, it will not work. (Because the basic design is by its basic nature "soft".)

It is difficult to know, but I guess that the principle of the "virtual gateway" will not be a "big hit". But this could also be wrong, and this could in the future be a common way of doing things, so that the basic theory of firewalling has to be rewritten to catch up with the new reality.

Offline arne

Re: Three NIC in SME -another approach
« Reply #12 on: December 15, 2007, 03:39:22 PM »
I forgot one thing.

The basic design principle of the virtual gateway, as described above, is to first bypass the netfilter input chain that is the major security device on a Linux gateway to protect the underlying operating system. This bypass of the input chain is performed by the vmware bridge.

This means that parts of the underlying host operating system will be exposed to the internet with no protection at all.

Hacking the "first firewall" could then mean to attack the underlying operating system from that position in front of the first virtual firewall where the underlying operating system will be exposed unprotected against the internet.

(But of course if vmware has made this exposure smart enough, this might not be possible, but who knows? Is it the intention of VMware at all that their software shall be used for "virtual firewalls" or "virtual gateways"? Do they give any guarantee or documentation for such a use?)

Offline andy_wismer

Re: Three NIC in SME -another approach
« Reply #13 on: December 15, 2007, 04:23:12 PM »
Hi All

As a user of VMWare since 1998 (!) I would like to make the community aware of the fact that VMWare themselves say using a firewall appliance on VMWare isn't "best practices", but rather a way to learn about firewalling, routing, bridging even if you don't have all the hardware and budget for a sprawling network with several interhooked subnets. That information has been in several different places on their website...

VMWare are responsible for the vmware-bridge, but that is dependent upon the underlying NIC interface and its driver.

SecurityFocus / Bugtraq do display nice "bugs" in almost all systems, humans do make errors, and hardware dies...

Just because you can do it, doesn't mean it's a good idea. Like SME8. I'll test it out on a VM, maybe even on real hardware. But it won't go "productive" for a while on my side. ;-) Just because Vista may work for some people, neither I nor my clients want to use it.

Like Arne said, it may work for a few, but not for all. And in my opinion it's as much security as FakeRAID is real (Hardware-) RAID.

@ RayMitchell
I don't think Checkpoint NG or Cisco PIX classify as "Applications". In most tests, they are among "best of breed" in firewalling...
Not that I really like the PIX...

Just my 2 cents...

Andy
« Last Edit: December 15, 2007, 04:32:02 PM by andy_wismer »

Offline arne

Re: Three NIC in SME -another approach
« Reply #14 on: February 11, 2008, 01:49:07 AM »
Per ->

How are things running with your double-firewalling SME server project?

When I first read this post I have to admit that I think I really did not fully understand the things you were explaining and how things actually were working.

It just sounded rather strange to set up a combined virtual, host lan server and firewall system, and then as a virtual machine on top of this arrangement a virtual web server.

My own first ideas and approach to this subject were that the dependable Linux Netfilter has to do the job as it has always done, so that the host system will have to be the system that is connected to the Internet via the Netfilter firewall. From this approach a basic principle will be to keep the internet-connected network adapter as "clean and unchanged as possible" so there is nothing that can interfere with the Linux firewall. I made a series of tests from this approach and it worked pretty well. I am using such a netfilter/vmware/sme7.3 arrangement as internet connection just now, and I feel that it is safe enough.

The next idea that I am working on just now (in my learning process) I think I picked up in this post, and from your suggestion: the idea about the bridged virtual firewall.

I do things slightly differently as I use CentOS 5.1/64 as the host system, some instances of SME 7.3 as servers and Smoothwall 3.0 as "the virtual firewall". The idea is to use a host system that is as powerful and minimized, and independent of all server processes except for the virtual environment, so it is stable and difficult to attack. Then there should be a virtual firewall/gateway system, that is also an independent installation and as hardened a design as possible. Then there are the virtual servers running in a (more or less) protected area.

I have done some tests on this last approach and it is actually working, as described in your post.

On the other hand I find it hard to believe that the virtual firewall and servers will maintain all of their "hardness" and security when running as virtual installations. It does not help if the system design itself is "hard" if the environment it is running under is "soft". (As complexity increases I think there will be more "soft spots" to look for.)

On the other hand, I think virtualization sets new standards for how practical and easy it is to make backups, to restore new installations etc.

It is also quite interesting to see how you can combine all kinds of technologies and solutions in one box when using virtualization. If you want an SME installation with Gnome and an integrated wireless adapter or a wireless access point, it can be done.

It would be interesting to hear how things are going with "the double SME", if it is running stable, if there are some new solutions, etc.

***

Some interesting theory I just found: http://www.cs.drexel.edu/~vp/VirtualFirewall/index.html
« Last Edit: February 11, 2008, 05:16:41 AM by arne »