Koozali.org: home of the SME Server

Security in 'Server Only' mode

Offline Peasant

Security in 'Server Only' mode
« on: February 12, 2008, 10:51:26 AM »

I'm putting in SME for a client of mine, and initially we were looking at using a drop box for e-mail, and putting SME in server only mode behind a firewall. We are now considering using SMTP for e-mail, and punching a hole in the firewall at port 25 to get to SME. Would SME be secure in this situation?
Knowing that SME is designed to be a gateway, should we just go the whole hog, and set it in Server/gateway mode, turning their current router into an ADSL modem with no firewall? They have no need for a web server so would not want ports 80 or 443 open externally. I do have need for opening 4899 for remote administration though.

As usual, all comments much appreciated.

Cheers.

Jim

Offline imcintyre

Re: Security in 'Server Only' mode
« Reply #1 on: February 12, 2008, 12:28:34 PM »
I cannot give you "guaranteed to work" advice, because I don't know and you are the one getting paid.

I was reading this the other day, http://forums.contribs.org/index.php?topic=39387.0 The comments by Andy_Wizmer may be pertinent and give you something to search the forums.

Offline raem

Re: Security in 'Server Only' mode
« Reply #2 on: February 12, 2008, 10:28:03 PM »
Peasant

Quote
Would SME be secure in this situation?

Personal opinion/preference again will decide the answer.
In server only mode, the sme server MUST be protected by a firewall, and punching a hole in an existing firewall/router is an acceptable approach.
Using this "layout", results in two devices to control, and possibly complicates some setup depending what else you may want to do.

Going the "whole hog" as you describe it, and putting your server in server gateway mode and utilising the firewall in sme server will achieve the same end result, but put all administration settings within the server itself, ie creating one point of administration, and in my opinion lowering the administrative complexity.

As far as which method is more or less secure, as ports are effectively forwarded to services in either case, then there is no real security differences from that point of view.
I personally feel the sme server in server gateway mode which is kept regularly updated will be more secure in the long run, as the kernel gets updated, thus ensuring any potential kernel related security bugs are non events, as well as other access applications being updated too, e.g. ssh etc.
A hardware router may not ever be updated unless there are software/firmware upgrades released and you make the effort to do the upgrades too.

In either arrangement, i.e. server only + router versus server gateway + modem, the real security weakness will be in web applications, and having weak passwords and opening lots of services to the Internet, and allowing inappropriate access, e.g. ssh access via password instead of via public/private key and so on.

In server gateway mode, the Server manager has a good port forwarding & opening panel to allow you further control. You can also set any services to private access (rather than public) by simple db commands.
« Last Edit: February 12, 2008, 10:31:41 PM by RayMitchell »
...
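The "simple db commands" raem refers to, as an added example that is not code from this thread or from the SME Server project: a small POSIX sh script that applies the private-access and key-only sshd settings from the post above and audits a `config show sshd` listing for the exposures it names (public access, password logins, direct root login). It assumes SME Server 7.x, where `config` is an alias for `db configuration` and `signal-event remoteaccess-update` re-expands the sshd templates and restarts the service; the property names (`access`, `PasswordAuthentication`, `PermitRootLogin`) are the documented sshd ones for that release, so confirm them with `config show sshd` on your own box before relying on this. The listing format the audit parses (`key=value` lines, properties indented under `sshd=service`) is assumed from that command's output, and any sample listing you feed it is your own.

```shell
#!/bin/sh
# Added example for this thread; not code from SME Server or from any poster.
# Assumes SME Server 7.x: `config` is an alias for `db configuration`, and
# `signal-event remoteaccess-update` re-expands the sshd templates and
# restarts the service. Property names are the documented sshd ones for
# that release; confirm with `config show sshd` before relying on them.

# Run an SME command, or just print it when DRY_RUN is set or this is not
# an SME box, so the script can be reviewed on any machine first.
sme_cmd() {
    if [ -z "${DRY_RUN:-}" ] && command -v config >/dev/null 2>&1; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Make ssh LAN-only and key-only: the hardening raem suggests above.
harden_sshd() {
    # private = reachable from the local network only, not from the Internet
    sme_cmd config setprop sshd access private
    # keys instead of passwords; no direct root logins
    sme_cmd config setprop sshd PasswordAuthentication no
    sme_cmd config setprop sshd PermitRootLogin no
    # db changes do nothing until the templates are re-expanded
    sme_cmd signal-event remoteaccess-update
}

# Read `config show sshd` output on stdin (key=value lines, properties
# indented under the "sshd=service" header) and print one finding per
# setting that leaves ssh more exposed. Returns 1 if anything was flagged.
audit_sshd() {
    findings=0
    while IFS='=' read -r key value; do
        # strip the leading spaces the db listing puts in front of properties
        key=${key#"${key%%[! ]*}"}
        case "$key" in
            access)
                if [ "$value" = "public" ]; then
                    echo "access=public: sshd answers on the Internet side, not just the LAN"
                    findings=1
                fi ;;
            PasswordAuthentication)
                if [ "$value" = "yes" ]; then
                    echo "PasswordAuthentication=yes: open to password guessing, use public/private keys"
                    findings=1
                fi ;;
            PermitRootLogin)
                if [ "$value" = "yes" ]; then
                    echo "PermitRootLogin=yes: root is attackable directly, log in as a user and su"
                    findings=1
                fi ;;
        esac
    done
    return "$findings"
}

# Typical use on the server itself:
#   config show sshd | audit_sshd && echo "sshd looks hardened"
#   harden_sshd
#   config show sshd | audit_sshd
```

Run it with `DRY_RUN=1` first to see the exact `config`/`signal-event` commands it would issue, and keep a console or the VPN path open when you flip `access` to `private`, because your current remote ssh session is on the side that is about to be closed.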

Offline Peasant

Re: Security in 'Server Only' mode
« Reply #3 on: February 12, 2008, 11:15:00 PM »
Quote
As far as which method is more or less secure, as ports are effectively forwarded to services in either case, then there is no real security differences from that point of view.
I personally feel the sme server in server gateway mode which is kept regularly updated will be more secure in the long run, as the kernel gets updated, thus ensuring any potential kernel related security bugs are non events, as well as other access applications being updated too, e.g. ssh etc.
A hardware router may not ever be updated unless there are software/firmware upgrades released and you make the effort to do the upgrades too.

Thanks, that is pretty much what I thought, but wanted to be sure.

Quote
I cannot give you "guaranteed to work" advice, because I don't know and you are the one getting paid.

 :) Fair enough, and thanks for the pointer. To try and help out a bit I've donated $100 just a few minutes ago, and will follow it up with another $100 when this system is in and working. I've been hoping to get more involved for a number of months now, but have not had the time.

Cheers and keep up the good work.
Jim

Offline arne

Re: Security in 'Server Only' mode
« Reply #4 on: February 14, 2008, 12:09:50 AM »
Yes and yes for both alternatives. Those are the two alternatives that have been used up through the years from the early start. Some believe that the one is the better, and some have more belief in the other alternative, but they both work quite well.

When it comes to other alternative solutions like 3-port firewalls, virtual firewalls etc., things are more untested, and nobody really knows.
......