Koozali.org: home of the SME Server

Learning exercise: splitting an SME into several elements working into a network

Arnaud
Hi,
As a learning target, I would like to try to achieve what an SME with some installed contribs does, but by taking the "conventional" way, using "normal" servers, routers, separating zones etc., and of course with at least the same quality and security.

The main functions could be:
- management of users and groups in only 1 place, incl. authentication via LDAP
- DHCP + management of the domains and hosts (DNS)
- file server incl. virus detection and access via NFS and/or Samba
- mail server incl. detection of viruses + spam, groupware
- web server with several webapps, LemonLDAP for SSO and security, WebDAV...
- OpenVPN server
- web filtering
- fail2ban
etc....
It is more or less what is done at a professional level by all enterprises > 100 employees (= when the size no longer permits solving it easily with an "all-in-1" solution like SME), so it should not be impossible.

All this network would be built in a virtual environment and be based on free systems (at this time I think about Debian, because of the available documentation, and pfSense).

I think that it is an excellent exercise to better understand network architectures and the settings of the different services that are often preset "ready to run" by SME: when I think about "how to do", in detail, this function or that one, I very quickly realize that I know... quite nothing!

How to proceed? The www is full of good and less good solutions, general explanations without concrete methods, drawings for all possible combinations to connect 3 to 10 machines together...
I would say:
0) be able to build the network into the hypervisor
1) get some "good" and "practical" documentation about network architectures
2) define the architecture
3) installation and configuration to achieve the "basics" (= what a fresh installed SME can do)
4) .......

At this time, I start with 1)
=> who can give me some info relating to documentation (in French, German or English), PDFs... about the network architecture for this target?
=> has somebody already played this kind of game? Successfully or less successfully? Is there some private documentation about it?
=> does somebody want to play the same game? :lol:

Bye
Arnaud

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Hi Arnaud,

I hope you will get some answers, but I would say you did not knock on the right door.
SME philosophy is KISS: keep it simple, stupid.

SME is based on Red Hat, Fedora, CentOS: rpm-based distros.

So by trying to complexify your architecture and using a non-rpm distro, I am not sure you will get a lot of answers here.

While there could be a need for more complex architectures, they are rarely needed for small and medium offices or home users.

The biggest pitfall would be to decrease security while thinking you are increasing it by separating each service onto different machines.

Arnaud
Hi,
I fully agree with you but... I don't have any other door to knock on (ixus doesn't exist any more...).
I only hope that one or the other guy with some experience with a split architecture could give me some "food" to start in the correct direction, avoiding redeveloping the wheel and making all possible mistakes.
In between I found "Cahiers de l'admin - Linux sécuriser un réseau", a quite good French document about securing the internal network, quite easy to read but at the same time very instructive (for me).

Bye
Arnaud

turandot
Well, should I spend a few words here?

I am using SME in Server Only mode. In conjunction with that, I am running a separate Linux-based firewall distro. This setup has historical reasons; nonetheless I think it is a reasonable approach.

Firewalls are exposed to the Internet, and due to that exposed to a lot of malign traffic. To minimize risks, I think it is a good idea to minimize the number of services running on the firewall. Services that are not running cannot be pwned. Service misconfigurations, e.g. by unintentionally making them available on the Internet, are less likely.

So what is essential for a firewall? From my perspective, everything around routing, dialup, VPN services, DynDNS etc. (I am also running DHCP, but if you intend to use Samba 4 with AD, this will probably be moved away from the router to the associated Samba 4 instance.) And it implies a non-virtualized system running on real hardware. The firewall could be based on OpenWRT, IPFire, IPCop, whatever you like.

Using this approach, "the network layer" is separated completely from "the services layer". In fact it adds a bit of required hardware and software, but I think it is affordable. SME in the Server Only role can manage all the rest of the stuff it is usually set up for. I would claim that this approach is a different flavor of KISS.

Keep in mind that this is purely my personal humble point of view. So other people might have a different opinion for good reasons.

Cheers, turandot
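The point above, that a firewall host should run only the services of its role and that anything else listening on a network-facing address is a misconfiguration risk, can be turned into a repeatable check. The script below is an added example and not code from this thread, SME Server or any firewall distro: it parses the output of `ss -tulpn` (here a constructed sample, with made-up process names, PIDs and addresses), classifies each listening socket by how widely it is bound (loopback, a LAN address, or every interface), and reports services that do not belong on the firewall host as well as role services bound on all interfaces that deserve a filter-rule review. The set of "firewall role" services is an assumption drawn from the list above (DHCP, VPN, dialup, DynDNS); adjust `FIREWALL_SERVICES` and `LAN_ADDRESSES` to your own host.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulpn` output for a hypothetical firewall host.
# Process names, PIDs and addresses are made up for this example.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:67          0.0.0.0:*         users:(("dhcpd",pid=412,fd=7))
udp   UNCONN 0      0      0.0.0.0:1194        0.0.0.0:*         users:(("openvpn",pid=530,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=301,fd=3))
tcp   LISTEN 0      128    192.168.1.1:53      0.0.0.0:*         users:(("unbound",pid=420,fd=6))
tcp   LISTEN 0      128    0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=801,fd=4))
tcp   LISTEN 0      128    127.0.0.1:25        0.0.0.0:*         users:(("master",pid=900,fd=13))
tcp   LISTEN 0      128    [::]:80             [::]:*            users:(("nginx",pid=950,fd=6))
"""

# Assumed policy: the only daemons that belong on the firewall host are those
# of its network role (DHCP, VPN, dialup, dynamic DNS). Hypothetical names.
FIREWALL_SERVICES = {"dhcpd", "openvpn", "pppd", "ddclient"}
# Assumed LAN-side address(es) of the firewall host.
LAN_ADDRESSES = {"192.168.1.1"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    proto: str
    port: int
    scope: str   # "all", "lan" or "other"
    action: str  # "relocate" or "review"


_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_ss(text):
    """Turn `ss -tulpn` text into Listener records; header and odd lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # rpartition keeps IPv6 colons in addr
        match = _PROC_RE.search(line)
        process = match.group(1) if match else "?"
        listeners.append(Listener(proto, addr.strip("[]"), int(port), process))
    return listeners


def bind_scope(addr, lan_addresses):
    """Classify how widely a socket is bound."""
    if addr == "::1" or addr.startswith("127."):
        return "loopback"
    if addr in ("0.0.0.0", "::", "*"):
        return "all"      # every interface, including the WAN side
    if addr in lan_addresses:
        return "lan"
    return "other"


def audit(ss_output, firewall_services=FIREWALL_SERVICES, lan_addresses=LAN_ADDRESSES):
    """Report listeners that are not part of the firewall role, plus role services
    bound on all interfaces (which need a filter rule to stay off the WAN side)."""
    findings = []
    for lst in parse_ss(ss_output):
        scope = bind_scope(lst.addr, lan_addresses)
        if scope == "loopback":
            continue  # not reachable from any network; nothing to report
        if lst.process not in firewall_services:
            findings.append(Finding(lst.process, lst.proto, lst.port, scope, "relocate"))
        elif scope == "all":
            findings.append(Finding(lst.process, lst.proto, lst.port, scope, "review"))
    return findings


def report(findings):
    """Human-readable lines, one per finding."""
    return [f"{f.action:8s} {f.process:10s} {f.proto}/{f.port:<5d} bound: {f.scope}"
            for f in findings]


if __name__ == "__main__":
    # On a real host: ss -tulpn | python3 this_script.py (read sys.stdin instead).
    for line in report(audit(SAMPLE_SS_OUTPUT)):
        print(line)
```

Against the constructed sample, `smbd`, `nginx`, `unbound` and `sshd` come back as "relocate" (they are services-layer daemons, or in the case of `sshd` at least need restricting to the LAN side), `dhcpd` and `openvpn` come back as "review" because they bind every interface, and the loopback-only mail listener is ignored. Running the same check on the SME host would produce the opposite picture, which is the separation turandot describes.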

Arnaud
Thanks for your reply Turandot.