Symantec Security Gateway vs. Custom Linux Box?
michaelr asks: "I run several email-based discussion lists. While only members of the lists are allowed to post, I've lately had problems with viruses as they often impersonate the members (or the members themselves are infected). I've identified two solutions: either build a Linux box running SMTP-based antivirus software, or purchase something like the Symantec Gateway Security which includes AV among lots of other things. The street price makes it a little more expensive than a Linux box + AV software, but it seems to be zero maintenance. The problem: the Symantec device is new, and before I place my trust in it, I'd like to know: has anyone had any experience with it, or should I just build the equivalent myself?"
Does it come with support contract or not? (Score:4, Insightful)
Something that works (Score:3, Informative)
OpenBSD - Free operating system, similar to Linux if that's your primary exposure to UNIX-like environments. OpenBSD doesn't have all the bells and whistles of Linux, but on the flip side it doesn't have the baggage either. It is very well suited to setting up a secure server. The built-in firewalling, IMHO, is one of the things that sets OpenBSD apart from all the others. It's a snap to firewall an OpenBSD server and there are plenty of example configs out there to get you started.
Postfix - Sorry, Sendmail just gives me fits. I don't want to have to have a reference in front of me while configuring my MTA. I know enough about SMTP to make intelligent decisions if my options are put in front of me in English. Postfix does this. Not to mention it is free, it is fast, it is secure and it is a drop-in replacement for Sendmail.
RAV - This is not free software, but it works very well with all of the software named above. RAV is an antivirus program that is called by Postfix. It's very fast, and very effective.
Since you're running a mailing list server, you might want to do some creative de-miming to further increase the effectiveness of your efforts. Other than GPG signatures, most MIME is unwanted anyway.
Clearly Symantec! (Score:1, Funny)
Re:Clearly Symantec! (Score:2)
At any rate, I didn't have 3hr advance notification of the Slammer worm; it just didn't get in at all.
Welcome to stateful firewalls by iptables and some good old E-mail filtering.
qmail + qfilter + some good PERL programming + McAfee
Linux + AV (Score:5, Interesting)
Linux + Sendmail + Amavis + Sophos
Once I had it set up I could completely forget about it. Setting up Amavis with sendmail was a trick, but I had a homebrew sendmail.cf file because of some complications with our mail setup. Once that was done, I signed up for Sophos email alerts. From that mail I set up a script to be run whenever one of those mails came through to go out to Sophos' website and get the update.
All in all, we never got an email virus coming into our network after that through this box.
Symantec (Raptor/Axent) Firewall != Linux (Score:3, Informative)
In my experience the Raptor is(was) quite good and not really comparable to a custom linux machine or off-the-shelf linux firewall (e.g. Astaro [astaro.com]) - though I like the latter, too. It's playing in a completely different (IMHO higher) class.
The Raptor's SPs are among the most stringent I know of - but can be a real pain to pass through for nearly-compatible stuff. The Notes SMTP gate was infamous for being rejected by Raptor because of RFC-noncompliance...
Apropos "maintenance-free": no firewall is maintenance-free. Never. You'll always have to have a look at the logs, at unusual behaviours, etc. The only difference here is whether you have to care about building software patches yourself or to have a company do that for you. But the load of necessary maintenance work still is to be done. If you ignore that, you'll pay the price, probably earlier than later...
Re:Symantec (Raptor/Axent) Firewall != Linux (Score:5, Informative)
Symantec's firewall tries to do too much, IMHO. Firstly, it tries to do a great deal of reporting to make management types happy. Typically, this is the reason it gets bought. Unfortunately, to get this reporting to work right in most enterprises, it is necessary to use the "login" page on the firewall (else you can't track by user, only machine). I have never been able to get it to automagically authenticate to the logged in Windows user, so I get complaints about logins ALL THE TIME! So, often you end up turning off the "transparent proxy" stuff.
Related to the above is a bad idea you must nip in the bud. These batty salespeople will claim they can track how much time employees spend "browsing the web". These firewalls have "sophisticated algorithms" to do this. I've tested it. They are bogus and misleading. We had one guy that had the Weather Channel up all day (the page would refresh every 5 minutes). He showed almost constant browsing even though it was minimized (regrettably we had to prove this to the boss by spying with VNC). Another guy had a systray application installed that polled a website for news information. It showed him as browsing all day. We also had a guy that brought up a game web page and played Java games all day. He showed 5 minutes of browsing when he was playing nonstop for hours. It doesn't work. It doesn't even come close to working. It's a flawed method and your boss is only going to make a fool of himself with it.
Secondly, Squid on Linux does a bang-up job of transparent proxying for HTTP. Seriously. Although I recommend running an opaque proxy (it handles some situations better). Transparent Proxying doesn't save so much work as you'd think.
For anyone with really special needs, Dante makes an excellent SOCKS server (makes ICQ and the like work like a charm--especially when the CEO wants it to just *work*). Squidguard, Dan's Guardian, and the like make an excellent site (and content if necessary) filter. Also, being in the NLANR world cache hierarchy has saved me about 25% of my requests that would have gone directly to a destination.
Thirdly, the Linux machine is much faster, gives better diagnostics, and doesn't require the same resources (in my experience).
Linux has been a VERY good firewall for me. Armed with tools like Snort, Ethereal, and iptables I can generally do about anything.
In the spirit of Slashdot overkill, I'll ramble about our sophisticated home-grown reporting database that blows Symantec Security Center in the weeds. We have a custom SQL database (PostgreSQL) that is fed by a Python script. That Python script associates sites browsed with users. We've used two options for this. Since most of our clients use Windows, we had to find some way to pick up the login names. At first, we used identd. Squid would hit this directly. The drawbacks were that it took time/resources for each request, the daemon could be killed in Win98 and such, and it didn't work outside the squid (although it could have with an iplogger that used ident, but we didn't feel like sucking this out of the syslog). Now, we have the Win2000 domain servers audit to their event log. Go to ntsyslog.sourceforge.net and get the eventlog to syslog logger (damn useful in its own right). Use your favorite syslog daemon (we like syslog-ng but the stock syslog is probably more reliable) to dump the audit data into a file (or a pipe). Now we have Python cook the log (via file or pipe) and dump to the database to determine who was logged in to which machine when the request came through. Very slick, works for all protocols, nearly bulletproof. We're even experimenting with tracking machines going weird (crashing or losing connectivity) by watching for logins without logouts.
If you want something similar, we work at $70/hr.
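The join the post above describes, with domain-controller logon/logoff audit events (forwarded over syslog) matched against Squid's native access.log to put a user name on each proxy request, as an added Python example. This is not the poster's script nor code from ntsyslog, syslog-ng or Squid: the workstation-to-IP table, the simplified audit feed format, and the log lines are all constructed for the example, and a real ntsyslog feed is more verbose and would need its own line parser.

```python
"""Attribute Squid requests to Windows users by joining the proxy access log
with logon/logoff events (constructed example, not the poster's code)."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed: workstation name -> IP address, as DHCP reservations or DNS might give.
# Event-log logon records name the workstation, so this table is what links them to proxy clients.
HOSTS = {"WS17": "10.0.0.17", "WS22": "10.0.0.22"}

# Constructed, simplified audit feed: what a DC's logon/logoff audit events, once forwarded
# over syslog, might be reduced to. Format: timestamp event user workstation.
AUDIT_LINES = """\
2003-01-25T08:00:00Z LOGON alice WS17
2003-01-25T08:05:00Z LOGON bob WS22
2003-01-25T12:00:00Z LOGOFF alice WS17
2003-01-25T12:30:00Z LOGON carol WS17
""".splitlines()

# Constructed Squid native access.log lines:
# epoch elapsed client status/code bytes method url ident hierarchy/peer type
SQUID_LINES = """\
1043481900.000 152 10.0.0.17 TCP_MISS/200 5120 GET http://www.weather.com/ - DIRECT/1.2.3.4 text/html
1043482200.000  40 10.0.0.22 TCP_HIT/200 2048 GET http://news.example.net/headlines - NONE/- text/html
1043498700.000  90 10.0.0.17 TCP_MISS/200 8000 GET http://games.example.org/play - DIRECT/5.6.7.8 text/html
1043496600.000  10 10.0.0.99 TCP_MISS/404 300 GET http://unknown.example/ - DIRECT/9.9.9.9 text/html
""".splitlines()


def parse_audit(lines):
    """Build logon sessions per client IP: {ip: [[start_epoch, end_epoch_or_None, user, host], ...]}."""
    sessions = defaultdict(list)
    for line in lines:
        stamp, event, user, host = line.split()
        t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        ip = HOSTS.get(host)
        if ip is None:
            continue  # unknown workstation: nothing to join against
        if event == "LOGON":
            sessions[ip].append([t, None, user, host])
        elif event == "LOGOFF":
            # close the most recent still-open session of this user on this host
            for sess in reversed(sessions[ip]):
                if sess[2] == user and sess[1] is None:
                    sess[1] = t
                    break
    return sessions


def parse_squid_line(line):
    """Return (epoch, client_ip, url) from a Squid native-format access.log line."""
    fields = line.split()
    return float(fields[0]), fields[2], fields[6]


def lookup_user(sessions, ip, t):
    """Find the user whose logon session on this IP covers time t; None if nobody was logged in."""
    for start, end, user, host in sessions.get(ip, []):
        if start <= t and (end is None or t < end):
            return user, host
    return None, None


def attribute(squid_lines, sessions):
    """Tag each request with (user, client_ip, site); user is None when no session matches."""
    rows = []
    for line in squid_lines:
        t, ip, url = parse_squid_line(line)
        user, _host = lookup_user(sessions, ip, t)
        rows.append((user, ip, urlsplit(url).hostname))
    return rows


def logons_without_logoff(sessions):
    """Sessions never closed: the poster's heuristic for machines that crashed or dropped off."""
    return sorted((user, host) for sess in sessions.values() for _, end, user, host in sess if end is None)


if __name__ == "__main__":
    sessions = parse_audit(AUDIT_LINES)
    for row in attribute(SQUID_LINES, sessions):
        print(row)
    print("open sessions:", logons_without_logoff(sessions))
```

The join answers "who was logged in on the machine that made this request"; it says nothing about whether anyone was looking at the page, which is exactly the gap the post's Weather Channel and systray examples expose, so per-request counts should be reported as requests, not as time spent browsing.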
Sendmail + MailScanner + Sophos (Score:2)
Stripmime! (Score:2)
I subscribe to a couple of lists that use Stripmime [phred.org]. Basically, it enforces plaintext-only semantics on list postings. All .exes vanish, it tries to convert HTML to text, and numerous other impediments to clear, straightforward communication are deep-sixed. The license appears to be an Old-BSD model (w/advertising clause), and the author warns it's not so hot on foreign character sets.
Nonetheless, it's certainly a major goodness in my eyes, and you needn't change anything else about your setup.
The site also points to a program called Demime [squawk.com], which I'm unacquainted with.
Re:Stripmime! (Score:1)
MailScanner + Sendmail (Score:1, Informative)
Never underestimate the power of open source
TrendMicro (Score:2)
Sendmail + Mimedefang + av scanning on the MX (Score:1)
We have 1000 users on our GroupWise postoffice. We used to use a certain third-party tool (Guinevere) to do av scanning and attachment blocking.
Well, when klez came along, that box would regularly bluescreen and just generally pee itself.
Sooooooo,
We redeployed a couple of old (266 MHz) machines as mail exchangers running sendmail and MIMEDefang. (http://www.roaringpenguin.com/mimedefang/) Works like a charm. MIMEDefang is totally configurable and integrates with sendmail via libmilter.
On a slow day, we process about 1500 messages. On top of that, we block a couple hundred attachments based on file type, most of which are Klez and variants.
I am in the process of testing integration with McAfee's uvscan. I can tell you it works great. We did, of course, throw a little bit more hardware at the problem (a pair of Dell PowerEdge 350s) because it has been recognised as a "critical service" and besides, I _really_ don't feel comfortable trusting both my primary and secondary mail exchangers to a couple of aging PPros.
John
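The list-posting MIME policy that several posts describe (the "creative de-miming" in the OpenBSD/Postfix post, Stripmime's plaintext-only rule where executables vanish and HTML is converted to text, and MIMEDefang's blocking of attachments by file type), as one added Python example serving all three. It is not code from Stripmime, MIMEDefang, or any poster; the blocked-extension and blocked-type lists, the sample messages, and the two policy choices (pass a multipart/signed post through untouched so its detached signature still verifies, and reject a post left with no text at all) are assumptions made for the example.

```python
"""Plaintext-only policy for list postings (constructed example, not Stripmime or MIMEDefang code):
drop executable attachments, turn an HTML body into text, leave signed posts alone,
and reject a message that has nothing deliverable left."""
import html
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed policy lists; a real deployment tunes these to its own users.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def html_to_text(markup):
    """Minimal HTML-to-text: drop scripts/styles, keep paragraph breaks, strip tags, unescape entities."""
    text = re.sub(r"(?is)<(script|style).*?</\1>", "", markup)
    text = re.sub(r"(?i)<br\s*/?>|</p>", "\n", text)
    text = re.sub(r"<[^>]+>", "", text)
    return html.unescape(text).strip()


def apply_policy(raw):
    """Return (action, message_or_None, report); action is 'deliver' or 'reject'."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"dropped": [], "converted": 0}
    if msg.get_content_type() == "multipart/signed":
        # A detached signature covers the exact bytes of the signed part; rewriting them
        # would break verification, so signed posts pass through whole (assumed policy).
        return "deliver", msg, report
    texts = []
    body_part = msg.get_body(preferencelist=("plain", "html"))  # prefer the plain rendering
    if body_part is not None:
        content = body_part.get_content()
        if body_part.get_content_type() == "text/html":
            content = html_to_text(content)
            report["converted"] += 1
        texts.append(content.strip())
    for part in msg.walk():
        if part.is_multipart() or part is body_part:
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""  # last extension wins: report.txt.exe -> .exe
        if ext in BLOCKED_EXTENSIONS or ctype in BLOCKED_TYPES:
            report["dropped"].append(name or ctype)
        elif ctype in ("text/plain", "text/html") and not name:
            continue  # another inline rendering of the body already taken above
        else:
            report["dropped"].append(name or ctype)  # plaintext-only list: every other part goes
    body = "\n\n".join(t for t in texts if t)
    if not body:
        return "reject", None, report  # nothing but stripped parts: do not distribute an empty post
    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if header in msg:
            out[header] = msg[header]
    out.set_content(body)
    return "deliver", out, report


def build_sample(subject, text=None, html_body=None, attachment=None):
    """Construct a sample posting; attachment is (filename, mimetype, bytes)."""
    m = EmailMessage()
    m["From"] = "member@example.org"
    m["To"] = "list@example.org"
    m["Subject"] = subject
    if text is not None:
        m.set_content(text)
    if html_body is not None:
        if text is None:
            m.set_content(html_body, subtype="html")
        else:
            m.add_alternative(html_body, subtype="html")
    if attachment is not None:
        name, mime, data = attachment
        maintype, subtype = mime.split("/")
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m.as_string()


# Constructed samples: a worm-style post, a clean one, a bare executable, a plain+HTML pair, a signed post.
WORM = build_sample("Re: meeting", html_body="<html><body><p>Hi all,</p><p>see attached &amp; run it</p></body></html>",
                    attachment=("invite.pif", "application/octet-stream", b"MZ\x90\x00"))
CLEAN = build_sample("Plain post", text="Just text.")
EXE_ONLY = build_sample("Invoice", attachment=("invoice.exe", "application/x-msdownload", b"MZ\x90\x00"))
MIXED = build_sample("Newsletter", text="Plain version", html_body="<b>Rich</b> version")
SIGNED_RAW = """\
From: member@example.org
To: list@example.org
Subject: signed note
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg=pgp-sha256; boundary="sig"

--sig
Content-Type: text/plain; charset="utf-8"

Signed body.
--sig
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
--sig--
"""

if __name__ == "__main__":
    for label, raw in [("worm", WORM), ("clean", CLEAN), ("exe only", EXE_ONLY), ("mixed", MIXED), ("signed", SIGNED_RAW)]:
        action, _out, report = apply_policy(raw)
        print(f"{label}: {action} {report}")
```

Hooked into an MTA this would sit behind a milter or Postfix content filter rather than run stand-alone. Note the trade-off in the signed-message rule: a multipart/signed post is forwarded whole, so nothing inside it is stripped, which is why the posts that scan with an AV engine on the MX still want that scan to run before or after a policy like this one.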
Postfix + RAV + Spamcheckers + Regex (Score:1)
Run Linux and a real firewall at the same time... (Score:1)
Check Point's Website [checkpoint.com]