
[cobalt-users] Re: RAQ3 Behind firewall?



In cobalt-users digest, Vol 1 #763, "Scott Baynes" wrote:
<snip>I'm the proud new owner of a RAQ3 and have seen a few posts about bind
attacks and other hacks of these units.  Are most of the users out there
putting these behind firewalls?  I realize this may depend on how you are
selling your services (if you are a hosting company) or if you have
backends, and depends on the services being enabled, etc.  But in general,
do you feel these devices are secure and Cobalt releases updates in a timely
manner?  I'm planning on using HTTP, FTP and email services (DNS elsewhere).

We're using a NASRaq for file services, and have an SGI box for web, mail and internal DNS, but this will still apply for users with a RaqX box running internet services.

You should definitely consider a firewall if you've connected anything to the internet. Not only if you're offering services on a cobalt box, but also if you have only client machines on your LAN.

While it is possible to tighten up security on the Raq to a very high standard, new security holes and exploits are discovered all the time, which will have to be patched as you go. Keeping the Cobalt "locked up tight" requires considerably more time, expertise and dedication to security than the "anyone can set up this in 15 minutes" sales pitch indicates.

A firewall will enable you to gain more control over which services should be offered freely, offered to a restricted range of IP addresses or blocked altogether. For instance, I block incoming telnet and ftp services, except for a given range of ports, completely block access to port 8 (ping, traceroute, etc), while making mail and web services available to all. The admin server for the web server is also blocked, with access only to a limited IP range.

You will still have to be diligent and patch up the cobalt for the services you want to offer - the MySQL password blooper is a prime example of that.

As for what firewall to use, I'd go with a "network appliance" style box, such as the Watchguard Firebox, Cisco PIX or Sonic SonicWall - I don't trust the "firewall on top of NT" stuff, and I'm sceptical of the DIY linux kind...

I know too little of the PIX to really say Yea or Nay, but it's fairly straightforward to set up the basic stuff. If you need to dig in the IOP, I'd look for another product, though.

The SonicWall is the cheapest of the lot, very straightforward to setup, but a bit limited in what you can do.

I know the Firebox well, and I find this to be a very good product. It requires a windows box on the back side to do configuration and logging (although a limited logging facility is available for syslog on *nix). Note that I'm speaking of the Firebox, not the SOHO box. Branch office VPN and PPTP VPN are included. Be sure to subscribe to the LiveSecurity updates.

Watchguard can be found on <http://www.watchguard.com/>, Cisco at <http://www.cisco.com/>, and Sonic at <http://www.sonicsys.com/>

Whatever kind of firewall you get, spring for one with a DMZ and NAT (DMZ - a separate network interface for public servers, NAT - Network Address Translation; hiding the internal network completely from the outside). If you colocate your public servers and want a firewall for the office, you don't need a DMZ, though.

Kind regards

Johan-Kr

--
Johan-Kristian Wold, M.Sc.     |
Computer systems administrator | Recursive: Adj. See recursive.
Nor-Trykk Narvik AS            |
jkwold@xxxxxxxxxxx             |                            SAM007HM02
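The policy described in the post above (web and mail open to everyone, telnet, FTP and the admin server limited to a trusted range, ping dropped, everything else denied) written out as an added iptables script for a Linux box in front of the server; this is not the poster's own configuration, and the poster recommends appliance firewalls rather than a DIY Linux one. The interface name, server address, management range and admin-server port are assumed placeholders, not values from the post.

```sh
#!/bin/sh
# Added example, not from the original post: a default-deny forwarding
# policy for a Linux firewall in front of a public server, modelled on the
# policy described in the post. All addresses, ports and interface names
# are assumed placeholders (RFC 5737 test ranges), not values from the post.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # assumed: interface facing the internet
SERVER="${SERVER:-192.0.2.10}"           # assumed: the public server's address
MGMT_NET="${MGMT_NET:-198.51.100.0/24}"  # assumed: trusted administration range
ADMIN_PORT="${ADMIN_PORT:-8081}"         # assumed: placeholder admin-server port
IPT="${IPT:-iptables}"                   # IPT="echo iptables" gives a dry run

fw_rules() {
    # Default deny: anything not explicitly accepted below is dropped.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    # Established sessions and related traffic (e.g. FTP data connections,
    # which need the kernel's FTP connection-tracking helper loaded).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Web and mail are offered to everyone.
    for port in 80 25; do
        $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$SERVER" --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
    # Telnet, FTP control and the admin server: management range only.
    for port in 23 21 "$ADMIN_PORT"; do
        $IPT -A FORWARD -i "$WAN_IF" -p tcp -s "$MGMT_NET" -d "$SERVER" \
             --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Drop ICMP echo requests (ping) from outside.
    $IPT -A FORWARD -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
    # Log (rate-limited) what falls through to the default DROP policy.
    $IPT -A FORWARD -i "$WAN_IF" -m limit --limit 5/min \
         -j LOG --log-prefix "FW-DROP: "
}

# "show" prints the commands without touching the kernel; "apply" runs them.
case "${1:-}" in
    show)  IPT="echo iptables"; fw_rules ;;
    apply) fw_rules ;;
esac
```

Run `sh fw.sh show` first to review the generated commands, then `sh fw.sh apply` as root on the firewall host.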