Is ClearOS's Firewall Sufficient? 3 Years, 5 Months ago
Hi,
I've been using CC 4.x series at home and at school for over a year and I am quite happy with it. (I'll be switching to ClearOS 5.x soon.)
A friend of mine is directing a small NGO and they want to set up a file/VPN server for their office. I recommended ClearOS to them, and so far they liked its features. However, they and I aren't sure whether the firewall function of COS is sufficient to provide security. (The information that they'll keep on the server may be somewhat sensitive/important.)
The company that is going to sell the server hardware offered three different firewall appliance options with varying prices between 600 and 1200 euros + 2 year updates (with additional payment of course). Money is an issue, I must say, but if the firewall appliance really makes a difference they are willing to pay such a sum. However, if COS is sufficient they'd like to use that money for a better cause.
Could you please tell me what I should tell them regarding COS's firewall?
Thank you.
Re:Is ClearOS's Firewall Sufficient? 3 Years, 5 Months ago
I can only speak from my experiences.
COS uses the IPTABLES function that all Linuxes (and most hardware appliances) use, and for all but the most specific of needs it is absolutely bulletproof.
The only thing some of these hardware appliances offer more than COS would be some levels of reporting, I guess....
Personally I have used SME Server, COS and IPCop (my favourite) as firewalls and never had an intrusion that I am aware of.
I would tell them to stick with the Firewall in COS and use the $$ they save on something else useful in the Org.
Just my Humble Opinion
Kev
Re:Is ClearOS's Firewall Sufficient? 3 Years, 5 Months ago
Thank you.
What would you think about running VMware ESXi on the server hardware and COS and IPCop as virtual appliances, where IPCop handles the firewall and COS handles the rest? Would it make any positive difference? (BTW, hardware will be an HP ProLiant ML110 with a single 2.4 GHz quad-core processor and 4 GB RAM.)
Re:Is ClearOS's Firewall Sufficient? 3 Years, 5 Months ago
IMHO ClearOS firewall is more than sufficient! Don't forget that on top of the solid iptables firewall there is a dynamic intrusion detection and prevention system that will block suspicious intruders.
You need to consider what security you actually want... Is this device going to be the gateway as well as host important files? It is not as secure to host a file server with sensitive information in this way... You should at least consider hosting it behind your gateway device.
You also need to consider support for VPN etc... IMHO ClearOS does very well at doing both gateway and standalone server types, but of course at the end of the day it will come down to flexibility to do what you want. Possible questions are: What outbound control do you need? What inbound services will you need? Will there be any complex routing? Or simple plain NAT? Who's going to manage the firewall server?
Regarding VMware, I know of a few people who run ClearOS in this way... IMHO it would make no positive difference, but it comes down to flexibility and reporting required etc...
Re:Is ClearOS's Firewall Sufficient? 3 Years, 5 Months ago
Tim is right
Should not be a big deal in VM - the only thing that hangs some people up is the "virtual NOC cards" if you are dealing with multiple subnets or a DMZ - but there is a LOT of documentation on that from the VMware side.
Re:Is ClearOS's Firewall Sufficient? 3 Years, 5 Months ago
Check my profile. I've been using ClarkConnect/ClearOS since 2001.
So it is sufficient for me, otherwise I would have dropped it long ago.
As important advice: keep your software up to date.
Specific for CMS webpackages you should add, whatever you choose.
Likely you would have intrusions there. Security is not only having a good firewall.
Security means good maintenance.
Geert
Re:Is ClearOS's Firewall Sufficient? 3 Years, 5 Months ago
I have been using CC and now COS for a number of years and found the firewall intrusion detection very good. Prior to implementing a CC system v3.? I was regularly getting hits on the software firewall on the Windows machine I need to run.
As I was running ZoneAlarm in total stealth mode at this time, it was not unusual to record portscans of 100+, which in some instances required a modem reboot to restore connectivity. Once I added a VoIP service and needed to get a fixed IP address for ease of configuration, I found ClarkConnect, as reboots were no longer an option.
After setting up a CC box, the external hits on the Windows software firewall stopped and I would have a number of IP addresses blocked in Snort intrusion detection prevention. I have since upgraded my ADSL modem, which now incorporates a basic firewall with NAT which I am unable to turn off, and I now have no regular blocked IP addresses in the intrusion prevention system.
With this setup I am not aware of any significant breach of my small network.
I do not claim to be an expert, but with my current setup I believe I have a very secure system. This is confirmed in principle when I discuss this configuration with networking experts I meet at times through my work. The main comment I get is that the use of two different systems with different approaches to the same (security) requirement creates a high level of security without a high level of knowledge in networking and firewall configuration.