Slashdot Mirror

← Back to Stories (view on slashdot.org)

Symantec Security Gateway vs. Custom Linux Box?

Posted by Cliff on from the which-way-would-you-go dept.

michaelr asks: "I run several email-based discussion lists. While only members of the lists are allowed to post, I've lately had problems with viruses as they often impersonate the members (or the members themselves are infected). I've identified two solutions: either build a Linux box running SMTP-based antivirus software, or purchase something like the Symantec Gateway Security which includes AV among lots of other things. The street price makes it a little more expensive that a Linux box + AV software, but it seems to be zero maintenance. The problem: the Symantec device is new, and before I place my trust in it, I'd like to know: has anyone had any experience with it, or should I just build the equivalent myself?"

22 comments

  1. Does it come wiith support contract or not? by Jump · · Score: 4, Insightful

    Personally I prefer to do things myself, but you can't do everything all time. So the real question is, if this box comes with support (and what quality that support has), rather the question if you can trust it now. Just like your home made solution, it will have bugs and will need patches/upgrades etc. If you have a channel to report problems to, and they fix it for a resonable subscription price, then go for it. You should also ask, for how long the support will be available (1 year, 10 years, ...).

  2. Something that works by Yonder+Way · · Score: 3, Informative

    I have had success setting up OpenBSD with Postfix and RAV.

    OpenBSD - Free operating system, similar to Linux if that's your primary exposure to UNIX-like environments. OpenBSD doesn't have all the bells and whistles of Linux, but on the flip side it doesn't have the baggage either. It is very well suited to setting up a secure server. The built in firewalling, IMHO, is one of the things that sets OpenBSD apart from all the others. It's a snap to firewall an OpenBSD server and there are plenty of example configs out there to get you started.

    Postfix - Sorry, Sendmail just gives me fits. I don't want to have to have a reference in front of me while configuring my MTA. I know enough about SMTP to make intelligent decisions if my options are put in front of me in English. Postfix does this. Not to mention it is free, it is fast, it is secure and it is a drop-in replacement for Sendmail.

    RAV - This is not free software, but it works very well with all of the software named above. RAV is an antivirus program that is called by Postfix. It's very fast, and very effective.

    Since you're running a mailing list server, you might want to do some creative de-miming to further increase the effectiveness of your efforts. Other than GPG signatures, most MIME is unwanted anyway.

    1. Re:Something that works by Anonymous Coward · · Score: 0

      Postfix, see the article about mozilla having everthing including the kitchen sink if you want to know what a lot of people think about postfix. Post = mail fix = needs worked on, therefore postfix is a mail server that always needs worked on.

  3. Clearly Symantec! by Anonymous Coward · · Score: 1, Funny

    You'll get 3 hours advance notice of worms like the SQL Slammer...

    1. Re:Clearly Symantec! by MikeBabcock · · Score: 1

      Its pretty sad still, isn't it?

      At any rate, I didn't have 3hr advance notification of the Slammer worm; it just didn't get in at all.

      Welcome to stateful firewalls by iptables and some good old E-mail filtering.

      qmail + qfilter + some good PERL programming + McAfee

      --
      - Michael T. Babcock (Yes, I blog)
  4. Re:EXTRA!! EXTRA!! TACO CONFESSES HE IS A NULLO by Anonymous Coward · · Score: 0

    Ok wtf is this crap doing on slashdot?

  5. Linux + AV by FroMan · · Score: 4, Interesting

    At one of my last jobs I used this setup:

    Linux + Sendmail + Amavis + Sophos

    Once I had it setup I could completely forget about it. Setting up the Amavis with sendmail was a trick, but I had a homebrew sendmail.cf file because of some complications with our mail setup. Once that was done, I signed up for sophos email alerts. From that mail I setup a script to be run when ever one of those mails came through to go out to sophos' website and get the update.

    All in all, we never got an email virus coming into our network after that through this box.

    --
    Norris/Palin 2012
    Fact: We deserve leaders who can kick your ass and field dress your carcass.
  6. Symantec (Raptor/Axent) Firewall != Linux by yabHuj · · Score: 3, Informative

    The Symantec firewall formerly was known as "Raptor Firewall" or "Axent Raptor Firewall". It is a hybrid firerwall with quite a number of transparent security proxies, whereas Linux machines "only" do stateful plus maybe (standard) proxies for only a limited number of protocols. For a class overview see http://wyae.de/secure_gateway/gateways.php

    In my experience the Raptor is(was) quite good and not really comparable to a custom linux machine or off-the-shelf linux firewall (e.g. Astaro) - though I like the latter, too. It's playing in a completely different (IMHO higher) class.

    The Raptor's SPs are among most stringent I know of - but can be a real pain to pass through for nearly-compatible stuff. The Notes SMTP gate was infamous for being rejected by Raptor because of RFC-noncompliance...

    Apropos "maintenance-free": no forewall is maintenance-free. Never. You'll always have to have a look at the logs, at unusual behavious, etc. The only difference here is wether you have to care about building software patches yourself or to have a company do that for you. But the load of necessary maintenance work still is to be done. If you ignore that, you'll pay the price, probably earlier than later...

    1. Re:Symantec (Raptor/Axent) Firewall != Linux by KagatoLNX · · Score: 4, Informative

      Having both firewalls in the same Enterprise, I have to say that I prefer the Linux one.

      Symantec's firewall tries to do too much, IMHO. Firstly, it tries to do a great deal of reporting to make management types happy. Typically, this is the reason it gets bought. Unfortunately, to get this reporting to work right in most enterprises, it is necessary to use the "login" page on the firewall (else you can't track by user, only machine). I have never been able to get it to automagically authenticate to the logged in Windows user, so I get complaints about logins ALL THE TIME! So, often you end up turning off the "transparent proxy" stuff.

      Related to the above is a bad idea you must nip in the bud. These batty salespeople will claim they can track how much time employees spend "browsing the web". These firewalls have "sophisticated algorithms" to do this. I've tested it. They are bogus and misleading. We had one guy that had the Weather Channel up all day (the page would refresh every 5 minutes). He showed almost constant browsing even though it was minimized (regrettably we had to prove this to the boss by spying with VNC). Another guy had a systray application installed that polled a website for news information. It showed him as browsing all day. We also had a guy that brought up a game web page and played Java games all day. He showed 5 minutes of browsing when he was playing nonstop for hours. It doesn't work. It doesn't even come close to working. It's a flawed method and your boss is only going to make a fool of himself with it.

      Secondly, Squid on Linux does a bang-up job of transparent proxying for HTTP. Seriously. Although I recommend running an opaque proxy (it handles some situations better). Transparent Proxying doesn't save so much work as you'd think.

      For anyone with really special needs, Dante makes an excellent SOCKS server (makes ICQ and the like work like a charm--especially when the CEO wants it to just *work*). Squidguard, Dan's Guardian, and the like make an excellent site (and content if necessary) filter. Also, being in the NLANR world cache hierarchy has saved me about 25% of my requests that would have gone directly to a destination.

      Thirdly, the Linux machine is much faster, gives better diagnostics, and doesn't require the same resources (in my experience).

      Linux has been a VERY good firewall for me. Armed with tools like Snort, Ethereal, and iptables I can generally do about anything.

      In the spirit of Slashdot overkill, I'll ramble about our sophisticated home-grown reporting database that blows Symantic Security Center in the weeds. We have a custom SQL database (PostgreSQL) the is fed by a Python script. That Python script associates sites browsed with users. We've used two options for this. Since most of our clients use Windows, we had to find some way to pick up the login names. At first, we used identd. Squid would hit this directly. The drawbacks were that it took time/resources for each request, the daemon could be killed in Win98 and such, and it didn't work outside the squid (although it could have with an iplogger that used ident, but we didn't feel like sucking this out of the syslog). Now, we have the Win2000 domain servers audit to their event log. Go to ntsyslog.sourceforge.net and get the eventlog to syslog logger (damn useful in its own right). Use your favorite syslog daemon (we like syslog-ng but the stock syslog is probably more reliable) to dump the audit data into a file (or a pipe). Now we have python cook the log (via file or pipe) and dump to the database to determine who was logged in to which machine when the request came through. Very slick, works for all protocols, nearly bulletproof. We're even experimenting with tracking machines going wierd (crashing or losing connectivity) by watching for logins without logouts.

      If you want something similar, we work at $70/hr. :)

      --
      I think Mauve has the most RAM. --PHB (Dilbert Comic)
  7. Sendmail + MailScanner + Sophos by bill_mcgonigle · · Score: 1

    Works very well

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  8. Stripmime! by Max+Hyre · · Score: 1

    I subscribe to a couple of lists that use Stripmime. Basically, it enforces plaintext-only semantics on list postings. All .exes vanish, it tries to convert HTML to text, and numerous other impediments to clear, straightforward, communication are deep-sixed. The license appears to be an Old-BSD model (w/advertising clause), and the author warns it's not so hot on foreign character sets.

    Nonetheless, it's certainly a major goodness in my eyes, and you needn't change anything else about your setup.

    The site also points to a program called Demime, which I'm unacquainted with.

    --
    I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
    1. Re:Stripmime! by AmbushBug · · Score: 1

      We also strip all executable attachements from all mail. Its the most effective way of dealing with e-mail bourne viruses. Even though it may sound kind of drastic, keep in mind that people don't generally need to be sending executable content via e-mail. In a business setting, you usually need to allow various Microsoft attachments but for discussion lists, binary attachments should not be necessary. Virus scanners are more trouble than they are worth since you have to keep them up-to-date and any new viruses will still get through until the AV vendor updates their scanner data.

  9. biased. by Anonymous Coward · · Score: 0

    I am biased but I personally do not trust anything that comes from symantec. haven't for a long time. At my last company I deployed 2 layers of virus protection with postfix+amavis. The mail hub(all inbound mail would come through here first) ran sophos antivirus, the mail leafs ran mcafee antivirus. And yes there were a very small selection of cases when mcafee caught something sophos could not(maybe less then 0.02%). I could never determine if sophos caught something that mcafee could not since when detected the message was immediately blocked. the mail leafs only recieved mail from local users, who, after initial deployment & detection of a few viruses on the internal network never sent out another virus again while I was there. Both Mcafee and Sophos, and others I'm sure have pricing for "server-only" configurations. Mcafee and sophos are kind enough to give you a bunch of different platforms. e.g. ~8 different variants of linux and unix instead of licensing it JUST for linux or JUST for solaris or JUST for freebsd. Sophos goes further last I checked when you license the server version I think they include ALL server OSs, whereas with mcafee my licensing agreement was for UNIX only. Though the more restricted license did reduce the cost quite a bit. And when I say UNIX i mean all UNIX and Linux variants they support.

    then I used MRTG to graph virus incidents.

  10. MailScanner + Sendmail by Anonymous Coward · · Score: 1, Informative

    You can use sendmail, MailScanner and the a/v software of your choice (this guy used the linux stand-alone client of mcaffee). Total cost, minus time to set it up, is the price of a stand-alone a/v scanner (under $40). A/v datafile updates can be scripted, so no effort is required from you. You can even plug in SpamAssassin and do some anti-spam stuff.

    Never underestimate the power of open source ;)

  11. TrendMicro by Gothmolly · · Score: 1

    Since they have the lion's share of the enterprise AV market, and make both Linux and Solaris SMTP scrubbing tools, go with them.

    --
    I want to delete my account but Slashdot doesn't allow it.
  12. Sendmail + Mimedefang + av scanning on the MX by janic · · Score: 1

    Hey.

    We have 1000 users on our GroupWise postoffice. We used to use a certain third-party tool (Guinevere) to do av scanning and attachment blocking.

    Well, when klez came along, that box would regularly bluescreen and just generally pee itself.

    Sooooooo,

    We redeployed a couple of old (266 mhz) machines as mail exchangers running sendmail and mimedefang. (http://www.roaringpenguin.com/mimedefang/) Works like a charm. MimeDefang is totaly configurable and integrates with sendmail via libmilter.

    On a slow day, we process about 1500 messages. On top of that, we block a couple hundred atachments based on file type, most of which are klez and variants.

    I am in the process of testing integration with mc'fee's uvscan. I can tell you it works great. We did, of course, throw a little bit more hardware at the problem (a pair of Dell Poweredge 350s) because it has been recognised as a "critical service" and besides, I _really_ don't feel comfortable trusing both my primary and secondary mail exchangers to a couple of aging ppros.

    John

  13. Postfix + amavis + clamav by Anonymous Coward · · Score: 0


    See subject. If you need a pointy-clicky GUI for managing messages that have been isolated because they contain a virus, then perhaps add Webmin w/ FileManager to the list. That gets you most of the way.

    The Symantec Gateway Security box is actually a Linux box itself but it is EXPENSIVE and not nearly as flexible as a 'homebrew' solution. And it is overkill for doing just mail filtering. I would only suggest the GS if you think that down the road you would like to do IDS, content filtering of web-traffic, etc etc and the people who will be maintaining your setup are not comfortable with Unix.

  14. Postfix + RAV + Spamcheckers + Regex by BigUX · · Score: 1

    nuff said! 6 domains, content filtering, anti-virus. Security, performance, reliability in a Celeron900 and 3Gb of filtered mail daily

    --
    __________________________________________________ ________ TUX Powered
  15. 4 words by Anonymous Coward · · Score: 0

    john hardin's procmail sanitizer

    www.impsec.org or something. Ok so its more than 4 words. shoot me.

  16. Run Linux and a real firewall at the same time... by dijit · · Score: 1
    Checkpoint's products run on Red Hat Linux as well as they have their own customized Linux distro which I must say is very easy and best of all, it's (the OS, not their software) free and open source!

    Check Point's Website

    // Chris