Symantec Security Gateway vs. Custom Linux Box?

michaelr asks: "I run several email-based discussion lists. While only members of the lists are allowed to post, I've lately had problems with viruses as they often impersonate the members (or the members themselves are infected). I've identified two solutions: either build a Linux box running SMTP-based antivirus software, or purchase something like the Symantec Gateway Security which includes AV among lots of other things. The street price makes it a little more expensive that a Linux box + AV software, but it seems to be zero maintenance. The problem: the Symantec device is new, and before I place my trust in it, I'd like to know: has anyone had any experience with it, or should I just build the equivalent myself?"

Something that works

[Yonder+Way]

I have had success setting up OpenBSD with Postfix and RAV.

OpenBSD - Free operating system, similar to Linux if that's your primary exposure to UNIX-like environments. OpenBSD doesn't have all the bells and whistles of Linux, but on the flip side it doesn't have the baggage either. It is very well suited to setting up a secure server. The built in firewalling, IMHO, is one of the things that sets OpenBSD apart from all the others. It's a snap to firewall an OpenBSD server and there are plenty of example configs out there to get you started.

Postfix - Sorry, Sendmail just gives me fits. I don't want to have to have a reference in front of me while configuring my MTA. I know enough about SMTP to make intelligent decisions if my options are put in front of me in English. Postfix does this. Not to mention it is free, it is fast, it is secure and it is a drop-in replacement for Sendmail.

RAV - This is not free software, but it works very well with all of the software named above. RAV is an antivirus program that is called by Postfix. It's very fast, and very effective.

Since you're running a mailing list server, you might want to do some creative de-miming to further increase the effectiveness of your efforts. Other than GPG signatures, most MIME is unwanted anyway.

Symantec (Raptor/Axent) Firewall != Linux

[yabHuj]

The Symantec firewall formerly was known as "Raptor Firewall" or "Axent Raptor Firewall". It is a hybrid firerwall with quite a number of transparent security proxies, whereas Linux machines "only" do stateful plus maybe (standard) proxies for only a limited number of protocols. For a class overview see http://wyae.de/secure_gateway/gateways.php

In my experience the Raptor is(was) quite good and not really comparable to a custom linux machine or off-the-shelf linux firewall (e.g. Astaro) - though I like the latter, too. It's playing in a completely different (IMHO higher) class.

The Raptor's SPs are among most stringent I know of - but can be a real pain to pass through for nearly-compatible stuff. The Notes SMTP gate was infamous for being rejected by Raptor because of RFC-noncompliance...

Apropos "maintenance-free": no forewall is maintenance-free. Never. You'll always have to have a look at the logs, at unusual behavious, etc. The only difference here is wether you have to care about building software patches yourself or to have a company do that for you. But the load of necessary maintenance work still is to be done. If you ignore that, you'll pay the price, probably earlier than later...

Re:Symantec (Raptor/Axent) Firewall != Linux

[KagatoLNX]

Having both firewalls in the same Enterprise, I have to say that I prefer the Linux one.

Symantec's firewall tries to do too much, IMHO. Firstly, it tries to do a great deal of reporting to make management types happy. Typically, this is the reason it gets bought. Unfortunately, to get this reporting to work right in most enterprises, it is necessary to use the "login" page on the firewall (else you can't track by user, only machine). I have never been able to get it to automagically authenticate to the logged in Windows user, so I get complaints about logins ALL THE TIME! So, often you end up turning off the "transparent proxy" stuff.

Related to the above is a bad idea you must nip in the bud. These batty salespeople will claim they can track how much time employees spend "browsing the web". These firewalls have "sophisticated algorithms" to do this. I've tested it. They are bogus and misleading. We had one guy that had the Weather Channel up all day (the page would refresh every 5 minutes). He showed almost constant browsing even though it was minimized (regrettably we had to prove this to the boss by spying with VNC). Another guy had a systray application installed that polled a website for news information. It showed him as browsing all day. We also had a guy that brought up a game web page and played Java games all day. He showed 5 minutes of browsing when he was playing nonstop for hours. It doesn't work. It doesn't even come close to working. It's a flawed method and your boss is only going to make a fool of himself with it.

Secondly, Squid on Linux does a bang-up job of transparent proxying for HTTP. Seriously. Although I recommend running an opaque proxy (it handles some situations better). Transparent Proxying doesn't save so much work as you'd think.

For anyone with really special needs, Dante makes an excellent SOCKS server (makes ICQ and the like work like a charm--especially when the CEO wants it to just *work*). Squidguard, Dan's Guardian, and the like make an excellent site (and content if necessary) filter. Also, being in the NLANR world cache hierarchy has saved me about 25% of my requests that would have gone directly to a destination.

Thirdly, the Linux machine is much faster, gives better diagnostics, and doesn't require the same resources (in my experience).

Linux has been a VERY good firewall for me. Armed with tools like Snort, Ethereal, and iptables I can generally do about anything.

In the spirit of Slashdot overkill, I'll ramble about our sophisticated home-grown reporting database that blows Symantic Security Center in the weeds. We have a custom SQL database (PostgreSQL) the is fed by a Python script. That Python script associates sites browsed with users. We've used two options for this. Since most of our clients use Windows, we had to find some way to pick up the login names. At first, we used identd. Squid would hit this directly. The drawbacks were that it took time/resources for each request, the daemon could be killed in Win98 and such, and it didn't work outside the squid (although it could have with an iplogger that used ident, but we didn't feel like sucking this out of the syslog). Now, we have the Win2000 domain servers audit to their event log. Go to ntsyslog.sourceforge.net and get the eventlog to syslog logger (damn useful in its own right). Use your favorite syslog daemon (we like syslog-ng but the stock syslog is probably more reliable) to dump the audit data into a file (or a pipe). Now we have python cook the log (via file or pipe) and dump to the database to determine who was logged in to which machine when the request came through. Very slick, works for all protocols, nearly bulletproof. We're even experimenting with tracking machines going wierd (crashing or losing connectivity) by watching for logins without logouts.

If you want something similar, we work at $70/hr. :)

MailScanner + Sendmail

You can use sendmail, MailScanner and the a/v software of your choice (this guy used the linux stand-alone client of mcaffee). Total cost, minus time to set it up, is the price of a stand-alone a/v scanner (under $40). A/v datafile updates can be scripted, so no effort is required from you. You can even plug in SpamAssassin and do some anti-spam stuff.

Never underestimate the power of open source ;)