Slashdot Mirror


Symantec Security Gateway vs. Custom Linux Box?

michaelr asks: "I run several email-based discussion lists. While only members of the lists are allowed to post, I've lately had problems with viruses as they often impersonate the members (or the members themselves are infected). I've identified two solutions: either build a Linux box running SMTP-based antivirus software, or purchase something like the Symantec Gateway Security which includes AV among lots of other things. The street price makes it a little more expensive than a Linux box + AV software, but it seems to be zero maintenance. The problem: the Symantec device is new, and before I place my trust in it, I'd like to know: has anyone had any experience with it, or should I just build the equivalent myself?"

22 comments

  1. first post! by OpperNerd · · Score: -1, Offtopic

    juh, finally.

    --
    -- unix is for people without a social life - Patrick van Eijk
  3. Does it come with support contract or not? by Jump · · Score: 4, Insightful

    Personally I prefer to do things myself, but you can't do everything all the time. So the real question is, if this box comes with support (and what quality that support has), rather than the question if you can trust it now. Just like your home made solution, it will have bugs and will need patches/upgrades etc. If you have a channel to report problems to, and they fix it for a reasonable subscription price, then go for it. You should also ask, for how long the support will be available (1 year, 10 years, ...).

  4. Something that works by Yonder+Way · · Score: 3, Informative

    I have had success setting up OpenBSD with Postfix and RAV.

    OpenBSD - Free operating system, similar to Linux if that's your primary exposure to UNIX-like environments. OpenBSD doesn't have all the bells and whistles of Linux, but on the flip side it doesn't have the baggage either. It is very well suited to setting up a secure server. The built in firewalling, IMHO, is one of the things that sets OpenBSD apart from all the others. It's a snap to firewall an OpenBSD server and there are plenty of example configs out there to get you started.

    Postfix - Sorry, Sendmail just gives me fits. I don't want to have to have a reference in front of me while configuring my MTA. I know enough about SMTP to make intelligent decisions if my options are put in front of me in English. Postfix does this. Not to mention it is free, it is fast, it is secure and it is a drop-in replacement for Sendmail.

    RAV - This is not free software, but it works very well with all of the software named above. RAV is an antivirus program that is called by Postfix. It's very fast, and very effective.

    Since you're running a mailing list server, you might want to do some creative de-miming to further increase the effectiveness of your efforts. Other than GPG signatures, most MIME is unwanted anyway.

    1. Re:Something that works by Anonymous Coward · · Score: 0

      Postfix, see the article about mozilla having everything including the kitchen sink if you want to know what a lot of people think about postfix. Post = mail fix = needs worked on, therefore postfix is a mail server that always needs worked on.

  5. Clearly Symantec! by Anonymous Coward · · Score: 1, Funny

    You'll get 3 hours advance notice of worms like the SQL Slammer...

    1. Re:Clearly Symantec! by MikeBabcock · · Score: 1

      It's pretty sad still, isn't it?

      At any rate, I didn't have 3hr advance notification of the Slammer worm; it just didn't get in at all.

      Welcome to stateful firewalls by iptables and some good old E-mail filtering.

      qmail + qfilter + some good PERL programming + McAfee

      --
      - Michael T. Babcock (Yes, I blog)
  6. Linux + AV by FroMan · · Score: 4, Interesting

    At one of my last jobs I used this setup:

    Linux + Sendmail + Amavis + Sophos

    Once I had it set up I could completely forget about it. Setting up the Amavis with sendmail was a trick, but I had a homebrew sendmail.cf file because of some complications with our mail setup. Once that was done, I signed up for Sophos email alerts. From that mail I set up a script to be run whenever one of those mails came through to go out to Sophos' website and get the update.

    All in all, we never got an email virus coming into our network after that through this box.

    --
    Norris/Palin 2012
    Fact: We deserve leaders who can kick your ass and field dress your carcass.
  7. Symantec (Raptor/Axent) Firewall != Linux by yabHuj · · Score: 3, Informative

    The Symantec firewall formerly was known as "Raptor Firewall" or "Axent Raptor Firewall". It is a hybrid firewall with quite a number of transparent security proxies, whereas Linux machines "only" do stateful plus maybe (standard) proxies for only a limited number of protocols. For a class overview see http://wyae.de/secure_gateway/gateways.php

    In my experience the Raptor is(was) quite good and not really comparable to a custom linux machine or off-the-shelf linux firewall (e.g. Astaro) - though I like the latter, too. It's playing in a completely different (IMHO higher) class.

    The Raptor's SPs are among most stringent I know of - but can be a real pain to pass through for nearly-compatible stuff. The Notes SMTP gate was infamous for being rejected by Raptor because of RFC-noncompliance...

    Apropos "maintenance-free": no firewall is maintenance-free. Never. You'll always have to have a look at the logs, at unusual behaviour, etc. The only difference here is whether you have to care about building software patches yourself or to have a company do that for you. But the load of necessary maintenance work still is to be done. If you ignore that, you'll pay the price, probably earlier than later...

    1. Re:Symantec (Raptor/Axent) Firewall != Linux by KagatoLNX · · Score: 4, Informative

      Having both firewalls in the same Enterprise, I have to say that I prefer the Linux one.

      Symantec's firewall tries to do too much, IMHO. Firstly, it tries to do a great deal of reporting to make management types happy. Typically, this is the reason it gets bought. Unfortunately, to get this reporting to work right in most enterprises, it is necessary to use the "login" page on the firewall (else you can't track by user, only machine). I have never been able to get it to automagically authenticate to the logged in Windows user, so I get complaints about logins ALL THE TIME! So, often you end up turning off the "transparent proxy" stuff.

      Related to the above is a bad idea you must nip in the bud. These batty salespeople will claim they can track how much time employees spend "browsing the web". These firewalls have "sophisticated algorithms" to do this. I've tested it. They are bogus and misleading. We had one guy that had the Weather Channel up all day (the page would refresh every 5 minutes). He showed almost constant browsing even though it was minimized (regrettably we had to prove this to the boss by spying with VNC). Another guy had a systray application installed that polled a website for news information. It showed him as browsing all day. We also had a guy that brought up a game web page and played Java games all day. He showed 5 minutes of browsing when he was playing nonstop for hours. It doesn't work. It doesn't even come close to working. It's a flawed method and your boss is only going to make a fool of himself with it.

      Secondly, Squid on Linux does a bang-up job of transparent proxying for HTTP. Seriously. Although I recommend running an opaque proxy (it handles some situations better). Transparent Proxying doesn't save so much work as you'd think.

      For anyone with really special needs, Dante makes an excellent SOCKS server (makes ICQ and the like work like a charm--especially when the CEO wants it to just *work*). Squidguard, Dan's Guardian, and the like make an excellent site (and content if necessary) filter. Also, being in the NLANR world cache hierarchy has saved me about 25% of my requests that would have gone directly to a destination.

      Thirdly, the Linux machine is much faster, gives better diagnostics, and doesn't require the same resources (in my experience).

      Linux has been a VERY good firewall for me. Armed with tools like Snort, Ethereal, and iptables I can generally do about anything.

      In the spirit of Slashdot overkill, I'll ramble about our sophisticated home-grown reporting database that blows Symantec Security Center in the weeds. We have a custom SQL database (PostgreSQL) that is fed by a Python script. That Python script associates sites browsed with users. We've used two options for this. Since most of our clients use Windows, we had to find some way to pick up the login names. At first, we used identd. Squid would hit this directly. The drawbacks were that it took time/resources for each request, the daemon could be killed in Win98 and such, and it didn't work outside the squid (although it could have with an iplogger that used ident, but we didn't feel like sucking this out of the syslog). Now, we have the Win2000 domain servers audit to their event log. Go to ntsyslog.sourceforge.net and get the eventlog to syslog logger (damn useful in its own right). Use your favorite syslog daemon (we like syslog-ng but the stock syslog is probably more reliable) to dump the audit data into a file (or a pipe). Now we have python cook the log (via file or pipe) and dump to the database to determine who was logged in to which machine when the request came through. Very slick, works for all protocols, nearly bulletproof. We're even experimenting with tracking machines going weird (crashing or losing connectivity) by watching for logins without logouts.

      If you want something similar, we work at $70/hr. :)

      --
      I think Mauve has the most RAM. --PHB (Dilbert Comic)
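
The correlation described in the comment above, as an added example (not the commenter's script): login events are folded into per-machine sessions, each proxy request is attributed to whoever was logged in on that machine at that moment, and logons that were never followed by a logoff are reported. The `LOGON`/`LOGOFF` line format, all function names and the sample data are constructed assumptions; the access lines follow Squid's native access.log field order.

```python
import bisect
from collections import defaultdict


def build_sessions(event_lines):
    """Fold LOGON/LOGOFF events into per-host sessions.

    Returns (sessions, unclosed): sessions maps host -> [[start, end, user], ...]
    in time order (end is None while open); unclosed lists (host, user, start)
    for logons that were followed by another logon with no logoff in between.
    """
    events = []
    for line in event_lines:
        ts, kind, user, host = line.split()
        events.append((float(ts), kind, user, host))

    sessions, unclosed = defaultdict(list), []
    for ts, kind, user, host in sorted(events):
        current = sessions[host][-1] if sessions[host] else None
        is_open = current is not None and current[1] is None
        if kind == "LOGON":
            if is_open:  # machine crashed or dropped off the network
                unclosed.append((host, current[2], current[0]))
                current[1] = ts  # bound the stale session at the new logon
            sessions[host].append([ts, None, user])
        elif kind == "LOGOFF" and is_open and current[2] == user:
            current[1] = ts
    return sessions, unclosed


def user_at(sessions, host, ts):
    """Who was logged in to `host` at time `ts`, or None if nobody was."""
    host_sessions = sessions.get(host, [])
    starts = [s[0] for s in host_sessions]
    i = bisect.bisect_right(starts, ts) - 1  # latest session starting <= ts
    if i < 0:
        return None
    _start, end, user = host_sessions[i]
    return user if end is None or ts < end else None


def attribute(access_lines, sessions):
    """Yield (user_or_None, client_ip, url) per Squid native access.log line."""
    for line in access_lines:
        fields = line.split()
        ts, client, url = float(fields[0]), fields[2], fields[6]
        yield user_at(sessions, client, ts), client, url


# Constructed sample data: "<epoch> LOGON|LOGOFF <user> <workstation-ip>".
LOGIN_EVENTS = [
    "1046700000 LOGON alice 192.168.1.20",
    "1046703600 LOGOFF alice 192.168.1.20",
    "1046704000 LOGON bob 192.168.1.20",
    "1046705000 LOGON carol 192.168.1.20",  # bob never logged off
]
# Constructed lines in Squid's native layout:
# time elapsed client code/status bytes method URL ident peer type
_TAIL = "- DIRECT/192.0.2.10 text/html"
ACCESS_LOG = [
    f"1046701000.100 45 192.168.1.20 TCP_MISS/200 1234 GET http://example.com/a {_TAIL}",
    f"1046703700.000 12 192.168.1.20 TCP_HIT/200 800 GET http://example.com/b {_TAIL}",
    f"1046704500.500 30 192.168.1.20 TCP_MISS/200 512 GET http://example.com/c {_TAIL}",
    f"1046706000.000 30 192.168.1.20 TCP_MISS/200 512 GET http://example.com/d {_TAIL}",
    f"1046706000.000 30 192.168.1.22 TCP_MISS/200 512 GET http://example.com/e {_TAIL}",
]


def report():
    """Attribute the sample requests and list the unclosed logons."""
    sessions, unclosed = build_sessions(LOGIN_EVENTS)
    return list(attribute(ACCESS_LOG, sessions)), unclosed


if __name__ == "__main__":
    rows, unclosed = report()
    for user, client, url in rows:
        print(f"{user or 'unknown':8} {client:14} {url}")
    print("logons without logoff:", unclosed)
```

Requests that fall between a logoff and the next logon, or that come from a machine with no login record, stay unattributed rather than being pinned on the last known user.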
  8. Sendmail + MailScanner + Sophos by bill_mcgonigle · · Score: 1
    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  9. Stripmime! by Max+Hyre · · Score: 1

    I subscribe to a couple of lists that use Stripmime. Basically, it enforces plaintext-only semantics on list postings. All .exes vanish, it tries to convert HTML to text, and numerous other impediments to clear, straightforward, communication are deep-sixed. The license appears to be an Old-BSD model (w/advertising clause), and the author warns it's not so hot on foreign character sets.

    Nonetheless, it's certainly a major goodness in my eyes, and you needn't change anything else about your setup.

    The site also points to a program called Demime, which I'm unacquainted with.

    --
    I refuse to believe corporations are people until Texas executes one. -- desert rain on http://www.dailykos.com/user/
    1. Re:Stripmime! by AmbushBug · · Score: 1

      We also strip all executable attachments from all mail. It's the most effective way of dealing with e-mail-borne viruses. Even though it may sound kind of drastic, keep in mind that people don't generally need to be sending executable content via e-mail. In a business setting, you usually need to allow various Microsoft attachments but for discussion lists, binary attachments should not be necessary. Virus scanners are more trouble than they are worth since you have to keep them up-to-date and any new viruses will still get through until the AV vendor updates their scanner data.
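
A plaintext-only list filter of the kind discussed in this thread and in the earlier de-miming comment, as an added example (not Stripmime's or Demime's code): it keeps the sender's text, converts HTML-only mail to text, drops every attachment, and passes a simple PGP/MIME-signed text message through untouched. The function names, the header allow-list and the sample message are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

PASS_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


class _TextOnly(HTMLParser):
    """Collect the text nodes of an HTML body, skipping script/style."""

    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.chunks.append(data.strip())


def html_to_text(html):
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    return "\n".join(parser.chunks)


def sanitize(raw):
    """Return (clean_message_bytes, descriptions_of_dropped_parts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]

    # PGP/MIME with a lone text/plain body passes through byte-for-byte;
    # rebuilding it would invalidate the signature.
    if msg.get_content_type() == "multipart/signed":
        if [p.get_content_type() for p in leaves] == [
                "text/plain", "application/pgp-signature"]:
            return raw, []

    plain, html, dropped = [], [], []
    for part in leaves:
        ctype, name = part.get_content_type(), part.get_filename()
        if name is None and ctype == "text/plain":
            plain.append(part.get_content())
        elif name is None and ctype == "text/html":
            html.append(part.get_content())
        else:  # every attachment and every other media type
            dropped.append(f"{ctype} ({name or 'unnamed'})")

    if plain:  # prefer the sender's own plain text
        body = "\n".join(plain)
        dropped += ["text/html (alternative)"] * len(html)
    else:      # HTML-only mail: fall back to the de-tagged text
        body = "\n".join(html_to_text(h) for h in html)

    clean = EmailMessage(policy=policy.default)
    for header in PASS_HEADERS:
        if msg[header]:
            clean[header] = str(msg[header])
    if dropped:
        body += "\n[list filter removed: " + "; ".join(dropped) + "]\n"
    clean.set_content(body)
    return clean.as_bytes(), dropped


def constructed_sample():
    """Constructed message: text + HTML alternative + a .pif attachment."""
    m = EmailMessage()
    m["From"], m["To"] = "member@example.org", "list@example.org"
    m["Subject"] = "Re: meeting notes"
    m.set_content("See you Tuesday.\n")
    m.add_alternative("<p>See you <b>Tuesday</b>.</p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="notes.pif")
    return m.as_bytes()
```

Because the filter allow-lists text instead of block-listing file extensions, it does not depend on scanner signatures being current.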

  10. biased. by Anonymous Coward · · Score: 0

    I am biased but I personally do not trust anything that comes from Symantec. Haven't for a long time. At my last company I deployed 2 layers of virus protection with postfix+amavis. The mail hub (all inbound mail would come through here first) ran Sophos antivirus, the mail leafs ran McAfee antivirus. And yes there were a very small selection of cases when McAfee caught something Sophos could not (maybe less than 0.02%). I could never determine if Sophos caught something that McAfee could not since when detected the message was immediately blocked. The mail leafs only received mail from local users, who, after initial deployment & detection of a few viruses on the internal network never sent out another virus again while I was there. Both McAfee and Sophos, and others I'm sure have pricing for "server-only" configurations. McAfee and Sophos are kind enough to give you a bunch of different platforms. e.g. ~8 different variants of Linux and UNIX instead of licensing it JUST for Linux or JUST for Solaris or JUST for FreeBSD. Sophos goes further last I checked when you license the server version I think they include ALL server OSs, whereas with McAfee my licensing agreement was for UNIX only. Though the more restricted license did reduce the cost quite a bit. And when I say UNIX I mean all UNIX and Linux variants they support.

    Then I used MRTG to graph virus incidents.

  11. MailScanner + Sendmail by Anonymous Coward · · Score: 1, Informative

    You can use sendmail, MailScanner and the a/v software of your choice (this guy used the Linux stand-alone client of McAfee). Total cost, minus time to set it up, is the price of a stand-alone a/v scanner (under $40). A/v datafile updates can be scripted, so no effort is required from you. You can even plug in SpamAssassin and do some anti-spam stuff.

    Never underestimate the power of open source ;)

  12. TrendMicro by Gothmolly · · Score: 1

    Since they have the lion's share of the enterprise AV market, and make both Linux and Solaris SMTP scrubbing tools, go with them.

    --
    I want to delete my account but Slashdot doesn't allow it.
  13. Sendmail + Mimedefang + av scanning on the MX by janic · · Score: 1

    Hey.

    We have 1000 users on our GroupWise postoffice. We used to use a certain third-party tool (Guinevere) to do av scanning and attachment blocking.

    Well, when klez came along, that box would regularly bluescreen and just generally pee itself.

    Sooooooo,

    We redeployed a couple of old (266 MHz) machines as mail exchangers running sendmail and mimedefang. (http://www.roaringpenguin.com/mimedefang/) Works like a charm. MimeDefang is totally configurable and integrates with sendmail via libmilter.

    On a slow day, we process about 1500 messages. On top of that, we block a couple hundred attachments based on file type, most of which are klez and variants.

    I am in the process of testing integration with McAfee's uvscan. I can tell you it works great. We did, of course, throw a little bit more hardware at the problem (a pair of Dell Poweredge 350s) because it has been recognised as a "critical service" and besides, I _really_ don't feel comfortable trusting both my primary and secondary mail exchangers to a couple of aging ppros.

    John

  14. Postfix + amavis + clamav by Anonymous Coward · · Score: 0


    See subject. If you need a pointy-clicky GUI for managing messages that have been isolated because they contain a virus, then perhaps add Webmin w/ FileManager to the list. That gets you most of the way.

    The Symantec Gateway Security box is actually a Linux box itself but it is EXPENSIVE and not nearly as flexible as a 'homebrew' solution. And it is overkill for doing just mail filtering. I would only suggest the GS if you think that down the road you would like to do IDS, content filtering of web-traffic, etc etc and the people who will be maintaining your setup are not comfortable with Unix.

  15. Postfix + RAV + Spamcheckers + Regex by BigUX · · Score: 1

    nuff said! 6 domains, content filtering, anti-virus. Security, performance, reliability in a Celeron900 and 3Gb of filtered mail daily

    --
    __________________________________________________ ________ TUX Powered
  16. 4 words by Anonymous Coward · · Score: 0

    john hardin's procmail sanitizer

    www.impsec.org or something. Ok so it's more than 4 words. shoot me.

  17. Run Linux and a real firewall at the same time... by dijit · · Score: 1

    Check Point's products run on Red Hat Linux, and they also have their own customized Linux distro which I must say is very easy and best of all, it's (the OS, not their software) free and open source!

    Check Point's Website

    // Chris