Symantec Security Gateway vs. Custom Linux Box?
michaelr asks: "I run several email-based discussion lists. While only members of the lists are allowed to post, I've lately had problems with viruses as they often impersonate the members (or the members themselves are infected). I've identified two solutions: either build a Linux box running SMTP-based antivirus software, or purchase something like the Symantec Gateway Security which includes AV among lots of other things. The street price makes it a little more expensive than a Linux box + AV software, but it seems to be zero maintenance. The problem: the Symantec device is new, and before I place my trust in it, I'd like to know: has anyone had any experience with it, or should I just build the equivalent myself?"
Personally I prefer to do things myself, but you can't do everything all the time. So the real question is whether this box comes with support (and what quality that support has), rather than whether you can trust it now. Just like your home-made solution, it will have bugs and will need patches/upgrades etc. If you have a channel to report problems to, and they fix it for a reasonable subscription price, then go for it. You should also ask for how long the support will be available (1 year, 10 years, ...).
At one of my last jobs I used this setup:
Linux + Sendmail + Amavis + Sophos
Once I had it set up I could completely forget about it. Setting up Amavis with sendmail was a trick, but I had a homebrew sendmail.cf file because of some complications with our mail setup. Once that was done, I signed up for Sophos email alerts. From that mail I set up a script to be run whenever one of those mails came through, to go out to Sophos' website and get the update.
All in all, we never got an email virus coming into our network after that through this box.
Norris/Palin 2012
Fact: We deserve leaders who can kick your ass and field dress your carcass.
Having both firewalls in the same Enterprise, I have to say that I prefer the Linux one.
:)
Symantec's firewall tries to do too much, IMHO. Firstly, it tries to do a great deal of reporting to make management types happy. Typically, this is the reason it gets bought. Unfortunately, to get this reporting to work right in most enterprises, it is necessary to use the "login" page on the firewall (else you can't track by user, only machine). I have never been able to get it to automagically authenticate to the logged in Windows user, so I get complaints about logins ALL THE TIME! So, often you end up turning off the "transparent proxy" stuff.
Related to the above is a bad idea you must nip in the bud. These batty salespeople will claim they can track how much time employees spend "browsing the web". These firewalls have "sophisticated algorithms" to do this. I've tested it. They are bogus and misleading. We had one guy that had the Weather Channel up all day (the page would refresh every 5 minutes). He showed almost constant browsing even though it was minimized (regrettably we had to prove this to the boss by spying with VNC). Another guy had a systray application installed that polled a website for news information. It showed him as browsing all day. We also had a guy that brought up a game web page and played Java games all day. He showed 5 minutes of browsing when he was playing nonstop for hours. It doesn't work. It doesn't even come close to working. It's a flawed method and your boss is only going to make a fool of himself with it.
Secondly, Squid on Linux does a bang-up job of transparent proxying for HTTP. Seriously. Although I recommend running an opaque proxy (it handles some situations better). Transparent Proxying doesn't save so much work as you'd think.
For anyone with really special needs, Dante makes an excellent SOCKS server (makes ICQ and the like work like a charm--especially when the CEO wants it to just *work*). SquidGuard, DansGuardian, and the like make an excellent site (and content if necessary) filter. Also, being in the NLANR world cache hierarchy has saved me about 25% of my requests that would have gone directly to a destination.
Thirdly, the Linux machine is much faster, gives better diagnostics, and doesn't require the same resources (in my experience).
Linux has been a VERY good firewall for me. Armed with tools like Snort, Ethereal, and iptables I can generally do about anything.
In the spirit of Slashdot overkill, I'll ramble about our sophisticated home-grown reporting database that blows Symantec Security Center into the weeds. We have a custom SQL database (PostgreSQL) that is fed by a Python script. That Python script associates sites browsed with users. We've used two options for this. Since most of our clients use Windows, we had to find some way to pick up the login names. At first, we used identd. Squid would hit this directly. The drawbacks were that it took time/resources for each request, the daemon could be killed in Win98 and such, and it didn't work outside the squid (although it could have with an iplogger that used ident, but we didn't feel like sucking this out of the syslog). Now, we have the Win2000 domain servers audit to their event log. Go to ntsyslog.sourceforge.net and get the eventlog to syslog logger (damn useful in its own right). Use your favorite syslog daemon (we like syslog-ng but the stock syslog is probably more reliable) to dump the audit data into a file (or a pipe). Now we have Python cook the log (via file or pipe) and dump to the database to determine who was logged in to which machine when the request came through. Very slick, works for all protocols, nearly bulletproof. We're even experimenting with tracking machines going weird (crashing or losing connectivity) by watching for logins without logouts.
If you want something similar, we work at $70/hr.
I think Mauve has the most RAM. --PHB (Dilbert Comic)
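The log-cooking step the poster above describes (join Windows logon/logoff audit events forwarded over syslog against Squid's access log to attribute each request to a user) is easy to get wrong around session boundaries, so here is an added example of the core join. This is my own code, not the poster's script or anything shipped by ntsyslog or Squid. Assumptions: the syslog lines below are constructed in an ntsyslog-like shape (the real field layout differs), Windows 2000 audit event IDs 528 (successful logon) and 538 (logoff) are used, syslog timestamps are treated as UTC in an assumed year, a small workstation-to-IP table stands in for DNS/DHCP data, and the Squid lines are in Squid's native access.log format. It also implements the poster's "logins without logouts" heuristic: a second logon on a machine whose previous session never logged off closes the old session and flags it.

```python
import calendar
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real logs. Field layout of the ntsyslog lines is
# an assumption; 528/538 are the Windows 2000 logon/logoff audit event IDs.
WORKSTATION_IP = {"WS-ALICE": "10.0.0.11", "WS-BOB": "10.0.0.12"}  # assumed hosts table
LOG_YEAR = 2003  # syslog timestamps carry no year; assumed here

NTSYSLOG_SAMPLE = """\
Mar  3 08:59:10 dc1 security[success] 528 User Name: alice Workstation Name: WS-ALICE
Mar  3 09:05:42 dc1 security[success] 528 User Name: bob Workstation Name: WS-BOB
Mar  3 12:00:00 dc1 security[success] 538 User Name: alice Workstation Name: WS-ALICE
Mar  3 12:10:05 dc1 security[success] 528 User Name: carol Workstation Name: WS-ALICE
Mar  3 13:00:00 dc1 security[success] 528 User Name: dave Workstation Name: WS-BOB
"""

# Squid native format: time elapsed client code/status bytes method URL ident hier type
SQUID_SAMPLE = """\
1046683000.512    320 10.0.0.11 TCP_MISS/200 4512 GET http://www.weather.com/ - DIRECT/192.0.2.10 text/html
1046684100.004     12 10.0.0.12 TCP_HIT/200 873 GET http://news.example/ticker.xml - NONE/- text/xml
1046693000.250    150 10.0.0.11 TCP_MISS/200 2200 GET http://games.example/applet.jar - DIRECT/192.0.2.20 application/java-archive
1046694000.000     90 10.0.0.11 TCP_MISS/200 1000 GET http://games.example/ - DIRECT/192.0.2.20 text/html
1046700000.000     45 10.0.0.12 TCP_MISS/200 640 GET http://intranet.example/ - DIRECT/10.0.0.5 text/html
1046700500.000     45 10.0.0.99 TCP_MISS/200 640 GET http://www.example/ - DIRECT/192.0.2.30 text/html
"""

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ (?P<event>528|538) "
    r"User Name: (?P<user>\S+) Workstation Name: (?P<ws>\S+)$"
)


def syslog_epoch(ts, year=LOG_YEAR):
    """Convert 'Mar  3 08:59:10' to epoch seconds, treating it as UTC (assumption)."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return calendar.timegm(dt.timetuple())


def build_sessions(syslog_text):
    """Return ({workstation: [session, ...]}, superseded) where a session is
    {'user', 'start', 'end'} (end is None while still logged on) and superseded
    lists (workstation, user) sessions closed by a new logon with no logoff."""
    sessions = defaultdict(list)
    superseded = []
    for line in syslog_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # other audit events, or a line shape we do not parse
        t, ws, user = syslog_epoch(m["ts"]), m["ws"], m["user"]
        still_open = [s for s in sessions[ws] if s["end"] is None]
        if m["event"] == "528":
            for s in still_open:  # machine crashed or was rebooted without a logoff
                s["end"] = t
                superseded.append((ws, s["user"]))
            sessions[ws].append({"user": user, "start": t, "end": None})
        else:
            for s in still_open:
                if s["user"] == user:
                    s["end"] = t
    return sessions, superseded


def attribute_requests(squid_text, sessions, ws_ip=WORKSTATION_IP):
    """Return [(epoch, client_ip, url, user_or_None)] for each Squid log line,
    picking the session whose [start, end) window contains the request time."""
    ip_to_ws = {ip: ws for ws, ip in ws_ip.items()}
    rows = []
    for line in squid_text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # truncated line
        t, ip, url = float(f[0]), f[2], f[6]
        user = None
        for s in sessions.get(ip_to_ws.get(ip), []):
            if s["start"] <= t and (s["end"] is None or t < s["end"]):
                user = s["user"]
                break
        rows.append((t, ip, url, user))
    return rows


if __name__ == "__main__":
    sess, flagged = build_sessions(NTSYSLOG_SAMPLE)
    for t, ip, url, user in attribute_requests(SQUID_SAMPLE, sess):
        print(f"{int(t)} {ip:<10} {user or '<unknown>':<10} {url}")
    print("sessions that never logged off:", flagged)
```

Requests that fall in a gap between one user's logoff and the next logon, or that come from an IP with no session at all, are left unattributed rather than guessed; in a real deployment those rows are the ones to look at before trusting any per-user report.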