Conversation with an Untangle rep.

post #1 of 15
Thread Starter 
Setting up my first Untangle box (going well) and I asked the tech his recommendations on port 80 protection for the home hosted web site. He did not give much encouragement to me in accomplishing this task. Basically he said port 80 protection for a website that is open to the world is a constant checking and changing (meaning software) exercise and if I want to offer my website to the world it is best to let a hosting service deal with site protection.

The tech did offer if I wanted to present my site to "less than the entire world" there were many different ways to do this (and thus remain "unhacked"). My question is, is it so difficult (to the extreme) to protect port 80 if it is open to the world? The Untangle rep. was not the only person I have spoken to that felt if I want to be protected I must be restrictive in who I offer myself to.
post #2 of 15
Whether you get "hacked" or not is dependent on the software you're using to host your website, and how secure its configuration is. For example, there is no way I would expose IIS to the global Internet, but a huge portion of the web is run on the Apache HTTP Server, running on Linux. If it was hugely vulnerable, every website on the 'Net would have been defaced a long time ago.

The trick is to:

a) Limit the number of ports open to the Internet, aside from port 80.

b) Pick an OS for the hosting machine that's known to be reasonably secure (not Windows), and learn where the vulnerabilities are, and how to close them up.

c) Pick a web server and do the same as b). Apache HTTP Server is the number one choice of course, but Apache Tomcat also delivers good performance as a web server.

A good option might be to run the web site inside a virtual machine, which will allow you to contain its running environment even further. Additionally, you may want to run the site on a different port other than 80, and run a "honey trap" site on port 80. Most attacks seem to be done by robots, and they will naturally target port 80.

Lastly, learn to read logs, so that you spot the signs of an attack. Keep continuous back ups of your site. Sign up to security mailing lists and watch for notices concerning the software you use.

Basically, you are now a system administrator.
Edited by parityboy - 1/14/11 at 6:55pm
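Added example (not part of the original thread or any poster's code): a first pass over Apache access-log lines of the kind post #2 recommends learning to read, flagging clients whose requests are almost all 4xx errors or are not valid HTTP at all. The sample lines, the thresholds and the `analyze` function are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, invented paths).
SAMPLE_LOG = r"""
198.51.100.7 - - [14/Jan/2011:18:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Jan/2011:18:01:05 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [14/Jan/2011:18:01:06 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [14/Jan/2011:18:01:06 +0000] "GET /cgi-bin/test HTTP/1.1" 403 199 "-" "-"
198.51.100.7 - - [14/Jan/2011:18:02:10 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.44 - - [14/Jan/2011:18:03:01 +0000] "\x16\x03\x01" 400 226 "-" "-"
192.0.2.44 - - [14/Jan/2011:18:03
""".strip().splitlines()


def analyze(lines, min_errors=3, error_ratio=0.8):
    """Return ({ip: [reasons]}, unparsed_count). Thresholds are assumed, tune per site."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set(), "malformed": 0})
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # truncated or non-standard line: count it, never drop silently
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        parts = m["request"].split()
        if len(parts) == 3 and parts[2].startswith("HTTP/"):
            s["paths"].add(parts[1])
        else:
            s["malformed"] += 1  # not "METHOD path HTTP/x.y", e.g. raw bytes sent to port 80
        if m["status"].startswith("4"):
            s["errors"] += 1
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["errors"] >= min_errors and s["errors"] / s["total"] >= error_ratio:
            reasons.append(f"{s['errors']}/{s['total']} requests got 4xx across {len(s['paths'])} paths")
        if s["malformed"]:
            reasons.append(f"{s['malformed']} malformed request line(s)")
        if reasons:
            findings[ip] = reasons
    return findings, unparsed

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An ordinary visitor who hits one broken link (198.51.100.7 here) stays below both thresholds, which is the distinction worth tuning on a real site.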
post #3 of 15
Also, typically you want to place any WAN facing service inside of a DMZ.
Devices in a DMZ cannot initiate connections into your 'inside' network.

Therefore, if your box becomes compromised, your entire internal LAN is not.
post #4 of 15
Thread Starter 
parti, I like the new job description. It will be pretty neat to learn how to interpret the log. Using a non-windows OS as your first line of defense makes sense (this is explained in a CISCO ASA book I just got, Author Richard Deal). It makes sense that if you present an appliance with an OS that most have little knowledge of (like the OS in an ASA) it will be much harder to get hacked.

When I get back with Untangle for "best practices" when using their version of a DMZ I will get some info on the port manipulation as I do want to employ this tactic. I am coming to the conclusion that site security is surely not a "set it up and forget it" type thing. I am getting the Premium Package with support from Untangle. The way I look at it is I have a Networking Instructor available whenever I want for 50.00 a month. I will take this deal for some months (until I pick their brains clean). +rep.

EDIT: I wanted to mention how much of a tool the Untangle box is. The setup is not as complicated as an ASA setup (I have only done CISCO routers in Packet Tracer but I have been told an ASA setup is similar). The difficult part with the CISCO appliance (at least for me) is I find the language cryptic and there is no "hand-holding" at all. Untangle is not at all intimidating and if you know your basic Networking concepts (not even so high as a CompTIA grad.) you can do Untangle. I really recommend it to others who want to get their feet wet in Networking.
Beers, thank you and +rep also.

The photo is my website (the Dell) and in the middle is my Untangle and on the end is my "internal" client. I am using XP Pro, Apache, a bridged Actiontech 1000 modem and some static IPs. There I have broken a major rule of site security and showed my hand.

Edited by PCCstudent - 1/14/11 at 8:14pm
post #5 of 15
Quote:
Originally Posted by beers View Post
Also, typically you want to place any WAN facing service inside of a DMZ.
Devices in a DMZ cannot initiate connections into your 'inside' network.

Therefore, if your box becomes compromised, your entire internal LAN is not.
I was going to mention DMZs, but I read somewhere recently that DMZs have fallen out of favour (can't remember the reason why). One thing to note with a DMZ is that the box is completely isolated from your internal network, so if you want to transfer files to it, it's sneakernet or nothing.
post #6 of 15
Thread Starter 
I was wondering how file transfer went with a box in a DMZ. File transfer techniques was/is one of my questions when I make contact with Untangle on Monday. I know most use Filezilla (myself currently) but I have been looking at a company (pay for) called Serve-U for FTP host. Serve-U is darn expensive and I need to look at why, they do put out a great technical newsletter every month.
post #7 of 15
I still think setting up two separate subnets is the way to go - with a perimeter network, and an internal LAN... You can then control routing between the two networks AND control what actually faces the internet..
post #8 of 15
Quote:
Originally Posted by ComGuards View Post
I still think setting up two separate subnets is the way to go - with a perimeter network, and an internal LAN... You can then control routing between the two networks AND control what actually faces the internet..
Yeah but...you work in a datacentre...you're spoiled. It would be a good exercise for the OP though.
post #9 of 15
Quote:
Originally Posted by parityboy View Post
Yeah but...you work in a datacentre...you're spoiled. It would be a good exercise for the OP though.
I have a perimeter network at home... easily created using DD-WRT routers...
post #10 of 15
Thread Starter 
ComGuards, can you draw out a rough topology for me (maybe others would like to see also). Untangle just emailed me on Sunday? They want me to sign up for Premium Support. In my last "security" thread it was suggested I get the 871 router to go with the 5505 ASA appliance. Now I will have to look up what a DD-WRT router means. Just got word my Saturday CCNA class got canceled, low enrollment. I was really looking forward to this lecture.

Really, I have not seen the phrase DD-WRT.

EDIT: DD-WRT=Linux firmware applicable for replacement in certain routers.
Edited by PCCstudent - 1/16/11 at 8:51pm