hehe, you're maybe new to infrastructure management but you are raising, from my standpoint, the right question: "How to provide secure services for SMB?", meaning not deploying complex and heavy-to-manage infrastructure.
Virtualization doesn't make it lighter btw. To me it's even the opposite: for the one really understanding what each component provides, virtualization might help. If you don't, it only makes everything confused, adding on top of that the extra overhead of the virtualization environment.
Yes, in an ideal world, internet, intranet and extranet should be kept "isolated", with a firewall in the middle plus some services in a DMZ to control flows at application level (e.g. mail relay, HTTP proxy), but this results in a rather complex design that often doesn't fit the SMB scope (too complex and therefore expensive). This is why the Zentyal approach is very appealing.
Still, with such a target in mind, is Zentyal the right solution?
I don't have the absolute answer but feel that we will quickly try to achieve something complex with something designed to be easy and simple first.
Let's take 2 examples that will show why, to me, Zentyal doesn't aim at providing such a design:
- LDAP server: services running in the DMZ should rely on an internal LDAP server so that the LDAP server containing internal accounts is not exposed to the internet. Zentyal's design doesn't really expose LDAP to the internet (LDAP ports are blocked at firewall level), but the LDAP service runs on Zentyal and there is no way you can split it easily.
- Mail gateway: a secure design supposes running the mail gateway (MTA) in the DMZ along with anti-virus and spam filtering and then delivering mail to mailboxes hosted internally. This can't be achieved (again, as far as I know) with Zentyal. The best you can do is to forward the mail port (e.g. 25) to the internal server, which is not as secure.
Does it mean that Zentyal out-of-the-box is not secure?
Not at all! I'm using it: while I'm an IT architect focusing on infrastructure design, I use it at home and also for small domains where I feel it fits perfectly. I would not use it for a company for which security is worth the extra cost compared to easiness. The motto is SMB. It says it all. Then, the border being fuzzy, some questions make sense but the ideal "state of the art" secure design doesn't.
Well, my own view only.
I'd like to get the Zentyal staff's view too...
One additional point: VPN is not the only way to provide access to internal services: a reverse proxy is very useful and secure when it comes to accessing, from outside, web-based services running internally. I even promote this rather than VPN. Here again it depends on your constraints in terms of security...
I'm reading Sam's reply now... fully in line as usual :-)
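To make the reverse-proxy alternative above concrete, here is an added example (not from the original post, and not Zentyal's own configuration) of an nginx reverse proxy sitting in the DMZ and publishing a single internal web application. The hostname app.example.com, the internal address 10.0.1.20:8080, the /app/ path and all certificate paths are constructed placeholders.

```nginx
# Added example: DMZ reverse proxy publishing one internal web application.
# All hostnames, addresses and file paths below are constructed placeholders.

# Plain HTTP only redirects to HTTPS; nothing is proxied over it.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/ssl/certs/app.example.com.pem;
    ssl_certificate_key /etc/ssl/private/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Require a client certificate issued by the company CA, so the
    # internal application is never reachable by anonymous clients.
    ssl_client_certificate /etc/ssl/certs/company-ca.pem;
    ssl_verify_client      on;

    # Publish only the application path. Anything else on the internal
    # host (admin pages, LDAP, mail) is not reachable through the proxy.
    location /app/ {
        proxy_pass http://10.0.1.20:8080/app/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Hand the verified certificate subject to the application for
        # its own authorization decisions and audit logging.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
        proxy_read_timeout 60s;
    }

    # Every other path on the published name is refused.
    location / {
        return 404;
    }
}

# Catch-all: requests for any other Host header are closed without reply.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/certs/app.example.com.pem;
    ssl_certificate_key /etc/ssl/private/app.example.com.key;
    return 444;
}
```

The design point is the same one the post makes for the mail relay: the host in the DMZ terminates the connection from the internet and speaks to the internal server on its own behalf, so the firewall between DMZ and intranet only needs to allow the proxy host to reach 10.0.1.20 on port 8080, and no internet client ever gets a direct TCP session to an internal machine. The `default_server` block matters because without it nginx would serve the first configured virtual host to requests with an unexpected Host header.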