Firewall Opinion: Appliance or Linux?

jazzman42379

Member
Jun 18, 2001
105
0
0
Hey Everyone,

I'm exploring options for putting up an effective firewall and had a couple of questions. Here's the setup: right now, nothing special. I've got a LAN with about 5 PCs, including a Windows domain controller. After graduation (soon), I'll be moving off the campus network and onto wonderful, unfirewalled DSL, where I plan to expand the network to provide outside services such as mail, www hosting, ftp, SSH, possibly DNS, etc. One particular service I'd provide is VPN access for myself to the internal network. I'm counting on only having 1 IP address and using private network addresses for the internal network. Not sure of this yet, but may want to run a DMZ for the main outside servers.

Here's a rundown of the requirements:
- Firewall that keeps out everything but what I want to let in
- Protects an entire Class C network (private IPs)
- VPN access to network (I would guess no more than 1 user at a time)
- VPN able to be connected to via Windows networking...nothing special needed
- Easy to use routing/filtering options
- Can NAT one-to-many (ex. having web servers on different boxes...forward port 80 to all of them)

I think at this point it's safe to say that I'll be wanting more than just a Linksys or Dlink. What I'm curious about is which would be better...getting a dedicated firewall appliance or throwing some open-source firewall onto an old box?

Recently I've been playing with Astaro Security Linux. It definitely has the advanced options I'd like, as well as the ease of use. I've even got a VPN connection set up with a buddy's network so it's transparent to my computer to get to one of his. However, its weaknesses lie in the fact that according to the free home-user license, it only protects 10 IPs. And also, I have yet to get the IPSec VPN to work without an external (and pricey) client.

I've looked at ClarkConnect, which doesn't have the IPSec VPN in its free form. I've also looked at Cisco and SonicWall appliances.

Anyone have opinions on what would work well for this?
Thanx,
Jazzman
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
31,266
12,784
136
Here is my opinion:

It depends.

How much effort are you willing to put into this? An appliance is easy. You just plug it in and keep an eye on things.

A linux solution can be quite tedious. And may not function as you want. As a learning experience, it can't be beat.

Personally I use Freesco, a free Linux port that sets up easily and can be remotely administered. Version 030 supports up to 10 NICs. While I wouldn't call it an industrial solution, it is perfect for a small business network or home network.

There are loads of other linux firewall apps. You can download and use for free Mandrake Single Network Firewall.

The benefit of using either a linux port or a full blown linux distro is that you can recycle old computer hardware and get a hands on look at what networking and security are all about. Most firewalls don't need to be cutting edge hardware based machines. Many here use 486's. I prefer early Pentiums, or, if more power is needed, a P3 setup would be great.

Whether this helps your decision making I don't know, but there are pros and cons either way.

 

Scarpozzi

Lifer
Jun 13, 2000
26,391
1,780
126
Appliances are cheaper. If you wanted to setup a webserver and worry about keeping it patched and all, you could do that with linux. I guess it just comes down to whether or not you want to learn or just make things easier on yourself.
 

PlatinumGold

Lifer
Aug 11, 2000
23,168
0
71
opening the port for the TS kind of defeats the purpose of having a firewall. if you wanna ts in, build a vpn tunnel between two locations. it will limit exposure. or it seems to me that it would. :)
 

TechBoyJK

Lifer
Oct 17, 2002
16,699
60
91
Why not OpenBSD with Packet Filter? OpenBSD is pretty similar to Linux and if you spend some time with Packet Filter, you could probably keep a pretty tight ship.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
31,266
12,784
136
Originally posted by: TechBoyJK
Why not OpenBSD with Packet Filter? OpenBSD is pretty similar to Linux and if you spend some time with Packet Filter, you could probably keep a pretty tight ship.
Sometimes a small footprint is wanted. Freesco works just as well, but is way smaller. Smaller equals faster in most cases, since it doesn't require the overhead of a full OS install.

He could install a full linux OS and then install PMfirewall too. It will work just fine but it is not quite as fast.
 

jazzman42379

Member
Jun 18, 2001
105
0
0
Hey All,

Thanx so far for the opinions. I'm swaying more towards the open source solution due to the fact that for other solutions, like the appliances, the cost goes up drastically for users, and I don't want that cost restriction just to expand my network.

As far as the specific solution, I'd lean more towards a linux/unix solution rather than the specialized apps like Freesco or Smoothwall. Reason: I can provide external services like my external DNS. Plus it would be plenty customizable. I don't mind the learning curve, and actually invite it (wanting to get into the IT sector eventually). There's also Webmin and FreeSwan to use on it.

Couple questions related:

- Does anyone know if the free version of Clarkconnect has any IP limit restrictions? (10-IP limit...)
- Is it possible to host my primary/secondary DNS servers behind a firewall as such?

Thanx,
Jazzman
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Don't run a DNS server on your firewall, but it would be easy to have a DNS server behind it. If you are using NAT, all you would have to do is forward UDP 53 from clients, and TCP 53 from your secondary DNS server.
 

vi edit

Elite Member
Super Moderator
Oct 28, 1999
62,484
8,345
126
I'm a fan of solid state stuff myself. Lots of hardware problems can *possibly* go wrong on a PC running Linux. It works in a pinch, or if you are under major money constraints, but for mission critical stuff, I actually prefer to go the KISS route. Less parts to break = less things to troubleshoot if it stops working.
 

Oaf357

Senior member
Sep 2, 2001
956
0
0
Whatever you do remember a firewall is a firewall.

It shouldn't be anything less or anything more.

Don't run anything else on that device other than firewall applications and network monitoring tools. Don't setup web, mail, or DNS (or any other service) on a firewall. To do this would defeat the purpose of the firewall itself.

I'm a fan of solid state devices. Plug it in, program it, and leave it (except to update, patch, and reconfigure as needed). Linux is great, but for just a firewall most distros are almost too robust.
 

jazzman42379

Member
Jun 18, 2001
105
0
0
Originally posted by: n0cmonkey
Don't run a DNS server on your firewall, but it would be easy to have a DNS server behind it. If you are using NAT, all you would have to do is forward UDP 53 from clients, and TCP 53 from your secondary DNS server.
UDP 53 from clients and TCP 53 from secondary dns server?

So let's say I put a primary and secondary dns server up behind a NAT firewall like ClarkConnect. Which "clients" do I need to forward UDP from? Wouldn't I just set the firewall to forward both UDP/TCP 53 to both servers? Please enlighten me.

Thanx for all the advice! Keep it coming!
Jazzman
 

alrox

Member
Nov 17, 2002
175
0
0
Sounds like you need to read a book/guide on firewalls and NAT. If someone answered every question you had like this, this thread would be 500 posts long.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: jazzman42379
Originally posted by: n0cmonkey
Don't run a DNS server on your firewall, but it would be easy to have a DNS server behind it. If you are using NAT, all you would have to do is forward UDP 53 from clients, and TCP 53 from your secondary DNS server.
UDP 53 from clients and TCP 53 from secondary dns server?

So let's say I put a primary and secondary dns server up behind a NAT firewall like ClarkConnect. Which "clients" do I need to forward UDP from? Wouldn't I just set the firewall to forward both UDP/TCP 53 to both servers? Please enlighten me.

Thanx for all the advice! Keep it coming!
Jazzman

If this is just an internal DNS you will only need to allow access to UDP 53 from your machines. If this is an external DNS you will need a secondary DNS server in another location, and your firewall will need to allow TCP 53 from the secondary to the local one you will be running. TCP 53 is only necessary for zone file transfers and abnormally large DNS responses (I think), and by blocking it from most people you can help limit the risk you are exposing yourself to.
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
One question:

If one were to go the *nix route, what would be the equivalent of SPI (stateful Packet Inspection) ?

 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Goosemaster
One question:

If one were to go the *nix route, what would be the equivalent of SPI (stateful Packet Inspection) ?

IPF, IPTables, and PF all keep state. With PF and IPF it's pretty simple; I don't use IPTables, so I can't tell you how easy that is to set up.
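To make the two points above concrete, the following is an added simulation written for this thread, not code from it and not from IPF, PF, iptables or any of the firewall products mentioned. It models the DNS forwarding n0cmonkey described on a NAT box with a single public address: a destination NAT from the public address to an internal DNS server, UDP 53 allowed only from LAN clients, TCP 53 allowed only from the off-site secondary's address, and a state table so that replies to tracked flows pass without needing their own rule while unsolicited TCP segments (with or without SYN) from anyone else are dropped. All addresses are constructed documentation-range values, and the first-match rule order follows IPFilter/iptables rather than pf's default last-match evaluation.

```python
"""Toy stateful packet filter with port forwarding (added example, not from the thread)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN flag; a new TCP connection must start with one


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: Optional[str] = None  # None matches any protocol
    src: Optional[str] = None    # CIDR; None matches any source
    dst: Optional[str] = None    # CIDR; None matches any destination
    dport: Optional[int] = None
    keep_state: bool = False     # record the flow so its replies pass without a rule

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
                and (self.dport is None or pkt.dport == self.dport))


class StatefulFilter:
    """First-match filter (IPFilter/iptables style) with a flow state table."""

    def __init__(self, rules, dnat=None, default="block"):
        self.rules = list(rules)
        self.dnat = dict(dnat or {})   # (public_ip, port) -> internal host
        self.default = default
        self.state = set()             # (proto, src, sport, dst, dport) of tracked flows

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reply_key(pkt):
        # The flow that a packet travelling in the opposite direction belongs to.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt: Packet) -> str:
        # 1. State table first: packets of a tracked flow (either direction) pass
        #    without consulting the rules. This is what "keep state" buys you.
        if self._key(pkt) in self.state or self._reply_key(pkt) in self.state:
            return "pass"
        # 2. A TCP segment without SYN that matches no flow cannot open a legitimate
        #    connection, so it is dropped before any rule could pass it.
        if pkt.proto == "tcp" and not pkt.syn:
            return "block"
        # 3. First matching rule decides; a "pass ... keep state" rule records the flow.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "pass" and rule.keep_state:
                    self.state.add(self._key(pkt))
                return rule.action
        return self.default

    def forward(self, pkt: Packet) -> str:
        # Destination NAT runs before filtering (as in pf, and iptables PREROUTING),
        # so the rules are written against the internal address.
        target = self.dnat.get((pkt.dst, pkt.dport))
        if target is not None:
            pkt = replace(pkt, dst=target)
        return self.decide(pkt)


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
LAN = "192.168.1.0/24"
DNS_SERVER = "192.168.1.53"   # internal primary DNS behind the NAT box
SECONDARY = "203.0.113.10"    # off-site secondary that pulls zone transfers
PUBLIC_IP = "198.51.100.7"    # the firewall's single public address


def build_dns_firewall() -> StatefulFilter:
    rules = [
        Rule("pass", proto="udp", src=LAN, dst=DNS_SERVER + "/32", dport=53, keep_state=True),
        Rule("pass", proto="tcp", src=SECONDARY + "/32", dst=DNS_SERVER + "/32", dport=53, keep_state=True),
    ]
    return StatefulFilter(rules, dnat={(PUBLIC_IP, 53): DNS_SERVER})


def demo() -> dict:
    fw = build_dns_firewall()
    return {
        # LAN client query, then the server's reply (passes via state, not a rule)
        "lan_udp_query": fw.forward(Packet("udp", "192.168.1.20", 40000, DNS_SERVER, 53)),
        "lan_udp_reply": fw.forward(Packet("udp", DNS_SERVER, 53, "192.168.1.20", 40000)),
        # Secondary opens a zone transfer to the public address; DNAT sends it inside
        "secondary_axfr_syn": fw.forward(Packet("tcp", SECONDARY, 51000, PUBLIC_IP, 53, syn=True)),
        "primary_axfr_reply": fw.forward(Packet("tcp", DNS_SERVER, 53, SECONDARY, 51000)),
        # Anyone else trying TCP 53, with or without SYN, is dropped
        "stranger_tcp_syn": fw.forward(Packet("tcp", "192.0.2.5", 51000, PUBLIC_IP, 53, syn=True)),
        "stranger_tcp_ack": fw.forward(Packet("tcp", "192.0.2.5", 51001, PUBLIC_IP, 53)),
        # Internal-only resolver: outside UDP queries are dropped as well
        "stranger_udp_query": fw.forward(Packet("udp", "192.0.2.5", 51002, PUBLIC_IP, 53)),
    }
```

Running `demo()` shows the asymmetry the thread is getting at: the LAN query and the secondary's zone transfer are admitted by explicit rules, their replies are admitted by the state entries those rules created, and nothing else reaches the DNS server. The same model extends to an externally reachable authoritative server by adding a `pass udp` rule without a source restriction; the TCP 53 rule stays limited to the secondary.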
 
MercenaryForHire

Jan 31, 2002
40,819
2
0
While we're discussing the pros and cons of various appliances/Linux router builds, I have a question.

Is there one that supports port priorities (e.g. UDP gets priority traffic, then TCP)? FreeSCO doesn't seem to have this option.

- M4H
 

alrox

Member
Nov 17, 2002
175
0
0
Originally posted by: MercenaryForHire
While we're discussing the pros and cons of various appliances/Linux router builds, I have a question.

Is there one that supports port priorities (e.g. UDP gets priority traffic, then TCP)? FreeSCO doesn't seem to have this option.

- M4H

Look into FreeBSD + ipfw weights/queue options.
 

Buddha Bart

Diamond Member
Oct 11, 1999
3,064
0
0
- Can NAT one-to-many (ex. having web servers on different boxes...forward port 80 to all of them)

You mean load balancing? You're not likely to find that for cheap at all in any solid-state/appliance. You can do it with LVS on linux for free.

As for the guys who say dedicate the machine to being a firewall and nothing else, that makes no sense. The firewall rules are applied before any application sees the network traffic, so your gateway machine can be just as protected as the rest as long as you write the rules right. Plus you double your points of failure (separate webserver and firewall machine = either one can crash and your website is down. Your gateway is always gonna be a single point of failure anyway, might as well limit it to that).

bart
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: Buddha Bart
- Can NAT one-to-many (ex. having web servers on different boxes...forward port 80 to all of them)

You mean load balancing? You're not likely to find that for cheap at all in any solid-state/appliance. You can do it with LVS on linux for free.

As for the guys who say dedicate the machine to being a firewall and nothing else, that makes no sense. The firewall rules are applied before any application sees the network traffic, so your gateway machine can be just as protected as the rest as long as you write the rules right. Plus you double your points of failure (separate webserver and firewall machine = either one can crash and your website is down. Your gateway is always gonna be a single point of failure anyway, might as well limit it to that).

bart

You should always split services between machines. If you have your firewall serving HTTP traffic and it gets cracked, your entire network is exposed. If you have a separate machine, only those systems in your DMZ will be unprotected. The more services you run on one machine, the better its chances are of getting cracked. Limit the risk and exposure by splitting up services.
 
MercenaryForHire

Jan 31, 2002
40,819
2
0
Originally posted by: n0cmonkey
You should always split services between machines. If you have your firewall serving HTTP traffic and it gets cracked, your entire network is exposed. If you have a separate machine, only those systems in your DMZ will be unprotected. The more services you run on one machine, the better its chances are of getting cracked. Limit the risk and exposure by splitting up services.

Bingo. A firewall is a firewall. It's not a firewall/web/mail/ftp server. And do you really want someone running with root permissions on your router? "got DoS?" :p

FreeSCO is interesting, in that it can serve as all of them - so I just run it on different machines. One is firewall (and will soon become OpenBSD - thanks alrox!) one is HTTP behind it, one is FTP behind it.

- M4H
 

monckywrench

Senior member
Aug 27, 2000
313
0
0
freesco.info

Pigtail.net LRP

Bootable CF card adapter: http://mydigitaldiscount.com/display_product.cfm?product_id=21

Freesco works nicely booted from a CF card (which are seen as IDE devices; check the above links for info), and if you run a passive heatsink the only moving part in your box can be the PSU fan. I used the LRP utilities and info to prep the CF card and then moved Freesco to it after setting it up on a floppy and testing it.
BTW, CF cards can be Ghosted. If ya put the .gho file on the root directory of a floppy-emulation bootable CD ya can clone or reimage any number of cards, hard disks, etc.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: monckywrench
freesco.info

Pigtail.net LRP

Bootable CF card adapter: http://mydigitaldiscount.com/display_product.cfm?product_id=21

Freesco works nicely booted from a CF card (which are seen as IDE devices; check the above links for info), and if you run a passive heatsink the only moving part in your box can be the PSU fan. I used the LRP utilities and info to prep the CF card and then moved Freesco to it after setting it up on a floppy and testing it.
BTW, CF cards can be Ghosted. If ya put the .gho file on the root directory of a floppy-emulation bootable CD ya can clone or reimage any number of cards, hard disks, etc.

OpenBSD and several Linux distros can easily fit on CF cards too, so they are another option.