Software-based firewall recommendation?

Brazen

Diamond Member
Jul 14, 2000
We would like something with content filtering, ipsec/l2tp VPN, Intrusion Prevention, and maybe even some virus scanning.

I've played around with general purpose linux distros before, and set up Fedora Core 3 as a firewall/router no problem, but I get stuck at setting up snort with inline protection.

Now I'm looking at tailor-made firewall distros - SmoothWALL and RedWALL, but SmoothWALL is crippled unless you pay for it so that leaves RedWALL. I can't find any real documentation on RedWALL though and I can't get it to a web interface to set up things like snort and dansguardian.

So, I'm wondering what other people suggest as an intuitive, powerful, and free software firewall (I'm not demanding, what?).

Now the reason we want a software solution is because I would like to put this on a box with gig ethernet cards, and firewall off our servers from the rest of the network and get close to a gig throughput. If anyone has thoughts on this also, share them.
 

n0cmonkey

Elite Member
Jun 10, 2001
Not tailor made, but OpenBSD has the best Free firewall software out there. There is a snort2pf app to get snort working inline (although I think that's a horrid idea). The documentation is good enough that you'll wonder why you don't demand that from payware.
 

Brazen

Diamond Member
Jul 14, 2000
You think snort inline is a horrid idea? I don't get why?

edit: or you meant using snort2pf is a bad way of getting snort to work inline?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Brazen
You think snort inline is a horrid idea? I don't get why?

I haven't seen any favorable reports for IPSes. When I looked at them there was a big fear of DoSing a system by spoofing traffic from one of the servers to trigger the IPS. The IPS gets fooled into blocking the system it's supposed to protect. Ick.
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: n0cmonkey
Originally posted by: Brazen
You think snort inline is a horrid idea? I don't get why?

I haven't seen any favorable reports for IPSes. When I looked at them there was a big fear of DoSing a system by spoofing traffic from one of the servers to trigger the IPS. The IPS gets fooled into blocking the system it's supposed to protect. Ick.

That wasn't Snort. Dung, I can't think of the name of that other IPS.... begins with a "p" I think. I know what you are referring to though, and Snort is so popular precisely because it overcomes those problems.
 

Googer

Lifer
Nov 11, 2004
I am using Sygate and like it much more than Zone Alarm, but neither of those are open source. But maybe I should consider looking for one since it's something I have not considered.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Brazen
Originally posted by: n0cmonkey
Originally posted by: Brazen
You think snort inline is a horrid idea? I don't get why?

I haven't seen any favorable reports for IPSes. When I looked at them there was a big fear of DoSing a system by spoofing traffic from one of the servers to trigger the IPS. The IPS gets fooled into blocking the system it's supposed to protect. Ick.

That wasn't Snort. Dung, I can't think of the name of that other IPS.... begins with a "p" I think. I know what you are referring to though, and Snort is so popular precisely because it overcomes those problems.

What's the best solution? It isn't a 'white list.'

Maybe inline Snort just kills that particular connection, I can't remember. It's been a while. I just think the best security device the security team will have happens to be people.
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: n0cmonkey
Originally posted by: Brazen
Originally posted by: n0cmonkey
Originally posted by: Brazen
You think snort inline is a horrid idea? I don't get why?

I haven't seen any favorable reports for IPSes. When I looked at them there was a big fear of DoSing a system by spoofing traffic from one of the servers to trigger the IPS. The IPS gets fooled into blocking the system it's supposed to protect. Ick.

That wasn't Snort. Dung, I can't think of the name of that other IPS.... begins with a "p" I think. I know what you are referring to though, and Snort is so popular precisely because it overcomes those problems.

What's the best solution? It isn't a 'white list.'

Maybe inline Snort just kills that particular connection, I can't remember. It's been a while. I just think the best security device the security team will have happens to be people.

Yes, well, we are short on people, and I don't have time to check log files every minute. So I want something automated.
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: Googer
I am using Sygate and like it much more than Zone Alarm, but neither of those are open source. But maybe I should consider looking for one since it's something I have not considered.

Isn't Sygate a personal firewall? I'm looking for something to run on its own box and protect the network behind it. I suppose I could use something like Sygate or Zone Alarm along with Windows ICS, but that doesn't seem like a good idea.
 

Nothinman

Elite Member
Sep 14, 2001
Yes, well, we are short on people, and I don't have time to check log files every minute. So I want something automated.

All you'll end up doing is running around 'fixing' problems created by the automated IPS, I can't imagine that having any sort of automated blocking would be a good idea because it's too easy to exploit/trick.
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: Nothinman
Yes, well, we are short on people, and I don't have time to check log files every minute. So I want something automated.

All you'll end up doing is running around 'fixing' problems created by the automated IPS, I can't imagine that having any sort of automated blocking would be a good idea because it's too easy to exploit/trick.

Well, our firewall and content filter are doing just fine. If IPS is not up to par yet, it will be.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: n0cmonkey
Originally posted by: Brazen
You think snort inline is a horrid idea? I don't get why?

I haven't seen any favorable reports for IPSes. When I looked at them there was a big fear of DoSing a system by spoofing traffic from one of the servers to trigger the IPS. The IPS gets fooled into blocking the system it's supposed to protect. Ick.

Real IPSes get around that. But it is a very valid concern.

Although for freeware, Snort friggin rocks.

-edit- Just like any automated security system it has to be tuned/baselined.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Nothinman
Yea but "freeware" reeks of crappy VB tools with no source available.

word G.

peace out homie. catch ya on the VBO-free side.

west side-eh! Represent mo-fo!

ok, I'm drunk now and am going to bed.

;)
 

Brazen

Diamond Member
Jul 14, 2000
Originally posted by: Nothinman
Yea but "freeware" reeks of crappy VB tools with no source available.

I concur. But then open source is free....and ware...so I guess it fits.
 

Boscoh

Senior member
Jan 23, 2002
OpenBSD. It's probably the most secure, open-source free software out there.

If you're going to be setting up any kind of IDS or IPS, understand that you're going to spend a few weeks tuning it so it doesn't block your boss when they go to surf the web. IDS/IPSes really love to block anything the boss does, and they always seem to know who the boss is.

Might want to put the device in monitor-only mode for a while until you have an idea of what is legit and what should be blocked. Then implement on a weekend and simulate everything that your users do before you leave.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: spidey07
Originally posted by: n0cmonkey
Originally posted by: Brazen
You think snort inline is a horrid idea? I don't get why?

I haven't seen any favorable reports for IPSes. When I looked at them there was a big fear of DoSing a system by spoofing traffic from one of the servers to trigger the IPS. The IPS gets fooled into blocking the system it's supposed to protect. Ick.

Real IPSes get around that. But it is a very valid concern.

Although for freeware, Snort friggin rocks.

-edit- Just like any automated security system it has to be tuned/baselined.

Any clue how they get around that? I looked a while back because I didn't believe these companies would let a problem like that exist, but couldn't find any answers.

Snort's alright. I think Prelude has some major potential. Haven't gotten a chance to play with it yet though...
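As an added example that is not part of the thread (and not anyone's posted configuration), here is one way an OpenBSD pf ruleset can block abusive sources automatically without the failure mode discussed above, where an attacker spoofs a protected server's address so the device blocks the server: `antispoof` discards packets that arrive on the outside interface with an inside source address, `max-src-conn` counts only TCP connections that completed the three-way handshake (which a blind spoofer cannot do), and the protected servers are excluded from the counting rule outright. Interface names, addresses, ports and thresholds are assumptions; adjust them to your network.

```pf
# Added example, not from the thread.  Interface names, addresses, ports
# and thresholds below are assumptions.
ext_if  = "em0"                          # untrusted side
int_if  = "em1"                          # server segment
servers = "{ 192.0.2.10, 192.0.2.11 }"   # hosts being protected

table <protected> { $servers }           # addresses that must never be auto-blocked
table <abusers> persist                  # filled automatically by the overload rule

set skip on lo

# Drop any packet whose source address belongs to a network reachable via a
# different interface.  A packet "from" 192.0.2.10 arriving on $ext_if is
# discarded here before any counting rule ever sees it.
antispoof log quick for { $int_if $ext_if }

# NAIVE (shown for contrast, do not use): state is created on the bare SYN
# and max-src-states counts state entries, so an attacker can fire spoofed
# SYNs with a source address of their choosing and have that address blocked.
# Without antispoof, that address can be one of our own servers.
# block in quick on $ext_if from <abusers>
# pass in on $ext_if proto tcp to $servers port 80 flags S/SA \
#     keep state (max-src-states 50, overload <abusers>)

# HARDENED: never count protected addresses, and count only connections that
# completed the TCP handshake (max-src-conn).  A blind spoofer cannot finish
# the handshake, so only a source that really owns its address can end up in
# <abusers>; "flush" also kills that source's existing states.
block in quick on $ext_if from <abusers>
pass in on $ext_if proto tcp from ! <protected> to $servers port { 22 80 443 } \
    flags S/SA keep state (max-src-conn 100, overload <abusers> flush)
pass out on $int_if proto tcp to $servers keep state
pass out on $ext_if keep state

# Monitor-only phase, as suggested later in this thread: comment out the
# "block in quick on $ext_if from <abusers>" line, run for a while, and see
# who would have been blocked:
#   pfctl -t abusers -T show
# Remove a false positive or age out stale entries (seconds) with:
#   pfctl -t abusers -T delete 198.51.100.7
#   pfctl -t abusers -T expire 86400
```

The hardened rule still blocks a source that misbehaves, it just refuses to take the source address on faith: a counter that only advances after a completed handshake cannot be driven by traffic the attacker did not actually receive replies to, and `antispoof` means the server segment's addresses can never be "seen" coming from outside at all.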
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Boscoh
OpenBSD. It's probably the most secure, open-source free software out there.

If you're going to be setting up any kind of IDS or IPS, understand that you're going to spend a few weeks tuning it so it doesn't block your boss when they go to surf the web. IDS/IPSes really love to block anything the boss does, and they always seem to know who the boss is.

Might want to put the device in monitor-only mode for a while until you have an idea of what is legit and what should be blocked. Then implement on a weekend and simulate everything that your users do before you leave.

I think I read in an email from Martin Roesch that Sourcefire's Snort appliances use OpenBSD. :cool:
 

sourceninja

Diamond Member
Mar 8, 2005
If you liked SmoothWall, check out IPCop; it's a fork of SmoothWall, and open source. It also has features that SmoothWall Pro has.

Personally I use m0n0wall. It's small, BSD based, and fits on a 16 MB flash stick. Plus it has some complex features most personal firewall/routers don't have.
 

w0ss

Senior member
Sep 4, 2003
I am also using m0n0wall. The only thing I need from m0n0wall that it doesn't have is support for dual WAN. Does anyone know any firewall distros that support dual WAN?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: w0ss
I am also using m0n0wall. The only thing I need from m0n0wall that it doesn't have is support for dual WAN. Does anyone know any firewall distros that support dual WAN?

OpenBSD apparently has support for multipath.
 

Brazen

Diamond Member
Jul 14, 2000
m0n0wall and IPCop, yeah, those are the kind of things I'm looking for. I'll check those two out.

Originally posted by: Boscoh
OpenBSD. It's probably the most secure, open-source free software out there.

If you're going to be setting up any kind of IDS or IPS, understand that you're going to spend a few weeks tuning it so it doesn't block your boss when they go to surf the web. IDS/IPSes really love to block anything the boss does, and they always seem to know who the boss is.

Might want to put the device in monitor-only mode for a while until you have an idea of what is legit and what should be blocked. Then implement on a weekend and simulate everything that your users do before you leave.

Right now, my problem is getting Snort to work period on a Fedora Core router I've set up. That's why I'm trying to find a preconfigured system, like RedWALL or m0n0wall.