
Your Own Firewall


When it comes to implementing a firewall, there are a number of choices available. Depending on your budget, you could buy a hardware- or software-based firewall, or even build one on your own. The latter can be done using open-source software, and mainly depends on the skill set available in-house. That’s exactly what we did in PCQ Labs. Before we talk about it, let’s get a couple of issues out of the way first. 


The most commonly debated point about firewalls is whether to deploy a hardware device or a software-based one. There are advantages and disadvantages to both that can be argued till you are blue in the face. To cut a long story short, even the hardware devices run software; in some cases it is highly optimized and embedded, in others the box is nothing but a small-footprint PC with a hard disk or Compact Flash card inside. An extremely important issue is the availability of updates and patches for a hardware firewall when vulnerabilities are found. After talking to some users of hardware-based firewalls, we found that keeping them patched and updated was quite a problem, especially with vendors not releasing timely patches and updates.

Firewall appliances
When putting in a firewall you have a number of options. One, you could buy a barebones firewall box and put your own firewall distro on it; various models from Lanner Electronics, along with their prices, are listed in the table below. The disadvantage is that you are then responsible for updating and maintaining the firewall yourself. Alternatively, you could buy a ready-made firewall built on these boxes from one of several vendors. Details of these vendors are given below.

Lanner Electronics, Mumbai. Tel: 26652065/4108. E-mail: anurag@lannerinc.com
Gajshield, Mumbai. Tel: 3092527, 3021191. E-mail: sales@gajshield.com. Price: Rs 60,000-Rs 11 lakh
Primus, Delhi. Tel: 23737270. E-mail: rrao@primus-direct.com. Price: Rs 50,000-Rs 75,000 (Rs 10,000 extra for monthly maintenance and support)
Inventum, Delhi. Tel: 55650222. E-mail: sachin@inventum.cc. Price: Rs 30,000-Rs 3 lakh
Daybegins, Bangalore. Tel: 6622283. E-mail: bhatta@daybegins.com. Price: Rs 70,000-Rs 1.5 lakh
Convergent, Bangalore. Tel: 6612973. E-mail: mktg@convergentindia.com. Price: Rs 2 lakh-Rs 10 lakh
Realtime, Bangalore. Tel: 5599366, 5065019. E-mail: nat@rttsindia.com. Price: Rs 75,000-Rs 5 lakh
Apara, Bangalore. Tel: 5201381, 5201382. E-mail: valerian@apara.com. Price: Rs 1.5 lakh-Rs 15 lakh
Linuxense, Trivandrum. Tel: 2324341. E-mail: anil@linuxense.com. Price: Rs 1.5 lakh-Rs 5 lakh

Software-based firewalls, on the other hand, normally run on regular PCs, in many cases rather old ones (486 and above), and the choices are several. There are many specialized firewall and router distros in the open-source world: you can choose one of those or go out and make your own. Commercial software is also available for those who wish to spend money.


At PCQ Labs we tried two different distros: one that we built ourselves and a ready-made one that we only customized. Both worked very well. Why did we roll our own? We don't believe in reinventing the wheel, but when it comes to firewalls, unless you know every component that has gone in you are never quite sure. We used our favorite distro, PCQ-Linux 8, as the base and built the system from the ground up, adding components as and when needed. Making your own distro is not really that difficult and was discussed some time back in one of the Linux specials. Having decided on PCQ-Linux 8, the next step was to select the software to be installed. This is probably the longest part of making your distro, but we chose a minimal configuration with just enough programs to get the essentials working: Netfilter, some security tools, monitoring tools such as MRTG and iptraf, a packet sniffer, and whatever else is required to let the system run. No compilers and no non-essential user-space programs were installed, which keeps the installation small and leaves an intruder who does get in with fewer tools to work with.

In fact, using one of the standard ready-made firewall or router distros you can reduce the size to a single floppy or, better still, to a CD-ROM based distro. That is the safest firewall, since nothing on it is writable: if an intruder gets in, he cannot change anything that survives a reboot, and a reboot returns the box to a known state. Anything he alters in memory, including the running rule set, lasts only until then, so you still need to watch the logs.

Configuring the firewall



Next comes the fun part: configuring your firewall. We used the iptables-tutorial as the basis for our rule set, though there are choices here as well, Shorewall being a leader among the front ends that generate iptables rules for you. The iptables tutorial can be found at

http://iptables-tutorial.frozentux.net/


Standard configuration guidelines apply. Install your system, follow the recommended hardening procedures, disable all unnecessary services, and only then start building your firewall rules, with a default policy of dropping anything you have not explicitly allowed. For those not comfortable with the command line, you could consider installing Webmin to configure the firewall; if you do, bind it to the internal interface only, since it is one more network service exposed on the box. Do not install the X Window System. It is unnecessary on a firewall machine.
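As an added example (not the PCQ Labs rule set, which the article does not reproduce), here is a shell script that generates a complete ruleset in iptables-restore format for a box with three NICs labelled LAN, DMZ and WAN: default-DROP policies on INPUT and FORWARD, anti-spoofing drops on the WAN side, NAT for the internal networks, a published web server in the DMZ, and a rule that the DMZ may never initiate connections into the LAN. The interface names eth0/eth1/eth2, the address ranges and the DMZ host address are assumptions; change them to match your box. Generating a file rather than running iptables commands one at a time means the rule set can be written and checked on a separate PC, copied to the firewall, and loaded atomically.

```shell
#!/bin/sh
# Added example, not the article's own configuration. Interface names and
# addresses below are assumptions for a LAN/DMZ/WAN box; adjust to taste.
WAN=eth0
LAN=eth1
DMZ=eth2
LAN_NET=192.168.1.0/24      # assumed internal network
DMZ_NET=192.168.2.0/24      # assumed DMZ network
DMZ_WEB=192.168.2.10        # assumed web server in the DMZ

# Print a complete ruleset in iptables-restore(8) format. Lines starting
# with '#' are ignored by iptables-restore, so the comments ship with the file.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Publish the DMZ web server on the WAN address; hide LAN and DMZ behind it
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $WAN -s $DMZ_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Packets arriving on the WAN with one of our private source addresses are spoofed
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A INPUT -i $WAN -s $DMZ_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
# Replies to connections already tracked by conntrack
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Manage the box over SSH from the LAN only; rate-limited ping for diagnostics
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# NEW flows we allow through: LAN to anywhere, WAN to the published web server
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
# The DMZ may reach the Internet but must never initiate into the LAN
-A FORWARD -i $DMZ -o $LAN -m state --state NEW -j LOG --log-prefix "DMZ-to-LAN "
-A FORWARD -i $DMZ -o $LAN -j DROP
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -m state --state NEW -j ACCEPT
# Log what falls through before the default DROP policy eats it
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT drop "
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FORWARD drop "
COMMIT
EOF
}

# Sanity check for the staging PC: both filter chains we rely on must default
# to DROP, and no rule may ACCEPT connections initiated from the DMZ into the
# LAN. Returns 0 when the generated ruleset passes, 1 otherwise.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -- "-i $DMZ -o $LAN" | grep -q -- '-j ACCEPT' && return 1
    return 0
}

# Usage: sh fw-rules.sh print > fw.rules   (then, on the firewall, as root:
#        iptables-restore < fw.rules)
if [ "${1:-}" = "print" ]; then
    check_rules || { echo "ruleset failed sanity check" >&2; exit 1; }
    gen_rules
fi
```

The `-m state` match is the one the iptables-tutorial of the time describes; on current kernels `-m conntrack --ctstate` is the preferred spelling and accepts the same state names. The anti-spoofing drops sit before the ESTABLISHED,RELATED accept on purpose, so a forged packet cannot ride an existing conntrack entry.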

Firewalls from Lanner Electronics

Model | Minimal configuration | Price (Rs) | Barebone price (Rs) | Ethernet ports | Gigabit Ethernet | Serial | Compact Flash | Form factor | Special features
FW-7650A-B | P4 2.4 GHz, 1 GB DDR RAM, 20 GB HDD, P4 slim fan | 88,500 | 62,000 | 4 | 2 | 1 | Up to 512 MB | 1U rackmount | LCM support
FW-6750C-B | 1 GHz, 128 MB RAM, 20 GB HDD, P3 slim fan | 67,300 | 55,000 | 4 | 1 | 1 | Up to 512 MB | 1U rackmount | LCM support
FW-6650A-B | 1 GHz, 128 MB RAM, 20 GB HDD, P3 slim fan | 52,600 | 34,700 | 6 | 0 | 1 | Up to 512 MB | 1U rackmount | LCM support
FW-6450 | 1.26 GHz, 128 MB RAM, 40 GB HDD, P3 slim fan | 62,600 | 43,000 | 4 | 0 | 2 | Up to 512 MB | 1U rackmount | Intel LAN ports
FW-2100 | 1 GHz, 128 MB RAM, 40 GB HDD, riser card, slim fan | 47,000 | 33,500 | 3 | 0 | 2 | NA | 1U rackmount | On-board VGA
FW-6410 | 128 MB SODIMM RAM | 32,000 | 25,000 | 4 | 0 | 1 | Up to 512 MB | Slim desktop | Low-power CPU, external power adapter
500ME | 20 GB slim HDD, 32 MB DOM, 64 MB RAM | 28,000-29,500 | 22,000 | 3 | 0 | 1 | No | Desktop | External power adapter, on-board CPU and RAM
FW-3500 | - | - | 12,000 | 2 | 0 | 1 | 16 MB NAND on-board flash | Slim desktop | Low-cost, RISC-based CPU

Where to put it



Putting all this on a standard PC was no problem at all, but we also wanted to see what else might be available. This is where we came across devices that are basically PCs with an extremely flexible or small footprint. From the outside they look just like appliances, but when you open them up you find a PC motherboard, connectors for a keyboard, monitor and mouse, USB ports, and a hard disk or Compact Flash card inside. We got a couple of models from Lanner Electronics (see table) and replaced the hard disk in one of them with our own. It worked like a charm. One minor issue was the labeling at the back of the device: it had three network cards marked LAN, DMZ and WAN, and we had to change our interface settings to match the labels, but apart from that nothing else was required. We had a firewall device up and running in a matter of minutes. We even tried the IPCop firewall distro that we'd given out last month, and that too worked like a charm. The advantage here is the form factor: a headless device that fits in a standard 19" rack is much better suited to the job than a full-blown PC.

To maintain the firewall, we kept another PC with the complete image; any further development, changes or updates are made there first, tested, and only then moved onto the firewall device. This is much better than installing a compiler on the firewall itself, which is more likely to cause problems later than to help.

Kishore Bhargava
