February 10, 2005



Starting this month, we’ll do a comparative evaluation of various types of specialty Linux distributions. A specialty distribution differs from a regular one in that it is created to perform one particular function, such as a firewall, a live CD, or a multimedia desktop. As the name suggests, in this issue our focus is on Linux-based firewalls, and we tested four of them. All four are freely downloadable from the Internet, and we’ve even given some of them on our CDs in the past.
Here we compare the four, tested extensively for their capabilities, functions, and vulnerabilities. Before we get into the individual reviews, here’s how we tested them.

How we tested
A firewall should be secure right from the beginning, meaning it should start protecting your network the moment it’s installed and running. This means the firewall should block all incoming ports by default until and unless you open them. That’s why we tested each firewall with its default configuration, to see which is most secure; this also reduces the chance of human error due to mis-configuration. We ran two tests on each firewall: Nessus, a vulnerability assessment tool, and Firewalk, a firewall penetration tool. Besides these, we also kept in mind the ease of installation, configuration, and hardware support provided by each firewall, which are extremely important for any firewall. Surprisingly, all firewalls passed the Firewalk test, but the results from Nessus showed variations. Incidentally, all firewalls had a built-in DHCP server.

Our standard test bed for testing DMZ-based firewalls

Our test bed
We had two types of firewalls: those that supported a DMZ and those that didn’t. Those that supported a DMZ were set up with three network cards, connected to three different networks: internal (the network inside the firewall), external (the outside world, or the Internet) and the DMZ (De-militarized Zone, where all the Internet-facing servers such as Web, mail, etc reside). We then set up another machine with Nessus and Firewalk on the external interface of these firewalls so that we could attack them from the outside. While running the tests, we cross-checked every test result to rule out false alarms. With Nessus, we targeted the external IP address of the firewall, whereas with Firewalk we tried to penetrate the firewall from its external IP to the DMZ (the Web server) and the internal network. For firewalls that didn’t support a DMZ, we set up two interfaces: one for the internal local network and the other for the external network connected to a public network, such as the Internet. The tests were the same, with the difference that Firewalk was used only against the internal network, as there was no DMZ.

Choosing a firewall 
Vulnerability assessment isn’t the only thing to check in a firewall. You also need to consider other factors. For instance, one factor is whether to set up a free firewall at all. If you don’t have good in-house expertise, it’s better to go for a commercial solution in which you’ll also get vendor support. The other factors mostly depend upon what type of network you are trying to protect using a firewall. 

For example, if you have a network of PCs that access the Internet through a proxy server and you want to protect this network, then you should go for a firewall that comes with a good built-in proxy server, and you can safely ignore the DMZ option. This removes the need for separate hardware for a proxy server. But if you have Web servers on your network that are used by others over the Internet, then a DMZ is a must for you.

A very good in-built monitoring tool is available with IPCOP to graphically monitor traffic on each network

On the other hand, if you have multiple offices and want them to connect securely, then you should have a firewall with firewall-to-firewall VPN support. Another factor to keep in mind is hardware support: whether the firewall fits your existing hardware or not. For example, some installable firewalls don’t work on SCSI hard drives and can only work on IDE. Or let’s say you are planning to get a DSL line to connect two of your remote firewalls at two different locations. Then, before getting the firewall, check whether it supports your DSL modem, or even supports DSL at all. Lastly, keep an eye on the update cycle of your firewall and how promptly it provides patches when a new exploit comes out.

IPCOP
IPCOP is a free Linux-based firewall that has all the essential features a firewall should have. Installation and configuration are pretty simple. During installation, it asks you to configure each network interface, and each interface has a color code: Red for the interface connected to the Internet, Green for the interface connected to the local network and Orange for the DMZ. The firewall supports SCSI hard drives and all common network cards available in the market. Not only this, it also supports DSL connections. Its Web interface is pretty neat and self-explanatory. This firewall has an IDS, which protects your network from internal hacking attempts. The default configuration allows the internal network to access the external (Internet) network, but it knocks out requests or hacking attempts from the Internet to the internal network. You can configure it for a VPN, so that only authorized users can access the internal network. If you want the outside world to access a particular Web, FTP or mail server sitting on your internal network, you can configure DMZ pin-holing to give access to it. Running Nessus on IPCOP gave zero vulnerabilities, and it also passed the Firewalk test. Overall we found this firewall a good solution for organizations, as it came out the best amongst all we tested.

A text-based installation and configuration makes Euronode difficult to use

CensorNet
This is not really a full-fledged firewall, but more of a content filtering solution, which monitors and controls users on the local network accessing the Internet. It has a simple built-in firewall, but the good thing is that you can add a third-party firewall to it, such as SmoothWall. It supports SCSI drives and installs without any hardware detection issues.

It has both a Web-based and a command line interface for configuration. Its Web interface gives you very good reports with graphs and visuals. Being a proxy server as well, it also offers Web caching. You can configure CensorNet to authenticate users against a Windows Domain or Windows 2000 ADS (Active Directory Services). CensorNet has a very good system maintenance option, which lets you probe the network and update its database of workstations and users. The tests on its default installation gave us a high risk security warning, ‘Vulnerability found on port general/udp’. This means it is possible to by-pass the rules of the remote firewall by sending UDP packets with a source port equal to 53. An attacker may use this flaw to inject UDP packets into the remote hosts, in spite of the presence of a firewall. So, this is a good choice as a proxy or Web-monitoring solution, and it can become a good overall solution if combined with another firewall. Its own firewall is fairly basic compared to the others.
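As an added example (not code from the article or from CensorNet), here is a small POSIX shell audit that reads an iptables-save style ruleset and flags the two things this review cares about: a built-in chain whose default policy is not DROP, and an ACCEPT rule that trusts a packet on its source port alone, which is the UDP source-port-53 bypass Nessus reported above. Both rulesets are constructed for the example; the hardened one accepts DNS replies only as part of a connection the firewall has already tracked.

```shell
# Added example, not code from the article or any reviewed distribution.
# Audits an iptables-save style ruleset for a default-deny policy on the
# built-in chains and for the CensorNet finding: an ACCEPT keyed only on a
# source port such as UDP 53, which lets outsiders push packets through by
# forging "DNS replies". Both rulesets below are constructed for this example.
# Weak: default-deny, but replies are trusted on source port alone.
WEAK_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -p udp --sport 53 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Hardened: only replies to flows already seen leaving the LAN (eth1) pass.
FIXED_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Number of ACCEPT rules matching on --sport with no conntrack state match.
count_stateless_sport_accepts() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            -A*--sport*-j?ACCEPT*)
                case "$line" in
                    *--state*|*--ctstate*) ;;   # stateful: acceptable
                    *) n=$((n + 1)) ;;
                esac ;;
        esac
    done <<EOF
$1
EOF
    echo "$n"
}

# Number of built-in chains whose default policy is ACCEPT rather than DROP.
count_open_policies() {
    printf '%s\n' "$1" | grep -c '^:[A-Z]* ACCEPT' || true
}

# Prints PASS when both checks are clean, FAIL otherwise.
audit_ruleset() {
    [ "$(count_stateless_sport_accepts "$1")" -eq 0 ] &&
        [ "$(count_open_policies "$1")" -eq 0 ] && echo PASS || echo FAIL
}

audit_ruleset "$WEAK_RULES"; audit_ruleset "$FIXED_RULES"   # FAIL, then PASS
```

On a real box the same functions can be fed the output of `iptables-save` to check a freshly installed firewall before it is put in front of a network.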

CensorNet home page showing the firewall summary. With this you will never miss out on any important information

Euronode
Euronode took the least time to install compared to the other firewalls. It’s a free Debian-based distribution, but it loses out on ease of set up. The firewall asks for all your network settings before the installation process and sets the given settings as defaults. Then, to configure it, you have to run scripts to set up the firewall. Euronode supports a wide range of DSL hardware, so you can connect your cable and USB DSL modems directly to it. It has a built-in proxy that can be set in transparent mode, which eliminates the hassle of users having to make proxy settings in their Web browsers. On the protection front, the firewall uses netfilter and a few scripts to create a basic firewall. Apart from basic firewall protection, it also has Clam AV to protect the network from virus attacks. Not only that, you can also configure it as a mail server using the Postfix mail server. To protect this mail server, you need to configure amavis (antivirus) and SpamAssassin (anti-spam) as well. All the mentioned packages get installed automatically, but to configure them you have to run the scripts given in /etc/euronode/scripts. It doesn’t have DMZ or VPN support, but on the performance front Euronode did very well, with zero vulnerabilities reported by Nessus. So if you need a quick firewall set up, try this one.

Devil-Linux 
This is another free Linux-based firewall, which can also act as a router. Its installation is easy, but you have to configure a lot of parameters during installation. Being a CD-based firewall, it asks you to save the settings on a floppy disk, so if the firewall is rebooted, its settings remain intact on the floppy. It also has support for a DSL router, so you can connect the firewall directly to it. Among other features, it has VPN support, and you can also configure an SMTP/POP3/IMAP4 server with a spam filter and virus scanner on it. These packages don’t come installed with the firewall, so you have to install and configure them separately. Installing additional modules and configuring the firewall can be done through the server console itself, and it’s very easy to use. The default firewall setup has a standard firewall script with IP-Masquerading/NAT that protects your network from network attacks. One good feature of Devil-Linux is that it was the only firewall to come with VLAN support, which helps you create virtual networks on a single physical network.

Specification Table

Feature              | Devil-Linux                             | IPCOP       | CensorNet                               | Euronode
---------------------|-----------------------------------------|-------------|-----------------------------------------|------------
VLAN                 | Yes                                     | No          | No                                      | No
DSL                  | Yes                                     | Yes         | No                                      | Yes
VPN                  | Yes                                     | Yes         | No                                      | No
DMZ Interface        | Yes                                     | Yes         | No                                      | No
SSH                  | Yes                                     | Yes         | No                                      | Yes
Web-Interface        | No                                      | Yes         | Yes                                     | No
IDS                  | Yes                                     | Yes         | No                                      | Yes
Virus Protection     | Yes                                     | No          | No                                      | Yes
SCSI Support         | Yes                                     | Yes         | Yes                                     | No
Traffic Shaping      | No                                      | Yes         | Yes                                     | No
Live CD/HDD Install  | Live CD                                 | Installable | Installable                             | Installable
Logs and Reports     | Bad                                     | Good        | Very Good                               | Very Good
Ease of Installation | OK                                      | Easy        | OK                                      | Difficult
Ease of config       | OK                                      | Easy        | Easy                                    | OK
Nessus Result        | One security hole, one security warning | Passed      | One security hole, one security warning | Passed
Firewalk result      | Passed                                  | Passed      | Passed                                  | Passed

A menu-driven configuration tool is quite modular and makes it pretty easy to work on

In our tests, Devil-Linux did not do very well though, as it gave a high risk vulnerability warning, ‘Vulnerability found on port general/icmp’, which means that the remote host is vulnerable to an ‘Etherleak’: the remote Ethernet driver is leaking bits of memory content to the remote operating system.

Note that an attacker may take advantage of this flaw only when the target is on the same physical subnet. Overall, it would be a good choice for organizations, provided you patch this vulnerability. Thankfully, Nessus tells you which patch to use.

Anindya Roy and Sanjay Majumder
