November 10, 2003

When it comes to implementing a firewall, there are a number of choices available. Depending on your budget, you could buy a hardware- or software-based firewall, or even build one on your own. The latter can be done using open-source software, and mainly depends on the skill set available in-house. That’s exactly what we did in PCQ Labs. Before we talk about it, let’s get a couple of issues out of the way first. 

The most commonly debated point about a firewall is whether to deploy a hardware device or a software-based one. There are advantages and disadvantages to both that can be argued till you are blue in the face. But to cut a long story short, even the hardware devices run software; in some cases it is highly optimized and embedded, in others it is nothing but a small-footprint PC with a hard disk or compact flash inside. An extremely important issue is the availability of updates and patches for a hardware firewall once vulnerabilities are found in it. After talking to some users of hardware-based firewalls, we found that keeping them patched and updated was quite a problem, especially with vendors not releasing timely patches and updates. Whatever you buy, ask how fixes are delivered and how quickly before you sign, because a firewall that cannot be patched is a liability on the perimeter.

Firewall appliances
When putting in a firewall you have a number of options. One, you could buy a barebones firewall box and put your own firewall distro on it; various models from Lanner Electronics along with their prices are given in the table further down. The disadvantage here is that you will be responsible for updating and maintaining the firewall yourself. Alternately, you could buy a ready-made firewall based on these boxes from one of several vendors. Details of these vendors are given below.
Lanner Electronics, Mumbai. Tel: 26652065/4108. E-mail: anurag@lannerinc.com

Gajshield, Mumbai. Tel: 3092527, 3021191. E-mail: sales@gajshield.com
Price: Rs 60,000-Rs 11 lakh

Primus, Delhi. Tel: 23737270. E-mail: rrao@primus-direct.com
Price: Rs 50,000-Rs 75,000 (Rs 10,000 extra for monthly maintenance and support)

Inventum, Delhi. Tel: 55650222. E-mail: sachin@inventum.cc
Price: Rs 30,000-Rs 3 lakh

Daybegins, Bangalore. Tel: 6622283. E-mail: bhatta@daybegins.com
Price: Rs 70,000-Rs 1.5 lakh

Convergent, Bangalore. Tel: 6612973. E-mail: mktg@convergentindia.com
Price: Rs 2 lakh-Rs 10 lakh

Realtime, Bangalore. Tel: 5599366, 5065019. E-mail: nat@rttsindia.com
Price: Rs 75,000-Rs 5 lakh

Apara, Bangalore. Tel: 5201381, 5201382. E-mail: valerian@apara.com
Price: Rs 1.5 lakh-Rs 15 lakh

Linuxense, Trivandrum. Tel: 2324341. E-mail: anil@linuxense.com
Price: Rs 1.5 lakh-Rs 5 lakh

Software-based firewalls, on the other hand, normally run on regular PCs, in many cases rather old ones (a 486 or better will do), and here the choices are many. There are several specialized firewall and router distros available in the open-source world, and you can either pick one of those or go out and build your own. Commercial firewall software is also available for those who wish to spend money.

At PCQ Labs we tried two different distros: one that we had built ourselves and one that was ready-made and that we only customized. Both worked very well. Why did we roll our own distro? We don't believe in re-inventing the wheel, but when it comes to firewalls, unless you know every component that has gone in, you are never quite sure. We used our favorite distro, PCQ-Linux 8, as the base and built it from the ground up, adding components as and when needed. Making your own distro is not really that difficult and was discussed some time back in one of our Linux specials. Having decided on PCQ-Linux 8, the next step was to select the software to be installed. This is probably the longest step in making a distro, but we chose a minimal configuration with just enough programs to get the essentials working. The essentials in this case were Netfilter (kernel support plus the iptables user-space tools), a few security tools, monitoring tools such as MRTG and iptraf, a packet sniffer, and whatever else the system needs to run. No compilers were installed, and no user-space programs beyond those, which kept the installation small and leaves an intruder with fewer tools to build on.

In fact, using one of the ready-made firewall or router distros, you can shrink the installation to a single floppy or, better still, to a CD-ROM based distro. That is about the safest you can get: with no writeable media on the box, an intruder who gets in cannot make a change that survives a reboot. It does not prevent the break-in itself, and changes made in memory last until the next reboot, so the kernel and services still have to be kept patched.

Configuring the firewall
Next comes the fun part: configuring your firewall. We used the iptables-tutorial as the basis for our ruleset, though there are choices here as well, with Shorewall being a leader among the rule-generating front ends. The iptables tutorial can be found at http://iptables-tutorial.frozentux.net/

Standard configuration guidelines apply. Install the system, follow the recommended hardening procedures, disable every service you do not need, and only then start building your firewall rules. Those who are not comfortable with the command line could consider installing Webmin to configure the firewall; if you do, bind it to the internal interface only, since it is one more service listening on the firewall itself. Do not install the X Window System; it is unnecessary on a firewall machine.
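One way to write the rules once the system is hardened, as an added example that is neither the article's own ruleset nor taken from the iptables-tutorial: a stateful policy for a box with LAN, DMZ and WAN interfaces, emitted as an iptables-restore file so it can be read and diffed on the staging PC before it is loaded. The interface names (eth0, eth1, eth2), the address ranges and the DMZ web server address are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not the article's ruleset): a stateful netfilter policy for
# a three-interface box. Interface names and addresses are assumptions that
# follow the LAN / DMZ / WAN labels printed on the appliance.
LAN=eth0                 # assumption: port labelled LAN
DMZ=eth1                 # assumption: port labelled DMZ
WAN=eth2                 # assumption: port labelled WAN
LAN_NET=192.168.1.0/24   # constructed private range for the LAN
DMZ_NET=192.168.2.0/24   # constructed private range for the DMZ
DMZ_WEB=192.168.2.10     # constructed address of the public web server

# Emit the whole policy in iptables-restore format. Producing text first means
# the ruleset can be reviewed, diffed against the copy on the staging PC and
# loaded atomically, instead of being built up rule by rule on the live box.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ web server; the filter table still has to permit the flow.
-A PREROUTING -i $WAN -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
# Hide LAN and DMZ addresses behind the WAN address on the way out.
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: private source addresses never arrive legitimately on WAN.
-A INPUT -i $WAN -s $LAN_NET -j DROP
-A INPUT -i $WAN -s $DMZ_NET -j DROP
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
# Stateful core: packets belonging to a known connection are let through.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management (SSH) and ping only from the LAN side; nothing listens on WAN.
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
# LAN may initiate anywhere; WAN may only reach the published web port.
-A FORWARD -i $LAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
# The DMZ host may resolve names but must never open connections into the LAN.
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -p udp --dport 53 -j ACCEPT
-A FORWARD -i $DMZ -o $LAN -j DROP
COMMIT
EOF
}

# Static check run before loading: default policies must be DROP and no
# INPUT rule may accept traffic that arrives on the WAN interface itself.
lint_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q '^:INPUT DROP'   || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    if echo "$rules" | grep -- "^-A INPUT -i $WAN " | grep -q -- '-j ACCEPT'; then
        echo "lint: policy accepts new traffic on $WAN" >&2
        return 1
    fi
    return 0
}

# With APPLY=1 the lint gate must pass before iptables-restore swaps in the
# new tables; otherwise the ruleset is only printed for review.
if [ "${APPLY:-0}" = "1" ]; then
    lint_rules && gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it once without APPLY to capture the generated file (`sh fw.sh > rules.v4`), review it on the staging machine, and only then run it with `APPLY=1` on the firewall. Keeping the policy as a generated file is what makes the staging-PC workflow described later in this article practical: the file is the thing you copy across, not a history of hand-typed commands.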

Firewalls from Lanner Electronics (prices in Rs)

Model       | Minimal configuration                                  | Price (min. config) | Barebone price | Ethernet ports | Gigabit Ethernet | Serial | Compact Flash           | Form factor   | Special features
------------|--------------------------------------------------------|---------------------|----------------|----------------|------------------|--------|-------------------------|---------------|-----------------------------------------
FW-7650A-B  | P4 2.4 GHz, 1 GB DDR RAM, 20 GB HDD, P4 slim fan       | 88,500              | 62,000         | 4              | 2                | 1      | Up to 512 MB            | 1U rackmount  | LCM support
FW-6750C-B  | 1 GHz, 128 MB RAM, 20 GB HDD, P3 slim fan              | 67,300              | 55,000         | 4              | 1                | 1      | Up to 512 MB            | 1U rackmount  | LCM support
FW-6650A-B  | 1 GHz, 128 MB RAM, 20 GB HDD, P3 slim fan              | 52,600              | 34,700         | 6              | 0                | 1      | Up to 512 MB            | 1U rackmount  | LCM support
FW-6450     | 1.26 GHz, 128 MB RAM, 40 GB HDD, P3 slim fan           | 62,600              | 43,000         | 4              | 0                | 2      | Up to 512 MB            | 1U rackmount  | Intel LAN ports
FW-2100     | 1 GHz, 128 MB RAM, 40 GB HDD, riser card, slim fan     | 47,000              | 33,500         | 3              | 0                | 2      | NA                      | 1U rackmount  | On-board VGA
FW-6410     | 128 MB SODIMM RAM                                      | 32,000              | 25,000         | 4              | 0                | 1      | Up to 512 MB            | Slim desktop  | Low-power CPU, external power adapter
500ME       | 20 GB slim HDD, 32 MB DOM, 64 MB RAM                   | 28,000 to 29,500    | 22,000         | 3              | 0                | 1      | No                      | Desktop       | External power adapter, on-board CPU and RAM
FW-3500     |                                                        |                     | 12,000         | 2              | 0                | 1      | 16 MB NAND on-board flash | Slim desktop  | Low-cost RISC-based CPU

Where to put it
Putting all this on a standard PC was no problem at all, but we also wanted to see what else might be available. This is where we came across devices that are basically PCs in a very small or flexible footprint. From the outside they look like appliances, but when you open them up you find a PC motherboard, connectors for a keyboard, monitor and mouse, USB ports, and a hard disk or compact flash inside. We got a couple of models from Lanner Electronics (see table) and replaced the hard disk in one of them with our own. It worked like a charm. The one minor issue was the labeling at the back of the device: it had three network ports marked LAN, DMZ and WAN, so we had to change our interface assignments to match the labels (getting this wrong would have put the firewall's inside on the outside), but apart from that nothing else was required. We had a firewall device up and running in a matter of minutes. We also tried the IPCop firewall distro that we gave out last month, and that too worked like a charm. The advantage here is the form factor: a headless device that fits in a standard 19" rack is much better suited to the job than a full-blown PC.

To maintain the firewall, we kept a second PC holding the complete image. Any further development, changes or updates are first made and tested there, and only then moved onto the firewall device. That is much better than installing a compiler on the firewall itself, which is more likely to cause problems later (it is exactly the tool an intruder would want to find) than to help.

Kishore Bhargava
