When it comes to implementing a firewall, there are a number of choices available. Depending on your budget, you could buy a hardware- or software-based firewall, or even build one on your own. The latter can be done using open-source software, and mainly depends on the skill set available in-house. That’s exactly what we did in PCQ Labs. Before we talk about it, let’s get a couple of issues out of the way first.
The most commonly debated point about a firewall is whether to deploy a hardware device or a software-based one. There are advantages and disadvantages to both that can be argued till you are blue in the face. But to cut a long story short, even the hardware devices have software on them; in some cases it is very highly optimized and embedded, and in other cases it is nothing but a small-footprint PC with a hard disk or compact flash inside. An extremely important issue is the availability of updates and patches for the hardware firewall in case vulnerabilities are found. After talking to some users of hardware-based firewalls, we found that maintaining them and keeping them patched and updated was quite a problem, especially with vendors not releasing timely patches and updates.
Table: Firewall appliances
On the other hand, software-based firewalls normally run on regular PCs, in many cases rather old ones (486 and above), and there are several choices. Many specialized firewall and router distros are available in the open-source world; you can either choose one of those, or actually go out and make your own. There is commercial software available too for those who wish to spend money.
At PCQ Labs we tried two different distros: one that we had built ourselves and another that was ready-made and that we only customized. Both worked very well. Why did we roll our own distro? Well, we don’t believe in re-inventing the wheel, but when it comes to firewalls, somehow unless you know every component that has gone in, you are just never sure. We used our favorite distro, PCQ-Linux 8, as the base and built it from the ground up, adding components as and when needed. Making your own distro is not really that difficult and was discussed some time back in one of the Linux specials. Having decided to use PCQ-Linux 8, the next step was to select the software to be installed. This is probably the longest procedure in making your distro, but we chose a minimal configuration with just enough programs to get the essentials working. The essentials in this case were Netfilter, some security tools, monitoring tools like MRTG, iptraf and a packet sniffer, and whatever else is required to let the system run. No compilers and no general user-space programs were installed, keeping the size of the installation small.
In fact, using one of the standard ready-made firewall or router distros you can reduce the size to a single floppy or, better still, to a CD-ROM-based distro. That would be the safest firewall, with nothing writeable available: if an intruder gets in, he can’t really change a thing.
Configuring the firewall
Next comes the fun part: configuring your firewall. We used the iptables-tutorial as a basis for the firewall, though there are choices here as well, with Shorewall being a leader. The iptables tutorial can be found at http://iptables-tutorial.frozentux.net/.
Standard configuration guidelines apply. Install your system, follow the recommended hardening procedures, disable all unnecessary services and then start building your firewall rules. For those who are not comfortable with the command line, you could consider installing Webmin for configuring the firewall, but do not install the X Window System; it is unnecessary on a firewall machine.
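The following script is an added example of the kind of default-deny Netfilter ruleset the paragraph above tells you to build; it is not the ruleset PCQ Labs used and is not taken from the iptables-tutorial. It assumes a three-interface box with eth0 on the LAN, eth1 on the DMZ and eth2 on the WAN (a constructed mapping; adjust the variables at the top to match your own device), and uses constructed private addresses for the LAN, DMZ and a DMZ web server. Setting IPT=echo prints the rules instead of applying them, so you can review the policy on a staging machine before it ever touches the firewall.

```shell
#!/bin/sh
# Three-zone Netfilter firewall skeleton: added example, not PCQ Labs' own ruleset.
# Assumed interface-to-zone mapping (constructed; change to match the labels on your device).
LAN_IF=${LAN_IF:-eth0}
DMZ_IF=${DMZ_IF:-eth1}
WAN_IF=${WAN_IF:-eth2}
# Constructed sample networks and the single DMZ host exposed to the Internet.
LAN_NET=${LAN_NET:-192.168.1.0/24}
DMZ_NET=${DMZ_NET:-192.168.2.0/24}
DMZ_WEB=${DMZ_WEB:-192.168.2.10}
# IPT=echo turns every rule into a printed line for review (dry run); default is the real binary.
IPT=${IPT:-iptables}

build_rules() {
    # Flush everything and default-deny all three chains: whatever is not listed below is dropped.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback, plus replies to connections the firewall or its clients already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: a packet arriving on the WAN side can never legitimately carry an internal source.
    $IPT -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A INPUT -i "$WAN_IF" -s "$DMZ_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -s "$DMZ_NET" -j DROP

    # Management access to the firewall itself: SSH from the LAN only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # The firewall may resolve names and fetch updates; nothing else leaves the box.
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT

    # Zone policy: LAN may open connections to the WAN and the DMZ; the DMZ never initiates to the LAN.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # The Internet reaches exactly one DMZ host on exactly one port.
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$DMZ_WEB" --dport 80 -m state --state NEW -j ACCEPT

    # NAT: hide the LAN behind the WAN address and publish the DMZ web server.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB"

    # Log what the default policy is about to drop, rate-limited so an attacker cannot flood the log.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
}

# dry_run prints the rules that build_rules would apply, one per line.
dry_run() {
    ( IPT=echo; build_rules )
}

# count_rules returns how many iptables invocations the ruleset makes (a quick sanity check).
count_rules() {
    dry_run | wc -l | tr -d ' '
}

# Only touch the live kernel tables when explicitly asked: FW_APPLY=yes sh firewall.sh
if [ "${FW_APPLY:-no}" = "yes" ]; then
    build_rules
else
    dry_run
fi
```

Run it as is to review the generated rules; run it with FW_APPLY=yes on the firewall box to load them. The point of the layout is that every permitted flow is a single, readable line, and anything a reviewer cannot find in the list is dropped and logged.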
Where to put it
Putting all this on a standard PC was no problem at all, but we also wanted to test out what else might be available. This is where we came across devices that are basically PCs but with an extremely flexible, small-footprint form. From the outside they look just like appliances, but when you open them up you find a PC motherboard, connectors for a keyboard, monitor and mouse, USB connectors and a hard disk or compact flash inside. We got a couple of models from Lanner Electronics (see table) and decided to replace the hard disk in one of them with our own. It worked like a charm. One minor issue was the labeling at the back of the device: it had three network cards marked LAN, DMZ and WAN, and we had to change our internal settings to match the labels, but apart from that nothing else was required. We had a firewall device up and running in a matter of minutes. We even tried the IPCop firewall distro that we’d given last month, and that too worked like a charm. The advantage here is the form factor: a headless device that fits in a standard 19” rack is much better suited to the job than a full-blown PC.
To maintain the firewall, we kept another PC with the complete image; any further development, changes or updates are first made there and then moved onto the firewall device. This is much better than installing a compiler on the firewall itself, which may later cause problems rather than help.
Kishore Bhargava