Protect one of your most valuable assets—your small business network—with an open source firewall. We look at five of the best small business open source firewalls available.
The Internet is a big, scary place, and so we must protect our small business networks with strong, reliable firewalls. Firewalls can range from a simple gadget that keeps bad data packets out of networks to sophisticated multi-function gateways.
Open source operating systems like Linux, FreeBSD, and OpenBSD include tons of built-in networking and security features. That makes them natural platforms for building security products, and most commercial firewalls are built on one of them. You have a multitude of choices: from tiny embedded systems for broadband wireless routers, to giant enterprise firewalls with all the bells-and-whistles—from free community support to paid commercial support.
If you’re not an Internet service provider, you don’t need big, expensive Cisco or Juniper gear. Look for open source-based products; they’re proven, and you’ll save money. Let’s take a look at a sampling of the many fine small business open source firewalls available today.
The Endian firewall offers a range of products—from a free community edition to hardware appliances for various workloads. The Endian UTM Mini 25—a nice deal at $995—supports 5-25 people, though it could certainly support more users for basic tasks like email, Web surfing, and VPNs. This firewall comes in a compact, power-saving unit with four Gigabit Ethernet ports, two USB ports, 2GB RAM, and 8GB storage. You can choose from several other hardware appliances for bigger workloads.
The Endian software—a complete Linux distribution—is hardened for security work: firewall, intrusion prevention and detection, anti-virus and anti-spam, VPN and secure remote access, and high availability. You can choose either the free community version or a commercial version. The commercial version offers more features such as management tools, support for commercial add-ons like Sophos anti-virus and Commtouch anti-spam, virtual machine support, and various support options.
A reliable old favorite, IPCop is a free download that you install on your own hardware. It’s well-maintained and has a good browser-based graphical administration interface. IPCop doesn’t try to pack in every conceivable bit of networking functionality; rather it sticks to firewall and Internet gateway duties: packet filtering, proxy, traffic shaping, VPN and secure remote access, user authentication, name services, and time server.
It uses a color-coded mechanism for creating and managing a basic set of subnets: Green is your internal trusted network, Red is the Internet, Orange is your DMZ for any Internet-facing servers, and Blue is either a wireless subnet or a second trusted wired subnet.
IPCop comes with good network and system monitoring and performance graphs that let you quickly see any trouble spots. It is free of cost and comes with community support only.
In the early 2000s, Linksys released the WRT54G broadband router/firewall/switch/wireless access point—with five wired Ethernet ports, Wi-Fi, and management software. It was (and is) perfect for small networks.
Although the original firmware was limited, it was Linux-based, so eager hackers downloaded the source code and improved it. This spawned excellent third-party firmware replacements, such as Sveasoft, FreeWRT, DD-WRT, Tomato, and OpenWRT, and turned a useful $70 router into a $500 routing powerhouse.
Now you can choose from dozens of these great little routers. Update the firmware, and use them as your sole firewall and router for small networks, as secure wireless access points, or to set up wireless hotspots.
Today, you can flash new firmware using your router’s Web interface in about five minutes—an easier, safer process than it used to be. The primary risk is a power interruption. If you can keep the lights on long enough to flash the new firmware, you’re set. Plus, a number of router vendors install DD-WRT or OpenWRT rather than maintain their own firmware—no updating software required.
Before you buy, visit the OpenWRT website and consult the Supported Devices database. It’s easier when you buy a well-supported product. OpenWRT is free of cost, with no commercial support options.
PfSense offers a range of networking products, including a free community edition, hardware appliances, and cloud services. If you need a strong, on-premises firewall, then take a look at the free community download (that you install on your own hardware), or at one of the hardware appliances that come pre-loaded and ready to work.
A bargain at $499, the SG-2440 PfSense Security Gateway Appliance provides a secure VPN to give remote workers access to your network, policy routing, advanced routing, captive portal, and many other features. PfSense offers several other hardware appliances for larger workloads.
Another excellent multi-function firewall, the Untangle Internet Gateway can handle a wide range of duties: user authentication (including Active Directory integration), VPN, captive portal, Web filtering, anti-virus, anti-spam, intrusion prevention, ad blocker, reporting, and higher-end features such as WAN balancing and automatic failover.
The base package is free, and you can choose from a range of fee-based add-ons. Untangle is very flexible, and you can choose from multiple software bundle options—from free to all the bells-and-whistles, including paid support. The most expensive bundle costs $540 per year. While you can purchase individual applications, if you want more than two or three apps, bundles offer the best value.
Untangle also sells hardware appliances. Its lowest-priced firewall, the u10, costs $799 and supports 10 users though, as always, this depends on traffic volumes. The top-of-the-line m3000 is a heavy-duty, high-speed workhorse rated for 3000 users. At $7,599 it’s competitively priced.
Carla Schroder is the author of The Book of Audacity, Linux Cookbook, Linux Networking Cookbook, and hundreds of Linux how-to articles. She’s the former managing editor of Linux Planet and Linux Today.