The Internet is a big, bad, scary place, and so we must protect our small business networks with good stout firewalls. Firewalls can range from a simple gadget that keeps bad data packets out of our networks, to sophisticated multi-function gateways. Let’s take a look at a sampling of the many fine open source firewalls we have to choose from.
Open Source Firewalls
Open source operating systems like Linux, FreeBSD, and OpenBSD have tons of built-in networking and security features, so they are natural platforms for building security products. And most commercial firewalls are built on one of them. There are multitudes of choices — from tiny embedded systems for broadband wireless routers to giant enterprise firewalls with all the bells and whistles — from free community support to paid support.
If you’re not an Internet service provider you don’t need the big fancy expensive Cisco or Juniper gear; look for open source-based products because they are proven, and you’ll save money.
The Endian firewall offers a range of products, from a free community edition to hardware appliances for various workloads. The Endian Mini is a nice deal at $995, suggested for 5-25 users, though it could certainly support more for basic tasks like email, Web surfing, and VPNs. This firewall comes in a nice little compact power-saving unit with five Gigabit Ethernet ports and a USB port, 512MB RAM, 512MB to 4GB storage, all powered by an ARM system-on-a-chip (ARM SOC). The ARM SOC-based systems are perfect for this sort of use, because they don’t need much power, they’re compact, and they can handle good-sized workloads. You can choose from several other hardware appliances for bigger workloads.
Figure 1: Endian system load graph. Image courtesy Wikipedia and Tom H. Lautenbacher.
The Endian software is a complete Linux distribution hardened for security work: firewall, intrusion prevention and detection, anti-virus and anti-spam, VPN and secure remote access, and high availability. There is a free community version and a commercial version. The commercial version offers more features such as management tools, support for commercial add-ons like Sophos anti-virus and Commtouch anti-spam, virtual machine support, and various support options.
IPCop: The Bad Packets Stop Here
A reliable old favorite that has been around for years, IPCop is a free download that you install on your own hardware. It is well-maintained and has a good browser-based graphical administration interface. IPCop doesn’t try to pack in every conceivable bit of networking functionality; rather, it sticks to firewall and Internet gateway duties: packet filtering, proxy, traffic shaping, VPN and secure remote access, user authentication, name services, and time server.
It has a color-coded mechanism for creating and managing a basic set of subnets: Green is your internal trusted network, Red is the Internet, Orange is your DMZ for any Internet-facing servers, and Blue is the wireless subnet, or a second trusted wired subnet.
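The Green/Red/Orange/Blue scheme is really a trust ordering with a few explicit exceptions, and it helps to see that written out. The Python below is an added illustration, not IPCop's own code or rule set: it encodes an assumed default policy (a more-trusted zone may open connections to a less-trusted one, the reverse only through a declared pinhole) and renders it as nftables forward-chain rules; the trust levels, the ranking of Blue below Green, and the interface names are all assumptions.

```python
"""Zone-based forwarding policy modelled on the IPCop colour scheme.
Assumed, simplified defaults (an illustration, not IPCop's own rule set):
new connections flow from a more-trusted zone to a less-trusted one, never
the reverse, unless an explicit pinhole has been declared."""

# Trust level per zone: higher = more trusted. Blue (wireless) is ranked
# below Green so wireless clients cannot reach wired hosts by default.
TRUST = {"red": 0, "orange": 1, "blue": 2, "green": 3}

# Constructed sample mapping of zones to interfaces, used by nft_rules().
IFACES = {"red": "eth0", "green": "eth1", "orange": "eth2", "blue": "wlan0"}


class ZonePolicy:
    def __init__(self):
        self.pinholes = set()  # (src_zone, dst_zone, proto, port)

    def allow_pinhole(self, src, dst, proto, port):
        """Let src zone open proto/port on dst zone, e.g. Red -> Orange tcp/443."""
        self.pinholes.add((src, dst, proto, port))

    def decide(self, src, dst, proto, port):
        """Return 'accept' or 'drop' for a new connection from src zone to dst."""
        if src not in TRUST or dst not in TRUST:
            raise ValueError(f"unknown zone in {src!r} -> {dst!r}")
        if src == dst or TRUST[src] > TRUST[dst]:
            return "accept"  # downhill: trusted zone reaching a less-trusted one
        if (src, dst, proto, port) in self.pinholes:
            return "accept"  # uphill only through a declared pinhole
        return "drop"

    def nft_rules(self, iface):
        """Render the policy as nftables forward-chain rules, default-drop.
        Published DMZ services are assumed to be DNATed in prerouting first."""
        lines = ["ct state established,related accept"]
        for src, s_lvl in TRUST.items():
            for dst, d_lvl in TRUST.items():
                if src != dst and s_lvl > d_lvl:
                    lines.append(f'iifname "{iface[src]}" oifname "{iface[dst]}" accept')
        for src, dst, proto, port in sorted(self.pinholes):
            lines.append(f'iifname "{iface[src]}" oifname "{iface[dst]}" '
                         f'{proto} dport {port} accept')
        lines.append("drop")  # anything not matched above is dropped
        return lines
```

Note that a Red-to-Orange pinhole only admits the one published port; everything else from the Internet into the DMZ, and anything from the DMZ or wireless zone back into Green, falls through to the final drop.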
IPCop comes with a batch of good network and system monitoring and performance graphs that let you quickly see if there are any trouble spots. It is free of cost and comes with community support only.
OpenWRT For Little Wireless Routers
Back in the early 2000s, Linksys released the WRT54G broadband router/firewall/switch/wireless access point. A nifty little gadget with five wired Ethernet ports, Wi-Fi, and management software, it was billed as easy to use even for novices. Of course, this was a little misleading, as you still need some networking knowledge even with a pointy-clicky interface. But it was (and is) a great little gadget that’s perfect for small networks.
The original Linksys embedded firmware was limited and did not fully exploit the capabilities of the hardware. Fortunately it was Linux-based software, so eager hackers downloaded the source code and improved on it. This spawned a number of excellent third-party firmware replacements, such as Sveasoft, FreeWRT, DD-WRT, Tomato, and OpenWRT. Replacing the original vendor’s firmware with one of these turned a useful $70 router into a $500 routing powerhouse.
You can now choose from dozens of these little routers, and they’re all great little gadgets. You can use them as your sole firewall and router for small networks, or as secure wireless access points. You can even use them for setting up wireless hotspots. In those early days, flashing new firmware was risky and for gurus only, because a mistake could make the router unbootable.