#172073 - 2006-12-27 11:34 AM Need suggestions for (Linux) firewall
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Guys,

We are planning to set up a new firewall. Several people I know recommended a Linux firewall because it is secure (this of course depends on your setup) and relatively easy to manage.

I've been looking at SuSE Enterprise Server and just downloaded the evaluation version to see if it is what I'm seeking.

Anybody have any other suggestions?

PS: forgot to mention that I'm almost blind in the Linux world so something manageable with a web browser or GUI would be my first choice to start testing.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#172074 - 2006-12-27 12:39 PM Re: Need suggestions for (Linux) firewall [Re: Mart]
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Unless you already know Linux it is probably safer to go for a firewall appliance rather than building it from scratch yourself - a quick google will get you plenty of results.

Any reason you're not looking at one of the big boys such as Cisco?

Depending on your needs you will normally require three distinct services, though they are commonly included on the same box.
  • The first is a router. In order to provide any sort of control the devices need to be on separate subnets, otherwise they could simply talk to each other.
  • The next is the firewall. The firewall's job is to stop traffic according to your rules. It doesn't really do anything else.
  • The final part is the proxy. This is the service which will talk through the firewall. While you don't have to have a proxy it is in my experience the simplest and safest way to manage access.

The firewall and router must be on the same box. The proxy can also be integrated into the same box, could be a separate server on your internal subnet or for the really paranoid could be on a server in a DMZ.

Being on a separate box means that the proxy could of course be Windows based, and in a primarily Windows shop that's not a bad idea as it simplifies authentication and administration.

The Linux kernel has had routing and firewall built into the kernel for a long time, which is why it is often considered as a firewall. Especially where funds are tight you can build a very very cheap firewall. There are even a number of "firewalls on a floppy" projects around, such as this one.

There are plenty of Linux solutions ready made, some are GUI interfaces to the bog-standard kernel facilities, some are complete solutions including the OS.

There is a large list on SourceForge

One well thought of product is SmoothWall

If you need a good non-Windows proxy I can strongly recommend Squid

You should probably also think about what else you may need your firewall to do:
  • dynamic routing updates
  • failover (high availability)
  • IP masquerading (NAT)
  • stateful connections
  • caching
  • DMZ support
  • Authentication (AD / LDAP / NT)
  • VPN
  • IDS
  • integration with third party content managers / monitoring
  • Traffic shaping and/or reporting

#172075 - 2006-12-27 01:17 PM Re: Need suggestions for (Linux) firewall [Re: Richard H.]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Quote:

....
Any reason you're not looking at one of the big boys such as Cisco?
....

Yep. The biggest reason is $$ (in my case €€). The price of a firewall is not a real show stopper but I've worked with Symantec appliances and for those we had to dump over 6000 euros each to our supplier and this is just not doable for now.

Currently we are just looking into alternatives for our old firewall. Smoothwall is definitely an option if I can get some supported NICs.
Squid would also be an option.

It's just that I have almost no experience with Linux firewalls and I'm looking for some suggestions/comments/warnings/whatever from people that already use a Linux firewall.

Anyway thanks for the info Richard. I'll look into the links you provided and maybe set up some test systems with the different types.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#172083 - 2006-12-27 05:40 PM Re: Need suggestions for (Linux) firewall [Re: Mart]
Gargoyle Offline
MM club member
*****

Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
I cannot help with a Linux solution, but have found that a firewall appliance (Cisco, SonicWall etc.) gives the best all-around protection.

Cisco now has their ASA appliances out that will give you firewall, VPN concentrator and IDS in one box.

Depending on your needs, they can be fairly inexpensive once you consider how much you can do with it.
_________________________
Today is the tomorrow you worried about yesterday.

#172085 - 2006-12-27 05:56 PM Re: Need suggestions for (Linux) firewall [Re: Gargoyle]
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
Firewalls and routers do not have to be on the same box. There are several ready-made Linux firewalls available.
_________________________
There are two types of vessels, submarines and targets.

#172088 - 2006-12-27 06:49 PM Re: Need suggestions for (Linux) firewall [Re: Sealeopard]
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Originally Posted By: Sealeopard
Firewalls and routers do not have to be on the same box.


They do you know (with one exception).

It's easy to fall into the trap of thinking that a router is something like a dedicated Cisco XYZ, however this is not the case.

The Cisco XYZ is a router because it has routing functionality built in, and that's what you primarily use it for. However a router is just a device that routes, so it might just as well be a firewall appliance, a Linux server or indeed a Windows server.

A firewall *is* a router (with one exception). It has to be, otherwise it cannot move packets between different subnets and/or interfaces. So a firewall and router must be on the same physical unit.

The exception? Well, when the firewall is on the DTE such as an end user's desktop PC of course it doesn't need to route because the data has arrived at its destination. In this case however it is not really a firewall, more of a chocolate fire-guard ;)
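
An added example, not code from anyone in this thread: a small shell generator for the Linux ruleset that Richard's two posts describe (the box forwards packets, so it is the router; the FORWARD chain is the firewall; stateful connections, masquerading and a DMZ are items from his feature list). Interface names, subnets, the DMZ host address and the published ports are assumed placeholders.

```shell
# Added example: generate the iptables commands for a Linux router+firewall
# with a masqueraded LAN and a DMZ. Review with: gen_rules
# Apply (as root, on the firewall box) with: gen_rules | sh
WAN=eth0; LAN=eth1; DMZ=eth2                 # assumed interface names
LAN_NET=192.168.1.0/24; DMZ_NET=192.168.2.0/24
DMZ_WEB=192.168.2.10                         # constructed DMZ web host address
DMZ_PORTS="80 443"                           # services published from the DMZ

gen_rules() {
    # Without forwarding the box is only a host firewall, not a router
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -F; iptables -t nat -F"
    # Default deny; every rule below is an explicit allow
    echo "iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Stateful: replies to connections already allowed are let back through
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    # Management of the firewall itself only from the LAN side
    echo "iptables -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # LAN may reach the internet and the DMZ; the DMZ may initiate nothing
    echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $DMZ_NET -j ACCEPT"
    # Only the listed DMZ services are reachable from outside (DNAT + allow)
    for port in $DMZ_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $port -j DNAT --to-destination $DMZ_WEB"
        echo "iptables -A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Masquerading (NAT): private addresses are hidden behind the WAN address
    echo "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}
```

Anything not matched by an explicit allow, including traffic the DMZ host tries to start towards the LAN, falls through to the DROP policy.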

#172091 - 2006-12-27 07:58 PM Re: Need suggestions for (Linux) firewall [Re: Mart]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Mart

My 2 cents / .10 euros ;)

Your inexperience with Linux is what could potentially open up a hole in the system. Linux regardless of flavor also needs updates and patching, otherwise you may find that someday someone else is now managing your box for you but you might not know because you don't have the experience to fully manage and keep up on top of it.

I would go with an all-in-one solution as well if possible. Not that you could possibly mess something up on one of them as well, but probably less likely.

#172092 - 2006-12-27 08:55 PM Re: Need suggestions for (Linux) firewall [Re: NTDOC]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Originally Posted By: NTDOC
Mart

Your inexperience with Linux is what could potentially open up a hole in the system. Linux regardless of flavor also needs updates and patching, otherwise you may find that someday someone else is now managing your box for you but you might not know because you don't have the experience to fully manage and keep up on top of it.
....


Yeah that is one of my fears also. It all needs to be done by mid February 2007 and learning "everything" about Linux and its security stuff in 7 weeks is a bit too much to ask for imho.

Quote:

....
I would go with an all-in-one solution as well if possible. Not that you could possibly mess something up on one of them as well, but probably less likely.


I'll look into several possible solutions to see what fits me and my company best. For now I'm looking around for some alternatives for our current firewall that we cannot manage and therefore are almost unable to re-use in our coming new network setup. Been looking at Smoothwall because a colleague of mine had a Smoothwall firewall on his corporate network when we took over the company. I downloaded an evaluation version of SuSE 10 Enterprise Server today and will also be doing some testing with that.
My first choice would be something like the Symantec Gateway Security 5400 series. This would be my personal favourite but looking around and doing some testing won't hurt.

So far thanks for the suggestions and comments guys.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#172094 - 2006-12-27 09:10 PM Re: Need suggestions for (Linux) firewall [Re: Mart]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
SuSE Linux 10.0: I found no issues with the firewall, but I did on the 10.1 beta; it would not set some features due to a configuration bug in the module.

Symantec device: nice specs and all, but support is dismal (imho), and at $8 to $10K I would really consider a similar Cisco unit. Support from Cisco is far superior, speaking from first-hand experience.

#172102 - 2006-12-28 03:07 AM Re: Need suggestions for (Linux) firewall [Re: NTDOC]
Gargoyle Offline
MM club member
*****

Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
And as a CCSP if you do go with Cisco, I can help out as well.
_________________________
Today is the tomorrow you worried about yesterday.

#172103 - 2006-12-28 03:36 AM Re: Need suggestions for (Linux) firewall [Re: Gargoyle]
Sealeopard Offline
KiX Master
*****

Registered: 2001-04-25
Posts: 11165
Loc: Boston, MA, USA
I don't disagree that a firewall has some basic routing abilities as part of the firewall design. See e.g. http://www.petri.co.il/csc_routers_switches_and_fw_%E2%80%93_Learn_how_they_are_different.htm . Rather, they are complementary and may be integrated into a single device. I'd differentiate between them by way of functionality: don't buy a firewall if you need a router and vice versa, unless you go for integrated devices.
_________________________
There are two types of vessels, submarines and targets.

#172107 - 2006-12-28 09:41 AM Re: Need suggestions for (Linux) firewall [Re: Gargoyle]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Thanks Gargoyle. I'll look into the options and Cisco is definitely an option on my list. I worked with the PIX 515E some time ago and at first it was a bit hard but I learned by just doing it and following the manuals and tips from other users. If help is needed I'll let you know.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#172116 - 2006-12-28 12:50 PM Re: Need suggestions for (Linux) firewall [Re: Sealeopard]
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:
I don't disagree that a firewall has some basic routing abilities as part of the firewall design. See e.g. http://www.petri.co.il/csc_routers_switches_and_fw_%E2%80%93_Learn_how_they_are_different.htm . Rather, they are complementary and may be integrated into a single device. I'd differentiate between them by way of functionality: don't buy a firewall if you need a router and vice versa, unless you go for integrated devices.


I wrote a long response to this, then decided that it would bore the pants off anyone not interested in the innards of these devices :)

In a nutshell, the link you provided is a very good example of how to mislead people into confusing the form and function of network equipment by being too simplistic.

If you can identify a firewall appliance which does not comprise both firewall and router function I'll eat the party hat from my Christmas Cracker!

If you're interested in discussing further, PM me and we'll take it offline.

#172154 - 2006-12-29 07:12 AM Re: Need suggestions for (Linux) firewall [Re: Richard H.]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Originally Posted By: Richard
If you can identify a firewall appliance which does not comprise both firewall and router function I'll eat the party hat from my Christmas Cracker!

m0n0wall does have a bridge mode. :p

I haven't seen anyone mention ISA server.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#172155 - 2006-12-29 07:47 AM Re: Need suggestions for (Linux) firewall [Re: Les]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Quote:
I haven't seen anyone mention ISA server


Maybe because Microsoft has tarnished their name for so long now on security that many aren't willing to give them a shot at it. :D

But whether you like them or not they do have what appears to be a good writeup about it.

http://www.microsoft.com/technet/isa/2006/perf_bp.mspx


#172160 - 2006-12-29 10:05 AM Re: Need suggestions for (Linux) firewall [Re: Mart]
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Originally Posted By: Mart

Currently we are just looking into alternatives for our old firewall. Smoothwall is definitively an option if I can get some supported NIC's.
Squid would also be an option.

Isn't Squid a proxy?

Well, Smoothwall, m0n0wall and IPCop are distros designed to act as a reasonable filter. Even better is that you can set up SpamAssassin and other filters for mail, HTTP filtering and FTP filtering, in just a few clicks :)

How big env. are we talking about here anyway?


Edited by Björn (2006-12-29 10:16 AM)
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#172161 - 2006-12-29 10:06 AM Re: Need suggestions for (Linux) firewall [Re: Les]
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Originally Posted By: Les
Originally Posted By: Richard
If you can identify a firewall appliance which does not comprise both firewall and router function I'll eat the party hat from my Christmas Cracker!

m0n0wall does have a bridge mode. :p

I haven't seen anyone mention ISA server.


Can it be because money was an issue? :D
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#172162 - 2006-12-29 10:18 AM Re: Need suggestions for (Linux) firewall [Re: Les]
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Quote:
I haven't seen anyone mention ISA server.

No. I wonder why. It can certainly perform the function as documented in their best practices...
Quote:
Internet Edge Firewall
Organizations with enterprise-scale capacity requirements may consider deploying an ISA Server computer as a dedicated Internet edge firewall acting as the secure gateway to the Internet for all corporate clients.

I like that "may consider" :)

MS Windows is a victim of its success, with criminally minded organisations spending an awful lot of time finding exploits. While Windows appears to have many more problems than other products, I think that this is more likely to be a combination of both the popularity, which means that there is a more concerted effort to find exploits, and the fact that any exploit discovered has a high impact and visibility.

The complexity of a general purpose OS means that it is harder to secure and fix when compared to dedicated hardware devices running something like IOS or PIX. Cisco still get it wrong, and their equipment still occasionally has security problems. However the issues are fewer and further between, and tend to be denial of service rather than the exposure of internal network or data.

For these reasons anyone who "may consider" using ISA as their first line of defense might also consider alternative employment.

Behind a decent firewall I think that ISA is mature enough now to deploy without particular worry. For example, I think that it's a good option for a caching proxy in Windows-only shops that don't require the full-on features of something like Squid.

In the future, when Windows has finally lost its reputation of being insecure and buggy I'm sure we'll all be looking at it again in security contexts with a less jaundiced eye.

#172163 - 2006-12-29 10:31 AM Re: Need suggestions for (Linux) firewall [Re: Richard H.]
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
well, a sound solution regarding firewalls is perhaps something like this:
Code:
internet
     |
     |
     |        
     |        
    FW-------- FW/DMZ -- WEB/ETC       
     |          (|        )
     |          (| <- vpn )
     |          (|        )
    FW------------ Cli-net
     |        |  |- Cli-net
     |        |---------------VPN-net  
     serv-net

or something similar.


Edited by Björn (2006-12-29 10:31 AM)
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#172164 - 2006-12-29 10:38 AM Re: Need suggestions for (Linux) firewall [Re: Björn]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Originally Posted By: Björn
....
How big env. are we talking about here anyway?
....

Our network is not that big.
We have about 40 workstations in our main office in Rotterdam and 15 in a branch office in Amsterdam. The branch office works on terminal sessions and can access the internet locally and by using terminal sessions. The local internet access is secured by the firewall used in the building in which we are renting a floor. We have no access to that firewall but all is working as it should and all unneeded ports are closed. As far as I know they use a Cisco PIX on the building internet access.
Our main office is the office that will be moving to a new location soon. This move is also the trigger for a partial rebuild of our network. This rebuild includes the firewall/proxy we currently use (old Squid on an even older Linux flavour). We need a firewall we can manage ourselves without calling an external company to do some changes and forking out some cash to them for the work they did. Usually it takes about a week before the changes are done. Two or three weeks are also common. Obviously this sucks and therefore we decided to scrap the current firewall when a new firewall is set up and working as it should.


MS ISA server would also be an option. I did not even think of it. I’ll add it to the "ToLookInto" list.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.
