First of all, let me define what a firewall is and does. Here I will digress a bit from the commonly accepted wisdom and define a firewall as an access nexus in the digital communication infrastructure of any organization. That is, you build a firewall not only to protect your internal systems but also to enhance your communication abilities overall.
This paper is not a set of instructions on how to build an access nexus; it is more like a white paper on the things you should expect from such a device and be able to ask for from your vendor. Please do tell them that they are currently available on open source servers. Also keep in mind that the following items are by no means the full repertoire of an access nexus. These are just some common solutions to everyday problems. One can become very fancy indeed in the applications that the nexus can support, but let's take a handsome and logical set.
Let us take a case study of a Linux box (substitute your favorite Unix-like OS here) serving as an access nexus. You are all familiar with the three-fold implementation of networks, Public, Private and DMZ, so I will not bore you any further with silly graphics. We also have to take into account that most companies are using a router as an access point to the Internet. Our router has the ability to have access lists built in, so why do we still need a firewall to protect some of the machines and not others?
The router does have its access lists, but you can have another set of more specific lists using IPCHAINS or IPTABLES to further control access to your resources. Furthermore, networks tend to exhibit growth patterns akin to two-line programs. Once you plug in a second router, the access lists on the first router are of little use, so it is a very good idea to redo all the access rules on the firewall too. As for the strictness of the lists, keep a balance: too tight and you make life hard for your users, too loose and you lose.
First and foremost, a firewall must be able to do Network Address Translation.
With more than one router you only need to add routing entries on the firewall itself and nowhere else on your LAN; clients will never know the complexity of the outside world, and they should not really care. All routing decisions should be made on the firewall if possible. Yes, I do understand that there is a host of decent routing protocols for exactly this purpose, but in practice, with all the weirdness that goes on in any average company, it is next to impossible to implement them. Also keep in mind that the cost of routers for advanced routing applications can get quite out of hand.
But we are still passing all the Internet traffic for them through the firewall for a very simple reason: intrusion detection. No matter how powerful a router is, it still cannot beat SNORT in detecting network abuses. There is a slew of tools for analyzing SNORT alerts, and of course my favorite one is snortlog.
Now, how do I manage the bandwidth that my DMZ uses? Suppose that bandwidth is expensive, which it is in most parts of the world. With a Linux box and CBQ one can immediately have a very finely tuned traffic management system at no cost and with little effort. Just look for the cbq.init script! You can allocate downstream data rates and upstream data rates very easily; keep in mind though that this kind of control is full duplex, therefore 64K down and 64K up takes 128K from your leased line!
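To make the full-duplex remark concrete, here is an added example (not from the original paper, and not the cbq.init script itself) of the tc/CBQ commands that a cbq.init configuration would generate for a DMZ capped at 64K in each direction. Downstream is shaped on the DMZ-facing interface, upstream on the leased-line interface, and the two allocations add up to 128K of line capacity. The interface names eth0/eth2, the DMZ range 192.168.1.0/24 and the 10Mbit card speed are assumptions; set TC=echo to print the commands instead of loading them into the kernel.

```shell
#!/bin/sh
# Added example: CBQ shaping for a DMZ, in both directions.
# Not the paper's own script; interface names and addresses are assumed.
TC=${TC:-tc}            # TC=echo prints the commands instead of applying them
PUB_IF=eth0             # leased-line side (assumed)
DMZ_IF=eth2             # DMZ side (assumed)
DMZ_NET=192.168.1.0/24  # assumed DMZ address space
DOWN_RATE=64Kbit        # what the DMZ may receive
UP_RATE=64Kbit          # what the DMZ may send; together they claim 128K of the line

# cbq.init rule of thumb: WEIGHT is about one tenth of RATE (Kbit values only)
weight_for() {
    case $1 in
        *Kbit) n=${1%Kbit}; echo "$(( n / 10 ))Kbit" ;;
        *) echo "weight_for: rate must be given in Kbit" >&2; return 1 ;;
    esac
}

# shape_egress DEV RATE MATCH...: root CBQ qdisc, one bounded class,
# an SFQ leaf so one host cannot hog the class, and a u32 filter feeding it
shape_egress() {
    dev=$1; rate=$2; shift 2
    "$TC" qdisc add dev "$dev" root handle 1: cbq bandwidth 10Mbit avpkt 1000 cell 8
    "$TC" class add dev "$dev" parent 1: classid 1:10 cbq bandwidth 10Mbit \
        rate "$rate" weight "$(weight_for "$rate")" prio 5 allot 1514 cell 8 \
        maxburst 20 avpkt 1000 bounded
    "$TC" qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    "$TC" filter add dev "$dev" parent 1: protocol ip prio 100 u32 "$@" flowid 1:10
}

shape_dmz() {
    # downstream: packets leaving the nexus on the DMZ interface, bound for the DMZ
    shape_egress "$DMZ_IF" "$DOWN_RATE" match ip dst "$DMZ_NET"
    # upstream: packets leaving on the leased-line interface, coming from the DMZ
    shape_egress "$PUB_IF" "$UP_RATE" match ip src "$DMZ_NET"
}

# how much leased-line capacity both directions reserve together, in Kbit
line_usage_kbit() {
    echo $(( ${DOWN_RATE%Kbit} + ${UP_RATE%Kbit} ))
}

# apply only when explicitly asked, so the file can be sourced for inspection
if [ "${SHAPE_APPLY:-no}" = yes ]; then shape_dmz; fi
```

Shaping only ever applies to packets leaving an interface, which is why each direction is attached to the interface the traffic exits on; the `bounded` keyword keeps the class from borrowing idle bandwidth from its parent, which is what makes the cap hard.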
There is too much talk about VPNs. There are fine products like FreeS/WAN which allow network-to-network secure connections based on the IPsec platform. There is also the simple, elegant and yet useful VTUND, which allows the creation of virtual tunnels with significantly less trouble than IPsec. For geographically dispersed users who need access to some resources on your net, fire up PoPToP and you can have these people access the resources you want them to have. As a note of good design, use a different subnet in the IP address allocation scheme for PPTPD connections so you can fine-tune your IPCHAINS access rules (see above notes). For example, if your private net is 10.0.0.0/24, assign the range 172.16.11.0/24 for pptpd addresses and fine-tune your ipchains accordingly. Also enable wtmp logging for PPPD, or else you will never know which user connected when.
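The access-list, NAT, routing and VPN-subnet points above come together in one ruleset, so here is an added example (my own, not the paper's) of an iptables script for the three-legged nexus: the private LAN 10.0.0.0/24 and the PPTP pool 172.16.11.0/24 from the text are hidden behind the public address, a DMZ web server is published, the DMZ is forbidden from initiating towards the LAN, and the only route to a second router lives on the nexus. Everything else is an assumption: interface names eth0/eth1/eth2, the DMZ range 192.168.1.0/24, the documentation addresses 203.0.113.x standing in for real public ones, and the ports opened for VPN users. Set IPT=echo and IP=echo to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example: access nexus ruleset (NAT, filtering, VPN subnet, routing).
# Not the paper's own script; all names and addresses are assumptions.
IPT=${IPT:-iptables}         # IPT=echo prints the rules instead of loading them
IP=${IP:-ip}                 # same for the routing entry
PUB_IF=eth0                  # public side, towards the router
PRIV_IF=eth1                 # private LAN
DMZ_IF=eth2                  # DMZ
PUB_IP=203.0.113.2           # documentation address standing in for the real public IP
PRIV_NET=10.0.0.0/24         # private LAN, as in the paper
VPN_NET=172.16.11.0/24       # PPTP pool, kept apart from the LAN as the paper advises
DMZ_NET=192.168.1.0/24       # assumed DMZ range
WEB_DMZ=192.168.1.10         # assumed web server in the DMZ
NEXT_ROUTER=203.0.113.1      # assumed second router
NEXT_NET=10.1.0.0/16         # assumed network behind it

fw_flush() {
    "$IPT" -F; "$IPT" -t nat -F; "$IPT" -X
    # deny by default; the box may talk out on its own
    "$IPT" -P INPUT DROP; "$IPT" -P FORWARD DROP; "$IPT" -P OUTPUT ACCEPT
}

fw_nat() {
    # hide the private LAN and the VPN pool behind the public address
    "$IPT" -t nat -A POSTROUTING -o "$PUB_IF" -s "$PRIV_NET" -j SNAT --to-source "$PUB_IP"
    "$IPT" -t nat -A POSTROUTING -o "$PUB_IF" -s "$VPN_NET" -j SNAT --to-source "$PUB_IP"
    # publish the DMZ web server on the public address
    "$IPT" -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_DMZ"
}

fw_filter() {
    # replies to anything allowed below come back statefully
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    # LAN and VPN users may go out; VPN users reach the LAN only on ports you choose
    "$IPT" -A FORWARD -i "$PRIV_IF" -s "$PRIV_NET" -o "$PUB_IF" -j ACCEPT
    "$IPT" -A FORWARD -i ppp+ -s "$VPN_NET" -o "$PUB_IF" -j ACCEPT
    "$IPT" -A FORWARD -i ppp+ -s "$VPN_NET" -d "$PRIV_NET" -p tcp --dport 22 -j ACCEPT
    # the published web server is reachable; the DMZ never initiates towards the LAN
    "$IPT" -A FORWARD -o "$DMZ_IF" -d "$WEB_DMZ" -p tcp --dport 80 -j ACCEPT
    "$IPT" -A FORWARD -i "$DMZ_IF" -d "$PRIV_NET" -j DROP
    "$IPT" -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -o "$PUB_IF" -j ACCEPT
    # the nexus itself: SSH from the LAN only, PPTP (TCP 1723 plus GRE) from outside
    "$IPT" -A INPUT -i "$PRIV_IF" -s "$PRIV_NET" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -i "$PUB_IF" -p tcp --dport 1723 -j ACCEPT
    "$IPT" -A INPUT -i "$PUB_IF" -p gre -j ACCEPT
    # log what falls through to the default DROP, rate limited
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

fw_routing() {
    # routing decisions live on the nexus; LAN clients only know it as their gateway
    "$IP" route add "$NEXT_NET" via "$NEXT_ROUTER" dev "$PUB_IF"
}

fw_apply() { fw_flush; fw_nat; fw_filter; fw_routing; }

# apply only when explicitly asked, so the file can be sourced for inspection
if [ "${FW_APPLY:-no}" = yes ]; then fw_apply; fi
```

The VPN pool gets its own SNAT and FORWARD lines precisely because it is a separate subnet: had the PPTP addresses been carved out of 10.0.0.0/24, the LAN rules would have matched road warriors too and there would be no way to give them a narrower set of ports.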
Traffic graphers like MRTG and IPAC are wonderful tools that can give you graphs of the utilization of the network cards on your firewall and router. This way you can see patterns of utilization and make your predictions and purchases accordingly. Very simply, it is a measurement tool for data, and as any scientist will tell you, there is nothing you can do without measurements. Also, tools like ANTEATER, PWEBSTATS and WEBALIZER will give you a set of statistics that will help you understand the character of your LAN and the download habits of your users.
Suppose now that you have a pesky little networking application that you need to debug. Tools like TRAFSHOW will enable you to link up your endpoints in no time at all. Many thanks to the original author of this application.
OK, your network is fine, but what does it do when you are not there? Enter NTOP, an exceptional piece of software that logs almost everything, and then some, of the traffic that passes through your system. I do have a gripe with NTOP though: it sets the interfaces into PROMISCUOUS mode by default and starts all the alarms ringing. You might want to fiddle with the source at the pcap_open_live call and switch the promiscuous argument from 1 to 0.
Smart utilization of bandwidth means that you must use a cache server like SQUID, or even APACHE's built-in caching mechanism, to decrease the latency of web pages received by your users. As I stated before, the target is enhanced digital communication, or communion if you prefer.
How much do all these wonderful things cost? Nothing: you have the source, you can tinker and toy and make things work and be happy. Compare this with commercial-grade appliances and software; sure, they will be better, but how much better? Do you really get your money's worth for the cash you hand out?
Too much has been said about it, and too many bytes wasted. The bottom line is that OPENSSH rules, and PUTTY rules also. You can administer this box from anywhere in the world and still be more or less secure, since the data stream is encrypted. Better yet, if you want to delegate administration to another user, install OPENSSL and WEBMIN and give these people a graphical front-end that enhances their experience :-)
Last but not least, there are all the standard UNIX services like EMAIL, DNS and FAX, and yes, email retrieval can be secured by using an SSL wrapper like popSSL and a server-side wrapper like Stunnel.
I will forego all rhetoric on the open source model and make some engineering remarks. You need a firewall/access nexus so that you can manage access to resources and data traffic. You must pass ALL your traffic through your access nexus so that you can know what goes where and does what. An access nexus should be as flexible as a Swiss army knife, as malleable as putty and as resilient as a network engineer with a collapsed transatlantic backbone line :-)
Copyright © 2001 Angelos Karageorgiou. Use freely but do not abuse. Please retain the Copyright notice.