Fog Creek Software
Discussion Board

Small LAN firewall recommendations?

Dear JOSers,

I hate to bother you with something so trivial, but after one too many easily preventable hacker problems at my workplace I've decided to put a firewall in front of our office LAN.  It's about 10 computers, connected to the larger building LAN which, for arcane reasons, is not itself firewalled.

My boss is not thrilled with my initial suggestion - finding a junk computer with two ethernet cards, a floppy drive, and nothing else - as I will be leaving soon and he has nobody who wants to maintain a floppy-based Linux system.  He believes that firewall software would be a viable solution, but I cannot bring myself to trust the stuff somehow, and would rather have one box to maintain than 10 software installations.  Therefore we have decided to buy one of those little ready-made firewall boxes for our office.

The stores are full of cheap little boxes that do wireless and firewalling, or do NAT and firewalling, and stuff like that, and claim to have friendly user Web interfaces.  There's so many of them, but unfortunately there seems to be no easy way to find out which one would do what I need it to do.

I need to firewall (port filtering is mandatory, stateful firewalling would be a nice bonus but isn't necessary), but I don't need wireless and I won't be using NAT - every box inside the firewall has its own IP.  The machines inside the firewall need to be able to get IP addresses by DHCP - the firewall can't block them.  I'd be plugging 10 machines or so into the firewall through a large switch that I already have - so the firewall only needs one port on each side.  And a friendly, yet sophisticated Web interface is a must.

Any suggestions?  I hope not to have to buy some box blindly and then find out that it only does NAT, or it blocks DHCP, or it won't work with more than N machines, or whatever.

Sunday, November 30, 2003

I know this goes against not wanting to do it with Linux, but if his main objection is maintenance, have you looked at ?

It is a Linux based firewall distro, complete with nice web interface. It does everything you need.

Sunday, November 30, 2003

Various companies sell what seem to be pretty professional-looking perimeter firewall appliances. They run for more or less a grand, I think. Check Nokia for one that somehow fits CheckPoint in it.

Li-fan Chen
Sunday, November 30, 2003

We use a Sonicwall and have never had any problems with it.  Also, the support is great, if you need it, but it will cost you (not sure how much).

Sunday, November 30, 2003

If your boss doesn't feel comfortable with using anything other than Windows since you'll be leaving soon... what about a basic W2K or XP host running just ISC to act as Internet gateway, and a good software firewall like Kerio 2.1.5?

Frederic Faure
Sunday, November 30, 2003

We're looking for something cheap and self-contained.  This isn't a major-traffic server installation, we'd rather spend $100 than $1000.  Linux is not a special barrier - my boss fully understands that most of the little firewall boxes for sale do contain a Linux-like system in ROM, and we do use Linux for some things.  It's just that nobody is likely to want to be editing tarballs on a special Linux boot floppy should major configuration changes be required in the future.

I'm thinking one of those little Linksys boxes.  Netgear makes some, but they burned us on a cute little print server that claims to operate two printers but can really only control one without crashing.  I don't want to buy Netgear again. 

Problem is that all the marketing materials and specs are geared towards people who want to hook a few machines up to a single cable modem and share a single IP.  We need to hook up like 10 machines through an Ethernet switch that we already have, each having its own IP on the building network (some static, some DHCP) - the firewall should just sit between and block ports.  I don't want to buy a device and find it only does NAT, or doesn't pass DHCP through, or something like that.

Monday, December 1, 2003

Smoothwall, IPCop and other similar tools consist of an ISO you burn to CD and stick into a suitable PC. When you boot it, it formats the HDD and turns the PC into a self-contained firewall, configured in much the same way as small hardware boxes: via a web browser.

Updating these is much the same as updating the firmware on a hardware box: download and patch. The fact that they happen to be Linux based is almost irrelevant - except when you want to do "clever" stuff, at which point you won't suddenly find that the people who built the small hardware box didn't include that feature because most people don't need it.

Monday, December 1, 2003

Having just upgraded my own firewall to satisfy a client's requirements, let me weigh in on this.

My first firewalls were 386/486 boxes running NetBSD or OpenBSD with packet filtering and NAT software. The initial packet filter was given to me by a colleague in Montreal, and I added configuration ability to it. The NAT was Darren Reed's IPFilter.  This requires a bit of kernel hacking, but: I UNDERSTOOD THE SECURITY POLICIES that it implemented.

A couple of years ago I replaced the 486 with a LinkSys box.  The reasons were twofold: first, the hardware is more reliable, having no moving parts.  Second, you get a 4-port 100 Mbps switch, which enabled me to run 100 Mbps Ethernet on my LAN.

Problem: LinkSys doesn't document their security implementation at all.  Tell me: how can you have stateless filtering with NAT?  NAT requires that you keep some connection state.  Clearly, LinkSys doesn't keep it all, but what do they do exactly?  At a packet level, what does "IPSec pass through" do, exactly?  I tried calling tech support, but the techs don't even understand my questions.

I am now using a NetGear box, recommended by the client, and it claims better security, with stateful filtering and VPN tunnel support, but again, the exact security policies are not documented.

So, a question for you is: how important is it to be 100% SURE about the security policy?  How does your firewall handle fragment overlay attacks as described in RFC1858? Is it important that you know?  If you want to be ABSOLUTELY SURE then your options are the $1000+ boxes such as SonicWALL, or learning about IP at the low level and getting a Linux or BSD box to implement exactly what you want.

David Jones
Monday, December 1, 2003
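As an added example, not from anyone in this thread: a Linux nftables ruleset for the transparent bridge firewall the original poster describes (no NAT, every office host keeps its own building-LAN address, DHCP passed through, port filtering with stateful tracking), which also shows the reassemble-then-inspect answer to David Jones's RFC 1858 fragment question. It assumes eth0 faces the building LAN, eth1 faces the office switch, both are ports of an address-less bridge br0, and the kernel is 5.3 or newer so connection tracking works in the bridge family; 22/tcp and 80/tcp are placeholder exposed services.

```nft
# Added example: transparent (bridging, non-NAT) office firewall.
# Assumed layout: building LAN <-> eth0 [br0] eth1 <-> office switch.
flush ruleset

table bridge office_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # ARP must pass or nothing on either side can talk at all.
        ether type arp accept

        # Conntrack reassembles IPv4 fragments before state is evaluated,
        # so tiny or overlapping fragments that never form a valid packet
        # (the RFC 1858 tricks) are rejected here instead of slipping past
        # a per-fragment port check.
        ct state invalid drop

        # Replies to connections already allowed, in either direction.
        ct state established,related accept

        # Office (eth1) -> building (eth0): the inside may open anything.
        iifname "eth1" oifname "eth0" ct state new accept

        # Building -> office: DHCP OFFER/ACK from the building's server
        # (server port 67 to client port 68). These are not conntrack
        # "replies" to the client's broadcast, so they need their own rule.
        iifname "eth0" oifname "eth1" udp sport 67 udp dport 68 accept

        # Building -> office: the short allow-list of exposed services
        # (placeholder ports; adjust to what the office really serves).
        iifname "eth0" oifname "eth1" tcp dport { 22, 80 } ct state new accept

        # Diagnostic ICMP that is useful and low-risk to let in.
        iifname "eth0" oifname "eth1" icmp type { echo-request, destination-unreachable, time-exceeded } accept

        # Anything else from the building side: rate-limited log, then the
        # chain policy drops it. IPv6 is not on the allow-list, so it is
        # dropped by the same policy.
        iifname "eth0" oifname "eth1" limit rate 5/second log prefix "office_fw drop: "
    }
}
```

Load it with `nft -f` and watch the kernel log for the `office_fw drop:` prefix to confirm that unsolicited building-side traffic is being stopped while DHCP leases still arrive.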

Does anyone have an idea on how much difference there is in power consumption between an old repurposed computer acting as firewall and one of those Linksys type appliances? My guess is you could be looking at $150+ a year easily (European energy prices).

Just me (Sir to you)
Monday, December 1, 2003

Please let me ask Mr. David Jones and anyone else who knows this stuff well a few fundamental questions:

1) Why is it important that one would know the exact low level implementation of a firewall? I greatly respect the ability to set up a dedicated firewall on a separate box, but what does this buy the typical business that a <$150 Linksys or Netgear solution doesn't? I am not posing this as a hostile smartass, rather, I honestly don't see the benefit and additional protection this affords. I thought simply that a firewall blocked or allowed certain ports under certain conditions.

2) What is a true firewall buying in terms of user protection that NAT doesn't?  NAT is a brick wall and doesn't typically allow servers to be run from inside the firewall but why is allowing that so desirable in a typical end user multiple workstation network situation?

3) Variation of #2: what does it buy the user organization to have a real IP address for each workstation, vs. NAT?

I have never understood these things. It's important for the reason that COTS implementations and simple to configure solutions like NAT open up the boundary of protection for lots of low end users that a custom firewall application on a dedicated PC doesn't.  More importantly, I don't feel that a lot of research into low level firewall implementation will be accessible (read: cost be low enough) to smaller business users. IE, I could *do* it, the question is, would anyone pay me to do it?

This impacts what I may recommend to a client in the immediate future. Thanks for reading.

Bored Bystander
Monday, December 1, 2003

In the spirit of schizophrenically answering my own questions ;-), it occurs to me that some sophisticated hackers may have means of tricking the firewall implementation in common consumer grade firewalls.

How, is beyond me (and I understand the "buffer overrun" concept very well in the Windows context.)

Bored Bystander
Monday, December 1, 2003

Just a side note, it's pretty easy nowadays to set up a PC-based appliance to do just firewalling without moving parts. Most of the small format motherboards with a flash-based boot disk (instead of a 2.5" notebook drive) will have increased reliability. The Cyrix ones rarely need any fans anywhere.

Li-fan Chen
Tuesday, December 2, 2003

Bored Bystander,

The whole point of a firewall is to centralize and enforce a security policy.  Once the firewall is in place, it is no longer critical that each machine behind it be secured in exactly the same way.

However, it is not sufficient to merely build a fort. You must also defend it. Here, you cannot necessarily trust that your vendor has your best interests at heart. If you want to honestly claim that your network is secure, both to yourself and your customers, then you need to know about network security, keep up with the latest threats, determine if you may be vulnerable, and then remedy any problems.

You cannot do this if you do not know how your firewall behaves.  Unfortunately, the vendors of the $100 firewalls are going after a basic home market, and not a business market that has greater concerns. As such, they do not document their devices as well as the vendors of the $5000 firewalls do.

If you have a burglar alarm installed in your home, wouldn't you poke around the doors and windows to determine if someone could break in without tripping a sensor?  Knowing how your firewall behaves in response to stealth packets is the same thing.

The big deal about NAT is that it allows an organization to share a few external IP addresses across the internal network. There are two main benefits:

1. By keeping the internal network topology secret, you frustrate hacking attempts. However, security by obscurity is not a good idea by itself, and does not replace a layered defense system.

2. ISPs generally charge more for multiple static IP addresses, since address space is limited. NAT is the main reason why we are able to remain with IPv4 today and yet not run out of space.

Having a real IP address per workstation enables certain firewall-unfriendly protocols. However, this is not a major concern - the major unfriendly protocols (such as FTP) are typically proxied to patch over the problems, and the remainder (such as gaming) are not desirable on an enterprise network.

David Jones
Tuesday, December 2, 2003

I was using Linksys and Belkin small appliance routers with my home DSL connection (1.5 down/384 up).  Both appliances became unreliable very quickly.  I replaced them with an old PIII I had lying around and downloaded SmoothWall Express (freely available).  My router is now pretty much fully functional and always up and running perfectly.  Even though I dedicated a machine to it, it's more than worth it, in my opinion.

Larry Treachler
Sunday, January 4, 2004
