LinuxQuestions.org > Linux - Security > Soft Firewall vs "Boxed firewall"
http://www.linuxquestions.org/questions/linux-security-4/soft-firewall-vs-boxed-firewall-506383/

gracon52 11-30-2006 09:35 PM

Soft Firewall vs "Boxed firewall"
 
Implementing a "private" 100Mb backbone between trusted institutions. Each institution already has their own ISPs and firewall filtering devices in place. The backbone will be provided by a commercial provider but just linking these 10 institutions. The institutions have their own IP schemes and want to keep it that way for now.

They will definitely want a NATing setup, probably with some firewall protection between each other. We will leave the content filtering to the ISP side of the world. We will want the NATing device to block normal attacks and limit virus propagation if possible.

Looking for suggestions for "off the shelf" or build our own.

jimbo1954 12-01-2006 05:57 AM

Well, there's a lot of "depends" in there!

What sort of traffic do you expect to shift between the institutions on the backbone? How much data will you shift? What is the relative "trust" between the entities on the backbone? and the clincher...What is your budget?

In broadest terms, assuming no trust between the entities on the backbone, you need each entity to have an "Internet-Grade" firewall between it and the common backbone.

If you are going to grow your own, then a Linux box with Shorewall/Netfilter installed, all other services pruned off and usual hardening carried out is a good, low-cost option. I have been using this kind of firewall between my network and the Internet for years, and it's pretty robust. It has all the necessary functions, like NAT and so forth, and also can be configured for HTTP hijacking, so if you use Squid, Dansguardian, etc, this is a good option.

If you are going for an "off the shelf" box, then there are a number of options, my favourite being the Cisco PIX, which (IMHO) used to be pretty poor, but has got better and more manageable over the last few years. Of course, you will pay for the name, and could go for any number of other proprietary firewalls, but overall, I would "grow your own". It is a solid, low-cost option, it scales well as demand increases, there is a lot of good documentation (esp for Shorewall).

There's a side issue here that should not be neglected. If you build a firewall from scratch, you are forced to understand what you are doing and how it works. This can be a lot better than simply buying a box, spending 10 mins reading the manual, deploying the box, and forgetting it. There are many badly deployed firewalls out there, because folk don't understand how they work and how to get the best out of them. Grow your own box, and you have no option but to learn how to make it work!

gracon52 12-01-2006 06:15 AM

Response with Gratitude
 
Luckily I have competent people who know what they are doing with Linux. The link between institutions is somewhat trusted. What I am trying to say is that we are not sure if it needs "internet" strength but these are academic institutions being linked. So if one student decides to attack another institution for whatever reason or if one institution gets a virus....

Thanks for the response.

jimbo1954 12-01-2006 06:38 AM

No Question, then, in my mind, that you need Shorewall. Your Linux folk will be able to manage it really well, really precisely. The issue of whether the institutions have a strong trust relationship or not is not an issue, just use a firewall that *does* give Internet-quality protection, and you can always "wind the wick down" to a lower strength.

As an alternative, I have deployed Firestarter in the past, and where you don't need complex functions like redirects, it works and is *real* easy to use, being completely GUI.

HTH

b0uncer 12-01-2006 06:43 AM

Quote:

Originally Posted by jimbo1954
As an alternative, I have deployed Firestarter in the past, and where you don't need complex functions like redirects, it works and is *real* easy to use, being completely GUI.

I thought Firestarter was a front-end of one kind for iptables (netfilter), which controls the Linux firewall (and more). True, Firestarter is "completely GUI" in the sense that a user should not need to do anything on the console, but it's not the whole firewall system, just a way to configure it.

jimbo1954 12-01-2006 07:51 AM

You are right, Firestarter is a front-end, but so is Shorewall, and I believe most of the "firewalls" available are "human-friendly" ways of configuring the Netfilter/IPTables functions which are embedded in the Linux kernel (and can be a real *dog* to configure from the CLI).

The thing with Shorewall is that it delivers a balance between ease of configuration and detail capability. Firestarter, OTOH, sacrifices a little in detail configuration for an easy-to-use interface (which is in no way a criticism of Firestarter: if you want that simplicity of configuration, there's a good chance that intricate detail of config will be unnecessary to you anyway).

I like them both!

chort 12-01-2006 01:32 PM

Personally, if you're connecting to multiple institutions I would make certain to get it right. You don't want to be the name in the headlines when another institution gets hacked through your site, or worse if your private data is hacked from access through this network. Unless you have experts in netfiltering working for you, I would not leave it to them to "roll their own". There is a time and place for doing things yourself, and that's either when you're the master of that knowledge domain and nothing fits your requirements, or when you're working with non-critical assets and don't mind getting it wrong a few times to learn.

Considering most security breaches these days come from insiders or somewhat-trusted partners, i.e. parties with elevated access, I would not "settle" for something less than high-grade security over a semi-private link. In a way, you want better technology protecting your partner links and internal network than you do to the Internet. Internet firewalling is pretty simple: block everything, let e-mail & http (to specific servers) through. That's pretty much it. When you're dealing with partner links, you often expose "squishy" applications that don't have very hardened security, such as databases, EDI systems, proprietary applications, scientific systems, etc, etc... Since you're allowing access to a lot more services, and the services are in general, less secure than typical Internet-facing services, there's a lot more danger.

Anyway, I would go with a commercial solution and make sure to evaluate it first to prove that it meets your requirements. That doesn't mean that you have to go with a Juniper/Checkpoint/Cisco, but I wouldn't roll your own for something like this. I hear that Astaro is a very good security gateway for a reasonable cost. There are probably some other similar products out there from small companies who built commercial offerings on Open Source technology. I know there are a couple of companies offering firewalls built on OpenBSD, for example.
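
A worked configuration for the "grow your own" box jimbo1954 describes, with chort's partner-link point taken into account, written for this page as an added example and not code posted by anyone in the thread. It is one site's Linux gateway between its LAN and the shared backbone, emitted as an iptables-restore ruleset: the institution's own addressing stays untouched and is hidden behind one backbone address (SNAT), a single portal is published by DNAT, LAN web traffic is redirected into a local Squid (the "HTTP hijacking" mentioned above), one named partner may reach one "squishy" database server on one port, Windows file-sharing ports are dropped in both directions, and new outbound TCP connections are capped so an infected host cannot scan the other nine institutions at wire speed. Every interface name, address and port below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): institution gateway between the campus
# LAN and the shared private backbone, expressed as an iptables-restore ruleset.
# All interface names, addresses and ports are constructed for illustration.
BB_IF=eth0                 # backbone side
LAN_IF=eth1                # institution side
LAN_NET=10.20.0.0/16       # this site's own IP scheme, kept as-is behind NAT
BB_ADDR=172.31.1.2         # this site's one address on the backbone
PARTNER_B=172.31.2.0/24    # partner B as seen on the backbone (its NAT pool)
WEB_SRV=10.20.0.10         # portal published to partners
DB_SRV=10.20.0.20          # database only partner B may reach
SQUID_PORT=3128            # local Squid listener for transparent HTTP proxying

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# "HTTP hijacking": LAN port-80 traffic is diverted into Squid on this box
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# publish the portal on this site's backbone address
-A PREROUTING -i $BB_IF -d $BB_ADDR -p tcp --dport 443 -j DNAT --to-destination $WEB_SRV:443
# hide the internal scheme behind one backbone address
-A POSTROUTING -o $BB_IF -s $LAN_NET -j SNAT --to-source $BB_ADDR
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NET2LOC - [0:0]
:LOC2NET - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# admin SSH and the Squid listener are reachable from the LAN only
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# worm favourites never cross the backbone in either direction
-A FORWARD -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A FORWARD -p udp -m multiport --dports 135,137,138,139,445 -j DROP
-A FORWARD -i $BB_IF -o $LAN_IF -m state --state NEW -j NET2LOC
-A FORWARD -i $LAN_IF -o $BB_IF -m state --state NEW -j LOC2NET
# inbound: named partner, named server, named port; everything else logged and dropped
-A NET2LOC -s $PARTNER_B -d $WEB_SRV -p tcp --dport 443 -j ACCEPT
-A NET2LOC -s $PARTNER_B -d $DB_SRV -p tcp --dport 5432 -j ACCEPT
-A NET2LOC -m limit --limit 5/minute -j LOG --log-prefix "FW-NET2LOC-DROP "
-A NET2LOC -j DROP
# outbound: cap new TCP connections so an infected host cannot scan the partners at wire speed
-A LOC2NET -p tcp --syn -m limit --limit 100/second --limit-burst 300 -j ACCEPT
-A LOC2NET -p tcp --syn -m limit --limit 5/minute -j LOG --log-prefix "FW-LOC2NET-FLOOD "
-A LOC2NET -p tcp --syn -j DROP
-A LOC2NET -p icmp --icmp-type echo-request -j ACCEPT
-A LOC2NET -j DROP
COMMIT
EOF
}

apply_rules() {
    # iptables-restore replaces the whole ruleset atomically, so a half-loaded
    # firewall is never on the wire.
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules | iptables-restore
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    gen_rules          # default: print the ruleset for review
fi
```

Run as-is the script only prints the ruleset for review; `APPLY=1` as root loads it. The partner ACL is written against partner B's backbone addresses rather than its internal scheme, because on this link every site sits behind its own NAT; for the same reason the NET2LOC rules match the internal server addresses, which is what the FORWARD chain sees after the PREROUTING DNAT has run.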

Sertys 12-03-2006 06:10 PM

The problem with institutions (and academic ones too) is that they want something, they want it badly, have the money to buy it, want it fast, but don't know what they are going to do with it. So they just refer to you for a solution. I had such a case with a uni around here which wanted to invest like $10k in a Juniper router to handle their 10+10 Mbit connectivity, just because one of the guys heard once that "Juniper rocks". And 100 Mbit/s is a cap where you can virtually do anything with Linux + netfilter + tc and a decent machine. With the proper staff on campus it's as easy as 1, 2, 3. Build a reliable solution and charge them as if you'd sold them an "internet-grade" router.

sarajevo 12-04-2006 12:49 AM

Hi,

I think the good solution for something like this is an iptables/netfilter solution; more at www.netfilter.org
Implementing an iptables firewall requires a good understanding of all the processes and how it works, but believe me, when you learn that and understand how it works, implementing a firewall will be a joke and fun, I mean you will enjoy scripting them. So I think it is worth spending the time to learn it.
Good place to start is
http://iptables-tutorial.frozentux.n...-tutorial.html
and it is worth every minute you spend learning it.

Best wishes

Regards

chort 12-04-2006 02:36 AM

Quote:

Originally Posted by Sertys
The problem with institutions (and academic ones too) is that they want something, they want it badly, have the money to buy it, want it fast, but don't know what they are going to do with it. So they just refer to you for a solution. I had such a case with a uni around here which wanted to invest like $10k in a Juniper router to handle their 10+10 Mbit connectivity, just because one of the guys heard once that "Juniper rocks". And 100 Mbit/s is a cap where you can virtually do anything with Linux + netfilter + tc and a decent machine. With the proper staff on campus it's as easy as 1, 2, 3. Build a reliable solution and charge them as if you'd sold them an "internet-grade" router.


That's silly. That's like saying everyone should build their own house, because all you need to do is lay the foundation, put up the frame, and slap on some sheetrock. Just because it's possible to build something doesn't mean you should.

The time to do things yourself is when you have enough knowledge that you'll never need outside support. Why do you think corporations spend thousands and hundreds of thousands of dollars (even hundreds of millions) on commercial products? In most cases it's not because they couldn't build it themselves, but rather it's quicker, less prone to error, and much better supported to buy it from someone else. When something breaks at 4AM, you don't want to be the one admitting you don't know how to fix it and you can't reach anyone who does. You want to have tech support on the other end of the phone walking you through things.

I'm not saying netfilter is bad technology; there are plenty of commercial firewalls built on netfilter (such as Astaro). I'm saying you shouldn't do something yourself if it's not something that you're an expert at (in an institutional or corporate setting). Playing network admin at home is a totally different story than being a real network admin with SLAs, uptime requirements, and a pager that wakes you up in the middle of the night when things go wrong.

jimbo1954 12-04-2006 05:20 AM

I'm troubled by the approach that says if you want a reliable, supportable solution, you have to buy someone's commercial solution. For example: how do you think Cisco started? It was a couple of engineers (man and his wife/partner), if memory serves me, messing round with a Unix box in the lounge at home, to see if they could do something *better*. If you always go with the commercial solution, you end up with Windoze... 'Nuff Said?

This is a "Sales" thing: The salesmen have the talk, but not the in-depth engineering understanding. They have found that they can talk up a sale, not by extolling the virtues of a (possibly cheaper) solution, but by using FUD (fear, uncertainty and doubt), even when there is no real problem. It's all to do with risk avoidance. Remember the saying "Nobody ever got fired for buying IBM" from the 80's... I do!

An engineer's solution (like the home-grown Shorewall router) may be equal or better than the one the salesman is selling, but engineers are notoriously tongue-tied and unable to present their case, so we see this situation mirroring the situation with Linux as a whole, where a *clearly* adequate, possibly superior solution is foregone simply because someone comes along and says "Oh you can't do that, think of the risk...." If human beings had never taken risks, we would still be in the primeval slime.

fotoguy 12-04-2006 06:13 AM

I think everyone has made some valid points regarding both a Linux box and a commercial appliance. So I don't think you could really make a decision based on everyone's opinions, since they will all have merits and drawbacks.

I think the only way to come to a decision is to invest some time and money in a feasibility report. Since both linux box and hardware appliance are candidates for the project, you have something to research.

And as chort has pointed out, there are lots of things that need to be taken into account. Some additional things that also need to be considered: the impact on key stakeholders, impact on current software (applications and operating systems), risk management, budget, quality control/management.

Even though this may seem like something fairly small, it can become quite a headache if something was to go wrong; planning may help to minimise the risk. Plus management always like to see paperwork. If they can see it in writing, they are more likely to approve it.

chort 12-04-2006 10:12 AM

Quote:

Originally Posted by jimbo1954
I'm troubled by the approach that says if you want a reliable, supportable solution, you have to buy someone's commercial solution. For example: how do you think Cisco started? It was a couple of engineers (man and his wife/partner), if memory serves me, messing round with a Unix box in the lounge at home, to see if they could do something *better*. If you always go with the commercial solution, you end up with Windoze... 'Nuff Said?

And who bought Cisco gear for the first couple of years? Pretty much no one, that's who. When you develop a new product, you have to give it away for free for the first half-dozen customers or so, because no one will trust it being the very first customer. Remember, I'm not talking about the technology, I'm talking about the supportability.

Quote:

This is a "Sales" thing: The salesmen have the talk, but not the in-depth engineering understanding. They have found that they can talk up a sale, not by extolling the virtues of a (possibly cheaper) solution, but by using FUD (fear, uncertainty and doubt), even when there is no real problem. It's all to do with risk avoidance. Remember the saying "Nobody ever got fired for buying IBM" from the 80's... I do!

It's not pure FUD. A lot of it is risk-management. Who will be responsible when things break? It's never a question of if things will break, but when.

Quote:

An engineer's solution (like the home-grown Shorewall router) may be equal or better than the one the salesman is selling, but engineers are notoriously tongue-tied and unable to present their case, so we see this situation mirroring the situation with Linux as a whole, where a *clearly* adequate, possibly superior solution is foregone simply because someone comes along and says "Oh you can't do that, think of the risk...." If human beings had never taken risks, we would still be in the primeval slime.

Why take a risk when you don't have to? Let's put all the company's mail servers on Slackware! Great, do it! Oh no... we patched the kernel and now the smtpd processes are crashing every 30 minutes, what do we do? I guess the mailservers will be out of service until one of us figures out how to get it working with the new kernel... could be hours, days... who knows?

vs.

When we applied that security patch our ApplianceServ mailservers started crashing. We got support on the phone and they said this is happening all over. We need to change one of the config settings and now the problem is solved.

Case 1: Do it yourself. Unknowable time to resolve issues. No SLA. Issues could drag on for days with no solution.
Case 2: Commercial product. Fixed SLAs dictating how long it will take to respond to issues of varying severity. Escalation path if issues aren't fixed. Vendor will ship replacements if a timely solution isn't possible.

Now if you were in charge of running anything important, what would you choose: Case 1, or Case 2?

Here are the basic problems with building something yourself:

1. Support. Who else (besides the builder) knows how to troubleshoot the application? What kind of assurance do you have that any issue will be resolved within an acceptable time-frame?

2. Patches and upgrades. If the original builder leaves, can the application be upgraded and/or patched for security problems or new features? How much would this cost?

3. Documentation. Commercial vendors provide hundreds to thousands of pages of documentation for their products. How much is an engineer going to document? You'll be lucky if they comment the code, let alone write a manual for admins.

You'll notice that the above 3 things are basically what all the "Linux OS companies" do. The OS itself is free, but you pay a support contract for those 3 things. Why would a company bother to pay for those things when they could just use the OS for no cost? Because it's a risk. It's worth it to spend some money for support, because it's very likely there will be problems, and the cost of a few problems going unresolved is higher than the cost of purchasing a support contract.

I know that #2 happens all the time (because I've been to companies where it has happened). Companies frequently have "that one genius guy" write custom applications for critical things, then that guy quits or gets fired and they have no way to fix the application. Then they need to bring in a consultant for $$$ to try to understand the original application and be able to modify it, or they need to pay a vendor $$$$ to migrate from that un-supportable application to a commercial one. That is painful.

Bottom line: The cheapest solution by acquisition cost is usually not the cheapest solution in the long run.

jimbo1954 12-04-2006 11:04 AM

Hey Chort, don't bite my head off! Man, you should have been around when the latest thing was co-axial cable! Way back then, I worked for a networking company that was one of the biggest networking manufacturers around, and even *we* couldn't support the kit sometimes! The stuff was so new that we were getting code cut in the US yesterday, applied and run on the customer network today. That's how things were, then. It's a lot like Linux is now...

I guess I just have a great disregard for the smoke and mirrors, snake oil and FUD coming out of some manufacturers. Oh, and by the way, thanks for the harsh approach to engineers' documentation. Perhaps I'm unusual, I don't think so, but I, like many Linux integrators, document as well or better than commercial, because I have to be able to support my appliances, and I have a memory impaired by too much coffee :)

It's all a bit like the development of the aeroplane, I guess. I was around when everyone was doing the network equivalent of barnstorming and flying by the seat of the pants. It was risky, it was fun, and we laid the basis for the networks of today, which some might say are like the airlines of today: sterile, boring and corporate. I'll continue to barnstorm, and rely on my own engineering ability... you're happy your way, I'm happy mine, and we'll probably never agree.

BTW sorry! I just realised I'm so far off-topic I'm in outer space, so I'll shut up now!

chort 12-04-2006 12:06 PM

Quote:

Originally Posted by jimbo1954
It's all a bit like the development of the aeroplane, I guess. I was around when everyone was doing the network equivalent of barnstorming and flying by the seat of the pants. It was risky, it was fun, and we laid the basis for the networks of today, which some might say are like the airlines of today: sterile, boring and corporate. I'll continue to barnstorm, and rely on my own engineering ability... you're happy your way, I'm happy mine, and we'll probably never agree.

That may be the best analogy you can make. I would say that it's exactly like the aerospace industry. How many passengers used air travel when all the aircraft were one-offs built by hand by the actual designer? A few thousand? It wasn't until the process of designing and building aircraft became very formalized and repetitive that a significant number of people actually trusted flying, and even then it took arguably 40 years for it to become really mainstream.

Even though you can still build your own aircraft by hand (and it's really not beyond the capabilities of most adults), how many people fly in them? Maybe several thousand? Certainly under 100,000. The people that fly in homemade aircraft, are they consumer passengers, or hobbyists? They're hobbyists, i.e. people who do it just for the fun of it. No one would actually pay to fly from point A to point B in a homemade aircraft.

Do people pay to fly because they are saps? No, they do it because it would cost them more in time & effort (which translates into lost wages) to train to be a pilot, build and maintain an aircraft, pay to store it somewhere, pay for the fuel, file flight plans, check weather, have to be awake and alert while flying, etc, etc than it would cost to simply pay Southwest $200 a flight so they can arrive at the airport an hour before take-off without a care in the world, and sleep or work the entire flight. Some people elect to fly themselves, but it's not due to cost savings, it's due to fun (I actually work with a guy who does this). Heck, even Sun recently did away with their own corporate jet and decided that their executives will fly on commercial and chartered airlines. It's simply not worth the cost of maintaining their own aircraft and staff to do a job that they could pay someone else to do more efficiently.

I would argue that the same is true of software. If you want a fun hobby for the weekend, build your own netfilter firewall (I did, and I even have a Netscreen in my garage that I could have used for free). If you want to protect something of value, buy the firewall. Sure it's the same technology underneath, but in the commercial product it's been formalized, it has a demonstrable track-record, and it has promises of support to back it up, with penalties should that support fail.

Sorry for making this thread so long and off-topic, but the point I would like to get across is this: There's a difference between giving advice to an individual about how they should handle their own personal network, that they run as a hobby, and giving advice to an institution that has responsibilities and serves a large number of users. What is appropriate to tell an individual for handling their pet project is not necessarily appropriate for an institutional environment.

I know a lot of FOSS advocates are really excited and don't want to miss an opportunity to hype Linux, and other Open Source technologies as solutions for any problem, but if you want anyone to take you seriously the community as a whole really has to consider the advocacy they are spouting and whether or not it makes sense for their target audience. Telling a CEO or Provost that they should let their staff write some application from scratch with no guarantees, rather than paying a few thousand dollars and getting something that is backed up by a successful organization that sells such a product as a business will not really make much sense to them.
