Firewall Technology

From linsec.ca


There are a number of different parts of a firewall, above and beyond the firewall itself. Obviously the firewall, and the technology used to construct it, is of premier importance. But many people are extending their firewalls to have more purpose than just protecting a computer or network from outside systems. This is true even of firewall appliances; no longer are they strictly devices of penetration protection (i.e. preventing unauthorized access). These devices provide services like content filtering, DMZ support, and more. Whether the technology used is basic or advanced (or even whether it works properly or sufficiently) in a number of these devices is an item for debate. The real determining factor is cost; if you want a flexible, powerful appliance, be prepared to pay big bucks for it.

Using a computer with two or more network cards can be the most efficient firewall you could possibly invest in. A custom-tailored firewall system where you have the utmost control is a definite boon. Popular operating systems to create firewall systems are Linux and OpenBSD, while others can work just as well. A number of smaller Linux distributions exist for the sole purpose of providing a firewall-oriented operating system; distributions such as Multi Network Firewall (based on Mandrakelinux), Shorewall, Astaro, and many others.

By using a BSD or Linux-based operating system, you can install certain add-ons and have the firewall reflect your needs. For instance, if you were to buy a firewall appliance that strictly did its job as just a firewall, with perhaps port-forwarding and DMZ support thrown in, you might think you're doing all right. Then, a few years later, you have kids and find you desire a content-filtering firewall. Some may argue the time spent using the first appliance you purchased is worth the money spent, and justify buying a new appliance with the new features they seek. Others, like myself (to whom, incidentally, this exact thing happened, and who has learned from the mistake), will reuse old(ish) hardware and build their own firewall, using a favored distribution or flavor of *NIX, and tailoring it to meet their needs.

Perhaps having your firewall handle a DMZ, or multiple DMZs, is important to you and you'd like a firewall able to handle it. Perhaps using a web cache is of importance, or content filtering. By designing your own firewall system, you can do all of this and more.

Prudence, and observing traffic on varying mailing lists, tells me to add a caveat to this. While some services running on your firewall system would be OK, such as a web proxy like Squid and so forth, there are other services that should not be run on your firewall system. Some will likely disagree with me and insist a firewall system should be exclusive to the firewall. If this is at all possible, I would suggest trying to keep the firewall system as thin and lightweight as you can. If not, some services should be considered acceptable. Services like a mail server, public web server, FTP service, and so on should not be made available, or even installed, on a firewall system. These are services that have no business being on your firewall, as they could very well compromise the entire system, and potentially the entire network you're attempting to protect. However, services such as a web proxy or content filtering system should be considered acceptable if you do not have the hardware available to run those services in tandem with, yet physically apart from, the firewall itself.
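One way to check the caveat above on an existing firewall host is to audit what is actually listening and flag anything outside a short allow list. The following is an added example, not code from linsec.ca; it parses `ss -tlnp`-style output (a constructed sample is embedded so it runs offline), and the allow list of ports (SSH, Squid, DNS) is an assumption you would adjust to your own setup.

```shell
#!/bin/sh
# Added example (not from the linsec.ca page): flag listening services on a
# firewall host that have no business being there (mail, web, FTP, ...).
# The allow list is an assumption: SSH for management, Squid as web proxy, DNS.
ALLOWED_PORTS="${ALLOWED_PORTS:-22 3128 53}"

# Constructed sample of `ss -tlnp` output for a firewall running sshd and
# squid (acceptable) plus a mail server and an FTP daemon (not acceptable).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128          0.0.0.0:3128      0.0.0.0:*     users:(("squid",pid=1020,fd=12))
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*     users:(("master",pid=1102,fd=13))
LISTEN 0      32           0.0.0.0:21        0.0.0.0:*     users:(("vsftpd",pid=1150,fd=3))'

# Read ss -tlnp style lines on stdin. Print "<port> <process>" for every
# LISTEN socket whose port is not in the allow list. Exit status is 1 when
# at least one such listener was found, 0 when the host is clean.
audit_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)          # "0.0.0.0:25" -> "25"
      proc = $6                                # users:(("master",pid=...))
      if (match(proc, /"[^"]+"/)) proc = substr(proc, RSTART + 1, RLENGTH - 2)
      else proc = "?"
      if (!(port in ok)) { print port, proc; bad++ }
    }
    END { exit bad ? 1 : 0 }'
}

# Stand-alone use:
#   sh audit.sh sample   -> run against the embedded sample
#   sh audit.sh live     -> run against this host (needs iproute2 `ss`)
case "${1:-}" in
  sample) printf '%s\n' "$SAMPLE_SS" | audit_listeners ;;
  live)   ss -tlnp | audit_listeners ;;
esac
```

Run against the sample it reports `25 master` and `21 vsftpd` and exits 1; with those two lines gone it exits 0. Because it reads stdin, the same function can audit a captured `ss` listing from another host.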

There are a number of different firewall "technologies" on Linux and BSD. The BSD systems use ipfw, while Linux 2.2 systems use ipchains and 2.4+ Linux systems use iptables. Unless you absolutely must use ipchains, use a Linux 2.4 kernel with iptables, as it does stateful packet filtering. Ipchains, on the other hand, is stateless and not nearly as flexible as iptables.
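To make the stateful point concrete, and to show the multi-DMZ layout mentioned earlier, here is an added example (not code from linsec.ca) that generates an iptables ruleset for a three-interface firewall (WAN, LAN, DMZ) in `iptables-restore` format. Interface names, subnets and the DMZ web server address are assumptions. It uses the `conntrack` match found on current kernels; on the 2.4-era kernels the page describes, the equivalent is `-m state --state`. Emitting the rules as text first lets you review and sanity-check them before loading them atomically.

```shell
#!/bin/sh
# Added example (not from the linsec.ca page): generate a stateful iptables
# ruleset for a WAN/LAN/DMZ firewall in iptables-restore format.
# All interface names, networks and the DMZ host address are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
DMZ_IF="${DMZ_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_NET="${DMZ_NET:-192.168.2.0/24}"
DMZ_WEB="${DMZ_WEB:-192.168.2.10}"   # assumed public web server living in the DMZ

# Emit the ruleset on stdout. Default policy is DROP for INPUT and FORWARD;
# return traffic is admitted by connection state, which is the stateful
# behaviour ipchains cannot provide (it would need a "reverse" rule per port).
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, then replies to connections the firewall itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management (SSH) only from the LAN side
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Forwarded traffic: replies for flows already allowed below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# LAN may initiate connections to the Internet and to the DMZ
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT
# Internet may reach only the DMZ web server, only on HTTP/HTTPS
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -j ACCEPT
# The DMZ never initiates connections into the LAN: log, then the DROP policy applies
-A FORWARD -i $DMZ_IF -o $LAN_IF -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ->LAN blocked: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Publish the DMZ web server on the WAN address; masquerade everything outbound
-A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $DMZ_WEB
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Pre-load sanity checks: both tables are terminated, default policies are
# DROP, and nothing ACCEPTs traffic initiated from the DMZ into the LAN.
check_rules() {
  rules="$(gen_rules)"
  [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 2 ] || return 1
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  printf '%s\n' "$rules" | grep -q "^-A FORWARD -i $DMZ_IF -o $LAN_IF.*-j ACCEPT" && return 1
  return 0
}

# Stand-alone use:
#   sh fw.sh          -> print the ruleset for review
#   sh fw.sh apply    -> check it, then load it atomically (root + iptables-restore)
case "${1:-}" in
  "")    gen_rules ;;
  apply) check_rules && gen_rules | iptables-restore ;;
esac
```

The ordering matters: the ESTABLISHED,RELATED rules sit at the top of INPUT and FORWARD so that every reply packet is accepted by state before any per-service rule is consulted, and the WAN-to-DMZ rule names a single host and two ports rather than the whole DMZ network.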

Here we will look at the different firewall programs in an attempt to understand how to configure and use them. For iptables and ipchains, there are many frontends to help make maintenance and configuration of your firewall rules easier to handle. Some of these may be examined as well.

We will also take a look at some other services you may wish to integrate into your firewall, or tie into your firewall, such as content filtering.
