Beruflich Dokumente
Kultur Dokumente
written by: Lee Clemmer edited by: Bill Bunter updated: 5/17/2010 So you want to build your own firewall? Creating a firewall using your own hardware and free firewall software and applications is possible. This article examines what hardware and software components you need, firewall design basics, and how to configure, test, and deploy a strong DIY firewall.
Hardware Requirements
Most modern PCs have far more than enough RAM, CPU speed, and I/O performance to work as a firewall for all but the largest or heavily trafficked networks. Many large businesses did use off the shelf servers as their firewalls--I've worked at some of these companies and seen many such firewalls. A bargain PC won't be your best choice, however, for a couple of reasons. First, you will want to be sure that the motherboard has a high-performance bus controller and that there are enough expansion slots to accomplish what you want. A single free PCI slot simply isn't (usually) enough. Few expansion slots is often also a sign that the system wasn't designed for a long life and constant use. Less expensive motherboards simply are more likely to fail, and you don't want the system burning out in 6 months! Power supplies are another cause of failure, you will want a sturdy power supply that exceeds the minimum needs, provides very reliable output, and will have a long life--it's going to be running all the time.
Net-Security Myths Busted
PaloAltoNetworks.com/Techbusters
Watch the latest Network Security Episodes & Learn the Facts!
Ads by Google Next you should consider network interface (NIC) options. Most of the time your motherboard will have a single 10/100baseT Ethernet interface already built-in. This can either be a good thing or a bad thing. Sometimes these provide good performance--other times I've found they weren't as good as my added cards. The main point here is that you will want one network interface for each physical network: two at a minimum. One for your internal (or protected) network, and another for the external (or Internet) network. As you'll see in the design section, this is the minimum; you may want or need several more NICs. If you don't have that many expansion slots on your motherboard bus, there are cards that have multiple Ethernet interfaces on a single card (two, or even four). While this may seem like a neat idea, I don't usually recommend it because if that card fails, two (or four) networks go down rather than just one. Will you be able to replace a four-port card quickly if you don't own a spare? If you are trying to imitate one of the small appliance firewalls, you'll note that they often just have a single four-port Ethernet card, so it's not a horrible idea--just one that isn't ideal. You may want to use a gigabit (1000BaseT) Ethernet interface for your internal networks if you want or need the higher throughput. Home users might consider a Wi-Fi adapter for
the internal interface since they may not have or want cabling connecting the firewall to the ideal spot for their wireless router or hub. Routing can become complex, and we'll need to cover that in a follow-up article.
Creating a firewall using your own hardware and free firewall software and applications is possible. This article examines what hardware and software components you need, firewall design basics, and how to configure, test, and deploy a strong firewall. Do it yourself (DIY) free firewalls need certain firewall software components, firewall configuration, and you need to build your firewall and design it to meet your network and application requirements. Virtual Private Networking (VPN) functions, Network Address Translation (NAT), anti-spam, anti-malware, anti-virus, and other application protection packages are needed as well. Network design, firewall rules creation and testing, and firewall deployment are all discussed. Extras like high-availability (HA) and virtual IP addresses (VIP) are possible with the firewall you build.
Software Components
First you will need to choose an operating system platform for your firewall. Windows is a possibility, but most all of the Open Source firewall applications were designed to run on Linux (or other Unix variants in some cases). Some free firewall packages include the base Linux OS and install completely, without the need for selecting, downloading and installing or compiling individual components, configuring Web management or other controls, and so forth. This can be a big time saver and there are several excellent choices, such as Untangle's free version (more on Untangle below). The firewall components and applications you require include a core routing and protocol filtering component, which also can provide network address translation (NAT) functionality. TCP and UDP protocol management beyond basic port filtering is important as well, allowing or restricting particular applications or functions. An interface for creating and managing these rules, usually a Web interface for ease-of-use is also needed. These are required components for any system calling itself a firewall. Firewalls go far beyond this basic functionality, however. Almost all current firewalls provide virtual private network (VPN) functions. The firewall acts as a VPN endpoint and the rules component helps manage what remote VPN users or sites can and cannot access on the network. Intrusion Detection & Prevention (IDS/IPS) and reporting functions are key components as well. Good reporting visible via a Web interface, and with alerts sent via email is very important. A fullfeatured intrusion detection system (IDS) like Snort is a great component to integrate, see more about Snort in my review article here. Anti-Virus, other anti-malware, anti-spam and related components can be added, taking some of the burden off internal servers and PCs to protect themselves. Many choices for these components Check out this review of Untangle to see what their Open Source package has to offer for your firewall. If you don't want to assemble all the components yourself this is a good choice. Untangle's base package includes 12 Open Source firewall applications. These free applications provide more than the minimum firewall components, including anti-malware, anti-Spam, IDS, VPN and reporting functions. Advanced networking features including QoS and Voice over IP support provide tools for or ensuring bandwidth is available for sensitive applications such as VoIP) are present and easy to access and configure. Untangle's web management interface for these security apps is easy to learn and understand. Untangle also offers Untangle for Windows, a free firewall package which runs on a Windows XP computer.
Design Example
Network design, firewall rules creation and testing, and firewall deployment are all discussed. Extras like high-availability (HA) and virtual IP addresses (VIP) are possible with the DIY firewall you build. If you are working on the project for home use, you can likely create your rules, application protection settings, the rest of the firewall configuration, and put it in place to test what you've done as you go. For businesses, you will want to set up a test network and work out problems in advance before putting the firewall in place. It's even possible to configure two firewalls in a high-availability (HA) configuration, where if one crashes or is off the 2nd keeps the network and protection up and running. You can also set up multiple protected servers in a cluster or "pool" with a single name and IP address (VIP) load balances between them. These are advanced topics, but are all possible with the DIY firewall you are constructing.