Savvy system builders are well aware that hordes of hackers stand ready to descend on your clients' operations and steal everything from personal identities to state secrets. Worse, some hackers are out to destroy your clients' valuable data—and your reputation along with it. So unless a system builder enjoys rebuilding disks, recovering data, and fielding downtime complaints, they should know at least a little something about firewalls. Namely, how firewalls work and how to select the best firewall for a specific installation.
In this Recipe, I'll explain both the options for firewall protection and the differences between hardware and software implementations. By the end, you should be able to point a client to the firewall that best fits their budget, complements their operations and, of course, provides them with the best possible protection.
I'll also show, in step-by-step fashion, how to build a configurable and secure Linux firewall from a recycled PC. Since the software I recommend is open source and free to download, this will also allow you to offer incredible cost savings to your clients.
To start, let's look at the subject of firewalls in general, both the hardware and software varieties.
All computer users—from the largest enterprises to the one-person business or home user—need some form of security between their network and the outside world. A properly configured hardware firewall sits at the entrance to a network as the first line of defense against unwanted intrusions. It's like the lock on the front door of your home; you don't always know who you are locking out, but you're sure that bad guys are among them.
Similarly, a good firewall allows only approved sources to enter the network. It may also allow special or unrestricted access to one or more servers. But that raises a question: If you have a Web site, you may not always be sure where your traffic will be coming from, right? So how does a firewall offer both protection and flexibility?
To determine who gets access to a network and who gets turned away, a typical hardware firewall intercepts and inspects network traffic using a technique known as packet filtering. As each packet arrives, the firewall examines its IP and TCP/UDP headers to determine the source and destination addresses, the protocol, and the source and destination ports. It then compares this information against a set of predefined or user-created rules that determine whether the packet is to be forwarded (allowed to pass into the client's network) or dropped.
A more advanced technique, called Stateful Packet Inspection (SPI), has the firewall look at more than the packet in front of it. It keeps a table of the connections it has already seen, so it knows which interface a packet arrived on (the Internet-facing side or the local network) and, more importantly, whether an incoming packet is the reply to a request that a machine on the local network sent out moments earlier, such as a request for a Web page. An unsolicited inbound packet that matches no known connection is dropped even if its headers are crafted to look like a reply.
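To make the difference between plain packet filtering and stateful inspection concrete, here is an added example in Python. It is not code from the original article and not SmoothWall code; it is a toy filter that applies the header checks just described to a constructed sequence of packets. The LAN prefix, the web-server address, the Packet class and all addresses and ports are made up for the example. The stateless filter has to open a static hole ("inbound TCP with the ACK bit set") to let replies back in, so a forged ACK packet walks straight through it and a legitimate UDP (DNS) reply is dropped; the stateful filter admits only packets that belong to a connection it watched being opened.

```python
"""Toy stateless vs. stateful packet filter (constructed example, not SmoothWall code)."""
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."     # assumed internal network (example value)
WEB_SERVER = "192.168.1.10"   # assumed published web server (example value)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


def direction(pkt):
    """'out' for LAN-originated packets, 'in' for everything arriving from the Internet."""
    return "out" if pkt.src.startswith(LAN_PREFIX) else "in"


def is_published_service(pkt):
    """The one inbound service the administrator deliberately exposes (web server, TCP/80)."""
    return pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 80


def stateless_decide(pkt):
    """Plain packet filter: judges each header on its own, with no memory.

    To let replies to LAN-initiated web requests back in it opens a static
    hole ("inbound TCP with ACK set"), which a forged packet also fits, and it
    has no way to admit UDP replies without opening UDP wholesale.
    """
    if direction(pkt) == "out":
        return "ACCEPT"
    if is_published_service(pkt):
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.ack:
        return "ACCEPT"     # assumed to be return traffic; cannot be verified
    return "DROP"


class StatefulFilter:
    """Stateful packet inspection: remembers which connections it has seen open."""

    def __init__(self):
        self.flows = set()   # entries: (proto, initiator, iport, responder, rport)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def decide(self, pkt):
        if self._key(pkt) in self.flows or self._reverse_key(pkt) in self.flows:
            return "ACCEPT"          # belongs to a connection already tracked
        # Only a bare SYN opens a TCP flow; UDP/ICMP have no handshake, so any packet does.
        opens_flow = pkt.proto != "tcp" or (pkt.syn and not pkt.ack)
        if not opens_flow:
            return "DROP"            # mid-stream TCP packet for no known connection
        if direction(pkt) == "out" or is_published_service(pkt):
            self.flows.add(self._key(pkt))
            return "ACCEPT"
        return "DROP"                # unsolicited inbound connection attempt


def run_scenario():
    """Feed one constructed packet sequence through both filters.

    Returns {name: (stateless verdict, stateful verdict)}; order matters for
    the stateful filter because replies must follow the request they answer.
    """
    lan_pc, remote, attacker = "192.168.1.20", "203.0.113.5", "198.51.100.9"
    sf = StatefulFilter()
    sequence = [
        ("web_request_out",    Packet(lan_pc, remote, "tcp", 40000, 80, syn=True)),
        ("web_reply_in",       Packet(remote, lan_pc, "tcp", 80, 40000, syn=True, ack=True)),
        ("dns_query_out",      Packet(lan_pc, remote, "udp", 50000, 53)),
        ("dns_reply_in",       Packet(remote, lan_pc, "udp", 53, 50000)),
        ("forged_ack_in",      Packet(attacker, lan_pc, "tcp", 80, 445, ack=True)),
        ("unsolicited_syn_in", Packet(attacker, lan_pc, "tcp", 31337, 22, syn=True)),
        ("web_server_syn_in",  Packet(attacker, WEB_SERVER, "tcp", 31337, 80, syn=True)),
    ]
    return {name: (stateless_decide(p), sf.decide(p)) for name, p in sequence}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:20s} stateless={stateless:6s} stateful={stateful}")
```

The two verdict columns tell the story of the paragraphs above: both filters let the published web server be reached and both drop a cold connection attempt to a desktop, but only the stateful one admits the DNS reply and rejects the forged ACK, because it checks the packet against a connection it actually saw leave the network rather than against a flag an attacker controls.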
A hardware firewall need not be a dedicated device. The function of inspecting packets can be built into any hardware. In fact, most residential routers sold today have firewalls built in. Also, PCs running versatile Linux firewall software have been installed to protect commercial and private networks.
Hardware firewalls, especially those built into broadband routers, can be effective with little or no configuration, making them ideal for residential or small-business use. They can protect every machine on a local network. Most hardware firewalls have at least four network ports to connect other computers. Of course, for larger networks, more elaborate networking firewall solutions are available.
A downside of hardware firewalls is that simple packet filters, such as those found in common broadband routers, lack flexibility. The configuration of these routers, while easy to set up, is often limited to very basic filtering. Because such a filter looks only at packet headers, it cannot always tell how dangerous a given piece of traffic is. What's more, simple packet filtering won't allow administrators to set up special access for, say, a Web server, or to limit certain network traffic to specific machines on the network. And as hardware routers become more sophisticated to support features like DMZ pinholes, Dynamic DNS services, and Web proxy serving, their configurations can become more complex and harder to maintain.
For many home users, the most popular form of network protection is the software firewall. This software offers protection from outside attempts to control or gain access to a computer. Depending on the software, the firewall may also protect against common Trojan programs, e-mail worms and other malware. Many software firewalls also offer user-defined controls for setting up safe file and printer sharing, as well as safeguards to block unsafe applications from running on the system. A good software firewall runs in the background and uses only a small amount of system resources.
One benefit: Unlike a hardware firewall living at the edge of the network, which sees only packet headers, a software firewall runs on the machine itself and knows which program is sending or receiving each connection. It can therefore block an unknown or untrusted application from reaching the network at all, and keep a closer watch on the programs most often targeted, such as e-mail clients and Web browsers.
The major downside to a software firewall: It protects only one computer, the machine the software is installed on, not an entire network. So to protect a network of machines with software firewalls, the software firewall must be installed and configured on each and every system. Maintaining individual software firewalls on networks with many PCs can be an awkward and time-consuming task.
It's no wonder that many network administrators seek to employ the benefits of both software and hardware firewalls. They do so by running simple configurations of firewall software on PCs (perhaps with automatic update or configuration capabilities) and using a hardware firewall to protect access to the network.
A Hardware Firewall for Small Businesses
So let's take a look at building a hardware firewall that's ideal for guarding the front door of a small-business network that needs more protection than a simple packet filter. There's no reason, by the way, why this solution could not be used for a large enterprise, too. Plus, it's so affordable you might want to build one for your home-user clients.
This solution is based on open-source software called SmoothWall Express, created by the U.K.-based Smoothwall Open Source Project. This software offers many advanced features that growing businesses need, but won't find in router-based firewall implementations.
Essentially, SmoothWall Express uses a purpose-built Linux distribution to turn a PC into a dedicated hardware firewall. The firewall passes only the traffic its rules explicitly allow. It offers no services to the Internet on its external interface and does not answer the probes, such as ping sweeps and port scans, that attackers use to identify potential targets. To the legions of script kiddies, hackers and crackers scanning for a firewall to attack, it is therefore effectively invisible.