Hey,

The company I work for is in the market for a new firewall. Right now we're hosting all of our own stuff (on CentOS servers) behind an old checkpoint firewall.

I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that I would like:

1) decent gui, either web based or a local client

2) usage graphs based on protocol. So if our tiny T1 is saturated, I want to be able to find out what's eating up the bandwidth

3) VPN-friendly for a couple of road-warriors. There won't be any remote offices so no server-to-server setups, just remote clients.

4) we have a DMZ and about 30 machines on the local network. Everyone has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)

5) high-availability. So if I buy two machines, one can successfully die and the other take over.

6) no per-user charges. If the company hires a dozen people next year, we shouldn't have to "upgrade" our license.

Right now we're looking at some open-source stuff like pfsense, m0n0wall, etc... But I'm totally open to an affordable commercial firewall appliance.

Thanks for your help.

--Ajay
On Wed, Nov 09, 2005 at 11:23:59PM -0800, Ajay Sharma wrote:
> I think Checkpoint is overkill for our needs and very expensive, plus I
> don't like the "per-user" charges of some commercial solutions. What do
> you guys suggest that we upgrade to? Here are some of the features that

It depends very much on you and how much knowledge and work you're prepared to put into it. Pretty much everything you want can be done with a hardened CentOS 4.x box and a couple of extra packages. There is one exception, which I will address below.

> I would like:
>
> 1) decent gui, either web based or a local client

If you use Shorewall (http://www.shorewall.net) there is a webmin gui module for administration.

> 2) usage graphs based on protocol. So if our tiny T1 is saturated, I
> want to be able to find out what's eating up the bandwidth

There are a number of packages on Freshmeat that will do this.

> 3) VPN-friendly for a couple of road-warriors. There won't be any
> remote offices so no server-to-server setups, just remote clients.

OpenVPN will handle this no problem (Windows and Linux clients); it also integrates well with shorewall. (http://openvpn.net/)

> 4) we have a DMZ and about 30 machines on the local network. Everyone
> has a "normal" IP address, meaning that no one is behind NAT. So it
> needs to handle this (which is pretty basic stuff)

Standard stuff - no problem.

> 5) high-availability. So if I buy two machines, one can successfully die
> and the other take over.

This is where you could have a problem - if you want hot failover, with no interruption to service, I don't think the current state-of-the-art is capable of handling it. The problem is synchronising the iptables state tables between the two machines. There is a project working on this, but I'm not sure what the present status is - have a look on http://www.linux-ha.org/

>
> 6) no per-user charges. If the company hires a dozen people next year,
> we shouldn't have to "upgrade" our license.

No problem there either.

--
Cheers!
(Relax...have a homebrew)
Neil

THEOREM: VI is perfect.
PROOF: VI in roman numerals is 6. The natural numbers < 6 which divide 6 are 1, 2, and 3. 1+2+3 = 6. So 6 is a perfect number. Therefore, VI is perfect. QED
-- Arthur Tateishi
http://www.mikrotik.com

They have a demo online you can check out. Read about it here: http://www.mikrotik.com/2index.html (left side of page)

The initial learning curve isn't too hard to get around, but once you understand it, it's a breeze to work with. Took me a long weekend. Definitely worth looking into.

The rest inline........

Ajay Sharma wrote:
> Hey,
>
> The company I work for is in the market for a new firewall. Right now
> we're hosting all of our own stuff (on CentOS servers) behind an old
> checkpoint firewall.
>
> I think Checkpoint is overkill for our needs and very expensive, plus
> I don't like the "per-user" charges of some commercial solutions.
> What do you guys suggest that we upgrade to? Here are some of the
> features that I would like:
>
> 1) decent gui, either web based or a local client

They have a great local client gui called winbox. Works under wine if you have linux stations.

>
> 2) usage graphs based on protocol. So if our tiny T1 is saturated, I
> want to be able to find out what's eating up the bandwidth

They have graphing built in, but for traffic on interfaces and queues. You can set up queues based on mangle rules with no limits and graph these as well. Otherwise they have a tool called torch, where you can view traffic in real time and use filters to find your bandwidth hog.

>
> 3) VPN-friendly for a couple of road-warriors. There won't be any
> remote offices so no server-to-server setups, just remote clients.

Does ipsec, PPTP and L2TP. Very easy to setup.

>
> 4) we have a DMZ and about 30 machines on the local network. Everyone
> has a "normal" IP address, meaning that no one is behind NAT. So it
> needs to handle this (which is pretty basic stuff)

does that

> 5) high-availability. So if I buy two machines, one can successfully
> die and the other take over.

VRRP - Very redundant router protocol. Built in........

> 6) no per-user charges. If the company hires a dozen people next
> year, we shouldn't have to "upgrade" our license.

And last but not least. Runs on any i386 based pc and the software costs $45-$65 a license which gives you a year of updates. Buy multiple year licenses and the price goes down. Renew prices are cheaper than new.

> Right now we're looking at some open-source stuff like pfsense,
> m0n0wall, etc... But I'm totally open to an affordable commercial
> firewall appliance.
>
> Thanks for your help.
>
> --Ajay
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
We are using a SonicWall Pro4060 firewall in our organization, National Geophysical Research Institute, Hyderabad. We have been using SonicWall for the last five years (the Pro4060 is new, got recently).

You can try IPCOP or SmoothWall, free downloads; these are pretty good also.

Sivaraman.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dr. T. V. Sivaraman, Scientist,
National Geophysical Research Institute,
Uppal Road, Hyderabad - 500 007. INDIA.
Telephone: 91-40-23434644 (Office), 91-40-23434828 (Home)
FAX: 91-40-23434651, 91-40-27171564
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Email: tvsraman at ngri.res.in, tvsraman_45 at yahoo.com
Web: www.ngri.org.in
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Bryan J. Smith
2005-Nov-10 11:58 UTC
[CentOS] [OT] Corporate Firewall -- [Practices] More? Policies? SNMP?
Ajay Sharma <ssharma at revsharecorp.com> wrote:
> Hey,
> The company I work for is in the market for a new firewall.

How big of a company? How much do you want to lock-down access?

Traditionally, people take 3 approaches:
1. Allow everything out (SOHO 'Ritters)
2. Allow everything out by default, then block destination ports (SMB 'Ritters)
3. Allow nothing out by default, then open destination ports (a "real" setup)

Ideally, even in a small-to-medium business (SMB), you should do #3 and deny _all_ access in _both_ directions, and then only open on explicit ports as necessary. This includes not even allowing out 53 (domain), 80 (http) and 443 (https). I use dedicated, internal DNS servers and a proxy server, and only those dedicated systems can get out. I also like to setup a SOCKS5 proxy for other protocols, including SSH. That way I know about those connections, and some arbitrary Malware can't simply establish a tunnel without my knowing about it.

I would at least do such and block those ports even for #2. But all it takes is someone to run something on a non-standard port and they can go right through #2 -- hence why I do #3.

> Right now we're hosting all of our own stuff (on CentOS
> servers) behind an old checkpoint firewall.

Eeewwwww. ;->

> I think Checkpoint is overkill for our needs and very
> expensive,

Actually, it might be underkill!

> plus I don't like the "per-user" charges of some commercial
> solutions.

You'll find that still remains true of the top-2 appliances under $5,000 -- SonicWall (VxWorks-based, http://www.sonicwall.com/) and WatchGuard (Linux-based, http://www.watchguard.com/). 25, 100, etc... user licenses are typical as well.

> What do you guys suggest that we upgrade to?

Depends on size, budget, etc... I mean, you can go as little as IPCop (http://www.ipcop.org) and tie it down tight -- such as blocking all outgoing, and redirecting select ports to internal DNS, proxy and other servers.

IPCop has IDS and everything else built-in, but it's a pretty "canned" solution overall. E.g., last time I checked, it still used SNAT/DNAT to private IPs for the DMZ and LAN -- although you _can_ setup 1:1 NAT or "pool" public IPs.

Or you can spend from hundreds to upwards of $20,000+ on a Nokia (Linux-based with optional Checkpoint features) product. In financial environments, I've typically trusted Nokia's solutions.
http://www.nokiausa.com/business/security/1,8189,fwall,00.html

Network Associates and Symantec also sell Linux-based gateway appliances with scanning features, let alone a huge 3rd party market has been built up around firewalls with SpamAssassin and ClamAV built-in for inbound SMTP. A consideration if your SMTP server(s) are in the DMZ.

> Here are some of the features that I would like:
> 1) decent gui, either web based or a local client

One thing to remember with a web-based client -- don't use the same browser profile (and all its cookies) that you use to surf the web with.

> 2) usage graphs based on protocol.

A managed layer-2/3 switch on your network would provide a far better solution for this -- probably at a lower price. Cisco has some excellent 5000 series SMB switches for a couple thousand with lots of such capabilities, as well as built-in PIX. I didn't know if you were a Cisco shop.

And if that's still too costly, the NetGear FSM7328 (http://www.netgear.com/products/details/FSM7328S.php) has an entry-level layer-3 switch (RIPv1/v2, including port-to-port switching across VLANs of different subnets) with 4xGbE, 24x100M that has full SNMPv3, RMON, etc... for under $400 (double the 100M ports with the FSM7352S for a couple hundred more). You can also setup a monitoring port to tap your internal IDS to.

As you can see, there are a _lot_ of considerations here -- many outside the realm of your "gateway device." ;->

> So if our tiny T1 is saturated, I want to be able to find
> out what's eating up the bandwidth

You can do that with an intelligent layer-2 (or layer-3) switch for your _entire_ LAN, not just the Internet connection.

> 3) VPN-friendly for a couple of road-warriors.

You can do VPN at the gateway, or you can pass it through to a VPN device behind the device (possibly into a limited access DMZ).

> There won't be any remote offices so no server-to-server
> setups, just remote clients.

I was going to say, if you start doing more than 1 subnet, then having a layer-3 switch is a _huge_ advantage. If anyone is remotely considering connecting two networks, plus having roaming users, then those networks could really use a layer-3 switch. Including the recent thread on routing issues with a VPN and multiple subnets. ;->

[ Oh if I could only take a baseball to some of my "smaller" clients in the past that said, "why do I have to pay over $500 for only a few GbE ports when I can get a Linksys 8-port GbE for under $100?" Grrrrrr. Thank God for NetGear's entry-level FSM7328S product, or I'd _never_ get routing problems solved at these firms! ]

> 4) we have a DMZ and about 30 machines on the local
> network. Everyone has a "normal" IP address, meaning that
> no one is behind NAT.

That's one area that IPCop doesn't really care for. I've never tried it without using private IPs. But you can setup public IPs to 1:1 NAT, as well as pool connections.

> So it needs to handle this (which is pretty basic stuff)
> 5) high-availability. So if I buy two machines, one can
> successfully die and the other take over.

With IPCop, you can save all settings to a floppy and build a replacement, or download/upload settings. But no, it doesn't have heartbeat/failover capabilities. Other software solutions in Linux do offer them, and there are devices that do such.

But if you're really worried about that, then you should _also_ be worried about the router beyond your gateway device. It should do Hot Standby Routing Protocol (HSRP), otherwise your fail-over design will be incomplete. And then what about your internal network, DMZ, etc...? I mean, what's the sense of building redundancy at the gateway if the router beyond the gateway can still fail (let alone you don't know if it has!), or the ports of the LAN have, etc...

E.g., you _could_ consider an "all-in-one," dual-unit product that is the external routers, gateway, internal switch ports/router, firewall, IDS, etc... all-in-one, that fails over between 2 devices. I'm clearly looking at the Cisco 5000 series now, and it ain't so cheap with those features. ;->

> 6) no per-user charges. If the company hires a dozen
> people next year, we shouldn't have to "upgrade" our
> license.

Then forget a lot of products. The key is that depending on the features you want, some might be per-user -- especially if they are software/firmware of gateway/firewall/IDS/etc... appliances.

> Right now we're looking at some open-source stuff like
> pfsense, m0n0wall, etc... But I'm totally open to an
> affordable commercial firewall appliance.

I could make far better recommendations if I knew how many users (current and possible), components of your network that you have or want to implement (you have IDS, right? ;-), how much you are willing to tie down your outgoing access (e.g., internal DNS, proxy, etc... servers), etc... and what other networking hardware you are currently using (e.g., does your internal switch currently have SNMP/RMON capabilities?). And especially your budget.

Given your list of desires for a gateway device, I think you might be overlooking a lot of things that you should probably do outside of the gateway device.

--
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     | (please excuse any
http://thebs413.blogspot.com/ | missing headers)
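Bryan's approach #3 (deny everything in both directions, then open only explicit ports, with only the dedicated DNS server, web proxy and SOCKS5 host allowed out) expressed as an iptables FORWARD-chain policy. This is an added example, not code from the thread or from any product mentioned in it. Interface names and the 203.0.113.x addresses are constructed placeholders. By default the script only prints the commands so the policy can be reviewed; run it as root with `IPT=iptables` to apply it.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny egress for a gateway,
# in the spirit of "allow nothing out, then open explicit ports".
# Only the dedicated DNS, proxy and SOCKS hosts may reach the Internet;
# anything else a LAN host tries to push out is logged and dropped.
#
# Default is a dry run that echoes the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

LAN_IF="eth1"               # assumption: inside interface
WAN_IF="eth0"               # assumption: Internet-facing interface
DNS_SERVER="203.0.113.10"   # constructed addresses (TEST-NET-3), not real hosts
PROXY_SERVER="203.0.113.11"
SOCKS_SERVER="203.0.113.12"

egress_rules() {
    # Nothing is forwarded unless a rule below says so.
    $IPT -P FORWARD DROP
    # Return traffic for connections that were already permitted.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the internal DNS server may resolve against the outside world
    # (workstations point at it, so port 53 is closed for everyone else).
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DNS_SERVER" -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$DNS_SERVER" -p tcp --dport 53 -j ACCEPT
    # Only the proxy may fetch web content on behalf of the LAN.
    for port in 80 443; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$PROXY_SERVER" -p tcp --dport "$port" -j ACCEPT
    done
    # Only the SOCKS5 host may open arbitrary outbound TCP (SSH and the like);
    # its own logs then record who connected where.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$SOCKS_SERVER" -p tcp -j ACCEPT
    # Everything else from the LAN is logged (rate-limited) and dropped, so a
    # program trying a non-standard port shows up instead of slipping through.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENY: "
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j DROP
}

# Number of ACCEPT rules the policy grants; a quick sanity check that no
# broad allow rule crept in.
count_accepts() {
    egress_rules | grep -c -- '-j ACCEPT'
}

egress_rules
```

The block only covers the FORWARD chain; the gateway's own INPUT and OUTPUT chains need the same default-deny treatment, and the internal DNS server and proxy still need to be hardened since they are the only machines with a path out.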
"T. V. Sivaraman" <tvsraman at ngri.res.in> wrote:
> We are using SonicWall Pro4060, firewall in our
> organization, National Geophysical Research Institute,
> Hyderabad.

As I mentioned, SonicWall (VxWorks-based) and WatchGuard (Linux-based) are the "big 2" SMB firewall/VPN vendors for products costing $200-$5,000. SonicWall has per-user charges for many of their features, typically at the 25 and 100 user price-points. You'll find most appliances have this as well -- especially for added features.

> You can try IPCOP or SmoothWall, free downloads, these are
> pretty good also.

Last time I checked, IPCop prefers private IPs. I could be wrong though. And it can be solved with 1:1 NAT and/or SNAT/DNAT public IP pooling options (which might actually be better than using "raw" public IPs).

--
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     | (please excuse any
http://thebs413.blogspot.com/ | missing headers)
Ajay Sharma wrote on Wed, 09 Nov 2005 23:23:59 -0800:
> Right now we're looking at some open-source stuff like pfsense,
> m0n0wall, etc... But I'm totally open to an affordable commercial
> firewall appliance.

I suggest taking a look at the Snapgear devices, now bought by Cyberguard (-> www.snapgear.com). They deliver excellent value for the money. When I bought mine about three years ago or so it was the only device under $1000 where you could switch off NAT and enable transparent/bridged routing of public IP addresses. I don't know if it still is. They actively maintain the firmware (an embedded Linux version) and just delivered a completely rewritten interface, new kernel and much more functionality. The one thing from your list which is missing is traffic graphing; however, you can add this with ntop on one of your machines.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
IE-Center: http://ie5.de & http://msie.winware.org
Wow. Thanks for all the suggestions guys. I went to bed with a list of requirements and now I have a ton of more options to research.

One thing, has anyone used Astaro? I was looking at their "security gateway 220" product last night and it looked like it fit my needs:
http://www.astaro.com/firewall_network_security/asg220

It doesn't have the failover, but everything else was there.

There were other emails in regard to "size of the company" and other stuff which I'll answer:

- there's about 30 people here now, and we plan to add about 10 more next year.
- our firewall has a default deny in and out. So we have to open up ports for access, and internally we have our own DNS and email so those ports are closed.
- we don't proxy any services.
- I'm already a super busy admin/programmer so I kinda don't want to babysit this thing (which is bad considering it's a fundamental component of the network). In any case, I'd rather buy a product and keep it updated than have to build a home-grown type of solution.

Again, thanks for all your help.

--Ajay
*if* you have a cisco router connecting you to your ISP you could always look at adding the firewall feature set to it?

> The company I work for is in the market for a new firewall. Right now
> we're hosting all of our own stuff (on CentOS servers) behind an old
> checkpoint firewall.
>
> I think Checkpoint is overkill for our needs and very expensive, plus I
> don't like the "per-user" charges of some commercial solutions. What do
> you guys suggest that we upgrade to? Here are some of the features that
> I would like:
>
> 1) decent gui, either web based or a local client
>

As of 12.4 you get a decent(ish) web based GUI. (see www.cisco.com/go/sdm)

> 2) usage graphs based on protocol. So if our tiny T1 is saturated, I
> want to be able to find out what's eating up the bandwidth

Ciscos can export netflow stats into something like ntop for analysis. Although better still, you can configure yourself a nice CBWFQ Quality of Service policy so people can't eat bandwidth needed by other services.

> 3) VPN-friendly for a couple of road-warriors. There won't be any
> remote offices so no server-to-server setups, just remote clients.

Cisco has a VPN client.

> 4) we have a DMZ and about 30 machines on the local network. Everyone
> has a "normal" IP address, meaning that no one is behind NAT. So it
> needs to handle this (which is pretty basic stuff)

Not a drama.

>
> 5) high-availability. So if I buy two machines, one can successfully die
> and the other take over.
>

Cisco has many ways of doing high availability (depending on how your ISP connection comes in), but then a router doesn't have as many working parts as a PC based solution so is less likely to go wrong.

> 6) no per-user charges. If the company hires a dozen people next year,
> we shouldn't have to "upgrade" our license.

Not sure how the licence on the cisco VPN client works, but you certainly wouldn't have to upgrade your licence for more internal hosts.
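Ajay's item 2 (find out what is eating the T1) comes up throughout the thread: Neil points at Freshmeat packages, Kai at ntop, and the Cisco reply at exporting netflow stats into ntop. The script below is an added example, not from the thread or from ntop, of the aggregation those tools do: it sums constructed flow records by protocol/destination port and by source host and estimates link utilisation against the T1's nominal 1.544 Mbit/s. The record layout, the 60-second window and the addresses are all assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): rank bandwidth consumers from flow
# records, the way a NetFlow collector or ntop would. The whitespace-
# separated layout below is an assumption for this example.

# Constructed sample records: start_epoch src_ip dst_ip proto dst_port bytes
# (203.0.113.x = LAN hosts, 198.51.100.x = outside hosts; both are TEST-NET).
FLOWS='1131600000 203.0.113.21 198.51.100.5 tcp 80 120000
1131600001 203.0.113.22 198.51.100.9 tcp 443 80000
1131600002 203.0.113.23 198.51.100.77 tcp 6881 6000000
1131600003 203.0.113.21 198.51.100.5 tcp 80 65000
1131600004 203.0.113.24 198.51.100.10 udp 53 2000
1131600005 203.0.113.23 198.51.100.78 tcp 6881 3000000
1131600006 203.0.113.25 198.51.100.12 tcp 25 300000'

WINDOW_SECONDS=60           # assumption: the records cover one minute
T1_BITS_PER_SEC=1544000     # nominal T1 line rate

# Bytes per "proto/port" key, biggest first.
bytes_by_port() {
    printf '%s\n' "$FLOWS" | awk '{ b[$4 "/" $5] += $6 }
        END { for (k in b) printf "%s %d\n", k, b[k] }' | sort -k2,2nr
}

# Bytes per LAN source host, biggest first.
bytes_by_src() {
    printf '%s\n' "$FLOWS" | awk '{ b[$2] += $6 }
        END { for (k in b) printf "%s %d\n", k, b[k] }' | sort -k2,2nr
}

# Key of the single largest consumer in a "key bytes" listing on stdin.
top_key() { head -n 1 | cut -d' ' -f1; }

# Percentage of the T1 that the listed bytes represent over the window.
# Integer arithmetic only, so it runs under plain sh; dividing the capacity
# by 100 first keeps the intermediate numbers small.
percent_of_t1() {
    total=$(awk '{ s += $2 } END { print s+0 }')
    echo $(( total * 8 / (T1_BITS_PER_SEC * WINDOW_SECONDS / 100) ))
}

echo "Top protocol/port:"; bytes_by_port | head -n 3
echo "Top source host:";   bytes_by_src  | head -n 3
echo "Link utilisation:  $(bytes_by_port | percent_of_t1)% of the T1 over ${WINDOW_SECONDS}s"
```

With real data the FLOWS variable would be replaced by reading a collector's export from a file or pipe; the two aggregations stay the same. Ranking by source host alongside port matters because a single workstation on an unusual port (the tcp/6881 entries in the sample) is exactly the case a per-protocol graph alone would not pin to a machine.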
To put my two cents in, I have been investigating m0n0wall (http://m0n0.com/) for about six months now. I have it running on my home firewall (pc engines WRAP platform http://pcengines.ch) and have loaded it on a number of old Nokia IP330 boxes for testing.

A fork of the project to also look at is pfSense (http://pfsense.com/) which is based on m0n0wall. pfSense is much more flexible in terms of add-on packages, is designed with a failover option, and multi-WAN support to name a few things. Then again, how much you want loaded on a firewall is a topic for a whole different discussion. There is active development on both projects and both seem very usable.

Andrew