First of all, let's define what a firewall is, but a bit differently. Here I will digress from the commonly accepted wisdom and define a firewall as an access nexus in the digital communication infrastructure of any organization. That is, you build a firewall not only to protect your internal data but also to enhance your communication abilities overall. This paper is not a set of instructions on how to build an access nexus; it is more like a white paper on the things you should expect from such a device and be able to ask your vendor for. Please do tell them that these things are currently available on Open Source servers.
Let us take a case study of a Linux box, substitute your favorite
Unix-like OS here, serving as an access nexus. You are all familiar with
the three-fold implementation of networks, Public, Private and DMZ, so I
will not bore you any further with silly graphics.
We also have to take into account that most people are using a router, let's
say a Cisco, as an access point to the Internet. Our router has the ability
to have access lists built in, so why do we still need a firewall to
protect some of the machines and not others?
The router does have its access lists, but you can have another, more specific set of lists using IPCHAINS or IPTABLES to further control access to your resources. Furthermore, networks tend to exhibit growth patterns akin to two-line programs. Once you plug in a second router, the access lists on the first router are of little use, so it is a very good idea to redo all the access rules on the firewall too. As for how strict the lists should be, keep a balance. Too tight and you make life hard for your users; too loose and you lose.
With more than one router you only need to add routing entries on the firewall itself and nowhere else; your LAN clients will never know of the complexity of the outside world, and they should not really care.
First and foremost, a firewall will be able to do Network Address Translation (NAT), so you can plug in as many machines as you need on the net behind it. Then we have the DMZ on another card on the firewall. All hosts on the DMZ have two network cards to allow them to talk directly to the private net. And of course there is the SOCKS protocol from NEC for even more strangeness in the applications.
But we are still passing all the Internet traffic for them through the firewall for a very simple reason: intrusion detection. No matter how powerful a Cisco is, it still cannot beat SNORT at detecting network abuses. There is a slew of tools to do analysis of Snort alerts, and of course my favorite one is snortlog.
Now, how do I manage the bandwidth that my DMZ uses? Suppose that bandwidth is expensive, which it is in most parts of the world. With a Linux box and CBQ one can immediately have a very finely tuned traffic management system at no cost and with little effort. Just look for the cbqinit script!
There is too much talk about VPNs; there are fine products like SWAN which allow network-to-network secure connections. But let's make it simpler: suppose that you have geographically dispersed users who need access to some resources on your net. Fire up PoPToP and you can have these people access the resources you want them to have. As a note of good design, use a different subnet in the IP address allocation scheme for PPTPD connections so you can fine-tune your IPCHAINS access rules (see above notes). Also enable wtmp logging for PPPD, or else you will never know which user connected when.
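The firewall-side access rules and NAT described above, together with the separate subnet for PPTP users, as an added example that is not part of the original article. It uses iptables (the newer of the two tools the text names) and assumes the interface names, the RFC 1918 subnets, one exposed DMZ web host and one intranet host reachable by remote users; the script prints its rules so they can be reviewed before being piped into a root shell.

```sh
#!/bin/sh
# Constructed example: a three-legged ruleset (public/private/DMZ) plus a
# separate PPTP client subnet for the access nexus described in the article.
# Interface names, addresses and the exposed services are assumptions.
PUB=eth0                  # towards the router / Internet
PRIV=eth1                 # private LAN
DMZ=eth2                  # DMZ leg
PRIV_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
PPTP_NET=192.168.3.0/24   # PoPToP hands these addresses to remote users
DMZ_WEB=192.168.2.10      # the one DMZ host the outside may reach
INTRANET=192.168.1.20     # the one private resource remote users may reach

# Emit the rules instead of applying them, so they can be reviewed first.
fw_rules() {
    cat <<EOF
iptables -F; iptables -t nat -F; iptables -X
iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $PRIV -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $PUB -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $PUB -p gre -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $PRIV -s $PRIV_NET -j ACCEPT
iptables -A FORWARD -i $DMZ -s $DMZ_NET -o $PUB -j ACCEPT
iptables -A FORWARD -i $PUB -o $DMZ -d $DMZ_WEB -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i ppp+ -s $PPTP_NET -d $INTRANET -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "
iptables -t nat -A POSTROUTING -s $PRIV_NET -o $PUB -j MASQUERADE
iptables -t nat -A POSTROUTING -s $DMZ_NET -o $PUB -j MASQUERADE
iptables -t nat -A PREROUTING -i $PUB -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB
EOF
}

# Number of rules appended to a chain, counted from the generated text.
fw_count() { fw_rules | grep -c -- "-A $1 "; }

# Apply for real: run as root on the firewall with "apply" as the argument.
fw_apply() { fw_rules | sh; }

if [ "${1:-}" = "apply" ]; then fw_apply; fi
```

Everything the FORWARD chain does not explicitly permit is logged and then dropped by policy, which is what lets you "know what goes where" later; the PPTP users land on their own subnet, so the single rule granting them the intranet host is easy to audit.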
Traffic graphers like MRTG and IPAC are wonderful tools that can give you graphs of the utilization of the network cards on your firewall and router. This way you can see patterns of utilization and make your predictions and purchases accordingly. Very simply, it is a measurement tool for data, and as any scientist will tell you, there is nothing you can do without measurements. Also, tools like ANTEATER, PWEBSTATS and WEBALIZER will give you a set of statistics that will help you understand the character of your LAN and the habits of your users.
Suppose now that you have a pesky little networking application that you need to debug. Tools like TRAFSHOW will enable you to track it down in no time at all. Many thanks to the original author of this application.
OK, your network is fine, but what does it do when you are not there? Enter NTOP, an exceptional piece of software that logs almost everything, and even more, of the traffic that passes through your system. I do have a gripe with NTOP, though: it sets the interfaces into PROMISCUOUS mode by default and starts all the alarms ringing. You might want to fiddle with the source at the pcap_open_live call and switch the promiscuous flag from 1 to 0.
Smart utilization of bandwidth means that you must use a cache server like SQUID, or even APACHE's built-in caching mechanism, to decrease the latency of web pages received by our users. As I stated before, the target is enhanced digital communication, or communion if you prefer.
How much do all these wonderful things cost? Nothing: you have the source, so you can tinker and toy and make things work and be happy. Compare this with commercial-grade appliances and software; sure, they will be better, but how much better? Do you really get your money's worth for the cash you hand out?
Too much has been said about it, and too many bytes wasted. The bottom line is that OPENSSH rules, and PUTTY rules also. You can administer this box from anywhere in the world and still be more or less secure, since the data stream is encrypted. Better yet, if you want to delegate administration to another user, install OPENSSL and WEBMIN and give these people a graphical front-end that enhances their experience :-)
Last but not least, there are all the standard UNIX services like EMAIL, DNS and FAX, and yes, email retrieval can be secured by using an SSL WRAPPER.
I will forego all rhetoric on the open source model and make some engineering
remarks. You need a firewall/access nexus so that you can manage access to
resources and data traffic. You must pass ALL your traffic through your access
nexus so that you can know what goes where and does what. An access nexus
should be as flexible as a Swiss army knife, as malleable as putty and as
resilient as a network engineer with a collapsed transatlantic backbone line :-)