Build A Cheap But Effective Firewall
Fight the bad guys without busting your budget. Here's all you'll need to create a low-cost, super-secure firewall using Linux-based freeware and an old PC.
January 29, 2007
Savvy system builders are well aware that hordes of hackers stand ready to descend on your clients' operations and steal everything from personal identities to state secrets. Worse, some hackers are out to destroy your clients' valuable data—and your reputation along with it. So unless a system builder enjoys rebuilding disks, recovering data, and fielding downtime complaints, they should know at least a little something about firewalls. Namely, how firewalls work and how to select the best firewall for a specific installation.
In this Recipe, I'll explain both the options for firewall protection and the differences between hardware and software implementations. By the end, you should be able to point a client to the firewall that best fits their budget, complements their operations and, of course, provides them with the best possible protection.
I'll also show, in step-by-step fashion, how to build a configurable and secure Linux firewall from a recycled PC. Since the software I recommend is freeware, this will also allow you to offer incredible cost savings to your clients.
To start, let's look at the subject of firewalls in general, both the hardware and software varieties.
Hardware Firewalls
All computer users—from the largest enterprises to the one-person business or home user—need some form of security between their network and the outside world. A properly configured hardware firewall sits at the entrance to a network as the first line of defense against unwanted intrusions. It's like the lock on the front door of your home; you don't always know who you are locking out, but you're sure that bad guys are among them.
Similarly, a good firewall allows only approved sources to enter the network. It may also allow special or unrestricted access to one or more servers. But that raises a question: If you have a Web site, you may not always be sure where your traffic will be coming from, right? So how does a firewall offer both protection and flexibility?
To determine who gets access to a network and who gets turned away, a typical hardware firewall intercepts and inspects network traffic using a technique known as packet filtering. As messages come in from the network, the firewall examines the header of each TCP/IP packet to determine the source and destination addresses. It then compares this information against a set of predefined or user-created rules that determine whether the packet is to be forwarded (allowed to pass into the client's network) or dropped.
A more advanced technique, called Stateful Packet Inspection (SPI), has the firewall look at additional characteristics. These include a packet's actual origin (does it arrive from the Internet or from the local network?) and whether incoming traffic is a response to an outgoing request, such as a request for a Web page.
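To make the difference between the two techniques concrete, here is an added simulation (not code from the article or from SmoothWall) that models a plain rule-table packet filter beside a stateful filter. It assumes a GREEN (protected) interface and a RED (Internet) interface, a hypothetical public Web server on port 80, and constructed sample packets using documentation address ranges.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet reduced to the header fields a filter inspects (constructed model).
Packet = namedtuple("Packet", "iface proto src sport dst dport syn")
LAN = ip_network("192.168.0.0/24")  # GREEN, the protected network

# Static rule table, first match wins: (arrival iface, proto, dst port, action);
# None is a wildcard, and port 80 is opened for a hypothetical public web server.
RULES = [("red", "tcp", 80, "forward"), ("red", None, None, "drop"), ("green", None, None, "forward")]

def stateless_filter(pkt):
    """Plain packet filtering: decide from header fields and the rule table alone."""
    for iface, proto, dport, action in RULES:
        if iface == pkt.iface and proto in (None, pkt.proto) and dport in (None, pkt.dport):
            return action
    return "drop"  # default deny

class StatefulFilter:
    """Stateful inspection: remember outbound flows and admit only their replies."""
    def __init__(self):
        self.flows = set()

    def decide(self, pkt):
        # Origin check: a packet arriving from the Internet must not claim a LAN address.
        if pkt.iface == "red" and ip_address(pkt.src) in LAN:
            return "drop"
        if pkt.iface == "green":  # outbound request: record the flow
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        # Inbound: forward only if it answers a flow a LAN host opened (and is not a new SYN)
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.flows and not pkt.syn:
            return "forward"
        return stateless_filter(pkt)  # unsolicited traffic falls back to the static rules

# Constructed sample traffic using documentation address ranges, not real hosts.
SAMPLES = {
    "lan_request":  Packet("green", "tcp", "192.168.0.10", 40000, "203.0.113.5", 80, True),
    "web_reply":    Packet("red", "tcp", "203.0.113.5", 80, "192.168.0.10", 40000, False),
    "ssh_probe":    Packet("red", "tcp", "198.51.100.7", 4444, "192.168.0.10", 22, True),
    "to_webserver": Packet("red", "tcp", "198.51.100.7", 5555, "192.168.0.2", 80, True),
    "spoofed_src":  Packet("red", "tcp", "192.168.0.99", 1, "192.168.0.10", 80, True),
}

def compare():
    """Return {name: (packet-filter decision, SPI decision)}, processing samples in order."""
    spi = StatefulFilter()
    return {name: (stateless_filter(p), spi.decide(p)) for name, p in SAMPLES.items()}
```

Running compare() shows the two cases the text describes: the plain filter drops the reply to the LAN host's Web request because no static rule admits it, and it forwards the packet with a forged LAN source address because the rule table only sees the destination port, whereas the stateful filter gets both right.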
A hardware firewall need not be a dedicated device. The function of inspecting packets can be built into any hardware. In fact, most residential routers sold today have firewalls built in. Also, PCs running versatile Linux firewall software can be installed to protect commercial and private networks.
Hardware firewalls, especially those built into broadband routers, can be effective with little or no configuration, making them ideal for residential or small-business use. They can protect every machine on a local network. Most hardware firewalls have at least four network ports to connect other computers. Of course, for larger networks, more elaborate networking firewall solutions are available.
A downside of hardware firewalls is that simple packet filters, such as those found in common broadband routers, lack flexibility. The configuration of these routers, while easy to set up, is often limited to very basic filtering. Also, such a filter cannot always ascertain how dangerous traffic is from its limited look at each packet. What's more, simple packet filtering won't allow administrators to set up special access for, say, a Web server or limit certain network traffic to specific machines on the network. And as hardware routers become more sophisticated to support features like DMZ pinholes, Dynamic DNS services, and Web proxy serving, configurations can become more complex and harder to maintain.
Software Firewalls
For many home users, the most popular form of network protection is the software firewall. This software offers protection from outside attempts to control or gain access to a computer. Depending on the software, the firewall may also protect against common Trojan programs, e-mail worms and other malware. Many software firewalls also offer user-defined controls for setting up safe file and printer sharing, as well as safeguards to block unsafe applications from running on the system. A good software firewall runs in the background and uses only a small amount of system resources.
One benefit: Unlike a hardware firewall living at the edge of a network, software firewalls can protect a PC from malicious software—and not just what it transmits in packets. The software protects an individual machine by knowing which programs are running, and by monitoring potentially dangerous applications, such as e-mail and Web browsing.
The major downside to a software firewall: It protects only one computer, the machine the software is installed on, not an entire network. So to protect a network of machines with software firewalls, the software firewall must be installed and configured on each and every system. Maintaining individual software firewalls on networks with many PCs can be an awkward and time-consuming task.
It's no wonder that many network administrators seek to employ the benefits of both software and hardware firewalls. They do so by running simple configurations of firewall software on PCs (perhaps with automatic update or configuration capabilities) and using a hardware firewall to protect access to the network.
A Hardware Firewall for Small Businesses
So let's take a look at building a hardware firewall that's ideal for guarding the front door of a small-business network that needs more protection than just a simple packet filter. There's no reason, by the way, why this solution could not be used for a large enterprise, too. Plus, it's so affordable you might want to build one for your home user clients.
This solution is based on open-source software called SmoothWall Express, created by the U.K.-based Smoothwall Open Source Project. This software offers many advanced features that growing businesses need, but won't find in router-based firewall implementations.
Essentially, SmoothWall Express uses a special implementation of Linux to turn a PC into a dedicated hardware firewall. SmoothWall software prevents any unauthorized data from passing through the firewall. There are no services offered to the Internet, and SmoothWall Express will not respond to the network messages that hackers use to identify potential targets. It is therefore simply invisible to the legions of script kiddies, hackers and crackers looking for a firewall to attack.
Ingredients
To install and operate SmoothWall Express successfully and affordably, you can use an old PC. There's no need to buy new hardware, so long as the old PC meets or exceeds these specifications:
Processor: Any Pentium-compatible processor, including Pentium I, II, III, IV, AMD 586 onwards, Cyrix, and IBM. Must be 150 MHz or faster.
Memory: At least 32 MB of RAM, but ideally 64 MB or more. With less than 64 MB of RAM, it may not be possible to run all services, especially the Web Proxy Server and the Intrusion Detection System. Also, additional RAM may be needed for optimal performance if the Proxy Cache and Intrusion Detection features are utilized.
Hard Disk: An IDE drive of 2 GB capacity is recommended. It may be possible to operate on as little as 540 MB of disk, although this may present capacity problems with proxy log files. Higher-capacity disks allow for more and larger log files to be stored; 2 GB or more is advised if there are a large number of users behind the SmoothWall Express; the more users and activity there are, the quicker the proxy log files grow.
CD-ROM: An IDE CD-ROM drive is recommended for ease of installation. While SmoothWall Express can be installed across a network, the installation is more straightforward when using a local CD-ROM drive. Using a bootable CD-ROM drive makes the installation even simpler. When you're ready, see SmoothWall's Hardware Compatibility List of supported CD-ROM drives.
Video Card: Any. Required only for initial installation; all subsequent administration is carried out remotely over the network.
Monitor: Any. Required only for initial installation; all subsequent administration is carried out remotely over the network.
Keyboard: Any. Required only for initial installation; all subsequent administration is carried out remotely over the network. In fact, if the PC's BIOS allows it to boot without a keyboard, then the keyboard will not be required for regular use of the system.
Mouse: Not required.
Network Card: At least one supported network card is needed to connect the SmoothWall Express to the protected local network. If the connection to the Internet is via a broadband device—such as a cable modem, Ethernet-presented ADSL, or another Ethernet-presented connection—then a second supported network card will be required. Again, see SmoothWall's Hardware Compatibility List for supported network cards.
Modem: If you're using a dial-up connection to the Internet, a supported modem must be present. See the Hardware Compatibility List for supported modems.
ADSL Modem: See the Hardware Compatibility List for USB connected and PCI card ADSL modems that are supported by SmoothWall Express.
ISDN: If connection to the Internet is via ISDN, then the system needs a supported ISDN card or external RS232 or USB connected adapter device.
Before You Get Started...
Take a moment to download and look over the SmoothWall Express Quick-Start Guide.
I'm assuming you're familiar with PC software and have a basic knowledge of TCP/IP networking. But full instructions can be found in the Installation and Administrator's Guides on the SmoothWall Express CD or from SmoothWall's Documentation Web page.
When you have a good feel for the procedure, download the software from the Get SmoothWall page, and you're ready to begin.
Warning: Any data stored on the hard drive of the PC on which SmoothWall is to be installed will be overwritten as part of the installation. So you must back up any data you want to save now.
Next, to install SmoothWall Express, you must create a CD from the .iso image file that has been downloaded. All common CD-burning programs can do this. But it's vital to select the "create CD from Image file" option. The .iso image file is similar to a ZIP archive; it needs to be decompressed and expanded out to the individual directories and files that constitute SmoothWall Express. If the more common "create Data CD" option is used instead, the .iso file will almost certainly be copied as a single file to the CD and will not install properly. So be sure to pick the correct option.
How to Install SmoothWall Express
Insert the SmoothWall Express CD into the CD-ROM drive of a Windows PC (Internet Explorer, version 5.5 or later, is recommended). The Autorun procedure lets you read the license; view/print the Installation and Administrator's Guide in Adobe Acrobat format; create boot floppy disks; browse the CD; and download Adobe Acrobat Reader.
View the Installation and Administrator's Guides using the Acrobat Reader. Print or save copies to the hard disk of your Windows PC, so you can refer to them during the installation.
Make sure the PC can boot from the CD-ROM drive. Most PCs from P166 onwards can be set to do this in their BIOS. If your PC is already set to boot from CD-ROM, skip ahead to step 5.
If the PC cannot boot from CD, you will need to create two boot floppies, which you'll use to start the installation process. Do this either with the Autorun procedure or by running RawWriteWin.
Start with a powered-down PC. Load the SmoothWall Express CD into the CD-ROM drive of the target PC. Then power up the PC; it will boot from the CD.
You will be greeted by a prompt informing you that the installation of SmoothWall Express is about to start. Press the Enter key to proceed. Follow the installation process.
You will be prompted to choose the language you wish to use for the installation. English is the default.
Select the "install software from CD-ROM" option.
Confirm that the PC's hard disk is to be re-formatted. All existing data on the disk will be lost, so if you need to keep any data, cancel the installation of SmoothWall Express now.
Once the PC's hard disk has been prepared, the SmoothWall Express software will be copied across from the CD.
The software will probe the PC to determine what hardware is installed. It looks first for a Network Interface Card (NIC or LAN card), which is later used to connect SmoothWall Express to the local (protected) network. Virtually all PCI bus cards will be automatically recognized and configured, as will some (but not all) ISA bus cards. The Smoothwall Express Installation and Configuration Guide contains additional information on how to configure cards which cannot be automatically detected.
Supply a TCP/IP address for this card. Most small networks can safely use the default settings. Internal private addresses, such as this, are never exposed to the Internet.
A message is then displayed saying that the SmoothWall Express software has been successfully installed. Remove all CDs or floppy disks, and press the OK button to run Setup. The Setup menu should then appear.
The Setup Program completes the basic configuration of SmoothWall Express. It lets you configure your keyboard layout, host name, DHCP server, system passwords, and any proxy server settings you need. It will then probe for and configure ISDN cards, USB hardware, and NICs. If the machine is connected to the Internet via either an Ethernet router or cable modem, you will need to configure a second NIC and select the GREEN + RED network configuration. If your Internet connection is via ISDN, USB ADSL, or a dial-up modem, then use the default GREEN (RED is modem/ISDN) network configuration.
Most ISPs don't use Proxy Servers, but if yours does, you will now enter its Hostname and IP port.
If an ADSL modem is to be used, you need to select the make/model and VCI/VPI parameters configured in the Setup program. Likewise, for an ISDN connection, the ISDN card must be either automatically probed or manually selected from the list. USB ISDN adapters cannot be identified by probing, so they must be selected and configured by hand. You'll also need to configure ISDN parameters such as the protocol and local phone number.
If the computer has an Ethernet connection to the Internet, you should either specify the IP address of the RED (Internet) interface as a static, public IP address or configure it to request a dynamic (DHCP) address from the router to which it is attached.
Setup finishes by rebooting the PC. Before confirming the reboot with the OK button, ensure that all the network cables are plugged in and that your modem or ISDN card (if present) is connected. After the reboot, when SmoothWall Express has been initialized and is ready for use, you should be presented with a simple Unix/Linux-style Login screen.
Configuration and Testing
Once again, SmoothWall Express includes an Administrator Guide, which you'll find either on SmoothWall Express' CD or from SmoothWall's Documentation Web page. It can help you through configuration questions and provide useful insight into how SmoothWall can be used with a variety of networks. It can also show you how to create well-protected network architectures for clients.
Finally, don't forget to test your configurations. To test your hardware firewall security, you can use third-party test software. Or you can search the Internet for free online-based firewall testing services, such as the one from AuditMyPC.com. Either way, firewall testing is vital. It ensures that a system is always configured for optimal protection. Also, remember to monitor the firewall after it's been installed (or train the user how to do this), and be sure to download updates as they become available.
There's always another hacker out there waiting for you to let down your guard. With a well-configured firewall, you can stay a step ahead of the bad guys.
ANDY MCDONOUGH is a New Jersey-based musician, composer, voice actor, engineer, educator, and freelance writer.