Build A Cheap But Effective Firewall

RECIPESavvy system builders are well aware that hordes of hackers stand ready to descend on your clients' operations and steal everything from personal identities to state secrets. Worse, some hackers are out to destroy your clients' valuable data—and your reputation along with it. So unless a system builder enjoys rebuilding disks, recovering data, and fielding downtime complaints, they should know at least a little something about firewalls. Namely, how firewalls work and how to select the best firewall for a specific installation.

In this Recipe, I'll explain both the options for firewall protection and the differences between hardware and software implementations. By the end, you should be able to point a client to the firewall that best fits their budget, complements their operations and, of course, provides them with the best possible protection.

I'll also show, in step-by-step fashion, how to build a configurable and secure Linux firewall from a recycled PC. Since the software I recommend is freeware, this will also allow you to offer incredible cost savings to your clients.

To start, let's look at the subject of firewalls in general, both the hardware and software varieties.

Hardware FirewallsAll computer users—from the largest enterprises to the one-person business or home user—need some form of security between their network and the outside world. A properly configured hardware firewall sits at the entrance to a network as the first line of defense against unwanted intrusions. It's like the lock on the front door of your home; you don't always know who you are locking out, but you're sure that bad guys are among them.

Similarly, a good firewall allows only approved sources to enter the network. It may also allow special or unrestricted access to one or more servers. But that raises a question: If you have a Web site, you may not always be sure where your traffic will be coming from, right? So how does a firewall offer both protection and flexibility?

To determine who gets access to a network and who gets turned away, a typical hardware firewall intercepts and inspects network traffic using a technique known as packet filtering. As messages come in from the network, the firewall examines the header of it TCP/IP packet to determine the source and destination addresses. It then compares this information against a set of predefined or user-created rules that determine whether the packet is to be forwarded (allowed to pass into the client's network) or dropped.

A more advanced technique, called Stateful Packet Inspection (SPI), has the firewall look at additional characteristics. These include a packet's actual origin; that is, does it come from the Internet or from the local network? Also, whether incoming traffic is a response to outgoing requests, such as a request for a Web page.

A hardware firewall need not be a dedicated device. The function of inspecting packets can be built into any hardware. In fact, most residential routers sold today have firewalls built in. Also, PCs running versatile Linux firewall software can be been installed to protect commercial and private networks.Hardware firewalls, especially those built into broadband routers, can be effective with little or no configuration, making them ideal for residential or small-business use. They can protect every machine on a local network. Most hardware firewalls have at least four network ports to connect other computers. Of course, for larger networks, more elaborate networking firewall solutions are available.

A downside of hardware firewalls is that simple packet filters, such as those found in common broadband routers, lack flexibility. The configuration of these routers, while easy to set-up, is often limited to very basic filtering. Also, it cannot always ascertain how dangerous traffic is from its limited look at packets. What's more, simple packet filtering won't allow administrators to set up special access for, say, a Web server or limit certain network traffic to specific machines on the network. And as hardware routers become more sophisticated to support features like DMZ pinholes, Dynamic DNS services, and Web proxy serving, configurations can become more complex and harder to maintain.

Software Firewalls

For many home users, the most popular form of network protection is the software firewall. This software offers protection from outside attempts to control or gain access to a computer. Depending on the software, the firewall may also protect against common Trojan programs, e-mail worms and other malware. Many software firewalls also offer user-defined controls for setting up safe file and printer sharing, as well as safeguards to block unsafe applications from running on the system. A good software firewall runs in the background and uses only a small amount of system resources.

One benefit: Unlike a hardware firewall living at the edge of a network, software firewalls can protect a PC from malicious software—and not just what it transmits in packets. The software protects an individual machine by knowing which programs are running, and by monitoring potentially dangerous applications, such as e-mail and Web browsing.The major downside to a software firewall: It protects only one computer, the machine the software is installed on, not an entire network. So to protect a network of machines with software firewalls, the software firewall must be installed and configured on each and every system. Maintaining individual software firewalls on networks with many PCs can be an awkward and time-consuming task.

It's no wonder that many network administrators seek to employ the benefits of both software and hardware firewalls. They do so by running simple configurations of firewall software on PCs (perhaps with automatic update or configuration capabilities) and using a hardware firewall to protect access to the network.

A Hardware Firewall for Small Businesses

So let's take a look at building a hardware firewall that's ideal for guarding the front door of a small-business network that need more protection than just a simple packet filter. There's no reason, by the way, why this solutoin could not be used for a large enterprise, too. Plus, it's so affordable you might want to build one for your home user clients.

This solution is based on open-source software called SmoothWall Express, created by the U.K.-based Smoothwall Open Source Project. This software offers many advanced features that growing businesses need, but won't find in router-based firewall implementations.Essentially, SmoothWall Express uses a special implementation of Linux to turn a PC into a dedicated hardware firewall. SmoothWall software prevents any unauthorized data to pass through the firewall. There are no services offered to the Internet and SmoothWall Express will not respond to the network messages that hackers use to identify potential targets. It is therefore simply invisible to the legions of script kiddies, hackers and crackers looking for a firewall to attack.

Ingredients

To install and operate SmoothWall Express successfully and affordably, you can use an old PC. There's no need to buy new hardware, so long as the old PC meets or exceeds these specifications:

Before You Get Started...

Take a moment to download and look over the SmoothWall Express Quick-Start Guide.

I'm assuming you're familiar with PC software and have a basic knowledge of TCP/IP networking. But full instructions can be found in the Installation and Administrator's Guides on the SmoothWall Express CD or from SmoothWall's Documentation Web page.

When you have a good feel for the procedure, download the software from the Get SmoothWall page, and you're ready to begin.Warning: Any data stored on the hard drive of the PC on which SmoothWall is to be installed will be overwritten as part of the installation. So you must back up any data you want to save now.

Next, to install SmoothWall Express, you must create a CD from the .iso image file that has been downloaded. All common CD-burning programs can do this. But it's vital to select the "create CD from Image file" option. The .iso image file image file is similar to a ZIP archive; it needs to be decompressed and expanded out to the individual directories and files that constitute SmoothWall Express. But if the more normal "create Data CD" option is used, then the .iso file will almost certainly be copied as a single file to the CD and will not install properly. So be sure to pick the correct option.

How to Install SmoothWall Express

Configuration and Testing

Once again, SmoothWall Express includes an Administrator Guide, which you'll find either on SmoothWall Express' CD or from SmoothWall's Documentation Web page. It can help you through configuration questions and provide useful insight into how SmoothWall can be used with a variety of networks. It can also show you how to create well-protected network architectures for clients.Finally, don't forget to test your configurations. To test your hardware firewall security, you can use third-party test software. Or you can search the Internet for free online-based firewall testing services, such as the one from AuditMyPC.com. Either way, firewall testing is vital. It ensures that a system is always configured for optimal protection. Also, remember to monitor the firewall after it's been installed (or train the user how to do this), and be sure to download updates as they become available.

There's always another hacker out there waiting for you to let down your guard. With a well-configured firewall, you can stay a step ahead of the bad guys.

ANDY MCDONOUGH is a New Jersey-based musician, composer, voice actor, engineer, educator, and freelance writer.