Open source firewall alternatives
Bruce Potter

Network Security, January 2006, pp. 16-17

OPEN SOURCE FIREWALLS

When most enterprises start examining options for firewalls, they instinctively consider the major commercial firewall vendors. Product offerings such as Cisco's PIX, Checkpoint's Firewall-1, and FortiNet's FortiGate all bubble to the surface. These firewalls have historically provided security and network engineers real enterprise functionality: high throughput, stateful filtering, ease of management, automatic failover, and highly reliable operation. For larger enterprises, the cost of these firewalls is easily outweighed by their benefits. However, for many the price may be burdensome or the feature set may simply be more than is needed.

On the other hand, open source firewalls such as those that ship with Linux and FreeBSD are viewed by many as primitive and overly simplistic. These firewalls historically have worked well in small-scale deployments such as SoHo situations and host-based protection.

However, due to the work of many developers, the open source firewall alternatives have become feature-rich competitors to their commercial brethren. These firewalls are now suitable for use in a much wider range of situations and are better suited for complex and demanding environments. While the open source firewalls still may not be for everyone, they are certainly beginning to make a difference.

Enterprise features on a shoestring budget

Security engineers look for a variety of features when scoping out a firewall. In order to determine if the open source firewalls are right for you, you must first understand the features that you want. Above all other features, reliability has to be the priority. If the firewall protecting your networks crashes constantly and has performance problems, it does not matter how feature-rich it is.

Assuming your firewall is generally reliable, the next thing to be concerned about is the 'stateful filtering' of the firewall. In stateful filtering, the firewall keeps track of active connections going through the device rather than simply looking at the TCP flags in the packet. Older firewalls did basic packet filtering where packets with the ACK bit set were assumed to be part of an active TCP session. Stateful filtering has been common in the commercial firewall space for the last decade; however, it is only in the last few years that the open source firewalls have obtained this functionality.

However, part of the problem with stateful filtering is that it can use a great deal of memory to keep track of all the packets. So even though the open source operating systems were late to the party, they have been able to create a robust stateful filtering engine that leverages the fact that modern machines have much more powerful CPUs and more memory than firewalls from ten years ago.

The Hot-Warm set-up

Also, there are a variety of features that all lend themselves to building a highly available firewall cluster. The idea of a highly available cluster is that two firewalls working together should be able to provide a higher quality of service than one firewall can. If one fails, the other one can pick up the slack. There are several types of highly available setups. In a Hot-Warm set-up, the secondary firewall has a configuration that is synchronized with the main firewall but it does not automatically take over for the main firewall in the event of a problem. An administrator (or scripts) must still bring the second firewall online. A Hot-Warm architecture will generally take a few minutes to an hour to get completely online and running.

In a Hot-Standby architecture, the secondary firewall will automatically become the primary firewall in the event of a failure of the main firewall. The cluster accomplishes this by sending a heartbeat (or some other type of status information) between each other. If the heartbeat disappears or there is indication of a problem, the standby firewall will become the hot firewall. In order to become the hot firewall, the standby firewall must obtain the IP address and MAC address of the primary. Usually firewalls in a cluster will have a shared IP and MAC address pair called the service address that is passed to whatever the active device is. When failover occurs in this architecture, active connections through the firewall cluster will be lost but new connections work fine on a near instantaneous basis.

In more advanced set-ups, the hot and standby firewalls are actually exchanging information between each other regarding what flows are active through the firewall boundary. This type of architecture allows for not just automatic failover but ensures any active sessions are maintained through the failure process.

Linux firewalls

What is great about the current open source solutions is that they offer all the features you expect from an enterprise firewall product. Take Linux, for example. The Linux operating system makes a good foundation for a firewall. It can be configured in a minimalistic fashion and after 14 years of development is a stable platform that is a reliable performer in the datacenter. The primary firewall for use in the 2.6 kernel of Linux is called iptables. Iptables has been in the Linux kernel since the 2.4 kernel and has become quite stable and feature rich. It provides all the expected stateful filtering of sessions as well as some Quality of Service capabilities and dynamic reconfiguration. There are many third party tools that can be used to configure the firewall or administrators can use the built in tools.

For failover, there are also many options. The Linux Virtual Server (LVS) project, at linuxvirtualserver.org, provides a mechanism to handle IP and MAC address sharing between multiple hosts. LVS is used not just for firewalls, but can be used in webserver farms, database clusters, or any other environment that needs highly available services. Another project, IPVS, can synchronize active network connections between two hosts to provide transparent failover between servers. Again, while not specifically designed just for firewalls, LVS and IPVS when used in conjunction with iptables give Linux the capability to run in a Hot-Standby architecture. And with Linux's huge supported hardware base and well known administration techniques, many enterprises find switching to a Linux firewall solution straightforward.


It should be noted that some commercial firewall products run on Linux. For instance, Checkpoint's Firewall-1 will run under some versions of Linux; however, Firewall-1 does not use any of Linux's open source firewall code.

FreeBSD and OpenBSD

The open source BSD-based distributions are not as popular as Linux. However, they are generally better suited for use as a network device. The BSD-based operating systems come from a very well travelled codebase that has a solid core and a robust network stack. While Linux had to build a stack from scratch over the years, the BSD systems have been able to use proven code and technology to make a reliable platform.


OpenBSD [1] is a BSD-based operating system that seeks to be as secure as possible. OpenBSD's focus on security makes it a great choice for firewalls because firewalls are often the focus of attack. OpenBSD has been through several firewalls over the years, but the latest firewall option, pf, is remarkably flexible and powerful. PF is a stateful firewall with options to divert packets out of the firewall and to other interfaces and applications. PF has Network Address Translation (NAT) and Quality of Service controls built in, allowing administrators to easily configure OpenBSD into complex architectures.

From a high availability perspective, OpenBSD supports a program called CARP which handles automatic failover of a shared IP and MAC address between two hosts. CARP is modelled after other network failover mechanisms such as Cisco's Hot-Standby Router Protocol (HSRP) but is not encumbered by the patent issues that other failover mechanisms must deal with.

OpenBSD also supports synchronized packet information through pfsync, allowing two firewalls to share data on what data streams are currently active. The combination of CARP and pfsync allows OpenBSD to operate in a Hot-Standby setup, ensuring that even the failure of a host does not stop network traffic from flowing.
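The following Python model is added here and is not code from the article. It ties together two of the article's points: why a filter that trusts the ACK bit behaves differently from a stateful one, and why a Hot-Standby pair keeps active sessions only when the state table is synchronised the way pfsync does it. The networks, ports and flows are constructed sample data.

```python
# Toy model (added example, not the article's code) of ACK-bit filtering vs.
# stateful tracking, and Hot-Standby failover with and without pfsync-style
# state synchronisation. All addresses, ports and flows are constructed.
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: "S", "SA", "PA", ...

@dataclass
class StatefulFirewall:
    """Records flows opened from the inside; only packets of a recorded flow pass."""
    inside: str  # inside address prefix, e.g. "10.0.0."
    states: set = field(default_factory=set)

    def filter(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.src.startswith(self.inside) and pkt.flags == "S":
            self.states.add(key)  # outbound SYN creates the state entry
            return True
        return key in self.states or reverse in self.states

def ack_bit_filter(pkt: Packet, inside: str) -> bool:
    """Older stateless rule: inside traffic passes; inbound passes if ACK is set."""
    return pkt.src.startswith(inside) or "A" in pkt.flags

def failover(primary: StatefulFirewall, synced: bool) -> StatefulFirewall:
    """Standby takes the service address; with state sync it also inherits the table."""
    standby = StatefulFirewall(primary.inside)
    if synced:
        standby.states = set(primary.states)
    return standby

def demo() -> dict:
    inside = "10.0.0."
    syn = Packet("10.0.0.5", 40000, "198.51.100.10", 443, "S")
    reply = Packet("198.51.100.10", 443, "10.0.0.5", 40000, "SA")
    stray = Packet("203.0.113.7", 4444, "10.0.0.5", 22, "A")  # unsolicited inbound ACK
    data = Packet("10.0.0.5", 40000, "198.51.100.10", 443, "PA")  # mid-session traffic
    hot = StatefulFirewall(inside)
    hot.filter(syn)  # inside host opens a session
    return {
        "ack_filter_passes_stray": ack_bit_filter(stray, inside),  # True: ACK-bit weakness
        "stateful_passes_reply": hot.filter(reply),  # True: matches recorded flow
        "stateful_drops_stray": not hot.filter(stray),  # True: no matching state
        "session_survives_without_sync": failover(hot, False).filter(data),  # False
        "session_survives_with_sync": failover(hot, True).filter(data),  # True
    }
```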

OpenBSD's most limiting factor is its hardware support; with the primary focus being on stability and security, it has more limited support for hardware than other operating systems and only recently added multi-processor support. For this reason, OpenBSD may not be suitable for larger scale installations that require advanced hardware and bigger hosts to handle the load.

FreeBSD [2] is probably the best known of the open source BSDs. FreeBSD focuses on stability and performance, which makes it a better option for larger scale firewall installations than OpenBSD. From a firewall perspective, FreeBSD offers quite a variety of options including its native firewall, ipfw. However, both pf and CARP have been ported to FreeBSD and are able to run with very little configuration. While ipfw is a good stateful firewall, FreeBSD really performs best in an enterprise when paired up with pf and CARP like its OpenBSD cousin.

Parting shots

The open source firewalls are generally a valid alternative for the low- and now mid-level firewall needs. The one weakness these firewalls have is in scalable configuration and auditing. The tools that exist to manage open source firewalls are still lacking. If you only need to manage a few firewalls (a dozen or so) the open source solutions may still be a good fit for you. However, as your installations grow, the lack of ability to manage firewall rules in a coherent and consistent fashion will become an administrative burden.


However, that may not be the case for long. The open source operating systems have gone from a small niche solution to something that can work in all but the biggest enterprises in a short period of time. Don't be surprised if enterprise firewall management and auditing tools are developed in the next few years, making Linux, OpenBSD, and FreeBSD even more attractive solutions than before.

References

[1] http://www.openbsd.org/
[2] http://www.freebsd.org/