One of the most ignored pieces of hardware in a small business network is
the router. Yet routers are no different from desktops when it comes to
addressing vulnerabilities: they require periodic maintenance that includes
updating the firmware running on them. That might be a little troublesome
for those who purchase a name-brand enterprise router but not the support
services, which often cost thousands on an annual basis. If your IT budget is
very tight, you may even resort to buying a consumer-grade router
(Linksys ring a bell?), or worse yet settle for ISP-supplied
equipment (how about ActionTec, anybody?), in which case you are limited
in upgrade options.
Here is an idea: build your own router with one of the latest
freely available operating systems.
True, this is a daunting task, or not feasible at all, for businesses
with no in-house IT expertise. Nevertheless, you can hire a local IT guy
to convert one of the old PCs lying around the office into a
state-of-the-art enterprise-grade router with VPN services. And thanks
to the number of open source operating systems available, you never pay
a dime for software updates.
When open source systems are mentioned, Linux is generally the name
that comes up first. Don't overlook the BSD incarnations (FreeBSD, OpenBSD,
or NetBSD) that were born out of the venerable BSD 4.4.
Linux has a comprehensive in-kernel firewall called Netfilter. You can
use the low-level command line tool, iptables, or the simpler ufw, to
define your network security policy and the corresponding rules. Newer
kernels have another tool called nftables that addresses some minor
inconveniences: before it, IPv4 and IPv6 rules had to be defined with
different tools, and there was no straightforward way of defining address
sets without using ipset. The new tool, nftables, addresses these points
at the expense of an incompatible syntax. An unusual feature of the
Netfilter architecture is that it is extensible with additional kernel
modules.
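As an added illustration of the two points just made (one ruleset covering both address families via the inet family, and a named set with no ipset), here is a constructed nftables ruleset for a two-interface small-office router. It is not from the original post; the interface names, the management addresses and a kernel new enough to do NAT in the inet family are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: small-office router policy in one inet table.
# Assumed interfaces (placeholders): eth0 = WAN, eth1 = LAN.
flush ruleset

table inet router {
    # Named set built into nftables: no ipset needed.
    # Only these LAN hosts may reach the router's own SSH service.
    set mgmt_hosts {
        type ipv4_addr
        elements = { 192.168.1.10, 192.168.1.11 }
    }

    # Traffic addressed to the router itself: default deny.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # ICMP and ICMPv6 are needed for PMTU discovery and
        # IPv6 neighbour discovery; one table handles both families.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Management only from the LAN side and only from the set.
        iif "eth1" tcp dport 22 ip saddr @mgmt_hosts accept
        # DHCP and DNS served to the LAN.
        iif "eth1" udp dport { 53, 67 } accept
        iif "eth1" tcp dport 53 accept
    }

    # Traffic routed through the box: LAN out to WAN, nothing unsolicited in.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "eth1" oif "eth0" accept
    }

    # Source NAT for the LAN behind the single WAN address.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "eth0" masquerade
    }
}
```

Load it with `nft -f` and review the result with `nft list ruleset`; the drop policies on input and forward mean anything not explicitly accepted above is discarded.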
My personal favorite system for security purposes is FreeBSD. With that,
you get three different choices:
ipfw (the de facto choice)
- Fits in nicely within the Netgraph architecture in the kernel
- Can be used to filter L2 traffic (e.g. MAC filtering)
pf (ported from OpenBSD)
- Quickly being adopted by other systems (e.g. macOS)
- Built-in support for QoS
ipfilter (legacy solution)
- Favored by Juniper
- Was the de facto packet filter before the licensing controversy