One of the most ignored pieces of hardware in a small business network is the router. Yet routers are no different from desktops when it comes to addressing vulnerabilities: they require periodic maintenance, including updating the firmware they run. That can be troublesome for those who buy a name-brand enterprise router but not the support contract, which often costs thousands a year. If your IT budget is very tight, you may even resort to buying a consumer-grade router (Linksys ring a bell?) or, worse yet, settle for ISP-supplied equipment (how about ActionTec, anybody?), in which case your upgrade options are limited.
Here is an idea
Build your own router with the latest choice of operating systems freely available.
True, this is a daunting task, or not feasible at all for businesses with no in-house IT expertise. Nevertheless, you can hire a local IT person to convert one of the old PCs lying around the office into a state-of-the-art, enterprise-grade router with VPN services. And thanks to the number of open source operating systems available, you never pay a dime for software updates.
When open source systems are mentioned, Linux is generally the name that comes up first. Don't overlook the BSD descendants (FreeBSD, OpenBSD, or NetBSD) that were born out of the venerable BSD 4.4. Linux has a comprehensive in-kernel firewall called Netfilter. You can use the low-level command line tool, iptables, or the simpler ufw to define your network security policy and the corresponding rules. Newer kernels have another tool, nftables, that addresses some long-standing inconveniences: before it, IPv4 and IPv6 rules had to be defined with separate tools (iptables and ip6tables), and there was no straightforward way of grouping addresses into tables without using ipset. nftables addresses these points at the expense of an incompatible syntax. An unusual feature of the Netfilter architecture is that it is extensible with additional kernel modules.
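To show what the unified syntax buys you, here is an added nftables ruleset for a two-interface Linux router (not from the original post). It assumes eth0 faces the WAN and eth1 the LAN, and the management addresses in the sets are constructed documentation-range values. One `inet` table covers IPv4 and IPv6 together, and the named sets replace what would otherwise need separate ipset lists.

```nft
#!/usr/sbin/nft -f
flush ruleset

define wan = "eth0"   # assumed WAN interface name
define lan = "eth1"   # assumed LAN interface name

# A single inet table holds both IPv4 and IPv6 rules; with iptables
# this would be two rulesets maintained in parallel.
table inet filter {
    # Named sets stand in for ipset lists; one per address family.
    set mgmt_v4 { type ipv4_addr; elements = { 192.0.2.10, 192.0.2.11 } }   # constructed
    set mgmt_v6 { type ipv6_addr; elements = { 2001:db8::10 } }             # constructed

    chain input {
        type filter hook input priority 0; policy drop;   # default deny toward the router itself
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # SSH to the router only from the management sets
        ip saddr @mgmt_v4 tcp dport 22 accept
        ip6 saddr @mgmt_v6 tcp dport 22 accept
        # DNS and DHCP served to the LAN side only
        iifname $lan udp dport { 53, 67 } accept
        iifname $lan tcp dport 53 accept
        # Enough ICMP/ICMPv6 for path MTU discovery and IPv6 neighbor discovery
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # default deny for transit traffic
        ct state established,related accept
        iifname $lan oifname $wan accept   # LAN may initiate outbound sessions
    }
}

# NAT is still IPv4-only here, so it lives in an ip-family table.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`; the one file replaces the iptables, ip6tables and ipset invocations you would otherwise have to keep in step.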
My personal favorite system for security purposes is FreeBSD. With that, you get three different choices:
ipfw (the de facto choice)
- Fits nicely into the Netgraph architecture in the kernel
- Can be used to filter L2 traffic (e.g. MAC filtering)
pf (ported from OpenBSD)
- Quickly being adopted by other systems (e.g. macOS)
- Built-in support for QoS
ipfilter (legacy solution)
- Favored by Juniper
- Was the de facto packet filter before the licensing controversy