Linksys Firewall/router

Charles Steinkuehler cstein at newtek.com
Wed Nov 7 01:50:59 CST 2001


> Preference is relative.  Using a hardware firewall is definitely the
> simplest way to provide protection to a single (or a group of)
> workstation(s).
>
> A properly configured software firewall (whether it be ipchains/iptables or
> Zone Alarm or Black Ice) can be just as effective.  Most of the time, the
> software firewalls (especially so with Linux) provide greater flexibility
> with what you can do when it comes to filtering traffic, logging
> connections, etc.

Remember...unless you're spending the REALLY big $$$, a 'hardware' firewall
is really just a tiny software firewall in a black box.  The software is
simply embedded (usually on a small flash chip), the CPU is typically
something small, slow, and cheap (with limited RAM), and the operating
system is probably either custom or something you've never heard of (unless
you work with embedded systems).

The main benefit of the 'black box' is ease of use.  If you can plug in the
power cord and some network cables, you've pretty much configured your
firewall.  That's also the big drawback...while these systems are usually
somewhat configurable, you can't really do much but port-forward some
protocols to internal machines.  Dealing with multiple static IPs, true DMZ
support, VPN gateway functionality, and many other advanced features are all
generally beyond the capabilities of these canned firewalls.  If the limits
don't bother you (i.e. no plans to run server systems), you're not averse to
ponying up the $$ (these boxes aren't really that expensive anymore), and
you're not the type who likes to 'tinker' and would rather do it yourself,
the firewall boxes are a really great solution.  With a few simple checks
(make sure you set the passwords to something OTHER than the defaults, and
turn off as much port-forwarding from the outside world as you can,
especially if any of it defaults to on), you're pretty secure.

If you're the type who likes to tinker, you can get (really) minimal Linux
distributions (most boot from a single floppy) pre-configured to perform
most of the same functions as your typical cable/DSL firewall.  Since it's
actually Linux, however, you can add multiple network cards, create true
DMZs (even if you've only got one IP, you can port-forward to a DMZ
machine, and get the security benefit of having your public servers on an
isolated net from your workstations), add VPN software, ssh remote access,
SNMP statistics gathering, and just about whatever else you might want.  Of
course the hardware required to support this is extravagant from the
perspective of the typical cable/DSL firewall box, but still pretty minimal
by today's standards (a 486/Pentium class CPU, 8-32 megs of RAM, and some
sort of bootable storage...floppy, HD, CD, flash-disk, &c)...plus a couple
of NICs.  I typically run old Pentium systems, which let me use PCI 10/100
NICs (much easier/faster than ISA cards), and have enough CPU power to
encrypt VPN traffic.

For software, take a look at freesco, coyote, share-the-net, or my personal
favorite: the LEAF project at SourceForge (I build one of the more popular
distributions).  I've got a release-candidate version out of both a CD- and
floppy-disk-based firewall image.  Just tell it which NICs you're using,
and you'll have a pre-configured masquerading firewall with a DHCP server for
automatically configuring your local systems, a local DNS cache to speed up
name resolution, and a small web-based status display/log viewer:
http://leaf.sourceforge.net/devel/cstein/DiskImages/Dachstein.htm

The floppy disk even self-extracts for you...

Charles Steinkuehler
charles at steinkuehler.net

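The "true DMZ on one IP" setup the post describes, as an added example that is not part of the original message or of any LEAF/Dachstein image: a small iptables ruleset for a three-NIC Linux box that masquerades the LAN, forwards public port 80 to one DMZ web server, and keeps the DMZ from reaching the workstations. Interface names, subnets and the DMZ host address are assumptions; without APPLY=1 the script only prints the rules so they can be reviewed.

```shell
#!/bin/sh
# Assumed layout: eth0 = cable/DSL side (one public IP), eth1 = LAN, eth2 = DMZ.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
LAN_NET=${LAN_NET:-192.168.1.0/24}     # constructed sample subnet
DMZ_NET=${DMZ_NET:-192.168.2.0/24}     # constructed sample subnet
DMZ_WEB=${DMZ_WEB:-192.168.2.10}       # constructed sample DMZ web server

# With APPLY=1 the rules are installed (needs root); otherwise they are echoed
# as a dry run so the ruleset can be checked before it goes on the box.
run() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

firewall_rules() {
    # Default deny for anything arriving at or passing through the firewall.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -F
    run -t nat -F
    # Loopback, plus replies to connections the inside already opened.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Workstations may talk to the firewall (DHCP, DNS cache), the Internet and the DMZ.
    run -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$DMZ" -s "$LAN_NET" -j ACCEPT
    # DMZ hosts may reach the Internet but never the LAN: a compromised public
    # server stays on its isolated net.
    run -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    run -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -j ACCEPT
    # Masquerade both inside nets behind the single public address.
    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Port-forward public port 80 to the DMZ web server, and let only that
    # new inbound connection cross from WAN to DMZ.
    run -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_WEB:80"
    run -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$DMZ_WEB" --dport 80 -m state --state NEW -j ACCEPT
}

firewall_rules
```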