Enterprise open source firewall appliance software!
I needed to set up a content filtering firewall a few weeks ago for an office of about 50 people. The existing firewall was a Sonicwall Pro 4060, which is a very solid firewall and is more than adequate for 50 computers. Sonicwall also has a content filter application that installs on the Pro 4060. The drawback to using Sonicwall’s filter is the price. Their filter is billed on a recurring yearly subscription, and would cost about $2,000 per year to use. $2,000 per year was far beyond the budget for such a project, so I went to look for an open source or lower cost setup, hopefully without any annual fee. My first thought was a custom Linux-Debian computer built only to function as a firewall. After some research and a few recommendations, I found a great out-of-the-box Linux operating system, Untangle, that is designed specifically for dedicated firewall applications. This was a much better solution than custom configuring a Linux server.
The following is a quick guide on how to set up an enterprise class firewall for a small to medium sized business. How well your firewall performs depends on the hardware that you use, but if you copy the specs of the one that I set up, it should easily handle 100+ computers and servers.
Tyan Transport GS12 or GS14 – $100 – $500 (Used – New)
Intel Pentium 4 – 3.4Ghz HT – $30 – $75
4GB DDR2 RAM – $150 (Cheaper if bought on eBay)
Additional Ethernet card – $50 – $200 (Optional for DMZ)
Total – $300 – $900 (depending on configuration and cost of components.)
The Tyan Transport GS12 and GS14 are perfect servers for a dedicated firewall. They both are small, sub-1U rack mountable, and they take Pentium 4 processors with hyper-threading. They come standard with 2 Ethernet connections, and have a PCI card slot so a 3rd Ethernet card can be added for a DMZ port. The GS14 supports on-board RAID and SATA drives, and uses a better processor core (LGA775), so we went with it. We bought a brand new GS14 for under $400 and it came with all of the installation hardware, rails, CPU heat-sink, power and internal connections, and everything else we needed, minus the CPU, RAM, and hard drive. We opted for a 3.4 GHz Pentium 4 processor with Hyper-threading; the Pentium D is also supported. Because of potential cooling issues with the Pentium D and the fact that there is not a lot of room for airflow inside a 1U case, we went with the Pentium 4. We maxed out the RAM at 4GB, and installed it with an 80GB SATA RAID 1 hard drive setup. We’re only using this as a content filter, but in this configuration it could easily scale to be a primary firewall for a medium-sized business. My guess is that this setup could handle an office of 50 – 500 computers depending on web usage, bandwidth and what applications are being used within the firewall.
For the software:
I was recommended to check out the Untangle internet gateway, which was exactly what I was originally looking for. Untangle is an open source firewall operating system based on Linux, and includes a firewall, web filter, content and application filter, virus, phishing and spyware blocker, intrusion prevention, and a full VPN server. It also includes advanced logging and reporting, which is essential to ensure that a network is actually secure. All of these features can be configured using a nice graphical interface, which also includes a remote management console. This software is designed to replace existing high-end firewall appliances.
As far as installation, the operating system ISO file can be downloaded here. The operating system installs very easily, like most Linux OSes. There are simple questions during the install, and the entire process took about fifteen minutes.
Once installed, the next step was to configure the network on the firewall. There are two basic ways to use this system as a firewall, along with a number of additional advanced configuration options.
Firewall as Primary / Router:
The first is to use it as a primary firewall and DHCP server. You would use this option if it was going to be the only, or primary, firewall in a network.
Firewall as Bridge:
The second option is to install the firewall as a bridge, where it sits between the primary firewall and the primary network switch. In our case we were setting it up as a bridge, which was a little confusing because the IP address is the same on both the external and internal network ports, but it works perfectly once you understand that minor detail.
Once the network is set up, the firewall is ready to be configured. For the initial setup, I recommend just connecting one port to the network, and configuring everything from there. Since both ports have the same IP address, it can cause problems if you connect them both to a single switch. Once connected, you can install individual packages, or install all of them at once. Each package can also be individually configured or deactivated. Here are some screenshots of the management console. Everything can be configured to the smallest detail. Some of the settings will require some solid networking knowledge to properly configure, but there is nothing that I was looking for that was not in the console.
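To make the "same IP address on both ports" detail concrete, here is an added example (not from the original post, and not Untangle's own configuration tooling) showing how a transparent filtering bridge is built on a plain Linux host with iproute2. The management address is assigned to the bridge device, not to either physical NIC, which is why both ports appear to share one address. The interface names (eth0 toward the primary firewall, eth1 toward the LAN switch), the bridge name br0 and the 192.0.2.0/24 addresses are assumed placeholders. Spanning tree is enabled on the bridge as a guard against the loop you get if both ports are accidentally plugged into the same switch, and br_netfilter is loaded so bridged traffic is visible to the host's iptables rules.

```shell
#!/bin/sh
# Added example: transparent Linux bridge with one management address.
# Placeholders (override via environment): interface and address values below.
EXT_IF="${EXT_IF:-eth0}"            # port facing the primary firewall
INT_IF="${INT_IF:-eth1}"            # port facing the LAN switch
BR_IF="${BR_IF:-br0}"               # bridge device that owns the IP
MGMT_ADDR="${MGMT_ADDR:-192.0.2.10/24}"   # RFC 5737 documentation range
GATEWAY="${GATEWAY:-192.0.2.1}"

# bridge_plan prints the configuration steps, one command per line, without
# executing anything, so the plan can be reviewed (or tested) before applying.
bridge_plan() {
    cat <<EOF
ip link add name $BR_IF type bridge
ip link set dev $EXT_IF master $BR_IF
ip link set dev $INT_IF master $BR_IF
ip link set dev $BR_IF type bridge stp_state 1
ip addr flush dev $EXT_IF
ip addr flush dev $INT_IF
ip addr add $MGMT_ADDR dev $BR_IF
ip link set dev $EXT_IF up
ip link set dev $INT_IF up
ip link set dev $BR_IF up
ip route add default via $GATEWAY dev $BR_IF
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
EOF
}

# plan_is_sane checks the invariant that makes bridge mode work: exactly one
# address assignment, and it targets the bridge device rather than a NIC.
plan_is_sane() {
    count=$(bridge_plan | grep -c '^ip addr add ')
    [ "$count" -eq 1 ] || return 1
    bridge_plan | grep -q "^ip addr add .* dev $BR_IF\$"
}

# bridge_apply runs the plan line by line as root, stopping at the first
# failure so a half-built bridge is not left silently in place.
bridge_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "bridge_apply: must run as root" >&2; return 1; }
    plan_is_sane || { echo "bridge_apply: plan failed sanity check" >&2; return 1; }
    bridge_plan | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Usage: ./bridge.sh        -> print the plan
#        sudo ./bridge.sh apply -> build the bridge
case "${1:-plan}" in
    apply) bridge_apply ;;
    *)     bridge_plan ;;
esac
```

Run it without arguments first to review the generated commands; only `apply` touches the system. After applying, the host is reachable on 192.0.2.10 through either port because the address belongs to br0, and a packet filter on the host sees the bridged LAN traffic.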
Once you have the firewall configured as you want, you should plug a single computer into the other network port and do some testing to make sure that it is working properly. Make sure you use a cross-over cable if you plug a computer directly into the firewall. Since there is no network switch, a standard Ethernet cable will not work from the firewall directly to a computer.
Assuming that everything is working correctly, you can now switch over to using the new firewall. You don’t need to reboot it or anything, just plug the correct network ports on the firewall into the correct nodes on your network and you’re good to go.
If you consider that a new firewall appliance (Sonicwall, Firebox, Cisco, Barracuda, Astaro, etc.) with similar specs, not including any filtering subscriptions, would easily cost $5,000+, then this is a really cheap alternative. Add in the content, virus, spam, and spyware filters, and you are easily adding a recurring cost of $5,000+ per year on top of the $5,000 price tag.
You may need someone to set up and manage this for you, but most businesses that I know of would love to save $5,000 per year for web security and end up with a much better and more configurable system. Someone with moderate networking knowledge could easily set this system up and maintain it. Untangle offers professional support and better virus scanning packages if you need a little more support and protection. They also offer fully built Untangle servers if you don’t want to set one up yourself.
Overall, Untangle gets a 10/10 from me. It saved thousands of dollars, and it took less than an hour total to set up. Truly a remarkable piece of software.