29 Jan

Open Source Firewall Appliance Round 2

A few years ago I blogged about using the Untangle firewall to replace a Sonicwall or similar firewall appliance.

Since then, Untangle has come a long way. I would like to revisit the Untangle appliance, as it has undergone numerous improvements and, in my opinion, is now a fully capable replacement for an off-the-shelf firewall appliance.

Hardware update…

For a solid and completely silent firewall for a business environment, here’s my current recommendation (prices are for new components; refurbished or used parts could bring the price down 30% – 50%).
Server – ASUS RS100-X5/PI2: ~$300
Processor – Intel Core 2 Duo E7500: ~$105
RAM – 4 GB (2x2 GB) DDR2-667: ~$90
Hard Drive – WD RE3 or equivalent (200 – 500 GB) SATA: ~$100

Total cost is under $600. This is comparable to a $3000+ Sonicwall or similar appliance and would be significantly quieter.

If you need more ports, a quality 4-port PCI-E Ethernet card runs about $350. Even at ~$1000 for this server with 6 Ethernet ports, it is still a bargain. A quality single-port Ethernet card runs around $75. Don’t use a desktop Ethernet card in a server like this and expect good performance; you need a quality 3Com, Intel or other enterprise-grade card.

This is still a low-end server, but it is silent and would work well for a moderately sized office. If you have the budget and the usage to require it, you could run this on a dual quad-core server with 32 GB or more of RAM. For datacenter usage you don’t need to worry about noise, so a more robust server could probably be set up for the same cost.

Unlike most interactive, user-paced workloads, packet inspection and other firewall functions are very processor intensive: the faster the processors, the better a firewall appliance will perform. Keep this in mind if you decide to build an Untangle or other firewall appliance. Embedded processors like Intel Atoms or VIA chips are not a good match for a firewall, even though they are designed to fit in compact enclosures. They work well for what they’re designed to do, but they are not designed for this.

Current hardware recommendations are as follows:

                CPU             RAM      DISK    NIC
Minimum         800 MHz         512 MB   20 GB   2 (inline)
1-50 PCs        P4              1 GB     80 GB   2+ NICs
51-150 PCs      Dual Core       2 GB     80 GB   2+ NICs
151-500 PCs     2+ Cores        2+ GB    80 GB   2+ NICs
501-1500 PCs    Quad Core x64   4 GB     80 GB   2+ NICs
1500+ PCs       4+ Cores x64    4+ GB    80 GB   2+ NICs

VPN

Something I didn’t discuss in my last article was the VPN. Untangle comes bundled with OpenVPN. There is no limit other than your hardware on the number of VPN users your appliance can support. It is extremely easy to add, suspend and remove VPN users: each user is sent a custom key and connection profile to install on their computer. The VPN also supports site-to-site tunnels, allowing 2 or more offices to share what is effectively the same network no matter how far apart they are.

OpenVPN is much simpler than any VPN software I have used on either the client or the server side. It makes VPN administration and setup a breeze. If you have used Cisco, SonicWall or other VPN products, this will be a breath of fresh air in administration and setup.
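As an added example (not Untangle’s own provisioning code), the POSIX shell script below does by hand what a front end does when it hands a user a “custom key and connection”: it creates a small CA with openssl, signs a per-user client certificate, generates a tls-auth key, and assembles a single .ovpn profile with everything inline. The CA name, the server name vpn.example.com and the working-directory layout are placeholders; the only assumption is that openssl is installed.

```shell
#!/bin/sh
# Added example, not Untangle's tooling: provision one OpenVPN user by hand.
# Assumptions: openssl is on PATH; "Example VPN CA", vpn.example.com and the
# directory layout are placeholders.
set -eu

CA_DAYS=3650    # lifetime of the CA certificate
USER_DAYS=365   # lifetime of each client certificate; short limits exposure

# Create a throwaway CA (ca.key/ca.crt) and a tls-auth key in directory $1.
init_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$CA_DAYS" \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    # tls-auth key: 256 random bytes in the same text layout that
    # "openvpn --genkey --secret" writes (16 lines of 32 hex digits).
    {
        echo "-----BEGIN OpenVPN Static key V1-----"
        openssl rand -hex 256 | fold -w 32
        echo "-----END OpenVPN Static key V1-----"
    } > "$dir/ta.key"
    chmod 600 "$dir/ta.key"
}

# Issue a client certificate for user $2 signed by the CA in $1.
# No serverAuth EKU is added, so this certificate cannot satisfy a peer's
# "remote-cert-tls server" check; only a real server certificate can.
issue_client() {
    dir="$1"; user="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -days "$USER_DAYS" -in "$dir/$user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$user.crt" 2>/dev/null
    chmod 600 "$dir/$user.key"
}

# Write a single-file client profile for user $2 connecting to server $3,
# with CA, certificate, private key and tls-auth key inline. Prints its path.
build_profile() {
    dir="$1"; user="$2"; server="$3"
    out="$dir/$user.ovpn"
    {
        cat <<EOF
client
dev tun
proto udp
remote $server 1194
nobind
persist-key
persist-tun
# Require the server's certificate to carry the serverAuth EKU, so a stolen
# client certificate from the same CA cannot impersonate the server.
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
# Inline <tls-auth> below; 1 is the client's key direction.
key-direction 1
verb 3
EOF
        echo "<ca>";       cat "$dir/ca.crt";    echo "</ca>"
        echo "<cert>";     cat "$dir/$user.crt"; echo "</cert>"
        echo "<key>";      cat "$dir/$user.key"; echo "</key>"
        echo "<tls-auth>"; cat "$dir/ta.key";    echo "</tls-auth>"
    } > "$out"
    chmod 600 "$out"
    printf '%s\n' "$out"
}

# Full provisioning run for one user: the CA is created on first use.
# Usage: provision_user /path/to/pki alice vpn.example.com
provision_user() {
    [ -f "$1/ca.crt" ] || init_ca "$1"
    issue_client "$1" "$2"
    build_profile "$1" "$2" "$3"
}
```

The printed .ovpn contains the user’s private key, so hand it over on a channel other than plain e-mail where you can. Two general OpenVPN points worth knowing regardless of the front end: “removing” a user only takes effect if the certificate is actually revoked and the server runs with crl-verify pointing at a current CRL, otherwise a copy of the profile keeps working until the certificate expires (which is why USER_DAYS above is short); and for site-to-site use the server additionally needs a route for the remote office’s LAN plus a client-config-dir entry with a matching iroute for that office’s certificate, so OpenVPN knows which tunnel owns that subnet.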

Feature Improvements

When we started using Untangle, it was not designed to handle advanced protocols, including some VPN services and multi-protocol traffic like VoIP (Voice over IP) phone services.

I am happy to say that Untangle now fully supports multi-protocol traffic like VoIP and IPsec. Some types of traffic require custom configuration, but so far I haven’t found any sort of traffic that Untangle has problems with.

Untangle now also supports firewall bypassing for high-availability applications, and supports a form of QoS (Quality of Service). The QoS is very configurable, but still not quite as user friendly as on other platforms. It is usable despite some potentially complicated setups. QoS is essential for running VoIP and other mission-critical applications. It can also be used to throttle bandwidth-hungry services like online video.
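The rules below are an added example of the kind of policy just described, written directly against the Linux tc/HTB traffic shaper rather than through Untangle’s GUI; they are not Untangle’s own configuration. Voice (packets marked DSCP EF, plus SIP signalling on UDP 5060) gets a guaranteed share and top priority, everything unclassified lands in a fair-queued default class, and a bulk class is capped for whichever TCP ports you nominate. The interface name eth0, the 10 Mbit/s uplink and the port list in the usage are placeholders.

```shell
#!/bin/sh
# Added example, not Untangle's QoS engine: a three-class HTB policy for one
# interface. Assumptions: interface name, link rate and the list of "bulk"
# TCP ports are placeholders; applying the rules needs root and iproute2.
set -eu

# Print (do not run) the tc commands for interface $1 whose rate is $2 kbit/s.
# Remaining arguments are TCP ports whose traffic is treated as bulk and
# capped. Printing first lets the policy be reviewed or diffed before use.
qos_rules() {
    dev="$1"; rate="$2"; shift 2
    voice=$(( rate * 20 / 100 ))      # guaranteed to VoIP; may borrow up to full rate
    normal=$(( rate * 50 / 100 ))     # everything unclassified
    bulk=$(( rate * 30 / 100 ))       # bulk floor ...
    bulk_ceil=$(( rate * 60 / 100 ))  # ... and hard cap, so video cannot starve the rest
    # DSCP EF (46) sits in the top 6 bits of the TOS byte: 46 << 2 = 0xb8.
    # The mask 0xfc keeps those 6 bits and ignores the two ECN bits.
    cat <<EOF
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc add dev $dev root handle 1: htb default 20
tc class add dev $dev parent 1: classid 1:1 htb rate ${rate}kbit ceil ${rate}kbit
tc class add dev $dev parent 1:1 classid 1:10 htb rate ${voice}kbit ceil ${rate}kbit prio 0
tc class add dev $dev parent 1:1 classid 1:20 htb rate ${normal}kbit ceil ${rate}kbit prio 1
tc class add dev $dev parent 1:1 classid 1:30 htb rate ${bulk}kbit ceil ${bulk_ceil}kbit prio 2
tc qdisc add dev $dev parent 1:10 handle 10: pfifo limit 32
tc qdisc add dev $dev parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $dev parent 1:30 handle 30: sfq perturb 10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10
tc filter add dev $dev parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport 5060 0xffff flowid 1:10
EOF
    # Bulk ports are matched in both directions so the same policy works on
    # the WAN side (uploads, dport) and the LAN side (downloads, sport).
    for port in "$@"; do
        echo "tc filter add dev $dev parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip dport ${port} 0xffff flowid 1:30"
        echo "tc filter add dev $dev parent 1: protocol ip prio 2 u32 match ip protocol 6 0xff match ip sport ${port} 0xffff flowid 1:30"
    done
}

# Apply the policy; must run as root. Example: apply_qos eth0 10000 443 1935
apply_qos() {
    qos_rules "$@" | sh -e
}
```

Shaping only works on traffic an interface transmits, so cap downloads by attaching the policy to the LAN-facing interface and uploads by attaching it to the WAN-facing one; the EF match is direction-agnostic, but it trusts DSCP marks set by the phones, so clear or re-mark DSCP on untrusted ingress if you do not want any host to promote itself into the voice class.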

OS Upgrades

Untangle is now offered as a 64-bit operating system, to satisfy the larger memory requirements of more robust servers. It is still a small custom Debian Linux build. The total install image is around 500 MB, which is a breath of fresh air compared to the 3 – 4 GB of many current Linux distributions.

There is also a Windows version for those who don’t have a dedicated server to run Untangle on. In this mode Untangle works as a Re-Router, controlling the routing and traffic of a network from an existing Windows XP computer.

Conclusion

Untangle has moved from an aspiring concept to a true contender against established firewall appliances. At this point, I can’t see any reason why a business would spend the extra money on a Sonicwall or similar appliance. Pair it with OpenDNS and you have a reliable system that can block websites at the DNS level, plus a full-featured firewall for spam, intrusion, phishing, viruses, and just about every other threat your users will encounter on the internet.

Untangle resources
Untangle Downloads (32-bit, 64-bit, and Windows)
Untangle guide (Wiki)
The Untangle Blog

If you don’t want to build an appliance yourself, there are plenty of approved Untangle hardware vendors.

24 Dec

Business seasonality, and search trends for your marketing

Chances are, if you are an online retailer, you have some seasonality to your business. This mainly depends on the type of products you sell and the general type of people who purchase your products. As a B2B-ish industry we see major volume decreases around every holiday.

Where does your business fit-in?

The once a year rush…

The every holiday surge…

The B2B…

Or the product launch…

With Google’s and others’ free tools on the internet, a small business owner can get very good insight into business seasonality, and shopping search trends. If you have good relationships with your suppliers and manufacturers, it’s often possible to design pre-release campaigns for upcoming products. Search engines place some weight on the first websites to write about specific products or services. If you’re that website, you can gain considerable traction in natural search rankings, and possibly a huge sales boost once the product is launched. This is just one example of how trends like this can be used, but the possibilities are endless and the data is free.

23 Dec

MySQL 5.1 now supported on cPanel / WHM

Just found out this morning that MySQL 5.1 is now officially supported on cPanel.

MySQL 5.1 offers major improvements in some areas over MySQL 5.0. It was released over a year ago, and it has been a long wait for those cPanel users needing 5.1 features.

Upgrading is not as easy as the 4.0 – 5.0 upgrade, but it looks to be a reasonable procedure.

6 Oct

Having a SUNny day without Microsoft

If you’re another person who is constantly fed up with Microsoft products and the cost that comes with them, you’re not alone. I still stand by my recommendation of avoiding Microsoft products before you become their slave, but I must admit, there’s still a number of them that I use.

Since I wrote that article about 2 years ago, not much has changed with Microsoft. I will say that their new online version of Office looks to be a vast improvement over Google Docs or any other online office software. Nevertheless, I think it’s time to take a serious look at dumping Microsoft for SUN. Microsoft’s 3-year Vista, Windows 7, XP saga has been nothing short of exhausting, and may very well be a fatal blow to Microsoft’s reputation.

SUN is emerging as a driving force behind free and Open Source software development, and I think that most businesses could thrive exclusively on SUN software and services. Besides the core Java programming language, let’s take a look at the free and open source products that SUN is supporting.


25 Sep

Framework for a Good Product Page

I was inspired by the Anatomy of a Usable Website, and decided to make a similar guide for a product page. I had previously written a post regarding product descriptions, which still apply here as well.


Download the full PDF version »

This is meant to be a framework for creating an ecommerce product page. There are of course many additional things that could be put on a product page, but these are the essentials that every page should have. The more features a product page has, the more likely it is that a user won’t notice them.

In the end, websites benefit from clean and well organized content.

5 Aug

Could your ecommerce site kill somebody

I was recently looking at Google Maps for some route information to find a driving time near my hometown in Colorado.

Google suggested that I drive over a pass called Schofield Pass. This could be just any old pass, but it’s not.

Schofield Pass is one of the most dangerous roads in Colorado. It is a 7 ft wide rocky mess of a trail with a 500 ft cliff on one side and a solid rock wall on the other. It has been called the most dangerous pass in Colorado, and boasts a near-vertical 27% grade in some places. Over 20 people have perished on it in the past 30 years. Just a few months ago we saw an abandoned Suburban on it, whose owner thought it safer to forget about his vehicle than to risk the descent. Until it was cleaned up in recent years, the river below was littered with the remains of Jeeps and trucks that didn’t make it. Oh, and going up is 100x harder than going down, which is what Google Maps was suggesting.

Here’s a YouTube video that shows very well just how bad Schofield Pass is. And yes, this is a “road” that people drive Jeeps or 4WDs over.

So I got to thinking: how many similar passes in Colorado could Google be suggesting people use? I found an additional 2 very dangerous passes in about 5 minutes of looking.

Pearl Pass is the first, and Ophir Pass is the second.

Just a small section of Pearl Pass:

Ophir pass is the easiest:

Now all of these routes are in somewhat obscure locations, but the areas that surround them are visited by millions of tourists every year. It would be extremely easy for someone to pull up directions for a scenic drive on Google Maps, and … Someone actually tried to drive Schofield in an 18-wheeler some time ago.

So if you are a software company, an information company, or any other kind of company, it may be a good idea to make sure your program isn’t gearing up to kill somebody. Based on its usage, I would bet that Google Maps has already done so somewhere!

23 Jul

Are EV SSL certificates insecure?

Today Intrepidus Group reported that EV SSL certificates are susceptible to a “Man-in-the-Middle” attack.

Zusman and Sotirov call their attack “SSL Rebinding” and claim that it can be used to sniff sensitive data as it leaves the user’s browser or to conduct a browser cache poisoning attack against EV SSL Web sites.

This is a major blow to EV SSL certificates and their significantly higher price tag. Something like this is significant enough that, if you are using an EV SSL certificate, it may be a good idea to downgrade until the exploit is fixed. Note that the attack does not break the EV certificate itself: the attacker must already hold a browser-trusted non-EV certificate for the same host name, which the browser treats as the same origin as the EV session, so in that situation the EV indicator adds no protection over plain SSL.

29 Jun

Moving programming and script posts to new blog

The scripts and php or programming related articles are going to be moved to my new blog: http://www.saynotoflash.com/. The comments on those posts will be transferred as well.

I think that while valuable, the programming posts are not aligned with the direction that I want this blog to go.

Future php, and programming related posts will also be added to the new site instead of this one.

Thanks

28 May

Multi process PHP execution

Moved to: http://www.saynotoflash.com/archives/multi-process-php-execution/

27 May

The biggest sites make simple mistakes

Google messed everything up a few months ago. MSN has done it now. Mistakes like either of these are completely unacceptable. Make sure you always understand what the effects of your actions are before you go and make changes that break everything. A little attention to detail could have prevented both of these.


Copyright © 2011 The Ecommerce Blog, Jamie Estep, All Rights Reserved · Theme design by Themes Boutique