CompactPCI-Based BSD Firewalls?
Legend asks: "I am looking into implementing a BSD-based firewall at my place of employment. I have been looking at different solutions from Nokia and Cisco, but they seem quite expensive, and the Cisco solution is nothing more than a router with some extra software, and the Nokia nothing more than a PC with extra software. I have decided to build my own PC/BSD-based firewall with FreeBSD or OpenBSD; however, I am looking for the perfect hardware for this project. CompactPCI looks like a great choice, but I am wondering if anyone has run *BSD on this hardware, and if there are any pitfalls to it. CompactPCI seems like it would be the perfect firewall solution: compact-flash-based boot drives, hot-swappable processors, up to eight PCI slots for NICs." Sounds like a nice idea for an always-on PC appliance. Although we covered some of the issues with BSD firewalls in an earlier article, it would be interesting to know your thoughts on CompactPCI and how well it can stand up to this kind of use.
Re:Out of the pan (Score:1)
Back to my other point, you could probably sell these things to other companies who are balking at the current retail firewall hardware. But really, that's neither here nor there...
Dancin Santa
Why CompactPCI? (Score:1)
Advantech [advantech.com] supplies a full line of CompactPCI chassis and system boards at very reasonable prices. They also carry PC/104 and other custom SBCs.
Crystal PC [crystalpc.com] supplies ISA-based computer systems in various rackmount configurations. Especially useful if you need 20 or 30 of the same box in a rack. They specialize in 1U and "toolbox" computers.
Diversified Technologies [dtims.com] supplies PCI SBCs, cPCI SBCs, and an array of chassis.
I would also like to take a minute and caution you against using *BSD (or Linux) as a firewall. While it is true that they can be designed for less, and that you have greater control, it also means you have greater responsibility to maintain these systems. The advantage to a Cisco PIX is that the OS is not well known and not available for download. In the case of BSD, there are many more exploits available. Worse, you need to worry about both OS exploits and firewall software exploits. In the case of the PIX, the OS is the firewall, and exploits are far fewer. While it may be more expensive, think of the cost to your business that a breach would cause. After you factor in the extra work, extra maintenance, and lower security, you'll find a PIX is much more cost effective.
--
He had come like a thief in the night,
OS exploits not such a big deal (Score:1)
Also, advocating security through obscurity ain't such a good idea. Where's your obscurity going to get you when you have a dedicated attacker on your hands?
Good reasons to use *BSD instead of PIX. (Score:4)
The disadvantage to the Cisco PIX is that the OS is not well known and not available for download, so you will never know what exploitable holes exist. Meanwhile, Cisco engineers and any uber-crackers who have obtained copies of PIX source code can root you at will :-)
Sure, BSD has had a few holes, but most of those are related to software you don't need installed on your firewall. Or you load OpenBSD, and eliminate the majority of OS exploits from the problem pool.
Reasons not to roll your own. (Score:3)
If you aren't doing this to save money, then you might just want to try to find small form-factor hardware that will run Secure Computing's Sidewinder firewall [sidewinder.com].
Sidewinder is based on a customized version of BSD, runs on normal PC hardware, and has most of the features you'd put in if you designed your own firewall, plus it comes with a GUI so you can delegate maintenance to lesser mortals. But Sidewinder isn't cheap.
I enjoy building my own OpenBSD firewalls, but for nearly any commercial purpose, I purchase commercial firewall products from major vendors.
Good Starting point (Score:2)
Disclaimer: that's my site. Contact me through email if you need assistance; I'd be happy to help you with details.
-John
No shortcuts (Score:1)
We now have a Nokia firewall with CheckPoint Firewall 1 and an intrusion detection system in a locked box (thanks to Al Gore for inventing the Internet and lockboxes) that is monitored 24/7 by a security center with a dedicated encrypted connection. The Nokia is a little more than a PC, with extra software. There is quite a bit of OS hardening, management capabilities, etc. in the box itself. Obviously this did set us back a little bit but it doesn't compare to what is at stake for us. We are competing for the same people as the other area banks and if people lose confidence then we are going to be hurting.
It all boils down to what you are protecting. If you are even considering PIX, Checkpoint, etc. then maybe you have something worth protecting. If you are only saving a few thousand dollars then you should really reconsider the advantages of support, maintenance, time, etc. and focus on the other areas of security.
It sounds like you are determined to continue with this, so I would suggest that you build a second machine with a different OS to protect yourself. There's a good article [daemonnews.org] on using OpenBSD as a transparent bridging firewall. The article suggests using it as a firewall in front of a router, but it would work as well as a firewall in front of another firewall. Using different OSs will make it harder to get through both, even if they are both BSD (Open, Free, Net) or even Linux. I'm looking at using OpenBSD bridge firewalls between all my branch connections and between the network and the modem pool. Using a commercial firewall that is managed gives me the time to lock the rest of the network down and jump on users for doing stupid things. Never underestimate the ability of a user to circumvent your security whenever they get a chance.
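For readers who want to see what the "OpenBSD bridge in front of another firewall" layer in the post above looks like in practice, here is an added, illustrative configuration; it is not taken from the linked daemonnews article or from any poster, and it assumes a current OpenBSD with pf, two NICs named em0/em1, and placeholder addresses from the 192.0.2.0/24 documentation range. The bridge carries no IP address of its own, so the box is invisible to both sides and only the services you list are reachable from the outside member.

```conf
# /etc/hostname.em0  (outside member, faces the upstream router; no address)
up

# /etc/hostname.em1  (inside member, faces the existing commercial firewall)
up

# /etc/hostname.bridge0  (join the two members; neither carries an IP, so the
# bridge itself cannot be addressed from either side)
add em0
add em1
blocknonip em0
blocknonip em1
up

# /etc/pf.conf  (addresses below are constructed placeholders)
ext_if        = "em0"
int_if        = "em1"
protected_net = "192.0.2.0/24"
mail_srv      = "192.0.2.10"
web_srv       = "192.0.2.20"

# A frame is evaluated once per bridge member it crosses; skipping the inside
# member means every packet is judged exactly once, on the outside member.
set skip on { lo0 $int_if }

# Default deny in both directions, logged to pflog0.
block log all

# Anything arriving from outside that claims an inside source address is
# spoofed; drop it before any pass rule can match.
block in quick on $ext_if from $protected_net

# Hosts behind the bridge may open connections outward; pf keeps state, so
# the replies return without needing an inbound rule of their own.
pass out on $ext_if from $protected_net

# Only the published services are reachable from the outside.
pass in on $ext_if proto tcp to $mail_srv port 25
pass in on $ext_if proto tcp to $web_srv  port { 80 443 }
```

Check the ruleset for syntax errors with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, bring the bridge up with `sh /etc/netstart bridge0`, and confirm the default-deny is doing its job by watching `tcpdump -n -e -ttt -i pflog0` while a host on the outside tries a port that is not listed. Because the second layer is a different OS with a different filter implementation from the commercial box behind it, a bug in one is unlikely to be shared by the other, which is the whole point the post makes about heterogeneous firewalls.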
Why are you looking at small form factor? (Score:2)
But if you're going to build your own won't it be a lot easier to stick with standard PC hardware?
That way your time concentrates on the firewall stuff, not struggling with unusual/slightly supported hardware.