Review: Security firewall distributions

Firewalls underpin the security of any network, controlling the flow of data in and out. Where once they were simple in premise and execution, today they are just one component of a collection of services to monitor, track, limit and sometimes alter data to ensure the security of a network.

Today, off-the-shelf firewall products are almost exclusively Linux-based, precisely because Linux excels at the task. Firewall distributions are pre-packaged Linux distributions with a focus on firewall and gateway duties, containing all the necessary tools and services to make it easy to set up a box to protect your network. These are almost always bundled with web-based remote configuration interfaces that are so good that many once purely free firewall distributions have made the jump to corporate products.

In these cases the original distribution, as is the case with GPL (GNU General Public License) code that underpins Linux, remains free -- you can download and install the full product on your own hardware. Money is made, however, by selling enterprise-grade technical support, commercial add-on modules (like third-party anti-virus), and hardware appliances that come pre-installed and ready to go with minimal effort.

It's a system that works well, as the free versions of the software can often be used without restriction by smaller businesses that don't need enterprise-level support, or by enterprise IT staff who want to try before buying and even set up the software to see how it performs on the network.

The following distributions represent some of the popular firewall and gateway products on the market. Some are community-driven only with no commercial counterpart, while others offer the full gamut of enterprise support services and off-the-shelf hardware appliances.

ClearOS
www.clearcenter.com


ClearOS is a great example of the dual free and commercial firewall products that can be had.

ClearOS is a prime example of a Linux-based gateway and firewall distribution that comes in two flavours: ClearOS Community, a free edition for hobbyists and developers, and ClearOS Professional for business and production use. In truth both versions are very similar -- as the core functionality is freely available in Linux itself -- with the professional version mainly offering paid support services and optional paid add-ons such as Kaspersky anti-malware, Google Apps synchronisation, or server backup and auditing. Technically there is no restriction on using the free Community edition in a production environment if you're able to support it with your own staff. The Professional version can be installed on your own hardware or be cloud-hosted for a minimal cost, or a pre-made ClearOS Professional appliance (aka clearBOX) can be purchased, which comes in three levels depending on expected network load.

All administration is via a web interface, which is clean and intelligently laid out. With a focus on being everything from an advanced firewall to a multi-role gateway with advanced functions like packet inspection, it also includes a marketplace of apps to tailor a server to your needs. See www.clearcenter.com for ClearOS Professional and www.clearfoundation.com for ClearOS Community.

Endian
www.endian.com

Like ClearOS, Endian also provides a free version of Endian UTM -- its commercial Linux-based security gateway OS -- called Endian Community Edition that can be installed on your own hardware. As is to be expected, the community edition lacks certain features, like official support, but it is still promoted by Endian for use by small businesses or non-profits, and nonetheless maintains all of the core functionality of Endian UTM.

The enterprise edition can be deployed as a virtual or hardware appliance, and Endian offers a range of boxes designed for use by a range of business sizes from just a handful of users up to thousands of seats, though prices aren't listed on the website. Professional support is provided in three levels from standard to 'premium', the latter of which extends the warranty on a hardware appliance.

Beyond typical stateful firewall functionality, Endian includes web and mail security, anti-virus, Wi-Fi hotspot management (captive portal with features like ticketing and bandwidth control), and detailed logging and reporting, among other features. Again, management is performed through a web interface which, while comprehensive, isn't quite as slick as ClearOS.

The latest version, Endian Firewall 3.0, has only just been released and can be downloaded from the Community section of the website. And if you try Endian and really like it, there's even a merchandise store with shirts and mugs. Guess a man's gotta love him some firewalls.

IPCop
www.ipcop.org

With clearly the best name on the planet for a firewall, IPCop is a free non-commercial distribution designed for home and small business users. There are no paid support options or hardware appliances here, unlike ClearOS or Endian, but if you and your team know what you're doing then that isn't likely to be an issue.

More than this, IPCop is also designed for lower-end hardware, coming in relatively compact in size compared to ClearOS or Endian. In fact there's a 'Flash' installation option that presumes you'll be installing it to a flash-based medium, and tweaks the OS to perform minimal writes in order to extend flash memory life. Paired with a low-power box, you can set up quite a potent firewall with minimal cost and resource usage.

As far as free community-supported distributions go, IPCop's web-based interface is both extensive and excellent, providing access to advanced firewall features, common services like web filtering and traffic shaping, and logs and reporting through an easy-to-use interface design.

There aren't any official add-ons like the anti-virus or Wi-Fi hotspot controls found in some of the other products covered here, but then it's a completely free and compact distribution aimed squarely at doing one job really well, allowing you to use other products to cover other services as you see fit. About the only downside to IPCop is that the latest stable release is over a year old.
