Review: Security firewall distributions
- 20 February, 2014 13:49
Firewalls underpin the security of any network, controlling the flow of data in and out. Where once they were simple in premise and execution, today they are just one component of a collection of services to monitor, track, limit and sometimes alter data to ensure the security of a network.
Today, off-the-shelf firewall products are almost exclusively Linux-based, precisely because Linux excels at the task. Firewall distributions are pre-packaged Linux distributions with a focus on firewall and gateway duties, containing all the necessary tools and services to make it easy to set up a box to protect your network. These are almost always bundled with web-based remote configuration interfaces that are so good that many once purely free firewall distributions have made the jump to corporate products.
In these cases the original distribution, as is the case with the GPL (GNU General Public License) code that underpins Linux, remains free -- you can download and install the full product on your own hardware. Money is made, however, by selling enterprise-grade technical support, commercial add-on modules (like third-party anti-virus), and hardware appliances that come pre-installed and ready to go with minimal effort.
It's a system that works well, as the free versions of the software can often be used without restriction by smaller businesses that don't need enterprise-level support, or by enterprise IT staff who want to try before buying and can even set up the software to see how it performs on their network.
The following distributions represent some of the popular firewall and gateway products on the market. Some are community-driven only with no commercial counterpart, while others offer the full gamut of enterprise support services and off-the-shelf hardware appliances.
ClearOS is a great example of the dual free and commercial firewall products that can be had.
ClearOS is a prime example of a Linux-based gateway and firewall distribution that comes in two flavours: ClearOS Community, a free edition for hobbyists and developers, and ClearOS Professional for business and production use. In truth both versions are very similar -- as the core functionality is freely available in Linux itself -- with the professional version mainly offering paid support services and optional paid add-ons such as Kaspersky anti-malware, Google Apps synchronisation, or server backup and auditing. Technically there is no restriction on using the free Community edition in a production environment if you're able to support it with your own staff. The Professional version can be installed on your own hardware or be cloud-hosted for a minimal cost, or a pre-made ClearOS Professional appliance (aka clearBOX) can be purchased; these come in three levels depending on expected network load.
All administration is via a web interface, which is clean and intelligently laid out. With a focus on being everything from an advanced firewall to a multi-role gateway with advanced functions like packet inspection, it also includes a marketplace of apps to tailor a server to your needs. See www.clearcenter.com for ClearOS professional and www.clearfoundation.com for ClearOS Community.
Like ClearOS, Endian also provides a free version of Endian UTM -- its commercial Linux-based security gateway OS -- called Endian Community Edition that can be installed on your own hardware. The community edition lacks certain features, as is to be expected, such as official support, but is still promoted by Endian for use by small businesses or non-profits, and nonetheless maintains all of the core functionality of Endian UTM.
The enterprise edition can be deployed as a virtual or hardware appliance, and Endian offers a range of boxes designed for use by a range of business sizes from just a handful of users up to thousands of seats, though prices aren't listed on the website. Professional support is provided in three levels from standard to 'premium', the latter of which extends the warranty on a hardware appliance.
Beyond typical stateful firewall functionality Endian includes web and mail security, anti-virus, Wi-Fi hotspot management (captive portal with features like ticketing and bandwidth control), and detailed logging and reporting among other features. Again management is performed through a web interface which, while comprehensive, isn't quite as slick as ClearOS.
The latest version, Endian Firewall 3.0, has only just been released and can be downloaded from the Community section of the website. And if you try Endian and really like it, there's even a merchandise store with shirts and mugs. Guess a man's gotta love him some firewalls.
With clearly the best name on the planet for a firewall, IPCop is a free non-commercial distribution designed for home and small business users. There are no paid support options or hardware appliances here, unlike ClearOS or Endian, but if you and your team know what you're doing then that isn't likely to be an issue.
More than this, IPCop is also designed for lower-end hardware, coming in relatively compact in size compared to ClearOS or Endian. In fact there's a 'Flash' installation option that presumes you'll be installing it to a flash-based medium, and tweaks the OS to perform minimal writes in order to extend flash memory life. Paired with a low-power box, you can set up quite a potent firewall with minimal cost and resource usage.
As far as free community-supported distributions go, IPCop's web-based interface is both extensive and excellent, providing access to advanced firewall features, common services like web filtering and traffic shaping, and logs and reporting through an easy-to-use interface design.
There aren't any official add-ons like anti-virus or Wi-Fi hotspot controls, as some of the other products covered here have, but then it's a completely free and compact distribution aimed squarely at doing one job really well, leaving you to use other products to cover other services as you see fit. About the only downside to IPCop is that the latest stable release is over a year old.
IPFire is one of the more popular compact distributions with a great interface.
With competition from IPCop, the similarly named IPFire aims to be the ultimate easy-to-use turnkey firewall distribution. Sitting somewhere between a completely free non-commercial offering like IPCop and a hybrid free community and commercially supported offering like Endian or ClearOS, IPFire doesn't itself provide a hardware appliance option, but can be purchased pre-installed on hardware and with professional support through third-party Lightning Wire Labs (www.lightningwirelabs.com). There are various levels of support contract available, and similarly a selection of appliances from compact, low-power mini-servers to a heavy-duty rack-mount. Perhaps helping the low-power compact option, IPFire supports ARM as well as x86 hardware. Alternatively, hypervisors from VMware and Xen to Microsoft's Hyper-V and Red Hat's KVM are supported as well.
As with other products here, configuration and management is via a web interface that is cleanly laid out and provides access to setting up firewall rules, QoS, Wi-Fi access, VPN services, content filtering, intrusion detection, and web filtering based on the popular open-source Squid caching proxy. It also sports its own package update system called Pakfire, which doubles as a package manager for installing new features.
IPFire is actively developed and, at the time of writing, the latest IPFire 2.13 update 75 had just been released.
pfSense is a FreeBSD-based distribution that gives the Linux firewalls a run for their money.
pfSense is a security-focused open-source firewall derived from m0n0wall, itself a firewall-based FreeBSD distribution (and in that sense it is the only FreeBSD-based distribution covered here among the Linux cohort). If you're familiar with BSD, 'pf' is the name of BSD's packet filter system (as opposed to the Linux 'iptables'), which performs the packet filtering for firewall duties alongside other features such as bandwidth control and NAT. Indeed, between the FreeBSD and Linux camps there's much contention about which packet engine is more efficient, versatile and powerful. Ultimately, both are very good at what they do.
Just as Linux can be daunting to the uninitiated, FreeBSD is similar, and so pfSense provides a customised firewall distribution with a web-based interface so you don't need to get your hands dirty (the pfSense documentation promises you'll never need to use a command line).
And, beyond the standard stateful firewall functions you'd expect, pfSense also has a few tricks up its sleeve like load balancing, a captive portal to force authentication (as with public Wi-Fi hotspots), and the ability to filter connections by the incoming client's OS (for example to allow Linux machines while blocking Windows ones regardless of IP or other firewall rules).
Beyond this, and much like IPCop, pfSense is focused on firewall and router duties and so doesn't include optional modules like anti-malware or cloud services like ClearOS and similar commercially-focused products do. It does, however, provide commercial support options that include free configuration backup of the server at the pfSense portal, and access to extensive official documentation on making the most of a pfSense install.
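The "stateful" part of a stateful firewall is what both pf (its `keep state` keyword) and iptables (the conntrack match) provide, and it is easier to see in a small model than in a rule listing. The following is an added example written for this review, not code from pfSense, pf, or any other product covered here: a toy first-match packet filter with a state table, run over a constructed packet trace (addresses are from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24). The `Packet`, `Rule` and `PacketFilter` names and the rule semantics are this example's own simplifications; the pf and iptables rule lines in the comments are the real-world equivalents the model is imitating.

```python
"""Toy model of stateful packet filtering (added example; constructed data only)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from the WAN, "out" = leaving the LAN
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    direction: str           # "in", "out" or "any"
    proto: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False  # pf 'keep state'; iptables '--ctstate NEW' plus an ESTABLISHED rule

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]


class PacketFilter:
    """First-match evaluation (iptables semantics; pf is last-match unless a rule
    says 'quick') plus a state table for flows admitted by keep_state rules."""

    def __init__(self, rules: List[Rule], default: str = "block") -> None:
        self.rules = rules
        self.default = default          # 'block all' / policy DROP
        self.state: Set[FlowKey] = set()

    @staticmethod
    def flow_key(p: Packet) -> FlowKey:
        # Order the two endpoints so a reply maps to the same entry as the request.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        lo, hi = (a, b) if a <= b else (b, a)
        return (p.proto, lo, hi)

    def decide(self, p: Packet) -> str:
        key = self.flow_key(p)
        if key in self.state:
            return "pass"               # ESTABLISHED: reply traffic of a known flow
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(key)  # NEW flow admitted; remember it for the reply
                return r.action
        return self.default


# Constructed trace: a LAN client browsing out, the reply, an unsolicited probe,
# and an outside client reaching a web server behind the firewall.
TRACE = [
    Packet("out", "tcp", "192.0.2.10", 40000, "198.51.100.80", 80),
    Packet("in", "tcp", "198.51.100.80", 80, "192.0.2.10", 40000),
    Packet("in", "tcp", "203.0.113.5", 4444, "192.0.2.10", 22),
    Packet("in", "tcp", "203.0.113.5", 5000, "192.0.2.20", 443),
    Packet("out", "tcp", "192.0.2.20", 443, "203.0.113.5", 5000),
]

# pf:        block all
#            pass out proto tcp keep state
#            pass in proto tcp to any port 443 keep state
# iptables:  -P INPUT DROP
#            -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#            -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
STATEFUL_RULES = [
    Rule("pass", "out", proto="tcp", keep_state=True),
    Rule("pass", "in", proto="tcp", dport=443, keep_state=True),
]

# The same rules without state: replies to outbound connections now have
# nowhere to match and fall through to the default block.
STATELESS_RULES = [
    Rule(r.action, r.direction, r.proto, r.dport, keep_state=False)
    for r in STATEFUL_RULES
]


def run(rules: List[Rule], trace: List[Packet] = TRACE) -> List[str]:
    """Return the filter's decision for each packet of the trace, in order."""
    fw = PacketFilter(rules)
    return [fw.decide(p) for p in trace]


if __name__ == "__main__":
    for label, rules in (("stateful", STATEFUL_RULES), ("stateless", STATELESS_RULES)):
        for p, verdict in zip(TRACE, run(rules)):
            print(f"{label:9} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

Running it shows the second packet, the web server's reply to the LAN client, passing under the stateful rules and being blocked under the stateless ones, while the unsolicited SSH probe is blocked either way. The fifth packet is the mirror case: the server's reply leaves through the state entry created when the inbound port 443 connection was admitted.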
Hardware requirements are also quite low, making it possible to install pfSense on low-power servers and on flash media for embedded systems.
All up, it's yet another refined and viable option for a dedicated firewall server that's free to use, with paid support only if you need it.
Smoothwall has made leaps and bounds with its latest 3.0 release, including sporting an improved interface.
Smoothwall is so popular you've probably already heard of it, and not without good reason. Originally a free open-source distribution (as Smoothwall Express) much like IPCop or IPFire, it later evolved to become an enterprise solution (www.smoothwall.com) with commercial support options and paired hardware appliances.
Smoothwall breaks its products down into three core offerings -- the Web Access Manager (WAM), designed for roles such as public access and (according to the website) the hospitality industry, where the focus is more on bandwidth and application control; the Secure Web Gateway (SWG) with its real-time content filtering and mobile endpoint management features; and Unified Threat Management (UTM), building on SWG with advanced firewall features. The products also sport load balancing, anti-spam and anti-malware, P2P file sharing blocking, and social media control to limit or define the use of social media in the workplace.
In the past Smoothwall's web interface wasn't quite as attractive as some of the other products covered here, but the most recent version has revamped this and it's now much easier on the eyes and easier to use.
As with the other hybrid free and commercially-focused products we're looking at here, you can use Smoothwall Express for free in a production environment supported by your own IT resources, or as a means to test that the product meets your needs before opting for commercial support or a hardware appliance.
Sophos brings its experience and reputation to bear on its own Linux-based firewall product.
Formerly Astaro Security Gateway before being acquired by Sophos, this router distribution provides a stateful firewall along with packet inspection, web content filtering, anti-spam and anti-virus, intrusion prevention, and load balancing among other features. On the Sophos website it's marketed as Sophos UTM, primarily as a hardware appliance with optional modules for web, email and wireless protection. However, under 'Free Tools' you can download two versions of the Sophos UTM operating system stand-alone to run on your own boxes.
This includes a completely free and fully functional version, albeit limited to 50 IP addresses and billed as the 'Home Edition', though it would certainly be ideal for small businesses too. The other free version is titled Essential Firewall and has no IP address limits, but lacks some of the more advanced features of the full Sophos UTM version. This can be extended with modules from the full version at a price depending on what you need.
Either of these are easily viable options for a small business using in-house support for a completely free solution.
For hardware appliances there are eight levels of devices, tiered by firewall throughput and maximum concurrent connections to suit various enterprise requirements. Alternatively, as with most other products we're covering here, Sophos UTM can be installed as a virtual appliance, or hosted in the cloud.
With the catchphrase 'This is where network threats go to die', Sophos is confident its product lives up to the brand name it bears.
Untangle has two core products -- the Next Generation (NG) Firewall, and the Internet Control (IC) appliance. It's interesting to note that the latter doesn't include a firewall component, and focuses instead on web filtering, endpoint management, and bandwidth control. The NG Firewall product however provides a stateful firewall along with routing, intrusion prevention and anti-virus features and can be had as one of three software packages -- Lite, Standard and Premium -- which provide various levels of pre-installed functionality. The Lite version is free to download and use, includes all the core functionality of firewall, intrusion prevention, web filtering and application control, and can still be easily upgraded once installed through paid-for packaged add-ons. As with other examples of freely downloadable firewall products here, commercial support is not included in the Lite version.
Hardware appliances are also available, ranging from low-end boxes for small business to powerful rack-mounts for enterprise.
Untangle is unique among the products covered here in that, in addition to providing a remotely accessible web-based GUI -- which is among the most impressive we've seen here -- it also includes a full graphical desktop for the machine itself, rather than booting to a command-line. This makes managing the machine directly a little bit more user-friendly, and certainly helps initial setup and configuration of an install.
Finally, a wide range of installable add-ons are available, some free and some paid-for, to extend the functionality of an Untangle server to suit your business needs.
Vyatta is yet another example of an open-source firewall gone commercial, and here vyatta.org provides the free unsupported edition while vyatta.com (now www.brocade.com) adds commercial level support, official updates, and subscription-only benefits.
Beyond the expected stateful firewall features -- common to all these products, as it's a core feature of Linux itself -- Vyatta adds web filtering, load balancing and fail-over support, a remotely accessible web-based GUI, VPN support and QoS-based traffic management. The web filtering option uses URL blacklisting, with pre-defined filters for known spyware and other optional categories that make it easy to block particular traffic with a minimum of configuration effort. Setting it apart from the other products covered here, however, is that the web-based UI -- the standard mechanism for setting up and configuring these firewall distributions -- has only been made available in the subscription version of the operating system. The free version must be configured from the command line.
There is however a strong focus on providing support for virtualised installations, with the main Vyatta 5400/5600 vRouter product being a software router designed to be deployed on a wide range of supported hypervisors from VMware and Microsoft Hyper-V to Citrix Xen and Red Hat KVM.
Zeroshell is unique in that it aims to be a compact distribution small enough for embedded devices, yet still provides essential features like a stateful firewall, load balancing and fail-over support, QoS and traffic shaping, and a captive portal for Wi-Fi networks. Unlike the other products here, however, Zeroshell is designed as a live distribution, meaning it can simply run directly from the media, with no installation on a hard drive required.
And, despite the name -- and while it's still possible to configure it via a command shell -- Zeroshell still provides a web-based interface. It's not as pretty as some of the others we've seen here, but it's still comprehensive and remarkable given the small footprint Zeroshell provides. Zeroshell is heavily community driven with extensive guides available from other Zeroshell users, while a community-made add-on called Zerotruth (www.zerotruth.net) provides captive portal support for Wi-Fi hotspots.
There are no commercial support options or hardware appliances, but then again it's such a compact distribution -- needing less than 100MB of RAM -- that it will run on the smell of an oily rag. If only oily rags had processors.
While likely not ideal for anything larger than small businesses, and certainly some experience with Linux would be beneficial, Zeroshell is a great way to cut your teeth on firewall distributions, and its small size and focus on low-resource usage make it ideal for embedded applications. It's also regularly updated, with the latest version 3.0 just released in January of this year.