Firewalls
From MissionTechWiki
Description
A firewall is a device that protects one network from the activity on another. Generally they are used to protect an office network from the Internet. Wikipedia has an article on Firewall (networking).
Firewalls can operate to stop unwanted traffic entering a network (ingress filtering) and exiting a network (egress filtering).
Hardware Firewalls
These are dedicated off-the-shelf devices that include a firewall component. They may be simple home firewall devices included in broadband routers, or specially designed corporate devices.
There are several manufacturers that make hardware firewalls, and some are combined with routers and even wireless access points (WAPs):
- Sonicwall (link: http://www.sonicwall.com)
- Netgear (link: http://www.netgear.com)
- Cisco (link: http://www.cisco.com)
Personal Firewall
This is a software application that can be installed on your PC (one comes with XP) that aims to protect your PC from the network that you connect to. This can be very important for missionaries with laptops who connect to various networks, including wireless networks.
- The Windows XP firewall only blocks incoming connections; it does not stop malicious software on your PC from connecting out to the Internet (it does no egress filtering).
- ZoneAlarm is a common personal firewall which is available free for personal use.
- Comodo Firewall is a highly rated free firewall that replaces the Windows firewall (it disables the Windows firewall when installed).
PC based firewall distributions
There are a number of Linux and BSD distributions that are designed to be dedicated firewalls.
Some are:
- IPCop - has plugins available that can be useful, e.g.:
  - advproxy is a web proxy that can perform filtering and cache Windows updates.
  - IPCop's Add On Server plugin will allow the use of many different plug-ins.
  - DansGuardian is a well-recommended, very flexible content filter. DG is installed with the CopPlus plugin.
- EFW - a derivative of IPCop that includes a number of features which can otherwise be added to IPCop, e.g. web content filtering and spam filtering. It also includes egress filtering by default.
- m0n0wall is a BSD based firewall with an emphasis on embedded installations.
- pfSense - a variant of m0n0wall based on FreeBSD which offers more features. It can handle routed (public) IP addresses in addition to NAT, and can also handle Internet link aggregation and fail-over.
- SmoothWall Express - a NAT firewall based on Linux which has a large support base and a number of plug-ins such as DansGuardian (a content filter).
- Untangle - This is an all-in-one software appliance that tries to simplify your life. It works by having a LOT of modules, from web content filtering to bandwidth reporting, that are very simple to install and configure. They have a lot of free offerings, and some subscription based modules that provide more options than their free counterparts. The down-side to Untangle is that it often requires a reboot (which takes some time) to apply security patches.
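As an added example (not from this wiki or from any of the distributions listed above) of what the ingress and egress filtering described earlier look like on a Linux gateway, here is a minimal nftables ruleset for a small office with NAT. The interface names (eth0 Internet side, eth1 office LAN) and the LAN range 192.168.1.0/24 are assumptions constructed for the example.

```nftables
#!/usr/sbin/nft -f
# Added example, not from MissionTechWiki. Assumed: eth0 = Internet side,
# eth1 = office LAN, LAN range 192.168.1.0/24 (constructed values).
# IP forwarding must be enabled separately (sysctl net.ipv4.ip_forward=1).
flush ruleset

table inet office_fw {
    chain input {
        # Ingress filtering: traffic addressed to the firewall itself
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # LAN may reach the firewall's own DNS and DHCP services
        iif "eth1" udp dport { 53, 67 } accept
        iif "eth1" tcp dport 53 accept
        # Admin SSH from the LAN only, never from the Internet
        iif "eth1" tcp dport 22 accept
        ip protocol icmp accept
    }

    chain forward {
        # Traffic passing between the LAN and the Internet
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Egress filtering: only these outbound services may leave the LAN.
        # Anything else (e.g. a compromised PC sending SMTP on port 25
        # directly) is logged and dropped, so it shows up in log review.
        iif "eth1" oif "eth0" ip saddr 192.168.1.0/24 tcp dport { 80, 443, 587, 993 } accept
        iif "eth1" oif "eth0" ip saddr 192.168.1.0/24 udp dport { 53, 123 } accept
        iif "eth1" oif "eth0" log prefix "egress-blocked: " drop
        # Ingress filtering: nothing from the Internet may start a connection
        # inward (the drop policy already does this; the rule is explicit)
        iif "eth0" oif "eth1" drop
    }
}

table ip office_nat {
    chain postrouting {
        # Hide the office LAN behind the firewall's public address
        type nat hook postrouting priority 100;
        oif "eth0" masquerade
    }
}
```

Load it with `nft -f <file>` and check with `nft list ruleset`; the `egress-blocked:` prefix in the kernel log is what to grep for when a PC on the LAN tries to talk out on a port that is not on the allow list.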
Linux server distributions that include firewalling
These Linux distributions include a firewall component, but include other services which would normally be on a separate machine.
The preferred design for a firewall is to run as few applications on the machine as possible, both to minimise the impact if the machine itself is attacked and to leave an attacker who does get in as few tools as possible for launching further attacks from it. These distributions violate that principle as a deliberate compromise on complexity for small organisations (less equipment is required, there is less to manage, and firewall setup requires less knowledge).
- SMEserver is a small office server which includes a basic firewall that limits external access to only those services which are enabled for public access.
- Clark Connect - a Linux firewall which includes a small business server for mail, file serving, etc. The basic version is free.
- The Linux Router Project describes how to create a firewall that can run off a floppy.
(Actually, to be truthful, don't all Linux distributions contain a firewall component? These might have tools to help set things up and monitor it, but all distributions contain a firewall.)
Filtering without a firewall
OpenDNS (link: http://www.opendns.com) offers a free filtering service and comes recommended by people on the iccm-tech mailing list. You change your DNS servers to point at theirs and they filter out sites they consider offensive. The service is free because they put their own adverts on search results when you use Google. It doesn't offer the fine-grained control you might like (e.g. allowing good sites hosted on bad servers).