The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

Linux and Firewalls

In my own network at home, I have come full circle. I started out with a Linux box as a firewall. At the time in about 1997, my “broadband connection” was an ISDN line coming into an external ISDN modem. It was a practical matter of the only solution being available that would handle that correctly.

Later, I used various things (a Nexland 800 Pro Turbo, a clustered pair of Nokia IP440s, a single Nokia IP120, an IP40), but now I am back to Linux, running on a Nokia IP110 that I converted to run Debian Linux (64 MB of RAM is barely sufficient for IPSO and FireWall-1 4.1, let alone NG).

Why the about-face? In my case, I simply don’t need the functionality of even an IP40 — I just need a basic firewall, nothing more. None of the “firewall” or “broadband router” boxes you can buy at your local electronics store are flexible enough for my needs.

My situation is complicated by the fact that my wife wants her “own” network, separate from mine, so my “experimentation” doesn’t affect anything she might be wanting to do. To resolve that, I have her connected to a Nokia IP30 along with the laser printer. Unfortunately, I also have to access the laser printer.

I suppose I can just allow traffic between the two firewalls, but the idea of running “internal traffic” over an external segment doesn’t appeal to me. When I had an IP40 for me and an IP30 for my wife, I did a VPN between the firewalls. The problem with that approach is one of throughput. Anytime I wanted to print, it took way longer due to the lack of VPN throughput on the IP30.

I solved this problem by plugging the IP40’s DMZ interface into my wife’s IP30 and adjusting some routing and configuration settings. This was working fine until I started using my BroadvoxDirect line. I was able to make outgoing calls, but unable to receive them, because the IP40 “timed out” the translated connection from the Sipura too soon and does not provide a way to adjust the timers. The IP40 had to go.
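The timer problem above is exactly the kind of setting a Linux netfilter firewall does expose. As an added example (not code from the original post), here is a minimal iptables/sysctl sketch for the topology described: one Linux box as the only firewall, a third interface towards the second network so printer traffic stays off the external segment, and a conntrack UDP timeout derived from the SIP adapter’s keep-alive interval so the translated binding does not expire between packets. Interface names, addresses, printer ports and the keep-alive interval are assumptions, not values from the post, and the far-side firewall still has to permit the printer traffic on its own interface.

```shell
#!/bin/sh
# Added example, not from the original post. Sketch of a Linux firewall for
# the home setup described above: WAN, my own LAN, and a third interface
# cabled to the second network's firewall so printer traffic never leaves
# the house via the external segment. All names and addresses are assumed.

WAN_IF=eth0
LAN_IF=eth1                    # my own network (assumed)
DMZ_IF=eth2                    # link to the second network's firewall (assumed)
LAN_NET=192.168.1.0/24         # assumed
PRINTER=192.168.2.10           # laser printer on the second network (assumed)
SIP_ADAPTER=192.168.1.20       # SIP adapter on my network (assumed)

# Seconds between the SIP adapter's re-registrations / NAT keep-alives.
# Assumed value; read it from the adapter's own configuration.
SIP_KEEPALIVE=60

# Return 0 when the conntrack UDP timeout comfortably outlives the
# keep-alive interval, i.e. the NAT binding cannot expire between two
# packets from the adapter. This is the check the IP40 gave no knob for.
udp_timeout_adequate() {
    timeout=$1; interval=$2
    [ "$timeout" -gt $((interval * 2)) ]
}

# Derive a UDP stream timeout from the keep-alive interval: three times
# the interval, so a single lost keep-alive does not drop the binding.
udp_timeout_for() {
    echo $(( $1 * 3 ))
}

# Emit the rules instead of applying them, so the ruleset can be reviewed
# (and this script run) without root. "apply" executes them.
build_rules() {
    t=$(udp_timeout_for "$SIP_KEEPALIVE")
    cat <<EOF
sysctl -w net.netfilter.nf_conntrack_udp_timeout_stream=$t
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -o $DMZ_IF -d $PRINTER -p tcp -m multiport --dports 515,631,9100 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

case "${1:-}" in
    apply) build_rules | sh -e ;;
    *)     build_rules ;;
esac
```

The stream timeout (`nf_conntrack_udp_timeout_stream`) is the one that matters here: it applies once a UDP flow has seen replies, which a SIP registration always has, whereas the plain `nf_conntrack_udp_timeout` covers unreplied flows. The printer rule allows only LPD, IPP and JetDirect from my network to the one printer address, so the second network remains otherwise unreachable from mine.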

I could have just as easily put in a Check Point VPN-1/FireWall box running on Windows, Linux, or SecurePlatform (basically Linux), or a Nokia box. Acquiring licenses is a trivial exercise, given where I work. But then I’ve gotta manage eval licenses every month and possibly deal with more than one machine to manage my security infrastructure. In a corporate environment, that’s not a bad thing, but for my house, it’s more trouble than it’s worth. The IP30/40 boxes are nice in that I didn’t have to worry about licenses, since they are permanent ones. They can also be managed with a web browser, which is a bonus.

At the end of the day, I decided that a return to Linux would be best. I can run it on obsolete hardware like an IP110 with adequate performance, I can manage it relatively easily from an SSH client, it’s fairly secure, and a little more flexible. Best of all, it’s free as in beer and as in speech. Hard to argue with that…



C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.