Just like you were told in health class, you should always use protection. In the Internet world, this means putting a firewall between your servers and the Internet (and its bad guys). There are a plethora of choices for secure firewalls available on the market, from Cisco to CheckPoint, from NetScreen to Raptor. Unfortunately, it is not always possible to use one of those fancy commercial firewalls, due to any number of financial or logistic reasons. Fortunately, there are open-source alternatives that can address these issues.
The biggest factor constraining the implementation of a firewall is probably cost. Commercial firewall hardware products can start at $10,000 for a redundant set, and not everyone can afford that, especially given the current economic climate. Combine the cost with certain logistic issues, and commercial firewalls are doubly impractical. For example, does it make sense to spend $10,000 if you need to protect $4,000 worth of equipment? If you need to protect several dozen machines, spread across several locations, does it make good fiscal sense to deploy a commercial solution, one that would require a separate firewall for each location?
Bandwidth needs can also be a constraint, because many commercial firewalls have a limitation of 70 to 90 Mbps. This range serves as a good rule of thumb; however, it depends greatly on the type of traffic and the type of firewall used. There are firewalls that are capable of higher levels of traffic, but they can cost somewhere in the six-figure range.
To avoid some of these limitations, system administrators have developed a few alternatives to the firewall. One method is to use no firewall at all. This is fine, so long as you don't care about security and can sleep at night, knowing a decent hacker can use a cracked machine to invade others in the same network. A better alternative is to put ACLs (access control lists) on the routers that provide the connectivity to the installation. ACLs basically give routers much of the functionality of a firewall. However, in certain hosting situations, this can raise performance concerns. With the ACL configuration, if one site gets attacked, it could bring the router's performance down or knock it out completely, affecting other customers.
The Open-Source Alternative
If you don't have a generous hosting provider, an overflowing I.T. budget, or the desire to leave your servers flapping in the wind, you might want to consider another alternative: open-source, server-based firewalls. These firewalls are applications that run on various commercial and noncommercial Unix operating systems, such as Linux, Solaris, and FreeBSD. Like the commercial firewalls, they provide the basic functionality, such as packet filtering, stateful awareness (ZDNet defines "statefulness" as the ability of a network to ensure that all requests from a given client are processed through the same server), and NAT (network address translation), and they are free. At most, these solutions require a nominal expenditure for additional hardware.
Server-based firewalls work by becoming part of the operating system's networking stack, the segment that handles network communications. Most commercial firewalls also work this way, although they are typically more specialized than a general operating system. For example, CheckPoint can run on top of Solaris or Windows NT/2000, although it takes over the machine completely and does not allow any other applications to be run. Nokia's firewalls run CheckPoint on a heavily modified version of FreeBSD. Firewalls such as PIX or NetScreen are written from the ground up as firewalls, and do not run on a regular operating system.
The open-source firewalls run on top of the operating system, just like CheckPoint or Nokia; however, they do not necessarily negate the rest of the machine's functionality. They are typically loaded in as a kernel module or compiled directly into the kernel.
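As an added example that is not part of the original article, the following shell script generates a minimal ruleset for iptables, the packet-filtering firewall that ships with Linux and is loaded into the kernel as modules; it covers the three functions named above (packet filtering, stateful awareness, NAT). The interface names and LAN subnet are placeholders, and the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example, not from the article: a minimal stateful filtering + NAT
# ruleset for Linux iptables. WAN/LAN interface names and the LAN subnet are
# placeholders passed in as arguments.
set -eu

# Print the ruleset instead of applying it, so it can be reviewed first
# (pipe the output to sh as root to apply it).
fw_rules() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
# Start from a clean slate and deny by default (least privilege).
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback traffic is always allowed.
iptables -A INPUT -i lo -j ACCEPT
# Stateful awareness: only replies to connections we initiated come back in.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packet filtering: SSH only from the LAN, HTTP from anywhere.
iptables -A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $wan -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# Anti-spoofing: a LAN source address must never arrive on the WAN side.
iptables -A INPUT -i $wan -s $lan_net -j DROP
iptables -A FORWARD -i $wan -s $lan_net -j DROP
# Let LAN hosts open new outbound connections through the firewall.
iptables -A FORWARD -i $lan -o $wan -s $lan_net -m conntrack --ctstate NEW -j ACCEPT
# NAT: hide the LAN behind the firewall's WAN address.
iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE
# Log what gets dropped (rate limited) so it can be reviewed in syslog.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

# Count generated rule lines matching a pattern (used for sanity checks).
fw_count() { fw_rules "$1" "$2" "$3" | grep -c -- "$4"; }
```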