Budget Firewall
Written by: Tony Bourke
Open-source Firewall: A Few Models
There are two common scenarios for using open-source and freeware-type firewalls. Each scenario depends on a particular situation and the desired result.
The first scenario is a server-based firewall solution. This is when the firewall code runs on each individual server, making each machine responsible for its own protection. This is a good fit when keeping costs down is crucial, because no additional hardware or commercial software is required. It works well for the small-to-medium hosting operation, such as a Web access or e-mail provider, with 10 or fewer servers.
This scenario also handles high-bandwidth situations extremely well. Take the example of a site with multiple servers pushing about 100 Mbps between them. A firewall capable of protecting a group of servers at this traffic level could easily cost in the high six-figures. Putting the firewall code on each individual server distributes the firewall load to the individual machines, so no one device handles all of the traffic. Even at high levels of traffic, a machine's own firewall can usually handle whatever level of traffic the machine itself can generate without any trouble.
The drawback to this type of scenario is that, with more servers than that, maintaining the rule sets for all the firewalls can become a logistical headache and even a security hazard. A setup like this requires that every machine run an OS that has a firewall application available in order to be protected. This means that some types of OS will not be suitable for use in the server environment, despite potentially having other desirable features. Even with these drawbacks, this is probably the most common usage for open-source firewalls.
A more traditional method is to assign a single machine to be a dedicated firewall, in much the same way that commercial firewalls are implemented.
This is useful when there are a number of devices needing protection. For most installations, the machine need not be a powerhouse. A Pentium II-class computer running at around 300 MHz or more should be plenty for most traffic levels. This type of machine can be put together very inexpensively, usually for much less than $1,000. For higher traffic levels (20 Mbps or more, generally speaking) a higher-class machine may be required, but even then the cost is very low.
In a typical office situation, the firewall device protects machines behind the firewall by using something often called one-to-many NAT or IP masquerading. This prevents inbound communication directly to the office computers, but still allows them to make outbound connections. In an office environment, it is rarely necessary to allow access to desktop computers from outside the private network. Often, the office machines sit on a non-routed RFC 1918 address space (such as the 10.0.0.0/8 network), and are all assigned to a single public IP address on their way out. All outbound connections come from the same IP address, no matter which computer initiated the connection, and inbound connections are prohibited.
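To make the one-to-many NAT behaviour concrete, here is a small model of IP masquerading, added as an example and not taken from the article: hosts on a constructed 10.0.0.0/8 office network share a single constructed public address, an outbound connection creates a translation entry, return traffic is matched against that entry, and any inbound packet with no matching entry is dropped. The `Masquerader` class, `Packet` type and addresses are assumptions for illustration.

```python
from dataclasses import dataclass
import itertools

PUBLIC_IP = "203.0.113.10"   # constructed: the one public address everyone exits from
PRIVATE_NET = "10."          # constructed: the office sits on 10.0.0.0/8 (RFC 1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerader:
    """Minimal one-to-many NAT: outbound connections are allowed and rewritten,
    inbound packets are delivered only when they answer an existing mapping."""

    def __init__(self):
        self._ports = itertools.count(40000)  # next free public source port
        self.outbound = {}  # (priv_ip, priv_port, dst, dport) -> public port
        self.inbound = {}   # public port -> (priv_ip, priv_port, dst, dport)

    def egress(self, pkt: Packet) -> Packet:
        """Packet leaving the office: source becomes PUBLIC_IP plus a mapped port."""
        if not pkt.src.startswith(PRIVATE_NET):
            raise ValueError("only office hosts are masqueraded")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound.get(key)
        if port is None:                 # first packet of a new connection
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(PUBLIC_IP, port, pkt.dst, pkt.dport)

    def ingress(self, pkt: Packet):
        """Packet arriving from outside: return the translated packet, or None
        (dropped) when no inside host initiated a matching connection."""
        key = self.inbound.get(pkt.dport)
        if key is None or key[2] != pkt.src or key[3] != pkt.sport:
            return None                  # unsolicited, or wrong remote endpoint
        priv_ip, priv_port, _, _ = key
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)
```

Note that even a packet aimed at a port that is currently mapped is dropped unless it comes from the remote host and port the inside machine actually talked to.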