Unified Threat Management Systems (UTMS), Open Source Routers and Firewalls
Tim Hooks, Scott Rolf
Session Overview: The Linux kernel is particularly adept at routing IP traffic and lends itself to use as the operating system for building not only your own router, but also routers that include firewalls and intrusion detection. Performance of these systems often outstrips that of proprietary products. Well-known packages include Astaro, Untangle, pfsense and IPCop.
Untangle (www.untangle.com)
Included free: Web Filter, Virus Blocker, Spam Blocker, Ad Blocker, Attack Blocker, Phish Blocker, Spyware Blocker, Firewall, Routing & QoS, Intrusion Prevention, Protocol Control, OpenVPN, Reports.
Available for a fee: Live Support, eSoft Web Filter, Kaspersky Virus Blocker, Commtouch Spam Booster, WAN Balancer, WAN Failover, Policy Manager, AD Connector, PC Remote, Remote Access Portal, Branding Manager.
Untangle Deployment Options
Router: Dedicated server that performs routing & firewall services.
Transparent Bridge: Dedicated server that drops seamlessly behind existing routers & firewalls.
Re-Router: Adds network-wide protection while running on an existing desktop (runs on Windows).
Runs as a bare-metal install, on Windows XP, or in VMware.
Untangle Pros and Cons
Pros: Cost. Commercially supported. Serves multiple functions.
Cons: Cost (not free!). Supports a limited number of NICs/networks.
Questions on Untangle? Give it a try, you can build a box in about 20 minutes.
IPCop (www.ipcop.org): "The Bad Packets Stop Here."
Now we're talking: think of IPCop as a free replacement for your Cisco PIX (just add your own standard PC). There are plenty of add-ons for this product also:
URL filter with predefined categories
Advanced Proxy
OpenVPN
ClamAV
Update Accelerator, for Windows Update caching
BOT (Blockout all Traffic), used to specify which ports and addresses can be used for outgoing traffic
IPCop Installation
Again, very straightforward and quick. Download an ISO file, burn a CD, boot from the CD and it installs. Pick add-ons, install and configure.
IPCop Pros and Cons
Pros: Free except for hardware. Online community of support. Continually developed and enhanced.
Cons: Not much commercially available support. Must learn something about Linux to use it; not much, but at least a little.
Questions on IPCop?
Astaro (www.astaro.com)
Solution based on open source software.
Buy an appliance, or buy an image and pick your own hardware.
Web filtering.
Anti-virus.
Very good failover capabilities built in.
Price based on size of data pipes.
Questions on Astaro?
pfsense
pfsense in a nutshell
Open source firewall based on FreeBSD and the pf firewall (packet filter).
3 editions: LiveCD, Embedded & Full install.
Deployment Types
Border Firewall to the Internet, Internet Proxy, LAN Router, WAN Router, Packet Sniffer, DHCP Server, VPN Server.
Makes a great firewall for your home or remote war room!!!
Hardware
10-20 Mbps -> 266 MHz CPU
21-50 Mbps -> 500 MHz CPU
201-500 Mbps -> 2 GHz w/ PCI-X or PCI-e NIC
501+ Mbps -> 3 GHz CPU
Embedded version can run on Soekris, Nexcom, Hacom and Mini ITX hardware.
VPN Throughput
4 Mb -> 256 MHz
10 Mb -> 500 MHz
What makes it so special?
Supports multiple Internet connections
Captive Portal
Wake on LAN
Packet Sniffing
Statistical Graphing
Simplified ruleset due to use of aliases
It's free!!! (and offers more than many commercial firewall appliances)
What else can it do?
Add-on packages are being developed all the time: Automated backups, FreeSwitch VOIP, IGMP Proxy, Nagios client, Radius support, Instant Messaging Inspector, SIP Proxy, Stunnel, Avahi (think Bonjour), antivirus proxy, Squid, BGP, OpenVPN support, cflow integration, Intrusion detection, spam removal.
How do I set it up?
1. Find a computer with 2 network cards.
2. Boot from the live CD and assign the outside and inside interfaces.
3. You're done.
System Menu
Interfaces Menu
Firewall Menu
Services Menu
VPN Menu
Status Menu
Diagnostics Menu
NAT Outbound
RRD Graphs
Check it out at www.pfsense.com
Questions on pfsense? Other questions? Comments? Thanks for attending.