Virtualizing your Linux Firewall - Revision history

Kamran: /* Disadvantages */

2011-04-04T10:46:48Z

Disadvantages

← Older revision		Revision as of 10:46, 4 April 2011
Line 95:		Line 95:

	===Disadvantages===		===Disadvantages===
-	* Virtualization overhead: Virtualization means, that there must be a Hypervisor ~~(XEN: Domain-0)~~, to host all virtual machines. The hypervisor itself consumes certain amount of resources, mainly RAM, and CPU. If the size of RAM is already low/small on the physical host, there is little left for VMs to run efficiently. This is equally true for any computer system which is low on CPU power, and in some cases, disk-space.	+	* Virtualization overhead: Virtualization means, that there must be a Hypervisor, to host all virtual machines. The hypervisor itself consumes certain amount of resources, mainly RAM, and CPU. If the size of RAM is already low/small on the physical host, there is little left for VMs to run efficiently. This is equally true for any computer system which is low on CPU power, and in some cases, disk-space.
	* Extra complexity: Virtualization introduces extra level of complexity in the infrastructure/network. The administrator has not only to take care of the physical machine and it's network connections, for example; he also has to take care of the VMs, the virtual networks inside the machine, and a keep an eye on the resource utilization.		* Extra complexity: Virtualization introduces extra level of complexity in the infrastructure/network. The administrator has not only to take care of the physical machine and it's network connections, for example; he also has to take care of the VMs, the virtual networks inside the machine, and a keep an eye on the resource utilization.
	* Requirement of additional IPs: All virtual and physical network interfaces (of physical and virtual machines) need to have IPs assigned to them. Thus there is a requirement of additional IPs.		* Requirement of additional IPs: All virtual and physical network interfaces (of physical and virtual machines) need to have IPs assigned to them. Thus there is a requirement of additional IPs.

Kamran: /* Advantages */

2011-04-04T10:44:54Z

Advantages

← Older revision		Revision as of 10:44, 4 April 2011
Line 92:		Line 92:
	* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.		* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.
	* Cloud capable: Virtual firewalls can prove really useful in environments which are heavily virtualized, such as <i>Cloud</i>. Several virtual firewalls can exist within a larger virtual network, serving different departments, or different customers.		* Cloud capable: Virtual firewalls can prove really useful in environments which are heavily virtualized, such as <i>Cloud</i>. Several virtual firewalls can exist within a larger virtual network, serving different departments, or different customers.
-	* Support: Normally, the first question asked about a product, before it's formal review is: "Who will provide support for this?" . In case of the in-expensive Linux firewalls (both Physical and Virtual), explained in this paper, the support is expected from the particular distribution vendor who's Linux flavour is installed on the firewall. This is true for almost all commercial Linux distributions. However, if you are running free ~~destributions~~, such as Debian, CENTOS, Fedora, Ubuntu, etc; you should expect the support from your Linux administrators. In 99% of cases, it is the Linux system admins in the IT staff, who propose, and often implement such technologies without external help. As you would be noticing that the free Linux distributions cannot be directly asked to provide support. However, they all have bug tracking / issue tracking systems, which are actively monitored by the back end developers. Also, there are "support companies" active in this field, who provide commercial/professional support for these free Linux distributions.	+	* Support: Normally, the first question asked about a product, before it's formal review is: "Who will provide support for this?" . In case of the in-expensive Linux firewalls (both Physical and Virtual), explained in this paper, the support is expected from the particular distribution vendor who's Linux flavour is installed on the firewall. This is true for almost all commercial Linux distributions. However, if you are running free distributions, such as Debian, CENTOS, Fedora, Ubuntu, etc; you should expect the support from your Linux administrators. In 99% of cases, it is the Linux system admins in the IT staff, who propose, and often implement such technologies without external help. As you would be noticing that the free Linux distributions cannot be directly asked to provide support. However, they all have bug tracking / issue tracking systems, which are actively monitored by the back end developers. Also, there are "support companies" active in this field, who provide commercial/professional support for these free Linux distributions.

	===Disadvantages===		===Disadvantages===

Kamran: /* Configuration of Physical Machine */

2011-04-04T10:37:07Z

Configuration of Physical Machine

← Older revision		Revision as of 10:37, 4 April 2011
Line 155:		Line 155:
	* There are firewall/iptables rules on this machine, other than those used to protect it against attacks, such as ICMP ping floods, etc. Refer to the document: [Reference: http://cooker.techsnail.com/index.php/XEN,_KVM,_Libvirt_and_IPTables]		* There are firewall/iptables rules on this machine, other than those used to protect it against attacks, such as ICMP ping floods, etc. Refer to the document: [Reference: http://cooker.techsnail.com/index.php/XEN,_KVM,_Libvirt_and_IPTables]
	* The libvirtd service provides some extra rules in the physical host's iptables rules-set. It also sets up a private bridge (virbr0), with the network 192.168.122.0/24. On a XEN host, libvirtd service can be configured to be turned off, without any loss of functionality.		* The libvirtd service provides some extra rules in the physical host's iptables rules-set. It also sets up a private bridge (virbr0), with the network 192.168.122.0/24. On a XEN host, libvirtd service can be configured to be turned off, without any loss of functionality.
-	* The DNSMASQ service can be configured to be turned off using (chkconfig --del), however it would still be called internally from the libvirtd service. Here is the dnsmasq process running under a user "nobody". (The line has been broken down into multiple lines to avoid ~~horizoltal~~ scrolling):	+	* The DNSMASQ service can be configured to be turned off using (chkconfig --del), however it would still be called internally from the libvirtd service. Here is the dnsmasq process running under a user "nobody". (The line has been broken down into multiple lines to avoid horizontal scrolling):
	<pre>		<pre>
	/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid \		/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid \

Kamran: /* The Linux Physical Firewall */

2011-04-04T10:24:20Z

The Linux Physical Firewall

← Older revision		Revision as of 10:24, 4 April 2011
Line 53:		Line 53:
	Readers might be wondering, <i>"What is it, in a hardware appliance firewall, which makes is so costly?"</i> The answer is, that the hardware firewalls have custom designed hardware. They may be using a standard Intel or AMD processor, but the other components would be built-in on the main-board. Network cards, which are the most important component/feature of a firewall device, are slimmed down, and are provided as network interfaces. There are also certain components, which you will not find in such an appliance. For example. You would not find a VGA, or Keyboard and mouse ports on your appliance. Such custom designs provide serial interfaces / console ports, which can be connected to using a null-modem cable, etc. You will find a minimum of two network ports on the most basic firewall. One for Internet (Red Zone), and the other for LAN (Green zone). The newer designs include several network ports; some of them are additionally there to provide facility to configure DMZs (Orange Zone). Also, the newer firewalls devices/appliances have built in Wireless device, providing a fourth configurable zone (Blue Zone). Instead of using a hard disk for storage, you will find small sized flash disks. The OS is proprietary with a minimal user interface, normally through command line. In newer designs, firewall vendors have started providing secure web interface to configure the device. The operating system is minimalistic in nature, and does not consume much RAM too. It therefore does not "require" extra RAM to function. And above all, all components are enclosed in a small (slick) box, which does not take up much desk/rack space. This all is what makes such devices known as "hardware based firewalls" or "branded firewalls".		Readers might be wondering, <i>"What is it, in a hardware appliance firewall, which makes is so costly?"</i> The answer is, that the hardware firewalls have custom designed hardware. They may be using a standard Intel or AMD processor, but the other components would be built-in on the main-board. Network cards, which are the most important component/feature of a firewall device, are slimmed down, and are provided as network interfaces. There are also certain components, which you will not find in such an appliance. For example. You would not find a VGA, or Keyboard and mouse ports on your appliance. Such custom designs provide serial interfaces / console ports, which can be connected to using a null-modem cable, etc. You will find a minimum of two network ports on the most basic firewall. One for Internet (Red Zone), and the other for LAN (Green zone). The newer designs include several network ports; some of them are additionally there to provide facility to configure DMZs (Orange Zone). Also, the newer firewalls devices/appliances have built in Wireless device, providing a fourth configurable zone (Blue Zone). Instead of using a hard disk for storage, you will find small sized flash disks. The OS is proprietary with a minimal user interface, normally through command line. In newer designs, firewall vendors have started providing secure web interface to configure the device. The operating system is minimalistic in nature, and does not consume much RAM too. It therefore does not "require" extra RAM to function. And above all, all components are enclosed in a small (slick) box, which does not take up much desk/rack space. This all is what makes such devices known as "hardware based firewalls" or "branded firewalls".

-	===The Linux ~~Physical Firewall~~===	+	===The hardware-based Linux firewalls===
	Fundamentally, any hardware-based firewall is a collection of hardware and software components. A hardened Linux box, with enough resources, used "solely" in a firewall role, can confidently be termed as a hardware firewall; and it can compete with any branded firewall you can throw against it. Besides, it is the configuration, which makes a firewall strong; not it's brand.		Fundamentally, any hardware-based firewall is a collection of hardware and software components. A hardened Linux box, with enough resources, used "solely" in a firewall role, can confidently be termed as a hardware firewall; and it can compete with any branded firewall you can throw against it. Besides, it is the configuration, which makes a firewall strong; not it's brand.

Kamran: /* The branded hardware firewalls */

2011-04-04T10:23:48Z

The branded hardware firewalls

← Older revision		Revision as of 10:23, 4 April 2011
Line 27:		Line 27:

	==The Physical Firewall==		==The Physical Firewall==
-	===The ~~branded~~ hardware firewalls===	+	===The hardware-based branded firewalls===
	To explain this topic, we would use an example from the real world; the most commonly known firewall device, <i>Ciso PIX</i>. It would be interesting for many to know that the processors used in Cisco PIX firewalls were Intel Celeron, Intel PIII, and AMD's Am5x86. The chipsets used on the mainboards of these firewalls were Intel 440BX and AMD's SC520 chip-sets. And the RAM ranged between 16 MB to 512 MB (to 1 GB). [Reference: http://en.wikipedia.org/wiki/Cisco_PIX#Description_of_hardware].		To explain this topic, we would use an example from the real world; the most commonly known firewall device, <i>Ciso PIX</i>. It would be interesting for many to know that the processors used in Cisco PIX firewalls were Intel Celeron, Intel PIII, and AMD's Am5x86. The chipsets used on the mainboards of these firewalls were Intel 440BX and AMD's SC520 chip-sets. And the RAM ranged between 16 MB to 512 MB (to 1 GB). [Reference: http://en.wikipedia.org/wiki/Cisco_PIX#Description_of_hardware].

Kamran: /* Conclusion */

2011-04-03T10:41:29Z

Conclusion

← Older revision		Revision as of 10:41, 3 April 2011
Line 178:		Line 178:

	==Conclusion==		==Conclusion==
-	Linux/Open-Source based firewalls are a great way to save money, while at the same time, not compromising on Security, Functionality or Efficiency. ~~You~~ can have ~~enterprise security while remaining within~~ your ~~IT budget~~. ~~That is what makes Linux/~~Open-Source ~~firewalls so great~~!	+	Linux/Open-Source based firewalls are a great way to save money; while at the same time, not compromising on Security, Functionality or Efficiency. The virtualized Linux firewalls can save you from the hassle of installing a fresh Linux OS, and configuring it, each time you have a problem with the underlying hardware, or other types of breakdown. With Virtual Firewalls, you can start a saved (clone) image of your firewall on any other readily available hardware. They are also quite helpful, when you need multiple firewalls in your infrastructure. Copies of such Virtual Firewalls can instantly be created, adjusted, and put to work. Open-Source technology is what makes this easier, efficient and affordable!

	==Related Open Source Firewall Solutions==		==Related Open Source Firewall Solutions==

Kamran: /* Advantages */

2011-03-21T05:25:31Z

Advantages

← Older revision		Revision as of 05:25, 21 March 2011
Line 92:		Line 92:
	* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.		* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.
	* Cloud capable: Virtual firewalls can prove really useful in environments which are heavily virtualized, such as <i>Cloud</i>. Several virtual firewalls can exist within a larger virtual network, serving different departments, or different customers.		* Cloud capable: Virtual firewalls can prove really useful in environments which are heavily virtualized, such as <i>Cloud</i>. Several virtual firewalls can exist within a larger virtual network, serving different departments, or different customers.
		+	* Support: Normally, the first question asked about a product, before it's formal review is: "Who will provide support for this?" . In case of the in-expensive Linux firewalls (both Physical and Virtual), explained in this paper, the support is expected from the particular distribution vendor who's Linux flavour is installed on the firewall. This is true for almost all commercial Linux distributions. However, if you are running free destributions, such as Debian, CENTOS, Fedora, Ubuntu, etc; you should expect the support from your Linux administrators. In 99% of cases, it is the Linux system admins in the IT staff, who propose, and often implement such technologies without external help. As you would be noticing that the free Linux distributions cannot be directly asked to provide support. However, they all have bug tracking / issue tracking systems, which are actively monitored by the back end developers. Also, there are "support companies" active in this field, who provide commercial/professional support for these free Linux distributions.

	===Disadvantages===		===Disadvantages===

Kamran: /* Advantages */

2011-03-21T04:50:29Z

Advantages

← Older revision		Revision as of 04:50, 21 March 2011
Line 91:		Line 91:
	* Service/VM Load Balancing: If the VM running the WebCache/content-filtering services is taking too much physical resources of the physical host, that VM can be moved to another physical machine on the network.		* Service/VM Load Balancing: If the VM running the WebCache/content-filtering services is taking too much physical resources of the physical host, that VM can be moved to another physical machine on the network.
	* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.		* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.
-	* Cloud ~~enabled~~: Virtual ~~firewall is an excellent option, usable~~ in environments which are heavily virtualized, such as <i>Cloud</i>. Several virtual firewalls can exist ~~with~~ a larger virtual network, serving different departments, or different customers.	+	* Cloud capable: Virtual firewalls can prove really useful in environments which are heavily virtualized, such as <i>Cloud</i>. Several virtual firewalls can exist within a larger virtual network, serving different departments, or different customers.

	===Disadvantages===		===Disadvantages===

Kamran: /* Advantages */

2011-03-20T11:59:10Z

Advantages

← Older revision		Revision as of 11:59, 20 March 2011
Line 91:		Line 91:
	* Service/VM Load Balancing: If the VM running the WebCache/content-filtering services is taking too much physical resources of the physical host, that VM can be moved to another physical machine on the network.		* Service/VM Load Balancing: If the VM running the WebCache/content-filtering services is taking too much physical resources of the physical host, that VM can be moved to another physical machine on the network.
	* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.		* COTS/in-expensive hardware: This gives you the (financial) freedom to have multiple physical machines in stock. In case a hardware failure occurs, the second physical machine can be quickly setup to run these VMs and the services they offer.
		+	* Cloud enabled: Virtual firewall is an excellent option, usable in environments which are heavily virtualized, such as <i>Cloud</i>. Several virtual firewalls can exist with a larger virtual network, serving different departments, or different customers.

	===Disadvantages===		===Disadvantages===

Kamran: /* Configuration of Physical Machine */

2011-03-20T11:34:18Z

Configuration of Physical Machine

← Older revision		Revision as of 11:34, 20 March 2011
Line 153:		Line 153:
	* There are firewall/iptables rules on this machine, other than those used to protect it against attacks, such as ICMP ping floods, etc. Refer to the document: [Reference: http://cooker.techsnail.com/index.php/XEN,_KVM,_Libvirt_and_IPTables]		* There are firewall/iptables rules on this machine, other than those used to protect it against attacks, such as ICMP ping floods, etc. Refer to the document: [Reference: http://cooker.techsnail.com/index.php/XEN,_KVM,_Libvirt_and_IPTables]
	* The libvirtd service provides some extra rules in the physical host's iptables rules-set. It also sets up a private bridge (virbr0), with the network 192.168.122.0/24. On a XEN host, libvirtd service can be configured to be turned off, without any loss of functionality.		* The libvirtd service provides some extra rules in the physical host's iptables rules-set. It also sets up a private bridge (virbr0), with the network 192.168.122.0/24. On a XEN host, libvirtd service can be configured to be turned off, without any loss of functionality.
-	* The DNSMASQ service can be configured to be turned off using (chkconfig --del), however it would still be called internally from the libvirtd service.	+	* The DNSMASQ service can be configured to be turned off using (chkconfig --del), however it would still be called internally from the libvirtd service. Here is the dnsmasq process running under a user "nobody". (The line has been broken down into multiple lines to avoid horizoltal scrolling):
		+	<pre>
		+	/usr/sbin/dnsmasq --strict-order --bind-interfaces --pid-file=/var/run/libvirt/network/default.pid \
		+	--conf-file= --listen-address 192.168.122.1 --except-interface lo \
		+	--dhcp-range 192.168.122.2,192.168.122.254 --dhcp-lease-max=253
		+	</pre>
	* DNSMASQ service provides DHCP, DNS and NAT (Masquerade) services only to the virtual machines connected to virbr0. If you do not have any VMs connected to the virbr0, it is better to stop/turn-off libvirtd and dnsmasq services. This will free up some resources on the physical host.		* DNSMASQ service provides DHCP, DNS and NAT (Masquerade) services only to the virtual machines connected to virbr0. If you do not have any VMs connected to the virbr0, it is better to stop/turn-off libvirtd and dnsmasq services. This will free up some resources on the physical host.