Virtualizing your Linux Firewall

From WBITT's Cooker!


Revision as of 18:06, 8 March 2011

This paper discusses the concept of running your Linux Firewall as a Virtual Machine.

Introduction

In today's IT world, almost every IT manager knows exactly what it means for the business when a firewall goes down. When this alarm is raised, it is just like a fire alarm. All of a sudden there is immense panic, there are question marks on everyone's faces, productivity halts, and people rush to see who reaches the coffee machine first; everyone, that is, except the IT staff. To the IT staff, it seems as if all hell has broken loose. Managers at every level, almost all at once, start yelling at the IT staff to get the network back up as soon as possible. It is quite a scene!

For people using hardware-based firewalls such as Cisco PIX, Juniper NetScreen or SonicWall, this can actually mean a lot of downtime, especially when the firewall device has been burnt out by a power failure: they have to wait for a replacement unit to arrive. If the firewall was compromised by an attacker, it would again mean a lot of downtime, as the firewall device has to be reconfigured, probably from a clean backup, if there was one at all.

Normally there is only one such device in an environment, because they are quite expensive. And, as noted above, a burnt device, or a burnt component of it such as a WAN port, can bring your business to a complete halt.

Many people consider the Cisco PIX the Holy Grail of firewalls. The same goes for other hardware-based, proprietary firewalls such as Juniper NetScreen, SonicWall, CheckPoint, NetGear, etc. There is not much you can do "differently" with the so-called hardware/proprietary firewalls compared to what you can do with Linux-based firewalls. One popular strategy used by the sales people of prominent firewall vendors is to create Fear, Uncertainty and Doubt (FUD) in the minds of prospective customers about low-cost Linux firewalls. Once they have succeeded in that, the sales people move to the next step and convince their customers to purchase the ultra-expensive firewall. The interesting point is that even IT managers do not resist such purchases, because they "feel secure" merely by buying a branded product and do not want to take any risk by saying "No". After the product is acquired, it is placed on the network without a well-thought-out configuration. In a hurry to brag "I have configured the brand X firewall and placed it in production in 30 minutes", the IT staff, constantly under the influence of brand X's name and reputation, put something on the network which was (a) not well configured, (b) not well understood by anybody, (c) outrageously expensive, and (d) not required in the first place. Most of the time it ends up like buying a rocket launcher to kill a fly, when a fly swatter was all that was required.

In this paper we discuss the possibility of using Linux-based firewalls running as virtual machines on a Xen or KVM host. We also show how this can be achieved.

Linux as a firewall

Fundamentally, any hardware-based firewall is a collection of hardware and software components. A hardened Linux box with enough resources, used "solely" in a firewall role, can confidently be termed a hardware firewall, and it can compete with any branded firewall you can throw against it. Besides, it is the configuration which makes a firewall strong, not its brand.

It would be interesting for many to know that the Cisco PIX uses processors such as the Intel Celeron, Intel PIII and AMD Am5x86, with Intel 440BX and AMD SC520 chipsets, and with RAM ranging from 16 MB to 1 GB. [Reference: http://en.wikipedia.org/wiki/Cisco_PIX#Description_of_hardware]

A modern-day PC is much more powerful than what is described above. A cut-down, minimal install of the Linux OS on a commodity off-the-shelf PC can essentially turn it into a firewall more powerful than the Cisco PIX. A Linux-based hardware firewall can offer almost all the services that any other type of firewall can offer; it is just a matter of adding the right modules and software pieces to it. For example, a basic packet-filtering Linux firewall can work as a stateful firewall merely by adding the connection-tracking kernel module and some configuration. The following non-exhaustive list gives an insight into what can be accomplished using a totally free OS and its tools: Linux.

  • Packet Filtering: IPTables
  • NAT: NAT module in IPTables
  • Stateful Filtering: Connection Tracking module in IPTables
  • Web Proxy/Caching Service: Squid, etc.
  • Web Content Filtering: SquidGuard, DansGuardian, etc.
  • VPN: OpenVPN, OpenSWAN, etc.
  • Intrusion Detection Systems: Snort, etc.
  • .... and more.
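The packet-filtering, stateful-filtering and NAT entries in the list above map onto a short iptables script. The following is an added example, not code from the paper or from WBITT: a stateless baseline ruleset beside its stateful version, in which a conntrack match (backed by the nf_conntrack kernel module) admits reply packets by connection state instead of by port, followed by a masquerading NAT rule for the LAN. The interface names eth0 (WAN) and eth1 (LAN), the LAN subnet 192.168.1.0/24, and the DRY_RUN/dry_run mechanism are assumptions made for illustration, not anything the paper specifies.

```shell
#!/bin/sh
# Added example (not from the original paper): stateless vs. stateful
# iptables rulesets plus NAT for a Linux box used as a gateway.
# Assumed placeholders: eth0 = WAN, eth1 = LAN, LAN subnet 192.168.1.0/24.
# Run with DRY_RUN=1 (or "dry-run" as first argument) to print the
# commands instead of applying them; applying requires root.
DRY_RUN="${DRY_RUN:-0}"
if [ "$DRY_RUN" = 1 ]; then RUN=echo; else RUN=; fi
IPT="$RUN iptables"
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Stateless baseline: a plain packet filter. Only the listed ports are
# allowed, and replies to outbound connections would have to be opened
# port by port, because nothing remembers which connections exist.
stateless_ruleset() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT
}

# Stateful version: the conntrack match lets the kernel track connections,
# so replies are accepted by state rather than by port, which is what turns
# the packet filter into a stateful firewall.
stateful_ruleset() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets belonging to, or related to, an already tracked connection
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that match no tracked connection (e.g. stray ACKs) are dropped
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Management (SSH) only from the LAN side, only as a new connection
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # New connections may be forwarded from the LAN to the WAN, never the reverse
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # NAT: masquerade LAN traffic leaving through the WAN interface
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Routing between interfaces must be switched on for FORWARD/NAT to matter
enable_forwarding() {
    $RUN sysctl -w net.ipv4.ip_forward=1
}

# Run a ruleset function in a subshell that prints commands instead of
# executing them; used for review and for the sanity check below.
dry_run() {
    ( RUN=echo; IPT="echo iptables"; "$@" )
}

# Number of conntrack-based rules a ruleset would install (0 = stateless)
count_state_rules() {
    dry_run "$1" | grep -c -- '--ctstate' || true
}

case "${1:-}" in
    apply)   enable_forwarding && stateful_ruleset ;;
    dry-run) dry_run enable_forwarding; dry_run stateful_ruleset ;;
esac
```

Invoke as `sh firewall.sh dry-run` to review the exact commands, and as root with `apply` to install them; the INVALID rules and the LAN-only NEW rules are what keep the stateful version from silently becoming an "allow anything that looks like a reply" filter.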

You can have one "thick" Linux firewall by running all of the services on one physical machine. However, the purpose of this paper is to explain how a compartmentalized security model can be implemented by running most of the services listed above as separate "thin" virtual machines on a single physical server. For the sake of business continuity, a copy of all VMs can be kept on a second (inexpensive) physical machine. In case of hardware failure, the firewall and its related components can be run from this second machine without significant downtime.

References

  • http://en.wikipedia.org/wiki/Cisco_PIX#Description_of_hardware