I once read that a network firewall was as much a central point for getting visibility into your network as it was a point for restricting and securing your network. It is my personal belief that these things go hand in hand. How can you secure your network if you don't understand what is actually going on inside it? How can you differentiate between good and bad traffic if you can't actually see the traffic? A few years ago, I invested a serious amount of time searching for an open-source firewall that I could insert into a network on some standard hardware, see what was happening, and then respond to it. I was disappointed, to say the least.
Linux- and BSD-based open-source network firewalls and routers, it seems, have been reduced to nothing but a centralised management interface for various tools. They are built using either iptables or pf and frankly give the user nothing more than what is provided as standard in Linux. What is even more disconcerting is the fact that they are not even great management interfaces for these tools. Now don't get me wrong, some of these tools are good, and I want to applaud the work that has gone into them, but they are not good enough.
Perhaps my expectations are just too high, but I cannot be alone here. When I look for a security product for my network, I want an all-in-one solution. Something that is not patched together from various tools providing very different things. Something that is not just generating configuration for other tools. I want a seamless system that I can control my network with.
+ IP filtering
+ NAT and PAT forwarding
+ QoS and rate limiting
+ User-based rules
+ Reporting: who was downloading those reports from the staff server at 2am? Who is using all the bandwidth watching porn?
+ Web filtering, including SSL traffic
+ Quotas, usage alerts, smart event handling
These are just some of the features I expect, yet they are hard to come by unless you purchase some expensive kit from Cisco or Dell. Let's take a look at some of the key cases above.
Reporting. When you start a new job, normally the first thing you get is an email account; the second is a proxy server username and password. Companies use proxy servers to control internet access: proxies give them the reporting information they think they need, and the ability to filter websites. But, I'm sorry, proxy servers are crap. They are not suitable for today's network environments. These days, everyone has a smartphone they want to put on the Wi-Fi, everyone with half a wit about IT knows how to bypass a proxy server, and everyone gets pissed off when a proxy is not functioning properly and they cannot use a legitimate website. The biggest issue with proxies lies simply in the fact that they are not transparent. You can argue that a proxy server can be installed transparently using some tricky forwarding rules, BUT then you are screwed when it comes to HTTPS (SSL) traffic. The second biggest issue with proxies is that they ONLY work on HTTP traffic. Proxy servers can't handle what the web has become, which is no longer limited to HTTP web traffic. There is a whole lot more going on now, and as a sysadmin you need to see this too.
The user account. How many people have worked in an environment where an LDAP service like Active Directory is in place? Most companies employ this sort of system to manage users, so why not extend that to their network access? Captive portal systems have been around for years in Wi-Fi networks, and the same thing can be extended to general network access. I have yet to see another open-source firewall that supports this. I want to specify that users in the staff group can access the internet and the staff servers, and that guests only get restricted access to the internet. Once you can do this, it can be taken even further: you can enforce user quotas, limits, QoS rules for types of users and much more. You no longer have to worry about people connecting their iPads or other Wi-Fi-enabled devices; all their network access is pulled into one user account.
Event handling. I was recently working for a company that had a small test server farm in a remote datacenter. We had a Vantronix box running pfSense acting as the network firewall. At some point, a bill arrived for 20K worth of international traffic. Some script kiddie had broken into one of the test machines and for the last week had been sucking the network dry. No one, including the ISP, saw this until the bill arrived. This is utterly unacceptable. It's not so difficult to send an email alert when a machine starts using unusual amounts of bandwidth, yet this sort of trend-based monitoring and response does not exist in standard network gear. Hell, the ISP could not even tell us what kind of traffic had been going through this connection. This bill could have been easily prevented with a smarter firewall; it could even have been solved without the intervention of a sysadmin. Surely if a network host is using hundreds of gigs more traffic than normal, it should be blocked.
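As an added example (not Sphirewall's code), here is the kind of trend-based check the paragraph describes: each host's newest hourly byte count is compared against the median of its earlier hours, with an alert tier and a block tier. The hosts, byte counts and thresholds are constructed for illustration.

```python
from statistics import median

GB = 10**9

# Constructed sample: bytes sent per host over the last 8 hours (newest last).
SAMPLE_HOURLY_BYTES = {
    "10.0.5.21": [1.2*GB, 0.9*GB, 1.1*GB, 1.0*GB, 1.3*GB, 0.8*GB, 1.0*GB, 95*GB],   # test box, sucking the link dry
    "10.0.5.22": [0.4*GB, 0.5*GB, 0.3*GB, 0.6*GB, 0.4*GB, 0.5*GB, 0.5*GB, 0.6*GB],  # steady workstation
    "10.0.5.40": [0, 0, 0, 0, 0, 0, 0, 3*GB],                                       # idle host with a small burst
}

def classify_host(samples, ratio=10.0, alert_floor=2*GB, block_excess=50*GB):
    """Compare the newest hour against the median of the preceding hours.

    Returns (action, baseline, latest), where action is:
      "block" - latest exceeds the baseline by more than block_excess bytes
      "alert" - latest is above alert_floor and more than ratio * baseline
      "ok"    - otherwise
    The median (not the mean) is the baseline so one earlier spike does not
    inflate it; alert_floor stops a near-idle host (median ~0) from alerting
    on every small burst, since any nonzero value exceeds ratio * 0.
    """
    if len(samples) < 2:
        raise ValueError("need at least one historical hour plus the latest")
    *history, latest = samples
    base = median(history)
    if latest - base > block_excess:
        return "block", base, latest
    if latest > alert_floor and latest > ratio * base:
        return "alert", base, latest
    return "ok", base, latest

def evaluate(hourly_bytes, **thresholds):
    """Run classify_host over every host; return {host: action} for hosts needing action."""
    findings = {}
    for host, samples in hourly_bytes.items():
        action, _base, _latest = classify_host(samples, **thresholds)
        if action != "ok":
            findings[host] = action
    return findings

if __name__ == "__main__":
    for host, action in evaluate(SAMPLE_HOURLY_BYTES).items():
        print(f"{host}: {action}")
```

In a real deployment the "block" outcome would feed the firewall's rule engine and the "alert" outcome the email notification the post asks for; the thresholds should be tuned to each site's normal hourly volumes.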
In reality it comes down to just one thing: I want to see what is happening on my network and respond to it. I want to be able to transparently hold my users accountable and manage resources. Not much more. This is why I built Sphirewall. Our goal is very simple: to provide an open-source firewall that lives up to what I believe a router/firewall should provide. We don't build rulesets; we manage the packets straight from the Linux kernel, and as a result we have complete control. Sphirewall can tell you exactly what is happening on your network, who is generating the traffic and what kind of traffic it is, all down to hourly aggregations. It can be configured to automatically respond to events on the network, and it gives you the ability to define complex rulesets based not only on IP parameters but much more. We have solved all the problems mentioned above, and a lot more.
If you're interested in claiming back your network, then take a look: http://sphirewall.net