November 21st, 2007

Need a firewall? Download it

Posted by Christopher Dawson @ 3:20 am

Categories: Education Technology

Tags: Firewall, Network, IPCop, Copfilter, Untangle, Firewalls, Network Security, Security, Networking, Christopher Dawson

Our firewall has been giving us fits lately. We lose connectivity, we bog down unexpectedly, and the content filtering/anti-virus/anti-spam subscriptions are just too expensive. Google and George Ou are my friends, though, and both suggested IPCop and Copfilter (the former via a search for open source firewall software and the latter via an email). I was already using Untangle at home with good luck (and unhappy teenage kids who were locked down quite handily), but I wanted to give IPCop a shot.

Untangle and IPCop are both stripped down Linux distributions focused on providing firewall functionality (Internet gateway, intrusion detection, logging, port forwarding, VPN, etc.) and DHCP. Untangle actually provides a nicely integrated, turnkey solution including content filtering, spam/malware protection, etc. The installation itself, as well as the user interface (via a Java client) are fairly slow and I was concerned about scalability, especially on the older hardware I had at my disposal.

IPCop, on the other hand, has a very quick install (up and running in 15 minutes), a snappy secure web interface, web caching to speed frequent downloads, supports up to 4 network interfaces, and runs quite well on older hardware. Add-ons are available to handle the functions built into Untangle. While the setup is not quite as straight-forward, it’s fast enough that when I screwed up the first time (incorrect IP address assignments) that I didn’t bother with command line fiddling and just reinstalled the software. Since both Untangle and IPCop are complete distribtions, make sure that you install them on dedicated machines; this isn’t Ubuntu where you can just resize your partitions.

Copfilter is a slick add-on for IPCop that adds anti-malware, email scanning, and additional monitoring tools. Once installed (fairly easy instructions are available on the Copfilter website), it simply adds an extra tab to the IPCop web interface and setup of the individual modules is relatively intuitive (certainly no worse than the Sonicwall that we actually paid for). Click here to see a screen shot of the web interface

The last piece I need to add is true content filtering. While I have already found IPCop (and Untangle) to be quite effective at blocking malicious sites, I need to really lock down what my students can see. Again, Untangle has a built in interface that blocks proxy traffic, IM, social networking, pornography, gambling, etc., and logs attempts to access these types of resources. IPCop can use addons like Dansguardian, but I have yet to get this functional in the latest version of IPCop. Any success stories, please talk back below. Dansguardian, by the way, is highly effective in and of itself; it was built in to the Linux Classmate PCs I tested and worked very well. I just need to get it working on the firewall side rather than the client side.

I currently have an IPCop machine in front of my network at home and in front of one lab at school. Untangle is sitting in front of a second lab at school. As soon as I get Dansguardian running the way I want it to, I can let them go head to head. Regardless of the winner, though, I’ve definitely been converted to the “download-a-firewall-and-install-it-on-salvage-hardware” school of thought.