practical firewall implementation: iptables vs fw appliance

Discussion in 'Networking & Security' started by Thuleman, Jul 7, 2008.

  1. Thuleman

    Thuleman [H]ardness Supreme

    Messages:
    5,834
    Joined:
    Apr 13, 2004
    Folks, here's the situation:

    Two physical servers, running Windows 2008 Enterprise Core & Hyper-V, both have two physical NICs each. Each physical server runs three virtual machines, five of which are Windows 2008 server, and one will be Debian 4.0.

    A third physical server is currently under consideration (hardware is on hand) to run CentOS 5 and act as backup server (Amanda + Zmanda) for the Hyper-V boxes.

    The public institution these are located at will place them outside of the institutional firewall, and any attempts to receive further support from the IT department to secure these machines have been met with "we have no further suggestions for you at this time, thanks for letting us know what you are planning to do though". (I kid you not!)

    I'll try to explain the best I can which way these are meant to be set up:

    P1 = physical server 1
    P1V1 = physical server 1, virtual machine 1
    etc.

    -P1
    --P1V1 - web server (IIS7)
    --P1V2 - web application server
    --P1V3 - file storage server
    -P2
    --P2V1 - SQL server
    --P2V2 - middleware server (P1V2 <-> P2V1)
    --P2V3 - web server (LAMP)
    -P3

    I know which ports I would like to keep open between machines, and which I would like to keep open to the outside world. I could go all out and create VLANs for some of these virtual machines to completely remove them from the Internet as such, but that's a level of complexity that may not be necessary.

    The IT department offered to assign static IPs, host names, and create all relevant DNS entries for all machines (physical and virtual), so all machines will (can) receive a routable IP.

    The network traffic those machines are projected to experience will be low by any standards, both in terms of requests/day as well as MB/day.

    The question is, how would I best go about securing this setup? I do have a 1U server I can set up with CentOS to act as an iptables-based firewall, but is that really a good option considering that I don't have all day to babysit my firewall and monkey with it (ok ok, Shorewall comes to mind to make things a bit easier)?

    Should I look into buying a rack-mountable firewall appliance to make my life easier? I was looking into an ASA 5005, and although the licensing scheme is confusing to me, the roughly $1,000 I could probably justify. However, it's not rack-mountable afaik. The Cisco appliances which are rack-mountable are oversized for our needs, and at $3,000+ also over budget.

    Any suggestions would be highly appreciated. I am not afraid of iptables, but I do wonder whether over time an appliance would be a more cost effective solution due to easier administration, support, updates, no monkeying with building a custom kernel firewall box, etc. etc.

    Thanks for reading!
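As an added example (not part of the post or any reply), here is what the "CentOS box with iptables" option looks like for the topology above: a policy emitted in iptables-restore format, so the whole thing is loaded atomically rather than rule by rule. Every concrete value is an assumption: the interface name, the addresses (RFC 5737 documentation ranges standing in for whatever IT assigns), the admin network, and the service ports (8080 for the app server, 8000 for the middleware, 1433 for SQL Server, 445 for file storage, 10080/10082/10083 for Amanda); the post names the roles but not the numbers. `-m state` is used rather than `-m conntrack` because that is what the iptables on CentOS 5 ships with.

```shell
#!/bin/sh
# Added example, not from the post: an iptables policy for the setup above,
# emitted in iptables-restore format so the whole thing loads atomically:
#   sh fw.sh > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
# All names, addresses (RFC 5737 documentation ranges) and port numbers are
# assumptions; the post gives the server roles, not the numbers.

OUT_IF=eth0                 # assumed: the interface toward the institution's network
SERVERS=192.0.2.0/24        # assumed: the routable block IT hands out
P1V1=192.0.2.11             # IIS7 web server
P1V2=192.0.2.12             # web application server
P1V3=192.0.2.13             # file storage server
P2V1=192.0.2.21             # SQL Server
P2V2=192.0.2.22             # middleware (P1V2 <-> P2V1)
P2V3=192.0.2.23             # LAMP web server
P3=192.0.2.30               # CentOS backup server (Amanda)
ADMIN_NET=198.51.100.0/24   # assumed: where the admins connect from
# Assumed service ports.
APP_PORT=8080; MW_PORT=8000; SQL_PORT=1433; SMB_PORT=445
AMANDA_PORT=10080; AMANDA_RESTORE_PORTS=10082,10083

# fw "SRC..." "DST..." PROTO DPORTS: one FORWARD rule per src/dst pair that
# admits new connections only; replies ride on the ESTABLISHED rule.
fw() {
    for s in $1; do
        for d in $2; do
            printf '%s\n' "-A FORWARD -s $s -d $d -p $3 -m multiport --dports $4 -m state --state NEW -j ACCEPT"
        done
    done
}

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
-A INPUT -j LOGDROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $OUT_IF -s $SERVERS -j LOGDROP
EOF
    # Public services: only the two web servers are reachable from anywhere.
    fw 0.0.0.0/0 "$P1V1 $P2V3" tcp 80,443
    # Administration: RDP to the Windows guests, SSH to the Linux boxes, admin net only.
    fw "$ADMIN_NET" "$P1V1 $P1V2 $P1V3 $P2V1 $P2V2" tcp 3389
    fw "$ADMIN_NET" "$P2V3 $P3" tcp 22
    # Tier-to-tier paths from the post. These only bite if the tiers sit on
    # different firewall interfaces (VLANs); on one flat segment they bypass the box.
    fw "$P1V1" "$P1V2" tcp "$APP_PORT"
    fw "$P1V2" "$P2V2" tcp "$MW_PORT"
    fw "$P2V2" "$P2V1" tcp "$SQL_PORT"
    fw "$P1V1 $P1V2" "$P1V3" tcp "$SMB_PORT"
    # Backups: the Amanda server connects to its clients; restores connect back to it.
    fw "$P3" "$SERVERS" tcp "$AMANDA_PORT"
    fw "$SERVERS" "$P3" tcp "$AMANDA_RESTORE_PORTS"
    # Outbound from the servers: DNS and web for updates, nothing else.
    fw "$SERVERS" 0.0.0.0/0 udp 53
    fw "$SERVERS" 0.0.0.0/0 tcp 53,80,443
    printf '%s\n' '-A FORWARD -j LOGDROP' COMMIT
}

rule_count() { gen_ruleset | grep -c '^-A '; }

# Offline sanity check (no iptables needed): every -j target must be a
# built-in or a chain declared with a ":NAME" line, otherwise restore fails.
lint_ruleset() {
    gen_ruleset | awk '
        /^:/   { sub(/^:/, ""); chains[$1] = 1; next }
        /^-A / { for (i = 1; i <= NF; i++) if ($i == "-j") t = $(i + 1)
                 if (!(t in chains) && t != "ACCEPT" && t != "DROP" && t != "LOG" && t != "RETURN") {
                     print "undefined target: " t; bad = 1 } }
        END    { exit bad }'
}

gen_ruleset
```

The order matters: ESTABLISHED,RELATED first so replies cost one rule, then the anti-spoofing drop for packets arriving on the outside interface with a server source address, then the narrow NEW-only accepts, and a rate-limited LOG before the final DROP so a scan fills neither the disk nor the console. Note the caveat in the comments: with both Hyper-V hosts and P3 on one segment behind the box, the P1V1 -> P1V2 -> P2V2 -> P2V1 rules never see that traffic; they only enforce anything if the tiers are put on separate VLANs or virtual switches that the firewall routes between.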
     
  2. XOR != OR

    XOR != OR [H]ardForum Junkie

    Messages:
    11,549
    Joined:
    Jun 17, 2003
    To clear up a glaring misconception: an iptables solution wouldn't require any babysitting once you got it set up. This assumes the hardware is well behaved.

    Now, as to which solution you should go with, what does the IT dept use? Even if you aren't getting immediate support from them, I can almost guarantee they will handle this stuff at some point in the future. To that end, you may want to make sure they are comfortable with it.

    Were this me and I didn't have to worry about the IT dept, I'd always choose iptables over an ASA. Cisco's stuff is always "odd" and has rather painful licensing associated with it. And, I'll admit, I'm far more comfortable with iptables than any other firewall package.
     
  3. GlobalFear

    GlobalFear 2[H]4U

    Messages:
    3,631
    Joined:
    Nov 22, 2003
    Just throw something like IPCop on the 1U server. It's usually quite a bit less work than iptables and much more flexible. That and you don't need to add $1000+ to your budget to do it.

    Edit: as a clarification, IPCop and the like are built on top of iptables. They provide an easier administration process and a few more goodies.
     
  4. MorfiusX

    MorfiusX 2[H]4U

    Messages:
    3,007
    Joined:
    Feb 13, 2004
    Personally, for firewalls for businesses I prefer devices that have vendor support for any mission critical task. If your VMs will be mission critical, then I would suggest something like an ASA5505 (personal favorite). There are a number of other vendors that make quality products as well.

    If these VMs aren't mission critical, then you have some more flexibility with your options. A *nix-based solution would probably be the cheapest solution in initial cost. With a firewall distro, you can have a pretty robust solution up and running in very little time. There are plenty of opinions and information around here on which ones are the best.
     
  5. Thuleman

    Thuleman [H]ardness Supreme

    Messages:
    5,834
    Joined:
    Apr 13, 2004
    Thanks for your feedback guys, much appreciated.

    Yeah the whole "monkeying with iptables" didn't come out right. What I meant is that there tends to be more effort involved in setup and customization in terms of monitoring and alerts as opposed to a firewall appliance.

    The IT department here is a mix of Juniper NS5400, NS500, and a bunch of Cisco equipment. Ideally they would put our machines behind their firewalls, but part of their reasoning for not doing it is that once they do it for one party, a hundred more will come out of the woodwork with all kinds of special ports they need to have open, and the IT folks just don't have the time, manpower, or desire to accommodate such needs while maintaining the overall security of the network. So their solution is to just assign IPs outside of any firewall and have people figure it out on their own.

    My concern with an iptables-based Linux box is that it is subjectively less reliable when it comes to the hardware side of it. Too many moving parts, or if I were to go with solid-state drives it would require investment, or perhaps I could just jerry-rig it with a USB flash drive (and a RAM disk, 2 GB total RAM (PC133 wheee!) on that 1U server I have) and have that drive be inside the enclosure. Still, dual 170W power supplies, 11 fans in the 1U enclosure, all those are points of failure. It's an old dual Socket 940 system that has been running 24/7 since 2004, and will probably run just fine till the end of days, but if it craps out then all the boxes behind it are offline.

    Of course an appliance can experience a hardware failure as well. Though odds are the appliances are easier to administer by folks who are not as familiar with the whole process.

    I think I may just go ahead and set up a Linux box to have something up and running, and then recommend an upgrade to an appliance that matches the hardware the IT people already maintain. That's probably the easiest solution to get me off the hook. ;)
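The "monitoring and alerts" effort the post mentions is mostly a matter of digesting what a `LOG` rule writes to syslog. As an added example (not from the post or any reply), the script below summarises such lines into a short report that cron can mail instead of anyone watching the box. The log lines are constructed here in the format the iptables LOG target writes (with a `FW-DROP: ` prefix, a chosen assumption), so it runs offline; on CentOS 5 the real lines land in /var/log/messages, and the scratch file path is only for the demonstration.

```shell
#!/bin/sh
# Added example, not from the post: summarise the LOGDROP lines the firewall
# writes to syslog. The log below is constructed to match the iptables LOG
# target's format; in production point LOG at /var/log/messages instead.

LOG=${TMPDIR:-/tmp}/fw-drops.$$.log      # scratch file for the constructed sample
cat > "$LOG" <<'EOF'
Jul  8 03:12:45 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.21 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1234 DF PROTO=TCP SPT=3121 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  8 03:12:46 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.21 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1235 DF PROTO=TCP SPT=3122 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  8 03:12:47 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.13 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1236 DF PROTO=TCP SPT=3123 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul  8 03:40:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=51512 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 04:01:10 fw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.0.2.23 DST=203.0.113.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=77 DF PROTO=TCP SPT=44120 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  8 04:05:00 fw sshd[2201]: Accepted publickey for admin from 198.51.100.12 port 50122 ssh2
EOF

# drops_per_source LOGFILE: "count source", busiest first.
drops_per_source() {
    awk '/ kernel: FW-DROP: / { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' "$1" |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# ports_for_source LOGFILE SRC: destination ports SRC was blocked on, ascending, comma-joined.
ports_for_source() {
    awk -v src="$2" '/ kernel: FW-DROP: / {
        s = ""; p = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) s = substr($i, 5)
            if ($i ~ /^DPT=/) p = substr($i, 5)
        }
        if (s == src && p != "") print p
    }' "$1" | sort -un | paste -s -d ',' -
}

# noisy_sources LOGFILE THRESHOLD: sources blocked more than THRESHOLD times (alert candidates).
noisy_sources() { drops_per_source "$1" | awk -v t="$2" '$1 > t { print $2 }'; }

# inside_out LOGFILE: drops that came in on the server side (IN=eth1), i.e. one
# of our own hosts tried to open an outbound connection the policy forbids.
# That is the line worth a phone call: a web server talking IRC is not an update.
inside_out() {
    awk '/ kernel: FW-DROP: / && / IN=eth1 / {
        out = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^(SRC|DST|DPT)=/) out = out (out == "" ? "" : " ") $i
        print out
    }' "$1"
}

# report LOGFILE THRESHOLD: the text a cron job would mail.
report() {
    echo "Blocked connections by source:"; drops_per_source "$1"
    echo "Sources over $2 drops:"
    for s in $(noisy_sources "$1" "$2"); do echo "  $s -> ports $(ports_for_source "$1" "$s")"; done
    echo "Outbound attempts from our own servers:"; inside_out "$1"
}

report "$LOG" 2
```

Hooked up as an hourly cron entry that pipes `report /var/log/messages 20` into `mail -s`, this is the "alerting" an appliance would have given out of the box; the `-m limit` on the LOG rule keeps a scan from turning the report into megabytes.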
     
  6. MorfiusX

    MorfiusX 2[H]4U

    Messages:
    3,007
    Joined:
    Feb 13, 2004
    Having a consistent platform (regardless of what that platform is) will reduce support and administration costs over the life of a given set of products.
     
  7. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,771
    Joined:
    Nov 4, 2005
    agreed, your plan of getting a linux box up now with the movement to matching hardware later seems to be the best without question
     
  8. hutchingsp

    hutchingsp Limp Gawd

    Messages:
    150
    Joined:
    Dec 24, 2006
    Maybe I'm just old fashioned but for something that, IMO, is as mission critical as a firewall I'd be looking at an appliance.

    It's the support element: the fact that if it should be breached, and assuming it was configured correctly, it simply puts you in a better position with the higher-ups if it was a commercial product. Plus, as you point out, an appliance with a web interface/GUI is much more likely to be manageable by someone on the end of the phone, etc.
     
  9. dandragonrage

    dandragonrage [H]ardForum Junkie

    Messages:
    8,298
    Joined:
    Jun 5, 2004
    How about Untangle? You can run it free, or you can pay them and get support. pfSense is another option if you don't need the tech support.

    You do not need an appliance. Not for stability, not for support, not for anything.