Firewalls and Gateways

Hi, I’m Simon. I am the Technical Director at White Cliffs Radio. Here I will show you my findings from the challenge of trying to pick the right software for us.

At White Cliffs Radio, I introduced an enterprise grade network with VPN connections between sites. This enables our presenters to experience an easy and consistent flow across all our studios.

This was a challenge, as there is a wide variety of hardware and software on offer: free products, support contracts and paid subscriptions.

The Requirements

A software-based virtual machine to control our networking communication infrastructure.

Cost was also an issue, so I wanted to look for something free, but secure. With this in mind I opted to search for an open-source, Linux-based piece of kit.

It must have an easy interface for firewall and network management.

The ability to link sites together using IPSec tunnels.

Allow remote access via OpenVPN for our presenters. This means that they can present their shows from anywhere, while still having full access to our music store.

Zentyal – Development Edition

Zentyal advertises itself as an all-in-one solution for a small business, fronted by an Ubuntu operating system.

I couldn’t fault the DNS and DHCP setup; they were really user friendly, especially for beginners.

In the more advanced sections, such as VLAN and VPN configuration, this could get very confusing very quickly for beginners. For advanced users, it was quick to pick up. It also supported hot-adding/swapping network interfaces (while running as a VMware virtual machine).

Zentyal also has an integrated Mail and Directory service, which I could see would benefit many who are just starting out. However, I had no need for an integrated mail server or directory support.

The firewall interface was as easy as they come. Nice and clean, easy to set up and maintain, but no aliases. This means you have to add a rule for each port individually rather than creating, say, a WEB alias.

This would have been the one I went with, apart from one major drawback. We had to make sure the virtual machine running the Zentyal system was restarted nightly, as we would periodically get a slowdown in speed. The cause was unknown, so we opted to look elsewhere.

It should be noted that this was the DEVELOPMENT edition, which of course is always changing. This is more than likely a contributing factor to the above problem. There are paid-for solutions and support that Zentyal offers which will more than likely not have the same problems.

Check out Zentyal’s Website for more information and download links to try it out yourself. Maybe you can find something I’ve missed?

ClearOS – Community Edition

This edition is a community-driven solution which features a whole host of functions. It has a clean but sometimes confusing user interface, depending on what you want to do with it. It is based on CentOS/Red Hat Linux and free, again meeting our criteria.

ClearOS had much the same feature set as Zentyal, but on a much more basic level. No integrated mail services, only the option to attach to existing directory server(s), which for me is perfect, as we only need VLAN configuration, firewalls and VPN capability.

Out of the box it supported the basics: DNS, DHCP and network interface management. It did not, however (in the version I used), support hot-adding/swapping network interfaces. Not really a problem, as this was a nice-to-have feature to begin with.

For more advanced things such as IPSec and OpenVPN you have to install plugins/modules. These can be found in the marketplace.

IPSec used strongSwan, which is a very reputable open-source IPSec solution and something we were already familiar with. It had an easy-to-use graphical user interface, and tutorials were available online on how to set up tunnels. Much the same story for OpenVPN.

The one place it definitely lacked was firewall configuration. There is a plugin/module in the marketplace to enable the feature, but it required a detailed understanding of iptables. If this is your bag, then I would highly recommend it to anyone, but for me, I only knew the basics of iptables.

For this reason I chose not to use ClearOS, as it would have made maintenance very messy and time consuming.

Check out ClearOS’ website if you are interested in what it can do and have a play yourself.

pfSense

This is based on the FreeBSD operating system, with a very active community and a wide range of community-driven packages available.

The system does not support hot-adding/swapping, but it is not all doom and gloom. I have yet to utilise this, but using CARP we can have a redundant pair.

It supports standard DHCP server integration, with an included DHCP relay for those who are interested in taking full advantage of IPv6.

A standard install will provide a DNS resolver. I chose to disable this option and install a BIND server from the available packages on offer. I then turned this into a slave DNS server in case our master had issues.

One thing I must praise pfSense for is the ability to set up IPSec tunnels. With a small amount of configuration on each side I had a working tunnel. It was the easiest IPSec configuration I have ever done, while remaining extremely secure.

As for the firewall, I couldn’t have asked for anything better. Aliases not only for ports, but for individual IP addresses and network subnets too. Words cannot describe how overjoyed I was with the amount of stuff I could do with firewalls. This means that at a quick glance I can see exactly what the firewall is doing.
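The alias idea praised here (and missed in the Zentyal firewall) is what saves you from writing one rule per port by hand, and it is also the sort of iptables work the ClearOS firewall module leaves to you. The script below is an added example, not part of the original post or of any of the products reviewed: it keeps a port alias and a subnet alias as shell lists and expands them into the individual iptables rules a firewall without aliases would need. The alias names, the ports and the subnets are constructed for illustration (the subnets are RFC 5737 documentation ranges). By default it only prints the iptables commands; setting IPT=iptables runs them for real, which needs root.

```shell
#!/bin/sh
# Added example (not from the post or from pfSense/ClearOS): expand a port
# alias into per-port iptables rules, the job a firewall UI with alias
# support does for you. Dry-run by default: set IPT=iptables to apply as root.
IPT="${IPT:-echo iptables}"

# Constructed aliases, the equivalent of a pfSense "WEB" alias and a
# studio-network alias (RFC 5737 documentation ranges, not real sites).
WEB_PORTS="80 443"
STUDIO_NETS="192.0.2.0/24 198.51.100.0/24"

# base_policy: default-deny INPUT, keep loopback and already-established flows.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# gen_rules CHAIN PROTO "PORTS" "SOURCES"
# Emits one ACCEPT rule per (source, port) pair, so the alias lists above are
# the single place to edit when a port or a subnet changes.
gen_rules() {
    chain=$1; proto=$2; ports=$3; srcs=$4
    for s in $srcs; do
        for p in $ports; do
            $IPT -A "$chain" -p "$proto" -s "$s" --dport "$p" \
                -m conntrack --ctstate NEW -j ACCEPT
        done
    done
}

# Usage: default-deny, then allow the WEB alias from the studio networks only.
base_policy
gen_rules INPUT tcp "$WEB_PORTS" "$STUDIO_NETS"
```

Two aliases of two entries each already produce four rules; the point of keeping the lists in one place is that reviewing or changing the policy means reading the aliases, not every generated rule, which is the "quick glance" benefit the post describes.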

OpenVPN setup was another easy one, with a client configuration generator which means you don’t have to spend time working out your clients’ configuration. With the included certificate manager you can easily set up an OpenVPN CA with its server and client certificates.

I would recommend this to anyone. It is widely used by individuals and by companies small and large, and has a range of options for support and hardware. Take a look at the website to find out more information.

Conclusion

So, as you can all gather, I went with the pfSense option for its ease of install, features and manageability.

It gives me scope to keep expanding our infrastructure to the limits.

I now use IPSec not only to tunnel between sites, but also to link up to my AWS cloud services, so that I can start moving my infrastructure to the cloud while still having it act as though it’s sitting locally on site.
