
Lock IT Down: Deploy a robust firewall at minimal cost with IPCop

Find out about an inexpensive firewall solution


Deploying a good firewall has become a standard prerequisite for all businesses that want to connect to the Internet—and, let's face it, most businesses now either need or want Internet access. Of course, the quality of firewalls varies substantially, from bottom-dollar devices like those from Linksys, which are designed for small offices and home offices, to budget-hogging solutions from Cisco and Check Point that are made to protect the enterprise.

Typically, small and medium businesses have either had to settle for less robust firewalls, such as the ones from SOHO vendors, or have had to spend disproportionately large chunks of their budgets to invest in serious firewalls, such as devices from Cisco and Check Point or software from Microsoft, Symantec, and others that can turn a server into a full-featured firewall.

Some organizations have custom-built firewalls that rival the cost of SOHO solutions by using Linux software, which has robust firewall functionality included in most of its distributions. The challenge is that a Linux firewall can be quite complex and difficult to administer, which can lead to insecure deployments, especially at small and medium companies whose IT staff members do not have sufficient Linux expertise.

However, there is a way to get the two main advantages of a Linux firewall—a robust feature set and low cost—while getting the ease of use of a firewall solution from Microsoft, Check Point, or one of the other commercial vendors. The solution is IPCop, a Linux firewall distribution that is easy to install and configure and is managed via a friendly Web interface. Let's take a look at the features available in this firewall and see why it can be an excellent solution for small and medium businesses.

The genesis of IPCop
In true open source GPL fashion, IPCop is actually a permutation of another Linux product, called SmoothWall. In 2000, a couple of Linux programmers developed SmoothWall to be a locked-down Linux firewall distribution. Essentially, it was designed to transform standard x86 hardware into a Linux-powered firewall device that could be easily managed from a Web interface. Thus, the firewall administrator did not have to be a Linux command-line guru in order to manage it.

After some initial success with the product, the programmers decided to build an expanded commercial version of the product, called SmoothWall Corporate Server. With the release of that product, the programmers put most of their efforts and best feature improvements into the commercial version. Although they still offered the GPL version of SmoothWall (now appropriately called SmoothWall GPL), that version clearly became a subset of the Corporate Server product.

A number of Linux developers who remained committed to the idea of a full-featured GPL-based Linux firewall distribution decided to go off and create a new product based on version 0.9.9 of SmoothWall GPL. The result was IPCop, which has quickly overtaken SmoothWall GPL in terms of the advanced features offered in a Linux firewall distribution that can be downloaded for free.

Getting started is a breeze
The first thing to like about IPCop is how easy it is to download and prepare for installation. You can download IPCop in the form of an ISO image, which can then be automatically turned into a bootable installation CD using most popular CD-burning software. You can even download this and burn it in Windows using Easy CD Creator or similar programs. (Look in the help files of your CD-burning software for information on how to burn ISOs.)

The IPCop installation itself is easy to follow, even for beginning administrators. It simply walks you through the process of choosing one of the predefined configuration templates, setting up the network interfaces, and configuring a few other essentials. A 10-minute peek at the installation guide (available as a PDF) prior to running the install is all that is needed to familiarize yourself with the process and gather the information you'll need.

After the installation is complete, you can go back to your administrator workstation (assuming, of course, that it's on the same network as the IPCop system), call up a Web browser, and go to:
http://ipcop:81 or https://ipcop:445

You can replace ipcop with the firewall's internal IP address. You'll see a screen that looks like Figure A. From this point on, you can do all of your configuration from the Web interface. The only actions that will require you to return to the IPCop system are changing an IP address or altering the initial installation settings.

Figure A


Install and config
A future article will provide more on installing and configuring IPCop and will walk through all of the technical details.

Now, let's take a closer look at the features in IPCop 1.3.0 (the latest version, as of this writing).

IPCop feature set
It's pretty amazing to see all of the things that are included in IPCop, especially when you remember that it is free software that runs on commodity hardware (which costs very little these days). In my experience, IPCop also runs quite smoothly and with minimal errors and conflicts. It is also quite fast—considerably faster than low-end firewall/routers such as those from Linksys and other SOHO vendors.

IPCop 1.3.0 is based on the Linux 2.4 kernel and the IPTables firewall software, which is much more secure and robust than its predecessor, IPChains, with which SmoothWall GPL was originally built.

The IPCop architecture includes the following functionality:
  • Caching Web proxy (based on Squid)
  • DMZ setup for server hosting
  • Port forwarding
  • VPN server (based on FreeS/WAN)
  • DHCP server
  • DNS proxy server
  • Intrusion detection system (based on Snort)
  • SSH login for the administrator
  • VPN pass-through (both PPTP and IPSec)
  • Support for many dial-up and DSL modems (and cable modems work, too, if you use the Ethernet interface)
  • Traffic report graphics
  • Support for many international languages

IPCop does not include these features:
  • Bandwidth throttling
  • Content filtering

Hardware requirements
There really aren’t any official minimum hardware requirements for IPCop (at least none that I've ever found). A lot depends on your network configuration. In other words, there is a direct correlation between the amount of bandwidth and number of users you have and the amount of system resources you are going to need in the box that you are using to run IPCop.

As an example, I'll give you my recommendation for a small office with 40 users and a DSL line with 1 Mbit of bandwidth (ADSL with 1 Mbit up and 1 Mbit down). You can scale my recommendation up or down based on your requirements. In this scenario, I would recommend a system with (at least) a Pentium III 450-MHz processor and 256 MB of RAM. This is a fairly generous amount of power, but it would make sure the system always had what it needed to get the job done.

The processor isn't as important as the RAM. You could scrape by with a Pentium II 300-MHz machine. Some IT pros might argue that you could get by with 128 MB of RAM, but RAM is cheap, and I'd prefer not to use less than 256 MB with an IPCop system. If you have anything larger than this hypothetical network, it wouldn't hurt to bump up to 384 or 512 MB.

There's also the issue of disk space. The default installation of IPCop takes up a minuscule 400 MB. (Of course, you should plan for future growth of log files, etc.) Therefore, I would recommend a minimum of a 5-GB hard drive. That way, you also can dedicate 3 to 4 GB of disk space to the Web proxy to use for its cache.

You'll also need two network cards (three, if you want to set up a DMZ). Although various network cards are supported, I would recommend using 3Com NICs, both because they are reliable and because the Linux 2.4 kernel easily recognizes them. If you are using a modem, it acts as one of your network interfaces.

One drawback to IPCop is that its configuration templates support only up to three network interfaces. Larger networks often require upward of 10 to 15 interfaces in their firewalls. This is one of the reasons IPCop is currently suited only to small- and medium-size installations.

Adding up the benefits
IPCop fits its niche quite well. It does not contain all of the features available in the high-dollar enterprise firewalls, nor does it offer the support options available with those platforms. However, it does include many enterprise-level functions, and its feature set is hard for other small business firewalls to compete with. In addition, it's far less expensive than many of the small and midsize business firewalls available on the market. And it's easy to administer. These factors make IPCop a capable and attractive SMB firewall solution.

 

 
