An effective firewall is essential for perimeter protection and network zoning. While some high-end commercial products have evolved to include intrusion detection, controls on outbound web traffic, and inline anti-malware detection, they require more powerful hardware and costly annual support contracts. As a result, it is still common to find small businesses using consumer-grade routers as a firewall.
Commercial VPN products can be expensive, often requiring per-seat annual fees. Some small businesses respond by allowing inbound traffic through their firewall instead, exposing the organization to unnecessary risk.
Many small businesses do not centrally aggregate logs. In some cases they do not perceive a need; cost is often a significant factor. Licensing by data volume is the norm in the log management industry. One particular market leader’s annual software licence fee is US $1800 to index 1 GB of data per day. At 10 GB/day the price drops to US $1000 per year per GB. This is in addition to the cost of hardware or cloud computing resources on which to run the licensed software. To put this pricing in perspective, sending all logs from one router, one firewall, and a handful of Linux servers and devices approached 0.5 GB per day, and spiked to almost 1 GB per day when the firewall came under attack. Some businesses respond by only logging selected events, but this approach limits the usefulness of the logs from both an operations and a security perspective.
For companies that can afford it, industry-leading commercial firewalls, VPNs, and log management products can greatly improve the enterprise security posture. Those with lean budgets can consider open source solutions.
pfSense is an excellent open source firewall. While available pre-installed and supported on US $300 to $1800 appliances, a free .iso file can be downloaded, burned to a DVD, and installed on commodity 32-bit or 64-bit hardware. New low-power hardware, or an old dual-core PC, can be turned into a business-class firewall.
pfSense accommodates multiple network interfaces and provides full VLAN support, making network zoning easy to implement. Paired with a VLAN-capable switch, users, servers, IoT devices, VoIP phones, IP Cameras, and Internet-accessible systems can all be effectively isolated, and inter-zone access mediated by firewall rules. It is also ideal for homes to provide a separate network for children, including age-appropriate firewall rules.
As with most products, firewall rules are applied in order. In addition to the customary interface, protocol, source, and destination selectors, several advanced options are available. These include time schedules, rate limiting, TCP flags, source OS detection, Differentiated Services Code Point (DSCP) values, 802.1p priority matching and setting, and policy-based routing.
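The zoning and rule-ordering points above, as an added example that is not pfSense code: a small first-match rule evaluator over constructed LAN, IoT and camera zones, plus a check that flags rules an earlier, broader rule makes unreachable. It assumes first-match evaluation with an implicit default deny when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    dport: Optional[int]   # destination port, None = any port
    note: str = ""

# Constructed zones: LAN 192.168.10.0/24, IoT 192.168.20.0/24, cameras 192.168.30.0/24.
RULES = [
    Rule("pass", "any", "192.168.10.0/24", "0.0.0.0/0", None, "LAN may reach anything"),
    Rule("block", "any", "192.168.20.0/24", "192.168.10.0/24", None, "IoT may never reach LAN"),
    Rule("pass", "tcp", "192.168.20.0/24", "0.0.0.0/0", 443, "IoT may reach the Internet over HTTPS"),
    Rule("block", "tcp", "192.168.10.0/24", "192.168.30.0/24", 22, "no SSH from LAN to cameras"),
]

def _covers(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """True if the rule's selectors include this packet."""
    return ((rule.proto == "any" or rule.proto == proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, int]:
    """First matching rule wins; no match means the implicit default deny (index -1)."""
    for i, rule in enumerate(rules):
        if _covers(rule, proto, src, dst, dport):
            return rule.action, i
    return "block", -1

def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that an earlier, broader rule makes unreachable."""
    hidden = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                hidden.append(j)
                break
    return hidden

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "192.168.20.5", "192.168.10.7", 443))  # ('block', 1)
    for j in shadowed(RULES):
        print(f"rule {j} never matches: {RULES[j].note}")
```

Swapping the IoT block and the IoT HTTPS pass rule would let IoT devices reach the LAN on port 443, which is exactly the ordering mistake the shadow check and evaluator make visible.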
pfSense provides DHCP services (including reservations), DNS resolution for clients, high availability (with real-time state synchronization between two firewalls) and a host of other enterprise-class features including IPSec and OpenVPN.
The built-in OpenVPN server can greatly simplify remote access by assigning each client an IP address in a VPN subnet. Firewall rules allow control of traffic between the VPN subnet, the Internet, and other internal networks. pfSense’s included certificate generation and management functionality, combined with a free optional package aptly named “openvpn-client-export,” allows an OpenVPN configuration bundle for Windows, OS X, Android, or iOS to be easily exported.
Free OpenVPN clients are available for most operating systems, although many Windows and Mac users are happy to pay $9 for a Viscosity client licence. Creating a free VPN gateway by installing and configuring an OpenVPN server package via the command line is moderately difficult on most modern Linux distributions. pfSense remains an easier and better option for most applications.
Spearheaded by Graylog, open source log management solutions have come a long way in the past few years. Based on Elasticsearch and MongoDB, Graylog is capable of handling the needs of a small business on a single VM or physical server, or scaling to meet enterprise log management requirements. In addition to receiving, storing, indexing, and searching logs, Graylog includes the capability to tag messages into streams in real time. Streams can be routed to other applications for further processing, and used for basic alerting functionality. For example, 400 series web server error messages can be sent to a stream and alerts configured on log message volume and content.
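The stream-and-alert idea above, as an added example that is not Graylog's own code: constructed web server access-log lines are parsed, 4xx responses are routed into a "web-4xx" stream, and two alert conditions run over that stream, one on message volume in a sliding window and one on message content. The sample lines, the window, and the threshold are all assumptions.

```python
import re
from collections import deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample lines in Apache/nginx "combined" format (not from any real server).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /old-page HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 403 198 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /missing.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:14:30:01 +0000] "GET /gone.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line: str) -> Optional[Dict]:
    """Turn one access-log line into a message dict; None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {**d, "status": int(d["status"]), "ts": datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def route(msg: Dict) -> List[str]:
    """Stream rule: 4xx responses are tagged into the 'web-4xx' stream."""
    return ["web-4xx"] if 400 <= msg["status"] < 500 else []

class VolumeAlert:
    """Fires when at least `threshold` stream messages arrive within `window` seconds."""
    def __init__(self, window: int, threshold: int):
        self.window, self.threshold = window, threshold
        self.seen: Deque[datetime] = deque()
    def feed(self, ts: datetime) -> bool:
        self.seen.append(ts)
        while (ts - self.seen[0]).total_seconds() > self.window:
            self.seen.popleft()
        return len(self.seen) >= self.threshold

def process(log_text: str, window: int = 60, threshold: int = 3) -> List[Tuple[str, str]]:
    """Route messages into the stream and return (alert_type, detail) pairs in arrival order."""
    alerts, volume = [], VolumeAlert(window, threshold)
    for line in log_text.splitlines():
        msg = parse(line)
        if msg is None or "web-4xx" not in route(msg):
            continue
        # Content condition: a forbidden response on an administrative path.
        if msg["status"] == 403 and msg["path"].startswith("/admin"):
            alerts.append(("content", f'{msg["ip"]} got 403 for {msg["path"]}'))
        # Volume condition: a burst of 4xx responses inside the sliding window.
        if volume.feed(msg["ts"]):
            alerts.append(("volume", f"{len(volume.seen)} 4xx responses in {window}s"))
    return alerts
```

The 404 at 14:30 falls outside the 60-second window, so it is routed to the stream but raises no volume alert; only the burst at 13:55 does.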
The latest version of Graylog introduced significant architectural improvements as well as new features such as live tail, message processing pipeline, collector sidecar, and a map widget. The map is useful for visualizing Internet traffic sources. While Graylog Inc. has introduced a commercial version, the open source edition meets the logging needs of many businesses and the amount of data it can index is limited only by the underlying hardware and network connectivity. Optional support is available.
Free open source products require hardware or VMs, and knowledgeable individuals to run and maintain them. Although their cost is lower, they are not always the best solution, but they do provide businesses of all sizes with viable, lower-cost firewall, VPN, and log management options.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org