Tuesday, 21 February 2017

What’s the best Linux firewall distro of 2017?

This article was provided to TechRadar by Linux Format, the number one magazine to boost your knowledge on Linux, open source developments, distro releases and much more. Subscribe to the print or digital version of Linux Format here.

You don’t have to manage a large corporate network to use a dedicated firewall. While your Linux distro will have an impressive firewall – and an equally impressive arsenal of tools to manage it – the advantages don’t extend to the other devices on your network. A typical network has more devices connected to the internet than the total number of computers and laptops in your SOHO. With the onslaught of IoT, it won’t be long before your router doles out IP addresses to your washing machine and microwave as well.

The one thing you wouldn’t want in this Jetsonian future is having to rely on your router’s limited firewall capabilities to shield your house – and everyone in it – from the malicious bits and bytes floating about on the internet.

A dedicated firewall stands between the internet and internal network, sanitising the traffic flowing into the latter. Setting one up is an involved process both in terms of assembling the hardware and configuring the software. However, there are quite a few distros that help you set up a dedicated firewall with ease, and we’re going to look at the ones that have the best protective open source software and roll them into a convenient and easy to use package.

Specifically, in this roundup, we’re going to dissect and compare five different distros: IPFire, OPNsense, pfSense, Sophos UTM and Untangle NG Firewall.

How we tested

While you can test these firewall distros on a spare physical PC, it’s rather convenient to take them for a spin inside a virtual machine. We created a virtual network by firing up VirtualBox and heading to File > Preferences > Network. We then switched to the Host-only Networks tab and added a new network, using the screwdriver icon to give it the address 192.168.56.1.

Next, we created a VM for the firewall distro and made sure it had two network adaptors: the first in bridged mode, the second on the host-only network. After installing the distro, we assigned 192.168.56.2 as the IP address of the second adaptor and configured it as a DHCP server that assigns IPs between 192.168.56.20 and 192.168.56.50. From here on out, any other VM connected to the host-only adaptor is routed through the firewall VM. Phew.
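The lab wiring above can be scripted rather than clicked through. The following Python helper is an added example (not code from the article, from Linux Format or from VirtualBox’s documentation): it sanity-checks the addressing plan given in the text, the mistakes that silently break a virtual firewall lab being a client pool outside the LAN subnet or a pool that hands out the gateway’s or the host’s own address, and then builds the VBoxManage equivalents of the GUI steps. The VM name firewall-lab, the host-only adapter name vboxnet0 and the bridged physical NIC eth0 are assumptions.

```python
"""Plan and script the VirtualBox firewall lab described in the text (added example)."""
import ipaddress
import shlex
import subprocess
from typing import List

# Figures from the article; names marked "assumption" are not from the page.
LAN = ipaddress.ip_network("192.168.56.0/24")
HOST_IP = "192.168.56.1"          # host side of the host-only network
FIREWALL_LAN_IP = "192.168.56.2"  # firewall's second (LAN) adaptor
DHCP_FIRST, DHCP_LAST = "192.168.56.20", "192.168.56.50"
HOST_ONLY_IF = "vboxnet0"         # assumption: name VirtualBox gives the first host-only adapter
BRIDGE_IF = "eth0"                # assumption: physical NIC that adapter 1 bridges to
VM_NAME = "firewall-lab"          # assumption


def check_lab_addressing(lan=LAN, host_ip=HOST_IP, fw_ip=FIREWALL_LAN_IP,
                         first=DHCP_FIRST, last=DHCP_LAST) -> List[str]:
    """Return a list of problems with the host-only addressing plan (empty if it is sound)."""
    problems = []
    host, fw = ipaddress.ip_address(host_ip), ipaddress.ip_address(fw_ip)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for label, addr in (("host", host), ("firewall LAN", fw), ("DHCP start", lo), ("DHCP end", hi)):
        if addr not in lan:
            problems.append(f"{label} address {addr} is outside {lan}")
    if lo > hi:
        problems.append("DHCP range is reversed")
    if host == fw:
        problems.append("host and firewall share an address")
    for label, addr in (("host", host), ("firewall LAN", fw)):
        if lo <= addr <= hi:
            problems.append(f"DHCP pool would hand out the {label} address {addr}")
    return problems


def vboxmanage_commands(vm=VM_NAME, hostonly_if=HOST_ONLY_IF, bridge_if=BRIDGE_IF,
                        host_ip=HOST_IP, lan=LAN) -> List[List[str]]:
    """Build the VBoxManage command lines equivalent to the GUI steps in the text.

    Adapter 1 is bridged to the physical NIC (the firewall's internet side); adapter 2
    sits on the host-only network (its LAN side). VirtualBox's own DHCP server for the
    host-only network is removed because the firewall VM is meant to hand out leases.
    """
    return [
        ["VBoxManage", "hostonlyif", "create"],
        ["VBoxManage", "hostonlyif", "ipconfig", hostonly_if,
         "--ip", host_ip, "--netmask", str(lan.netmask)],
        ["VBoxManage", "dhcpserver", "remove", "--ifname", hostonly_if],
        ["VBoxManage", "createvm", "--name", vm, "--register"],
        ["VBoxManage", "modifyvm", vm, "--nic1", "bridged", "--bridgeadapter1", bridge_if],
        ["VBoxManage", "modifyvm", vm, "--nic2", "hostonly", "--hostonlyadapter2", hostonly_if],
    ]


def build_lab(run: bool = False) -> List[str]:
    """Validate the plan, then print (or, with run=True, execute) the commands.

    Returns the shell-quoted command lines so the plan can be reviewed before running it.
    """
    problems = check_lab_addressing()
    if problems:
        raise ValueError("; ".join(problems))
    commands = vboxmanage_commands()
    lines = [" ".join(shlex.quote(arg) for arg in cmd) for cmd in commands]
    for cmd, line in zip(commands, lines):
        if run:
            subprocess.run(cmd, check=True)
        else:
            print(line)
    return lines


if __name__ == "__main__":
    build_lab(run=False)   # dry run: review the commands, then call build_lab(run=True)
```

The DHCP pool deliberately starts at .20 so that the host (.1) and the firewall (.2) are never leased to a client VM; the check function is what catches that class of mistake when the figures are changed.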

The IPFire kernel is hardened with the grsecurity patchset to thwart zero-day exploits and comes with strict access controls. The distro can also divide networks based on their respective security levels and enables you to create custom policies to manage each network. For more elaborate control, you can also manage outbound access to the internet from any segment.

IPFire uses a Stateful Packet Inspection (SPI) firewall built on top of netfilter, which provides Network Address Translation (NAT), packet filtering and packet mangling. You can set up the firewall for everything from forwarding ports to creating a DMZ. The project’s wiki also hosts a best-practices guide for creating firewall rules for common scenarios.

The pfSense distro also uses a stateful firewall and can filter traffic by source and destination IP, IP protocol, and source and destination port for TCP and UDP traffic. It offers various options for handling connection state, including keep state, which is used by default for all rules and works with all protocols, and sloppy state, which works only for TCP traffic. It also allows you to limit simultaneous connections for every rule.

The pfSense distro uses the p0f OS fingerprinting utility to allow you to filter traffic based on the operating system initiating the connection. You can also decide to log (or not) traffic matching each rule. The OPNsense distro was forked from pfSense and offers pretty much the same features for the firewall and other aspects of the system.
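The stateful behaviour described in the last three paragraphs (default deny, replies admitted only when a matching state exists, the keep and sloppy trackers, a per-rule limit on simultaneous connections and per-rule logging) is easier to see in code than in prose. The following Python model is an added example written for this article, not code from IPFire, pfSense or OPNsense and not how netfilter or pf implement state internally. The policy, the packet sequence and the addresses (the lab’s 192.168.56.0/24 and the TEST-NET-3 address 203.0.113.10 standing in for an external web server) are constructed.

```python
"""Toy stateful packet filter (added example, not code from any of the distros)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "A"; empty for UDP


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    proto: str = "any"
    src: str = "0.0.0.0/0"            # CIDR networks; a single host is written as /32
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None       # None matches any destination port
    state: str = "keep"               # "keep" (default), "sloppy" or "none"
    max_states: Optional[int] = None  # cap on simultaneous connections created by this rule
    log: bool = False                 # per-rule logging switch

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


Key = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class StatefulFilter:
    """First-match rule evaluation with a state table and default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.states: Dict[Key, Rule] = {}   # forward 5-tuple -> rule that created the state
        self.log: List[str] = []

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> Key:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _decide(self, p: Packet) -> Tuple[str, Optional[Rule]]:
        # Packets of a tracked connection pass in either direction without consulting
        # the rules: this is what lets replies in without an explicit inbound rule.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return "pass", None
        for rule in self.rules:
            if not rule.matches(p):
                continue
            if rule.action != "pass":
                return "block", rule
            if rule.state == "none":
                return "pass", rule              # stateless: replies need their own rule
            # "keep" creates TCP state only from a connection-opening SYN; "sloppy" skips
            # the handshake and sequence checks and so also picks up mid-stream packets.
            if p.proto == "tcp" and rule.state == "keep" and p.flags != "S":
                return "block", rule
            if rule.max_states is not None:
                in_use = sum(1 for r in self.states.values() if r is rule)
                if in_use >= rule.max_states:
                    return "block", rule         # connection limit for this rule reached
            self.states[self._key(p)] = rule
            return "pass", rule
        return "block", None                     # no rule matched: default deny

    def filter(self, p: Packet) -> str:
        verdict, rule = self._decide(p)
        if rule is not None and rule.log:
            self.log.append(f"{verdict} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Run a constructed packet sequence through a two-rule policy for the lab network.

    LAN 192.168.56.0/24, firewall at 192.168.56.2, 203.0.113.10 as a constructed external
    web server. Returns the per-packet verdicts and the log produced by the logging rule.
    """
    fw = StatefulFilter([
        Rule("pass", proto="tcp", src="192.168.56.0/24", dport=443, max_states=1, log=True),
        Rule("pass", proto="udp", src="192.168.56.0/24", dst="192.168.56.2/32", dport=53),
    ])
    lan, gw, web = "192.168.56.25", "192.168.56.2", "203.0.113.10"
    traffic = {
        "syn_out":        Packet("tcp", lan, 40000, web, 443, "S"),   # opens a connection
        "reply_in":       Packet("tcp", web, 443, lan, 40000, "SA"),  # reply to tracked state
        "unsolicited_in": Packet("tcp", web, 443, lan, 40001, "SA"),  # no state, no rule
        "midstream_out":  Packet("tcp", lan, 40002, web, 443, "A"),   # ACK without a SYN
        "second_conn":    Packet("tcp", lan, 40003, web, 443, "S"),   # exceeds max_states=1
        "dns_out":        Packet("udp", lan, 5353, gw, 53),
        "dns_reply":      Packet("udp", gw, 53, lan, 5353),
        "telnet_out":     Packet("tcp", lan, 40004, web, 23, "S"),    # no rule: default deny
    }
    return {name: fw.filter(p) for name, p in traffic.items()}, fw.log
```

The model reduces the keep/sloppy distinction to whether TCP state may be created from a packet other than a SYN. The defining property of the real sloppy tracker is that it does not validate TCP sequence numbers, which is what allows it to pick up connections mid-stream (useful with asymmetric routing) and also why pf’s documentation warns that it makes packet insertion easier; that is the trade-off behind the page’s note that sloppy state is TCP-only.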

Sophos UTM, unlike the other distros, cuts off all traffic and then enables you to allow specific types of traffic, such as web and email, during initial setup. The server also includes an innovative category-based web filter that blocks sites based on the type of content, with categories such as Drugs, Medicine, Nudity, Ordering and Weapons. It also offers to scan websites and emails sent over POP3 for viruses.

Untangle’s hosted firewall can be set up through an easy to use interface that makes it very straightforward and simple to define rules for firewalling traffic. You can also gain granular control over the traffic by defining complex rules that combine multiple parameters. This might seem like quite an involved process, but it’s made more accessible by abundant use of relevant pull-down menus.

Verdict

  • IPFire: 4/5
  • OPNsense: 4/5
  • pfSense: 4/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 4/5

All the distros in this roundup bundle a lot of other functionality besides the firewall. Some distros offer these features as free add-ons while others charge for this additional functionality. While we’ll list all the functionality provided by each distro, in order to be fair to the FOSS distros, we’ll rate all of them based on the modules that are available without any charge.

IPFire can be used as a VPN gateway, an infrastructure server, a content filter, a proxy server, a caching name server, an update accelerator and more. When used as an internet gateway, the distro can connect to the internet through all popular types of broadband and mobile access, including VDSL, ADSL, Ethernet and 3G/4G.

Some of the interesting uses for both pfSense and OPNsense are as a traffic shaper, load balancer and VPN. They both offer three options for VPN connectivity: IPsec, OpenVPN and PPTP. Similarly, you can use the Sophos UTM server as a site-to-site VPN solution and configure it to handle VoIP connections and balance load.

Untangle doesn’t ship with any components pre-installed but its recommended package installs over a dozen applications and services including: web filter; virus blocker; spam blocker; bandwidth control; application control; captive portal; WAN balancer; and a firewall among others. Some of the applications that Untangle doesn’t install are the ad blocker, intrusion prevention and web cache. Also unlike the other distros, some of the Untangle applications are paid-for options that only install a 14-day trial version.

Verdict

  • IPFire: 5/5
  • OPNsense: 5/5
  • pfSense: 5/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 3/5

While servers require more involvement and active maintenance, some aspects of the installation process are, in fact, streamlined: a server distro is designed to take over an entire hard disk, which removes the need to define partitions. The firewall distros in this roundup go to great lengths to help you mould the installation to your network configuration. All of them use browser-based interfaces that can be used to monitor and modify the various components of the firewall.

Having a graphical interface is crucial, as a technologically sound base isn’t enough by itself: a convoluted or illogically arranged management interface has a direct bearing on a distro’s usability and prevents users from getting the most out of it.

We’ll break this slide down into mini-reviews of the deployment experience, starting with…

IPFire

IPFire is written from scratch and has a straightforward installation process. The installer will detect the number of NICs attached to the computer and ask you to assign them to one of the four colour-coded zones. Each of these zones caters to a group of machines that share a common security level. Later on you’ll be asked to assign an IP address to the NIC that’s connected to your internal network, which will dole out IP addresses via DHCP.

Once you’ve installed the distro, fire up its browser-based admin interface which is available on the IP address you assigned to the NIC connected to the local network. Head to the Firewall section in the admin interface to define the rules for the firewall. While the interface is simple to use, it requires some expertise for effective deployment and some time spent with IPFire’s documentation.

Score: 3/5

OPNsense

This distro was forked from pfSense and follows the same straightforward installation procedure. After installation, the distro boots to the command-line dashboard, which also includes the address of the browser-based admin console. The admin interface is the one major visible difference between the distro and its progenitor. The interface takes you through a brief setup wizard prompting you for information about your network.

Once it’s rebooted with the right settings, head to the Rules section under Firewall. The rules definition interface is presented logically and includes a switch to display relevant help information to explain the various settings. Similarly, configuring the other components of the firewall distro is also a relatively intuitive process. Since the distro has a vast number of settings, you can enter keywords in the search box at the top of the interface to locate the relevant setting.

Score: 4/5

pfSense

The FreeBSD-based distros, pfSense and OPNsense, use the same fairly automated installers, though the original pfSense version offers more advanced options, including the ability to install a custom kernel. Again, just like OPNsense, pfSense boots to a console-based interface that gives you the option to configure the network interfaces on the installed machine.

Once they are all set up and configured, a browser-based console takes the user through a setup wizard. The interface isn’t the most pleasing to look at: the page for adding a new firewall rule, for instance, is verbose and only contains links to relevant documentation designed to help new users. The distro requires you to put some time into learning it, especially if you’re going to use the add-on packages, but the documentation is worth its weight in gold (if printed out).

Score: 3/5

Sophos UTM

Sophos UTM was originally known as the Astaro Security Gateway. You have to download the ISO, register on the project’s website and get a user licence, which you’ll have to upload to the server when configuring it. During installation, Sophos asks you to select the NIC connected to the internal network and assign it an IP address, which you can use to access the distro’s browser-based admin interface. Users are also asked to permit the installation of some proprietary components, which has to be agreed to in order to use the distro.

Once installed, users are expected to bring up a browser-based management interface and run through the brief setup during which they will be asked to upload their licence. Sophos then locks down all traffic and enables you to poke holes for the type of traffic you wish to allow during the initial setup.

Score: 5/5

Untangle NG Firewall

The Debian-based distro is very easy to set up and is the only distro in this roundup which restarts after install into a web-based setup wizard. You’re asked to set the password for the admin user, then point to and configure the two network cards – one that connects to the internet and the other to the local network.

When setup is complete, Untangle prompts you to create a free account in order to configure the server. You’ll then have to install applications, such as the firewall, to infuse that functionality into the server. Almost all the applications are preconfigured and run automatically after install. You can also configure each application by clicking the ‘Settings’ button under it. Untangle’s dashboard also enables you to analyse the traffic passing through the server, and each application will show statistics for its own traffic as well.

Score: 4/5

Virtually all the distros in this roundup offer a host of paid services. IPFire offers paid support through Lightning Wire Labs, which provides custom solutions to enterprises that use IPFire. The company also offers customised hardware appliances that integrate well with your infrastructure.

OPNsense has multiple commercial support options. The annual subscription to the business support package costs €299 (£255). There are also professional services designed for larger deployments, integrations and custom changes to the distro.

You can also purchase support packages for your pfSense deployment, which include technical support, configuration assistance and a configuration review. The pfSense project also conducts training, with the cheapest course starting at £699.

Besides retailing a version of the Sophos UTM for larger organisations, Sophos offers support packages via its resellers. The firm also offers over 40 online and offline training courses on different aspects of the distro. The fees for the courses vary, but an introductory two-hour webinar costs $249 (£200).

Untangle retails several components to extend the functionality of the firewall distro. If you purchase the complete package it costs $55 (£44) a month. Untangle also sells several hardware appliances with the firewall server pre-installed that range from $399 (£320) to $7,599 (£6,080).

Verdict

  • IPFire: 5/5
  • OPNsense: 5/5
  • pfSense: 5/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 5/5

Just like paid services, all projects behind the firewall distros in this roundup offer a hefty amount of documentation and support in the form of guides, wikis and forums to handhold you through common deployments.

The IPFire project hosts detailed documentation in wikis, as well as its English and German forum boards, in addition to the IRC channel and dedicated mailing lists. OPNsense also has forums, a wiki, IRC and very detailed documentation covering every aspect of deployment. Furthermore, the project has over a dozen how-tos on popular configurations and setups, such as configuring traffic shaping, web filtering and setting up a guest network.

The best source of documentation for the pfSense distro is its handbook which comes with a Gold Membership subscription. Besides this there’s a wiki, forums, mailing lists and IRC. The wiki hosts a large collection of how-tos, most of which are clear and to the point. The project developers are also very active on social networks, such as Reddit, where users can seek help.

The Sophos website hosts PDFs of the quick-start guide and a 600-page administrator’s guide, in addition to community supported bulletin boards. There’s also the Sophos Knowledge Base, which hosts articles on different aspects of the distro. Finally, the Untangle project also hosts forums, a FAQ, and its wiki pages have screenshots where applicable, and some short tutorials.

Verdict

  • IPFire: 5/5
  • OPNsense: 5/5
  • pfSense: 5/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 5/5

A firewall server – just like any other server – needs constant upkeep, whether it’s to install updates or new add-ons. IPFire ships with Pakfire, an extensive package management utility that makes it fairly simple to flesh out the basic installation. The package manager also enables updates to address security issues.

Similarly, pfSense also includes a package manager which can be used to install and update packages. The packages are grouped under categories, such as Services and Utility, Security and so forth, and include a wide range of applications, such as Asterisk, Dansguardian, FreeRadius2, Snort, Squid and a lot more. The distro is configured to automatically install new versions of firmware and includes a host of diagnostic tools and utilities to troubleshoot the installation.

OPNsense also contains a package manager but doesn’t offer as many packages as you get with pfSense. However, like pfSense, it too can fetch and install updates for all the installed components.

There’s no package management option in Sophos UTM as all features are shipped in the distro and you can enable them as required. The distro includes the Up2Date utility for installing updates to the firewall’s firmware as well as for fetching newer patterns for components, such as the antivirus and the IPS.

With Untangle you have to use the interface to fetch any of the required components. There’s the Reports application which monitors and prepares detailed and visually appealing reports about the server as well as its different components. The distro also includes the ability to update the installation and its components. You can configure it to install updates automatically while setting up the distro and use the web interface to customise the schedule for the automatic updates.

Verdict

  • IPFire: 5/5
  • OPNsense: 4/5
  • pfSense: 5/5
  • Sophos UTM: 4/5
  • Untangle NG Firewall: 5/5

While IPFire is based on Linux From Scratch, it has borrowed the browser-based interface from the IPCop distro. The interface has a simple and easy to navigate layout with the different aspects of the firewall server grouped under tabs listed at the top of the page. The System tab houses options that influence the entire install. This is where you’ll find the option to enable SSH access and create a backup ISO image of the installation with or without the log files. The Status tab gives an overview of the various components while the Services tab enables you to enable and configure individual services besides the firewall.

The dashboard in pfSense is more verbose than IPFire’s but has pretty much the same layout. The Firewall drop-down menu houses options to define the filtering rules as well as configure the traffic shaper. Settings for other services, such as the load balancer and captive portal, are housed under the Services menu. VPN gets its own menu and enables you to configure the various supported VPN protocols. The CLI console on the firewall server displays a dashboard of sorts as well. In addition to the addresses assigned to the different NICs, it allows you to reset the configuration of the install to the default state and even upgrade the install.

Sophos UTM also has a loaded dashboard interface. Among other things, it displays information about the threats that firewall components have blocked in the last 24 hours. You can also use the Search box to narrow down the list of options.

OPNsense has a more refined interface than pfSense. Certain sections, such as when adding firewall rules, include a toggle labelled full help. When enabled, this option appends relevant information to all fields to help users make the right selection.

Untangle also has a polished interface. Once you’ve installed an application, it’s enabled automatically and listed in the app rack. Each app has a ‘Settings’ button for tweaking parameters and the rack also supplies a snapshot of traffic it has processed.

Verdict

  • IPFire: 3/5
  • OPNsense: 4/5
  • pfSense: 2/5
  • Sophos UTM: 4/5
  • Untangle NG Firewall: 4/5

Deploying a server is as much about personal preference as it is about a product’s technical dexterity. Despite our objective testing, the results and our recommendation are influenced by our own preferences. Also, all firewall servers offer much the same functionality, but since this is delivered by different applications, one product might do a certain task better than the others.

The one distro we definitely won’t be recommending is Untangle. But that isn’t a reflection of its technical inferiority, rather the availability of similar functions from its competitors at no cost. A majority of Untangle’s apps in the free version are 14-day trials. Moreover, even with the paid components the distro doesn’t offer anything compelling over the others.

We’ve docked pfSense a few points for similar reasons. The distro is a tweaker’s paradise. You can flesh out this distro into any kind of server. However, unless you’re used to its tools and FreeBSD underpinnings, it’ll only end up confusing you with a myriad of options. A better approach to pfSense comes from its fork OPNsense, which has a nicer user interface and rewritten components, such as the captive portal.

The runner-up spot goes to IPFire which has an impressive list of features. Of note is its Pakfire package management system that helps update and flesh out the install. The distro’s UI also makes it easier to configure several components, such as OpenVPN, when compared with the other distros.

The top honour goes to Sophos UTM which is free for managing a network of up to 50 IP addresses, and bundles the Sophos Endpoint Protection for up to 10 computers. The distro bundles an impressive list of tools many of which are the same as the distro’s paid enterprise edition. We also like that the distro enables the firewall as soon as it’s installed, and allows you to poke holes in the firewall to enable the flow of required traffic. Not only is this the proper way to deploy a firewall, the Sophos wizard makes it easier for inexperienced users to reap the benefits from the get-go.

So, our final rankings are as follows:

1st Place: Sophos UTM – bundles all the essential features with an intuitive UI.

Overall score: 4/5

Web: https://www.sophos.com

2nd Place: IPFire – a secure and expandable distro with a functional management interface.

Overall score: 4/5

Web: http://www.ipfire.org

3rd Place: OPNsense – all the benefits of pfSense with a reimagined UI.

Overall score: 4/5 

Web: https://opnsense.org

4th Place: pfSense – feature rich and fully functional distro but with an archaic interface.

Overall score: 3/5

Web: https://www.pfsense.org

5th Place: Untangle NG Firewall – the free version is little more than a demo for the paid version.

Overall score: 2/5

Web: http://ift.tt/Xo6LKb

Two popular firewall distros we didn’t include in this roundup are Smoothwall Express and IPCop. Both haven’t had a stable release in quite a while, but IPCop is being actively worked on and will be putting out a new release soon. Then there’s also the feature-restricted community edition of the Endian Firewall as well as the Zeroshell firewall router distro for embedded devices. You can also add firewall functionality to your existing gateway server. ClearOS and Zentyal are two gateway servers that are used as firewalls as well.

On the other hand, if you are the DIY type, you can build your own firewall appliance as well with little effort. One approach would be to use an ARM-based plug computer or a Raspberry Pi and install a minimal Linux distro, such as Arch Linux, and then use the built-in iptables firewall. To assist you with creating and managing rules, you could also use a graphical tool such as Shorewall. The other approach is to either install and use Ubuntu’s UFW tool for managing iptables or use its graphical cousin, GUFW.

http://ift.tt/2lsfRYp
