Wednesday, 20 December 2017

What’s the best Linux firewall distro?

This article was provided to TechRadar by Linux Format, the number one magazine to boost your knowledge on Linux, open source developments, distro releases and much more. Subscribe to the print or digital version of Linux Format here.

You don’t have to manage a large corporate network to use a dedicated firewall. While your Linux distro may already have an impressive firewall installed as well as an equally impressive arsenal of tools to manage it, the advantages don’t extend to the other devices on your network. 

A typical network has more devices connected to the internet than the total number of computers and laptops in your average small or home office. With the onslaught of IoT, it won’t be long before your router is doling out IP addresses to your washing machine and microwave as well.

The one thing you wouldn’t want in this Jetsonian future is having to rely on your router’s limited firewall capabilities to shield your house – and everyone in it – from the malicious bits and bytes floating about on the internet.

A dedicated firewall stands between the internet and your internal network, regulating the data flowing from one to the other. Setting one up is an involved process both in terms of assembling the hardware and configuring the software. However, there are quite a few distros that help you set up a dedicated firewall with ease, and we’re going to look at the ones that have the best protective open source software and roll them into a convenient and easy to use package.

Specifically, in this roundup, we’re going to dissect and compare five different distros: IPFire, OPNsense, pfSense, Sophos UTM and Untangle NG Firewall.

How we tested

While you can test these firewall distros on a spare physical PC, it’s more convenient to take them for a spin inside a virtual machine. Create a virtual network by firing up VirtualBox and heading to File > Preferences > Network. Switch to the host-only network tab and add a new network using the screwdriver icon to assign it an IP address e.g. 192.168.56.1.

Next, create a VM for the firewall distro and make sure it had two network adaptors – the first one in bridged mode, the second one as a host-only network. After installing the distro, you can assign a different IP address such as 192.168.56.2 to the second adaptor and configure it as a DHCP server to assign an IP address range of 192.168.56.20 - 192.168.56.50. From here on out, any other VM connected to the host-only adaptor will be routed through the firewall VM, so you can experiment with it safely. 

See our guide to running Linux in a Virtual Machine here.

IPFire contains a number of security measures such as an IDS (Intrusion Detection System) and a GeoIP block which can block hackers by country.  

The distro can also compartmentalise networks based on their respective security levels using a simple colour-coded system. IPFire also allows you to create custom policies to manage individual networks. For more elaborate control, you can also manage outbound access to the internet from any segment.

IPFire uses a Stateful Packet Inspection (SPI) firewall that’s built on top of the utility netfilter. It facilities Network Address Translation (NAT), packet filtering and packet mangling. You can set up the firewall for everything from forwarding ports to creating a safe DMZ between your network and internet. The project’s wiki also hosts a 'security hardening' guide to create firewall rules for common scenarios.

The pfSense distro uses the p0f OS fingerprinting utility to allow you to filter traffic based on the operating system initiating the connection. You can also choose to log traffic matching each rule. The OPNsense distro was forked from pfSense and offers pretty much the same features for the firewall and other aspects of the system.

Sophos UTM, unlike the other distros, cuts off all traffic and then enables you to allow specific types, such as web and email, during initial setup. The server also includes an innovative category-based web filter that blocks sites based on the type of content and includes categories such as Drugs, Spam URLs, Nudity, Weapons and so on. It also offers to scan emails sent over POP3 for viruses.

Untangle’s hosted firewall can be set up through an easy to use interface that makes it very straightforward and simple to define rules for firewalling traffic. You can also gain granular control over the traffic by defining complex rules that combine multiple parameters. This might seem like quite an involved process, but it’s made more accessible by abundant use of relevant pull-down menus.

Verdict

  • IPFire: 4/5
  • OPNsense: 4/5
  • pfSense: 4/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 4/5

All the distros in this roundup bundle a lot of other functionality besides a basic firewall. Some distros offer these features as free add-ons while others charge for them. While we’ll list all the functionality provided by each distribution, in order to be fair to the FOSS distros, we’ll rate all of them based on the modules that are available free of charge.

IPFire can be used as a VPN gateway, infrastructure server, content filter, proxy server, caching name server, an update accelerator and much more. When used as an internet gateway the distro can connect to the internet through various technologies, encompassing all popular types of broadband access, as well as mobile access, including VDSL, ADSL, Ethernet and 3G/4G.

Both pfSense and OPNsense can operate as a traffic shaper, load balancer and VPN. They both offer three options for VPN connectivity including IPsec, OpenVPN and PPTP. Similarly, you can use the Sophos UTM server as a site-to-site VPN solution and configure it to handle VoIP connections and balance load.

Untangle allows you to choose which features to install via its App Store style interface. If you selected the recommend package during setup it'll install over a dozen applications and services including: a web filter, virus blocker, spam blocker, application control, captive portal, WAN balancer as well as the firewall itself.

Some of the applications that Untangle doesn’t install are an ad blocker, intrusion prevention and web cache. The latest version of Untangle also supports VPN through the Tunnel VPN app.

Unlike the other distros, some of the Untangle applications are paid options with a 14-day trial. 

Verdict

  • IPFire: 5/5
  • OPNsense: 5/5
  • pfSense: 5/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 3/5

While servers require more involvement and active maintenance, some aspects of the installation process are, in fact, streamlined i.e. a server distro is designed to take over an entire hard disk which eradicates the need to define partitions. The firewall distros in this roundup go to great lengths to help you mould the installation as per your network configuration. All of them employ browser-based interfaces that can be used to monitor and modify the various components of the firewall. 

Having a graphical interface is crucial – a technologically sound base isn’t enough by itself. A convoluted or illogically arranged management interface will have a direct bearing on a distro’s usability and prevent users from getting the most out of it.

We’ll break this slide down into mini-reviews of the deployment experience, starting with…

IPFire

IPFire is written from scratch and has a straightforward installation process. The installer will detect the number of NICs (Network Interface Controllers) attached to the computer and ask you to assign them to one of the four colour-coded zones. Each of these zones caters to a group of machines that share a common security level. Later on you’ll be asked to assign an IP address to the NIC that’s connected to your internal network. An IP address will be doled out via DHCP.

Once you’ve installed the distro, fire up its browser-based admin interface which is available on the IP address you assigned to the NIC connected to the local network. Head to the Firewall section in the admin interface to define the rules for the firewall. While the interface is simple to use, it requires some expertise for effective deployment. You should also read the documentation thoroughly. 

Score: 3/5

OPNsense

This distro was forked from pfSense and follows the same straightforward installation procedure. After installation, the distro boots to the command-line dashboard which also includes the address of the browser-based admin console. The admin interface is the one major visible difference between the distro and its progenitor. The interface takes you through a brief setup wizard prompting you for information about your network.

Once it’s rebooted with the right settings, head to the Rules section under Firewall. The rules definition interface is presented logically and includes a switch to display relevant help information to explain the various settings. Similarly, configuring the other components of the firewall distro is also a relatively intuitive process. Since the distro has a vast number of settings, you can enter keywords in the search box at the top of the interface to locate the relevant setting.

Score: 4/5

pfSense

The FreeBSD-based distros, pfSense and OPNsense, use the same fairly automated installers, though the original pfSense version offers more advanced options, including the ability to install a custom kernel. Again, just like OPNsense, pfSense boots to a console-based interface that gives you the option to configure the network interfaces on the installed machine.

Once they're installed a browser-based console will take you through the firewall setup wizard. The web interface for pfSense has recently been updated giving it a much smoother and more streamlined feel. 

The distro requires you to put some time into learning it, especially if you’re going to use the add-on packages, but the documentation is worth its weight in gold (if printed out).

Score: 3/5

Sophos UTM

To get started with Sophos UTM you have to download the ISO, register on the project’s website, get a user licence and upload it to the server for further configuration. During installation, Sophos asks you to select the NIC connected to the internal network and assign it an IP address, which you can use to access the distro’s browser-based admin interface. You'll also be asked to agree to installation of some proprietary components which are necessary in order to use the distro.

Once installed, you can bring up the browser-based management interface and run through the brief setup during which you can upload the licence. Sophos then locks down all traffic and enables you to 'poke' holes for the type of traffic you wish to allow.

Score: 5/5

Untangle NG Firewall

The Debian-based distro Untangle NG is very easy to set up and is the only distro in this roundup which restarts automatically after installation into the web-based setup wizard. Untangle NG asks you to set the password for the admin user, then to choose and configure the two network cards. One of these connects to the internet and the other to your local network.

Once setup is complete, Untangle prompts you to create a free account in order to configure the server. You’ll then have to install applications, such as the firewall, to enable specific functions. Almost all the applications are preconfigured and run automatically after install. You can also customise each application by clicking the Settings button under it. Untangle’s dashboard also enables you to analyse the traffic passing through the server, and each application will show statistics for its own traffic as well.

Score: 4/5

Virtually all the distros in this roundup offer a range of paid services. IPFire offers paid support through Lightning Wire Labs who provide custom solutions to businesses deploying the firewall. The company also offers customised hardware appliances  to integrate into your network infrastructure.

OPNsense has multiple commercial support options. The annual subscription to the business support package costs €299 (around £265, $355 or AU$460)  and includes three hours of technical assistance. You can purchase additional hours if you wish. There are also gold, silver and bronze professional services designed for larger deployments, integrations and custom changes to the distro.

You can also purchase support packages for your pfSense deployment which include technical support, configuration assistance and a configuration review. Furthermore, the pfSense project offers pfSense Training, with the cheapest course starting at $899 (around £670, AU$1,170).

Besides selling a retail version of the Sophos UTM for larger organisations, Sophos offers support packages via its resellers. The firm also has over 40 online and offline training courses on different aspects of the distro. Fees for the courses vary but an introductory two-hour webinar costs $249 (around £180, AU$310). Sophos also offers a free weekly ransomware webcast.

Untangle sells several components to extend the functionality of the firewall. If you purchase NG Firewall Complete it costs $50 a month (around £40, AU$65) for up to 25 devices. There's a 10% discount for paying annually.

Untangle also sells several hardware appliances with its firewall server preinstalled ranging from the small u25 appliance for $399 (around £300, AU$520) to the firm’s m3000 for $7,599 (around £5,670, AU$9,900).

Verdict

  • IPFire: 5/5
  • OPNsense: 5/5
  • pfSense: 5/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 5/5

Just like paid services, all projects behind the firewall distros in this roundup offer a hefty amount of documentation and support in the form of guides, wikis and forums to help you through the deployment process.

The IPFire project hosts detailed documentation in wikis, as well as its English and German forum boards in addition to an IRC channel and dedicated mailing lists.

OPNsense also has forums, a wiki, IRC and very detailed documentation covering every aspect of deployment. Furthermore, the project has over a dozen how-tos on popular configurations/setups, such as configuring traffic shaping, web filtering and setting up a guest network.

The best source of documentation for the pfSense distro is its handbook which comes with a gold membership subscription. Besides this there’s a wiki, forums, mailing lists and IRC. The wiki hosts a large collection of how-tos, most of which are clear and to the point. The project developers are also very active on social networks, such as Reddit, where users can seek help.

The Sophos website hosts PDFs of the quick-start guide and a 600-page administrator’s guide, in addition to community-supported bulletin boards. There’s also the Sophos Knowledge Base which hosts articles on different aspects of the distro. 

Finally, the Untangle project hosts forums, a FAQ, and its wiki pages have screenshots where applicable, along with some short tutorials.

Verdict

  • IPFire: 5/5
  • OPNsense: 5/5
  • pfSense: 5/5
  • Sophos UTM: 5/5
  • Untangle NG Firewall: 5/5

A firewall server – just like any other server – needs constant upkeep, whether it’s to install updates or new add-ons. IPFire ships with Pakfire, an extensive package management utility that makes it fairly simple to expand on the basic installation. The package manager also enables updates to address security issues.

Similarly, pfSense also includes a package manager which can be used to install and update packages. The packages are grouped under categories, for example Services and Utility, Security and so forth, and include a wide range of applications, such as FreeRadius2, Snort, Squid and many more. The distro is configured to automatically install new versions of firmware and includes a host of diagnostic tools and utilities to troubleshoot the installation.

OPNsense also supports add-ons via the use of plugins, but doesn’t offer as many packages as you get with pfSense. Like pfSense, OPNSense can fetch and install updates for all the installed components.

There’s no package management option in Sophos UTM as all features are shipped in the distro and you can enable them as required. The distro includes the Up2Date utility for installing updates to the firewall’s firmware, as well as for fetching newer patterns for components, such as the antivirus and the Intrusion Prevention System.

Untangle requires you to use the interface to fetch any components you need. The Reports application monitors and prepares detailed and visually appealing reports about the server as well as its different components. The distro also includes the ability to update the installation and its components. You can configure it to install updates automatically during setup, as well as use the web interface to customise the schedule for the automatic updates.

Verdict

  • IPFire: 5/5
  • OPNsense: 4/5
  • pfSense: 5/5
  • Sophos UTM: 4/5
  • Untangle NG Firewall: 5/5

While IPFire is based on Linux From Scratch, its browser-based interface is borrowed from the older firewall distro IPCop. The interface has a simple and easy to navigate layout with the different aspects of the firewall server grouped under tabs listed at the top of the page. The System tab houses options to configure the overall installation. This is where you’ll find the option to enable SSH access and create a backup ISO image of IPFire with or without log files. The Status tab shows you an overview of the various components, while the Services tab lets you enable and configure individual services besides the firewall.

The dashboard in pfSense is more verbose than IPFire’s but has pretty much the same layout. The Firewall drop-down menu houses options to define the filtering rules as well as configure the traffic shaper. Settings for other services, such as the load balancer and captive portal, are housed under the Services menu. VPN has its own menu and enables you to configure the various supported VPN protocols. The CLI console on the firewall server displays a dashboard of sorts, as well. In addition to the addresses assigned to the different NICs, it allows you to reset the configuration of the install to the default state and even upgrade the install.

OPNsense has a more refined interface than pfSense. Certain sections, such as when adding firewall rules, include a toggle labelled 'Full Help'. When enabled, this option appends relevant information to fields to help you make the right selection.

Sophos UTM also has a loaded dashboard interface. Among other things, it displays information about the threats that firewall components have blocked in the last 24 hours. You can also use the Search box to narrow down the list of options.

Untangle also has a polished interface. Once you’ve installed an application, it’s enabled automatically and listed in the app rack. Each app has a Settings button for tweaking parameters. The rack also supplies a snapshot of traffic it has processed.

Verdict

  • IPFire: 3/5
  • OPNsense: 4/5
  • pfSense: 2/5
  • Sophos UTM: 4/5
  • Untangle NG Firewall: 4/5

Deploying a server is as much about personal preference as it is about a product’s technical dexterity. Despite objective testing, the results and our recommendation are influenced by our own preferences. Also, all firewall servers offer much the same functionality, but since this is delivered by different applications, one product might perform a certain task better than the others.

The one distro we definitely do not recommend is Untangle. This isn’t a reflection of its technical inferiority, but the fact that similar functions from its competitors are available cost-free. The majority of Untangle’s apps in the free version are 14-day trials. Even with the paid components, the distro doesn’t offer anything compelling over the others.

We’ve docked pfSense a few points for similar reasons. The distro is a tweaker’s paradise – you can flesh it out into any kind of server. However, unless you’re used to its tools and FreeBSD underpinnings, it’ll only end up confusing you with a myriad options. 

OPNsense, which is a fork of pfSense, has a much better user interface and rewritten components, such as the captive portal.

The runner-up prize goes to IPFire which has an impressive list of features. Its Pakfire package management system helps you to update and expand the initial installation. The distro’s UI also makes it easier to configure several components, such as OpenVPN, when compared with the other offerings here.

The top honour goes to Sophos UTM which is free for managing a network of up to 50 IP addresses, and bundles Sophos Endpoint Protection for up to 10 computers. The distro includes an impressive list of tools, many of which are identical to the paid enterprise edition. We also like that the distro enables the firewall as soon as it’s installed, and allows you to poke holes in the firewall to enable the flow of required traffic. Not only is this the proper way to deploy a firewall, the Sophos wizard makes it easier for inexperienced users to reap the benefits from the get-go.

So, our final rankings are as follows:

1st Place: Sophos UTM – bundles all the essential features with an intuitive UI.

Overall score: 4/5

Web: https://www.sophos.com

2nd Place: IPFire – a secure and expandable distro with a functional management interface.

Overall score: 4/5

Web: http://www.ipfire.org

3rd Place: OPNsense – all the benefits of pfSense with a reimagined UI.

Overall score: 4/5 

Web: https://opnsense.org

4th Place: pfSense – feature rich and fully functional distro, with a simple interface.

Overall score: 3/5

Web: https://www.pfsense.org

5th Place: Untangle NG Firewall – the free version is little more than a demo for the paid version.

Overall score: 2/5

Web: http://ift.tt/Xo6LKb

One popular firewall distro we didn’t include in this roundup is Smoothwall Express. It hasn't had a stable release since 2014, but is still one of the most well-known firewall distros out there. 

Then there’s also the feature-restricted community edition of the Endian Firewall as well as the Zeroshell firewall router distro for embedded devices. You can also add firewall functionality to your existing gateway server. ClearOS and Zentyal are two such systems which can be adapted into firewalls.

If you are the DIY type, it’s possible to build your own firewall appliance with little effort. One approach would be to use an ARM-based computer such as a Raspberry Pi. The website for the IPFire distro provides ARM images to download and install to your Pi’s SD card.

Alternatively you could install a minimal Linux distro, such as Arch Linux, and then use the built-in iptables firewall. To assist you with creating and managing rules, you could also use a graphical tool such as Shorewall. Another approach would be to install and use Ubuntu’s command line tool ufw or its graphical companion Gufw to manage iptables.

http://ift.tt/2lsfRYp

No comments:

Post a Comment