
Open Source Firewall Appliance Round 2

A few years ago I blogged about using the Untangle firewall to replace a Sonicwall or similar firewall appliance.

Since then, Untangle has come a long way. I would like to revisit the untangle appliance as it has undergone numerous improvements, and in my opinion is now a fully capable replacement for an off-the-shelf firewall appliance.

Hardware update…

For a solid and completely silent firewall for a business environment, here is my current recommendation (prices are for new components; refurbished or used parts could reduce the price by 30% – 50%).
Server – ASUS RS100-X5/PI2: ~$300
Processor – Intel Core 2 Duo E7500: ~$105
RAM – 4GB (2x2GB) DDR2-667: ~$90
Hard Drive – WD RE3 or equivalent (200 – 500GB) SATA: ~$100

Total cost is under $600. This would be comparable to a $3000+ Sonicwall or similar appliance and would be significantly quieter.

If you need more ports, a quality 4 port PCI-E Ethernet card runs about $350. The $1000 tag on this server with 6 Ethernet ports is still a bargain. A quality single port Ethernet card would run around $75. Don’t use a desktop Ethernet card in a server like this and expect good performance; you need a quality 3Com, Intel or other enterprise-grade card.

This is still a low-end server, but it is silent and would work well for a moderately sized office. If you have the budget and usage to require it, you could put this on a dual quad-core server with 32GB or more of RAM. Additionally, for datacenter usage you don’t need to worry about noise, so a more robust server could probably be set up for the same cost.

Unlike most interactive desktop workloads, packet inspection and other firewall tasks are very processor intensive. The faster the processors, the better a firewall appliance will perform. If you do decide to build an Untangle or other firewall appliance, keep this in mind. Embedded processors like Intel Atoms or VIA chips are not a good match for a firewall, even though they are designed to fit in compact enclosures. They work well for what they’re designed to do, but they are not designed for this.

Current hardware recommendations are as follows:


Size           CPU              RAM      DISK    NIC
Minimum        800 MHz          512 MB   20 GB   2 (inline)
1-50 PCs       P4               1 GB     80 GB   2+ NICs
51-150 PCs     Dual Core        2 GB     80 GB   2+ NICs
151-500 PCs    2+ Cores         2+ GB    80 GB   2+ NICs
501-1500 PCs   Quad Core x64    4 GB     80 GB   2+ NICs
1500+ PCs      4+ Cores x64     4+ GB    80 GB   2+ NICs

VPN
Something I didn’t discuss in my last article was the VPN. Untangle comes bundled with OpenVPN. There is no limit other than that of your hardware on the number of VPN users your appliance can support. It is extremely easy to add, suspend and remove VPN users. Each VPN user is sent a custom key and connection profile to install on their computer. The VPN also supports site-to-site VPN, allowing 2 or more offices to virtually share the same network no matter their distance from each other.

OpenVPN is much simpler than any VPN software I have used on either the client or host side. It makes VPN administration and setup a breeze. If you have used Cisco, SonicWall or other VPN services, this will be a breath of fresh air in administration and setup.
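To make the site-to-site arrangement above concrete, here is an added example of a plain OpenVPN server and client configuration; it is not Untangle’s generated configuration and is not from the original post. The head-office LAN (192.168.1.0/24), the branch LAN (192.168.2.0/24), the tunnel pool (10.8.0.0/24), the hostname vpn.example.com, and all certificate file names are assumptions.

```conf
# --- server.conf on the head-office appliance (LAN 192.168.1.0/24) ---
# Assumed paths and addresses. The CA, server and client certificates
# are generated separately (e.g. with easy-rsa); each branch or user
# gets its own certificate/key pair, which is what gets revoked when
# that user is removed.
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/headoffice.crt
key  /etc/openvpn/headoffice.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0         # extra HMAC on the control channel
crl-verify /etc/openvpn/crl.pem        # reject revoked (suspended) users
server 10.8.0.0 255.255.255.0          # tunnel address pool
# Tell every client how to reach the head-office LAN through the tunnel
push "route 192.168.1.0 255.255.255.0"
# Send traffic for the branch LAN into the tunnel (kernel routing table)
route 192.168.2.0 255.255.255.0
# Per-client files live in ccd/<certificate CN>; required for iroute
client-config-dir /etc/openvpn/ccd
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
cipher AES-256-CBC
verb 3

# --- /etc/openvpn/ccd/branch-office (file name = branch client CN) ---
# Tells OpenVPN which connected client owns the 192.168.2.0/24 network
iroute 192.168.2.0 255.255.255.0

# --- client.conf on the branch-office appliance (LAN 192.168.2.0/24) ---
client
dev tun
proto udp
remote vpn.example.com 1194            # assumed public name of head office
resolv-retry infinite
nobind
persist-key
persist-tun
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/branch-office.crt
key  /etc/openvpn/branch-office.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server                 # refuse a client cert posing as the server
cipher AES-256-CBC
verb 3
```

Two details are easy to miss: both the `route` and the `iroute` lines are needed (the first puts the branch network in the server’s kernel routing table, the second tells OpenVPN which client tunnel to use), and hosts on each LAN must have a route to the other LAN via the appliance, which is automatic when the appliance is the LAN’s default gateway. The per-user key and profile Untangle sends to each user corresponds to the `cert`/`key` pair here; `crl-verify` is what makes suspending a user take effect without touching the other clients.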

Feature Improvements
When we started using Untangle, it was not designed to handle advanced protocols, including some VPN services and multi-protocol traffic like VoIP (Voice over IP) phone services.
I am happy to say that Untangle now fully supports multi-protocol traffic like VoIP or IPsec. Some types of traffic will require custom configurations, but so far I haven’t found any sort of traffic that Untangle has problems with.

Untangle also now supports firewall bypassing for high-availability applications, and supports a form of QoS (Quality of Service). The QoS is very configurable, but still not quite as user friendly as other platforms. It is, however, usable despite some potentially complicated setups. QoS is essential for running VoIP and other mission-critical applications. It can also be used to throttle down bandwidth-eating services like online video.

OS Upgrades
Untangle is now offered as a 64-bit operating system, something to satisfy the larger memory requirements of more robust servers. It is still a small custom Debian Linux build. The total install file size is around 500MB, which is a breath of fresh air compared to the 3 – 4GB sizes of many current Linux distributions.
There is also a Windows version for those who don’t have a dedicated server to run Untangle on. In this case, Untangle works as a re-router, controlling the routing and traffic of a network, but on an existing Windows XP computer.

Conclusion
Untangle has moved from an aspiring concept to a true contender to established firewall appliances. At this point, I can’t see any reason why a business would spend the extra money on a Sonicwall or similar appliance. Pair this with OpenDNS, and you have a reliable system that can block websites at the DNS level, and a full-featured firewall for spam, intrusion, phishing, viruses, and just about every other threat your users will encounter on the internet.

Untangle resources
Untangle Downloads (32bit, 64bit, and Windows)
Untangle guide (Wiki)
The Untangle Blog

If you don’t want to build an appliance yourself, there are plenty of approved Untangle hardware vendors.



