Although my company has no firewall product yet, I have a customer who
uses our firewall.

This sounds crazy, no?

Yet it is indeed crazy.

What I thought was a basic firewall is different from what I now think.

And I think in a few months' time I might end up building what is known as UTM.

UTM stands for unified threat management.

It manages all kinds of threats: Snort IDS, IPS, spam control, port and
site blocking, et al.

But then a firewall is a combination of not just active functions like this.

You need certain passive monitoring facilities like network monitoring.

It is not just SNMP stuff. You have a Cisco open standard called NetFlow.

That helps you collect packet flows and display them. I have never managed
to get it working.

A firewall has to be able to monitor the goings-on in the network,
which is basically nothing but various kinds of traffic. A glorified
tcpdump, you could say.

Now it also needs various reports and graphs. Easily managed with a
little bit of rrdtool magic and SQLite database manipulation.

In other words a firewall is expected to give adequate active
protection as well as a dashboard of the local network.

Of course firewalls should have VPN and ISP link load-balancing features too.

I believe this is part of the UTM concept, since everyone in the market
seems to be quite dumbfounded by the firewall term; it is almost as
abused as the word sex.

It is used for anything and everything.

But in reality it is only concerned with basic port and IP blocking.

But that is a textbook definition which nobody is going to understand.

It protects your network all right. And that is what my first firewall
deployment attempted to do.

Block all packets and allow only explicitly allowed traffic.

But it crumbled.

Why?

Because a basic IP based kernel firewall does not cut it.

Nowadays every bank, e-mail site and nearly anyone with money goes for
a pool of IP addresses for their site. If it is LinkedIn or Facebook
you are toast, not to mention Google.

So you have to do what is known as URL blocking or URL filtering.

Now Squid is what comes to mind.

But I don't like it. For whatever reason.

Squid has time-based blocking, caching and so on.

I ended up using an open source tool called tinyproxy, which does
excellent URL filtering, although it is not very stable. It keeps
crashing. But I can manage it.

A basic URL filter takes an HTTP URL and inspects it to see if it is
allowed or not. Now the DNS backend takes care of the IP pool problem
I spoke of above. The URL is what is inspected to do allow/deny in
userland.

This has been a big relief for me.

Now this works only for web URLs.

What about HTTPS? What about other protocols like FTP and P2P traffic?

What about IM? There is a tool called imspector, which is a C++ open
source project that can help you log your chat messages.

Then you have to do what is known as content filtering.

Whenever some customer asks me this I stare blankly.

What does this mean?

You mean inspect every damn packet to look into what it contains?

Read every e-mail at wire speed?

I just don't know how to do it. Perhaps later.

Normally firewalls come with multiple WAN ports and multiple LAN ports.

They are able to do certain WiFi AP functions like RADIUS
authentication and stuff known as captive portal.

Check out the pfSense project, which is a FreeBSD-based open source firewall.

I have to take dinner.

Moreover this mail has gotten too long and too broad.

I will send another to deal with this topic again.

-Girish

-- 
Gayatri Hitech
http://gayatri-hitech.com
_______________________________________________
ILUGC Mailing List:
http://www.ae.iitm.ac.in/mailman/listinfo/ilugc

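The mail above makes two points about URL filtering: a kernel packet filter keyed on IP addresses fails against sites served from an address pool, and a userland proxy that decides on the hostname or URL does not. The following is an added example of that decision logic, written for this page; it is not tinyproxy's or Squid's code and not something the author posted. The blocklist, the DNS answers and the request lines are constructed, and the choice to deny requests that name a bare IP address (which would otherwise walk straight past a name-based list) is an assumption of this example, not a recommendation from the mail. It also covers the HTTPS case the mail asks about: with a CONNECT tunnel the proxy sees only the hostname and port, never the path.

```python
"""Hostname-based allow/deny, the way a filtering proxy applies it.

Added example: not code from the mail above, from tinyproxy or from Squid.
The blocklist, the DNS answers and the sample requests are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed blocklist; an entry covers the domain and every subdomain of it.
BLOCKED_DOMAINS = {"facebook.com", "linkedin.com"}

# Policy assumption for this example: a request whose target is a bare IP
# address is denied, because it would otherwise bypass a name-based list.
DENY_IP_LITERALS = True

# Constructed DNS answers standing in for a site served from an address pool.
DNS_ANSWERS: Dict[str, List[str]] = {
    "www.facebook.com": ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
}


def _clean_host(host: str) -> str:
    # Strip IPv6 brackets, lowercase, drop a trailing dot (FQDN form).
    return host.strip("[]").lower().rstrip(".")


def request_target(request_line: str,
                   host_header: Optional[str] = None) -> Tuple[str, int, Optional[str]]:
    """Return (hostname, port, path) for the three request shapes a proxy sees.

    CONNECT host:443 HTTP/1.1      HTTPS tunnel: only hostname and port visible
    GET http://host/p HTTP/1.1     absolute-form, what a browser sends a proxy
    GET /p HTTP/1.1 + Host: host   origin-form, e.g. transparent interception
    """
    method, target, _version = request_line.strip().split(" ", 2)
    if method.upper() == "CONNECT":
        host, _, port = target.rpartition(":")
        return _clean_host(host), int(port), None
    if "://" in target:
        parts = urlsplit(target)
        return _clean_host(parts.hostname or ""), parts.port or 80, parts.path or "/"
    if not host_header:
        raise ValueError("origin-form request without a Host header")
    if ":" in host_header and not host_header.endswith("]"):
        host, _, port = host_header.rpartition(":")
    else:
        host, port = host_header, "80"
    return _clean_host(host), int(port), target


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked(hostname: str) -> bool:
    """Match on whole DNS labels, so 'notfacebook.com' is not 'facebook.com'."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def decide(request_line: str, host_header: Optional[str] = None) -> str:
    """ALLOW or DENY for one request, as the proxy would decide in userland."""
    host, _port, _path = request_target(request_line, host_header)
    if is_ip_literal(host):
        return "DENY" if DENY_IP_LITERALS else "ALLOW"
    return "DENY" if is_blocked(host) else "ALLOW"


def uncovered_by_ip_rules(hostname: str, ip_blocklist: set) -> List[str]:
    """Addresses a packet filter with only these IP rules would still pass.

    This is the IP-pool problem: blocking one address of the pool leaves the
    rest reachable, while the name-based decision above catches all of them.
    """
    return [ip for ip in DNS_ANSWERS.get(hostname, []) if ip not in ip_blocklist]


if __name__ == "__main__":
    for line, host in [("CONNECT www.facebook.com:443 HTTP/1.1", None),
                       ("GET http://news.example.org/index.html HTTP/1.1", None),
                       ("GET /login HTTP/1.1", "m.linkedin.com"),
                       ("GET http://203.0.113.7/ HTTP/1.1", None)]:
        print(decide(line, host), line)
    print("still reachable with one IP rule:",
          uncovered_by_ip_rules("www.facebook.com", {"203.0.113.10"}))
```

Two caveats a practitioner would add: the hostname is whatever the client claims (the CONNECT target or Host header), so on a transparent setup it is worth cross-checking it against the real destination address the kernel redirected; and anything that is not HTTP or HTTPS never passes through this code at all, which is the FTP/P2P gap the mail points out.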
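The mail also describes the passive side of the box: a "glorified tcpdump" feeding reports and graphs through rrdtool and SQLite. As an added example (again not the author's code, and not from any of the tools named), here is the accounting half of such a dashboard in Python: flow records go into an in-memory SQLite table, and queries produce top talkers, a per-hour byte series in the `timestamp:value` form that `rrdtool update` accepts, and a list of flows to ports outside an allowed set. The flow records and their field layout (timestamp, source, destination, protocol, destination port, bytes) are constructed for this example; a real deployment would feed them from a flow exporter or a capture summary.

```python
"""Flow accounting for a firewall dashboard, SQLite-backed.

Added example, not code from the mail above. The flow records are constructed;
the column layout is an assumption of this example.
"""
import sqlite3
from typing import Iterable, List, Tuple

# Constructed flow records: ts src dst proto dport bytes (not a real capture).
SAMPLE_FLOWS = """\
# ts         src         dst            proto dport bytes
1700000000 192.0.2.10 203.0.113.5   tcp 443 52000
1700000020 192.0.2.11 203.0.113.5   tcp 443 8000
1700000100 192.0.2.10 198.51.100.7  udp 53  300
1700003700 192.0.2.12 203.0.113.9   tcp 80  1200000
1700003800 192.0.2.10 203.0.113.9   tcp 80  40000
1700007300 192.0.2.11 198.51.100.20 tcp 22  9000
"""

Flow = Tuple[int, str, str, str, int, int]


def parse_flows(text: str) -> Iterable[Flow]:
    """Yield (ts, src, dst, proto, dport, bytes) tuples, skipping comments."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        yield int(ts), src, dst, proto, int(dport), int(nbytes)


def build_db(text: str = SAMPLE_FLOWS) -> sqlite3.Connection:
    """Load flows into an in-memory SQLite database and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flows (ts INTEGER, src TEXT, dst TEXT, "
                 "proto TEXT, dport INTEGER, bytes INTEGER)")
    conn.execute("CREATE INDEX flows_ts ON flows (ts)")
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?, ?)", parse_flows(text))
    conn.commit()
    return conn


def top_talkers(conn: sqlite3.Connection, n: int = 3) -> List[Tuple[str, int]]:
    """Internal hosts ranked by bytes sent."""
    return conn.execute("SELECT src, SUM(bytes) AS total FROM flows "
                        "GROUP BY src ORDER BY total DESC LIMIT ?", (n,)).fetchall()


def bytes_by_service(conn: sqlite3.Connection) -> List[Tuple[str, int, int]]:
    """Bytes per (proto, dport), largest first."""
    return conn.execute("SELECT proto, dport, SUM(bytes) AS total FROM flows "
                        "GROUP BY proto, dport ORDER BY total DESC").fetchall()


def bytes_per_hour(conn: sqlite3.Connection) -> List[Tuple[int, int]]:
    """Bytes per one-hour bucket; bucket = start of the hour as a Unix time."""
    return conn.execute("SELECT (ts / 3600) * 3600 AS bucket, SUM(bytes) FROM flows "
                        "GROUP BY bucket ORDER BY bucket").fetchall()


def rrd_updates(conn: sqlite3.Connection) -> List[str]:
    """Arguments in the 'timestamp:value' form that 'rrdtool update' takes."""
    return [f"{bucket}:{total}" for bucket, total in bytes_per_hour(conn)]


def unexpected_services(conn: sqlite3.Connection, allowed_ports: set) -> List[Tuple]:
    """Flows to destination ports outside the allowed set; the dashboard's
    simplest 'something odd left the network' check."""
    ports = sorted(allowed_ports)
    placeholders = ",".join("?" * len(ports))
    return conn.execute("SELECT ts, src, dst, proto, dport FROM flows "
                        f"WHERE dport NOT IN ({placeholders}) ORDER BY ts",
                        ports).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("top talkers:", top_talkers(db))
    print("by service:", bytes_by_service(db))
    print("rrdtool update args:", rrd_updates(db))
    print("outside 53/80/443:", unexpected_services(db, {53, 80, 443}))
```

The per-hour query does the bucketing in SQL with integer division, so the same table can drive rrdtool (one `update` per bucket) and an HTML report without a second copy of the data; the indexed `ts` column keeps range queries cheap once the table grows past a day of flows.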