[ale] Buy vs. build - Firewall

Raj Wurttemberg rajaw at c64.us
Thu May 5 14:17:04 EDT 2011


Hello David,

I implemented a low-cost but extremely flexible OpenBSD solution at one of
my clients' remote sites. The product is called pfSense,
http://www.pfsense.org/ . I ran the firewall on a low-end PC with a
quad-port NIC so I could have an inbound connection and then other ports for
different VLANs or a DMZ. The product supports OpenVPN as well as IPsec VPN
tunnels. I think it also supports multiple inbound NICs for internet fault
tolerance (i.e., cable modem on one connection and DSL on another).

pfSense is a firewall and a router, so it was able to integrate well with the
existing Windows (AD) and Red Hat environment.

To answer your question about firewall failure... I've never used this
functionality, but I'll quote the pfSense Wiki:

"CARP (failover) - CARP from OpenBSD allows for hardware failover. Two or
more firewalls can be configured as a failover group. If one interface fails
on the primary or the primary goes offline entirely, the secondary becomes
active. pfSense also includes configuration synchronization capabilities, so
you make your configuration changes on the primary and they automatically
synchronize to the secondary firewall."

Hope this helps a little.

Kind regards,
-=Raj=-
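
The CARP/pfsync pair that the quoted wiki text describes, as an added example that is not code from either message or from the pfSense project: pfSense drives this mechanism from its web UI, but underneath it is ordinary FreeBSD configuration, shown here as a small script that emits the rc.conf, sysctl.conf and pf.conf fragments for a primary or backup node. Interface names (em0/em1/em2), addresses, VHIDs, the sync subnet and the CARP password are assumptions, and the ifconfig syntax is the FreeBSD 10+ "vhid" alias form rather than the older carp0 cloned-interface style.

```shell
#!/bin/sh
# Added example, not from the original post or the pfSense project: emit the
# FreeBSD-style rc.conf, sysctl.conf and pf.conf fragments for a two-node CARP
# firewall pair. Interface names, addresses, VHIDs, the sync subnet and the CARP
# password are assumptions.

WAN_IF=em0;  WAN_VIP=203.0.113.10; WAN_VHID=1   # shared address the outside world sees
LAN_IF=em1;  LAN_VIP=192.168.1.1;  LAN_VHID=2   # shared default gateway for the LAN
SYNC_IF=em2                                     # dedicated crossover link for pfsync
CARP_PASS='replace-with-a-real-secret'          # assumption; authenticates CARP advertisements

# Per-node values: "wan_ip lan_ip sync_ip advskew". The primary advertises with
# skew 0 and the backup with 100, so the primary wins the election whenever it is up.
node_params() {
  case "$1" in
    primary) echo "203.0.113.11 192.168.1.2 10.99.0.1 0" ;;
    backup)  echo "203.0.113.12 192.168.1.3 10.99.0.2 100" ;;
    *)       echo "usage: gen_rc_conf primary|backup" >&2; return 1 ;;
  esac
}

# /etc/rc.conf fragment for one node. Each VIP rides as a CARP alias on the
# physical interface; pfsync0 replicates the pf state table over the sync link
# so established connections survive a failover instead of being reset.
gen_rc_conf() {
  params=$(node_params "$1") || return 1
  set -- $params
  wan_ip=$1; lan_ip=$2; sync_ip=$3; skew=$4
  cat <<EOF
ifconfig_${WAN_IF}="inet ${wan_ip}/24"
ifconfig_${WAN_IF}_alias0="inet vhid ${WAN_VHID} advskew ${skew} pass ${CARP_PASS} alias ${WAN_VIP}/32"
ifconfig_${LAN_IF}="inet ${lan_ip}/24"
ifconfig_${LAN_IF}_alias0="inet vhid ${LAN_VHID} advskew ${skew} pass ${CARP_PASS} alias ${LAN_VIP}/32"
ifconfig_${SYNC_IF}="inet ${sync_ip}/30"
cloned_interfaces="pfsync0"
ifconfig_pfsync0="syncdev ${SYNC_IF} up"
pf_enable="YES"
EOF
}

# /etc/sysctl.conf fragment, identical on both nodes. preempt=1 is what produces
# the behaviour the wiki quote describes: if any one CARP interface on the
# primary loses its link, the whole host demotes itself and the backup takes
# over every VIP at once, instead of WAN and LAN ending up on different boxes.
gen_sysctl_conf() {
  cat <<EOF
net.inet.carp.preempt=1
net.inet.carp.log=1
EOF
}

# /etc/pf.conf fragment, identical on both nodes. CARP and pfsync are their own
# IP protocols (112 and 240) and a default-deny ruleset silently drops them.
# pfsync carries the full state table unencrypted, so it is passed only on the
# dedicated sync link and explicitly dropped if it ever appears on the WAN.
gen_pf_conf() {
  cat <<EOF
pass quick on { ${WAN_IF} ${LAN_IF} } proto carp
pass quick on ${SYNC_IF} proto pfsync
block drop in quick on ${WAN_IF} proto pfsync
EOF
}

# Usage: sh carp-pair.sh primary > rc.conf.primary   (and likewise for backup)
if [ "${1:-}" = primary ] || [ "${1:-}" = backup ]; then
  gen_rc_conf "$1"
fi
```

Two things worth keeping apart when reading the wiki quote: pfsync replicates firewall state (the connection table), while the "configuration synchronization" pfSense mentions is a separate mechanism that copies the ruleset and settings from primary to secondary. Both nodes need the same pf rules for replicated states to mean anything, and both need the same CARP password or the backup will ignore the primary's advertisements and declare itself master. To check a failover without trusting the GUI, pull the WAN cable on the primary and watch `ifconfig em0` flip between MASTER and BACKUP on each box while an existing SSH session through the LAN VIP stays up.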


From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of David Hillman
Sent: Thursday, May 05, 2011 1:36 PM
To: Atlanta Linux Enthusiasts
Subject: [ale] Buy vs. build

Our firewall is close to dead. My boss wants to buy an expensive one. I
think it's better to build. We had problems extending the old firewall,
plus it would give us a chance to actually have OpenVPN on the firewall box
itself. The trouble is figuring out how to get to a working solution that's
flexible and affordable. Should we go with a tri-homed solution? Should
OpenVPN then listen on all interfaces, or just the external one? How does
this all fit in with our Active Directory and DNS server? Can OpenVPN
easily deal with Active Directory? How should packets be routed from the
VPN connection to the internal network and to the DMZ? Should we go with a
powerful little box that has iptables on the hardware and something like
VirtualBox + phpVirtualBox for everything else? By the way, we were using a
Secure Computing box before.

The AD box can then be virtualized and consolidated inside the one physical
box. Our web box (virtualized) and file server box would still stay
separate. Then, how do we tie the virtualized AD service back into the LAN?
Through the internal network interface via a virtual switch? What are the
chances of the firewall box failing? Of course, we were thinking of a
Mini-ITX board with Intel Atom (no fans) and RAID 1 SSD drives. Are there
any good books dealing with issues like these? I can understand buying to
save time, but how many headaches do you have to put up with down the road?