Mick Bauer introduced Firewall Builder to Linux Journal readers in 2003 with his article “Using Firewall Builder”. A lot of time has passed since 2003: the project has evolved, the appearance of the GUI has changed and many features have been added.

Open-source firewall implementations have gained momentum in recent years and now offer a viable alternative to commercial systems. These implementations include iptables (Netfilter) on Linux, PF on OpenBSD and FreeBSD, and ipfilter and ipfw on FreeBSD. These systems provide very respectable feature sets and good performance, but they offer only command-line access and plain-text configuration files. The syntax is often rather complex, differs from one tool to the next, and is definitely different from that of commercial firewalls.

Administrators have to understand the internal structure and logic of the given firewall system in order to design and maintain a configuration with the required level of confidence and reliability. For example, with iptables you need to understand the internal packet flow in the Netfilter engine to choose chains and targets correctly. Using the chain INPUT instead of FORWARD can mean the difference between a working service and a broken one. A simple error like this can make the server behind the dedicated firewall inaccessible and at the same time open a hole that allows access to the firewall itself. Complex configuration languages, together with the need for the administrator to be aware of the internal packet flow in the packet inspection engine, make management of these firewalls difficult. Many firewall appliances based on iptables or PF offer a Web-based GUI that helps configure them, but these interfaces tend to reflect the structure and ideas of the underlying configuration language closely.

Modern IT organizations most often operate a network built with products from different manufacturers. Administrators have to become experts in all platforms in order to be able to make the same change everywhere. When a new service is added, they need to implement the same policy rule in a different language for each kind of device. Coordinating changes across multiple devices in the network becomes difficult and risky, and constant switching between configuration languages leads to errors. This is especially so in multivendor installations where the administrator manages router access lists, several dedicated firewalls and perhaps local firewall rules on servers. An error leads either to service downtime or to a hole in the security policy, and both can be very costly.
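The INPUT-versus-FORWARD mistake described above, traced through a small model of the Netfilter routing decision. This is an added example, not code from the article or from the Firewall Builder project; the addresses, the rule shape and the default DROP policy are constructed assumptions.

```python
"""Toy model of Netfilter's filter-table traversal for the INPUT/FORWARD mistake.

Constructed scenario (assumption): the firewall owns 203.0.113.1 (outside) and
192.0.2.1 (inside); the web server 192.0.2.10 sits behind it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIREWALL_ADDRS = {"203.0.113.1", "192.0.2.1"}   # addresses local to the firewall host
SERVER = "192.0.2.10"                            # protected server behind the firewall


@dataclass(frozen=True)
class Rule:
    chain: str                 # "INPUT" or "FORWARD"
    dport: int                 # TCP destination port the rule matches
    target: str                # "ACCEPT" or "DROP"
    dst: Optional[str] = None  # None matches any destination address


def select_chain(dst: str) -> str:
    """Routing decision: packets for one of the firewall's own addresses traverse
    INPUT; packets that must be routed onward traverse FORWARD."""
    return "INPUT" if dst in FIREWALL_ADDRS else "FORWARD"


def verdict(rules: List[Rule], dst: str, dport: int, policy: str = "DROP") -> str:
    """First matching rule in the selected chain wins; else the chain policy applies."""
    chain = select_chain(dst)
    for r in rules:
        if r.chain == chain and r.dport == dport and (r.dst is None or r.dst == dst):
            return r.target
    return policy


# The mistake the text describes: the admin meant to let port 80 reach the server
# behind the firewall but put the rule in INPUT instead of FORWARD.
BROKEN = [Rule("INPUT", 80, "ACCEPT")]
# Corrected: the rule belongs in FORWARD and names the protected server explicitly.
FIXED = [Rule("FORWARD", 80, "ACCEPT", dst=SERVER)]


def audit(rules: List[Rule]) -> Tuple[bool, bool]:
    """Return (server_reachable, firewall_itself_exposed) on TCP/80 for a rule set."""
    server_ok = verdict(rules, SERVER, 80) == "ACCEPT"
    firewall_exposed = verdict(rules, "203.0.113.1", 80) == "ACCEPT"
    return server_ok, firewall_exposed


if __name__ == "__main__":
    print("broken:", audit(BROKEN))   # (False, True): service down, firewall exposed
    print("fixed: ", audit(FIXED))    # (True, False)
```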