With our great firewalls shootout looming on the horizon (2008Q1), I've begun to wonder just what it would take to build a firewall for a distributed-enterprise main office out of open source tools. So when the folks from No Starch Press sent me a copy of Linux Firewalls by Michael Rash, I just had to start a sub-project with my students to try to build an open source equivalent to the appliances that will be arriving in my lab this coming year.
Linux Firewalls
Attack Detection and Response with iptables, psad, and fwsnort
by Michael Rash
October 2007, 336 pp.
ISBN-10 1-59327-141-7
ISBN-13 978-1-59327-141-1
$49.95
BIG NOTE: the type of firewall proposed for this market segment would be typical of what you might find at a distributed enterprise, such as some large hardware store chains, where one might find a largish UTM (unified threat management) appliance capable of handling gigabit throughput from both the DMZ and the trusted side of the shop to some pretty big pipes on the WAN side. Minimum buy-in for this shootout is three gigabit interfaces, and if you can't move at least a gigabit per second, you probably ought not to be playing. The goal is to handle the huge amount of data fed at it by hundreds of branch offices through VPNs, in addition to all the crud on the Internet washing up on the shores of our fictional enterprise, combined with the throughput necessary to handle the legitimate traffic from folks e-shopping or just looking things up on the corporate site.
First and foremost, a firewall based upon a general purpose operating system is only as secure as the base OS. Michael Rash actually starts off with a discussion of just how you can build a Linux kernel that has ONLY what you need to support the firewall, losing all those extra pieces that can collect vulnerabilities over time. That's chapter one! What really makes this book different from the others I've seen over the years is that the author approaches the subject in a layered method while exposing potential vulnerabilities at each step. (Thank you so VERY much.) So for those who are new to the security game, the book also takes a stab at teaching the basics of network security alongside the tools you need to build a modern firewall.
The author goes on with a detailed approach to psad (Port Scan Attack Detector), diving into details like attack signature detection, attack fingerprinting and active responses. Particularly valuable is his detailed discussion of fwsnort (an IDS for Linux firewalls) and how it can be used to detect and act on in-depth attacks that iptables on its own would normally not be able to recognize. Keep in mind that fwsnort is NOT a full implementation of Snort, but rather a Perl program that takes Snort rules and translates them into a rough equivalent in iptables rules that would otherwise be quite difficult to write by hand. You can, if you want, implement a layered approach and set up a full Snort IDS to examine network streams at various locations, but fwsnort gives you a greater level of control over exactly which packet streams you let through your firewall.
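To make the Snort-to-iptables translation concrete, here is an added toy translator in Python. It is not fwsnort's Perl code and it covers only the simplest case: a rule whose detection is a plain `content:` string, which maps onto the iptables string match module (`-m string --algo bm --string ... --icase`) followed by a `LOG` target carrying the SID. The sample rules, their SIDs, the chain name FWSNORT_INPUT and the 10.0.0.0/8 value for $HOME_NET are all constructed for the example.

```python
"""Toy Snort-rule-to-iptables translator (added example, not fwsnort's own code).

It handles only the simple 'content' rules that map cleanly onto the iptables
string match module; hex content (|..|), pcre, flow, offset/depth and the many
other Snort options fwsnort knows about are deliberately left out.
"""
import re
import shlex

# Constructed sample rules for the demo. The SIDs are placeholders, not
# real Snort signature IDs, and the payload strings are illustrative.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB passwd file request"; content:"/etc/passwd"; nocase; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 '
    '(msg:"FTP SITE EXEC attempt"; content:"SITE EXEC"; sid:9000002; rev:1;)',
]

# Assumed variable map: fwsnort reads these from its config; here $HOME_NET is
# a made-up internal range and $EXTERNAL_NET is treated as "any".
VARS = {'$HOME_NET': '10.0.0.0/8', '$EXTERNAL_NET': None}

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+'
    r'\((?P<opts>.*)\)\s*$')
# key:"quoted value"; | key:value; | flag;   (a ';' inside quotes is handled)
OPT_RE = re.compile(r'(?P<key>\w+)(?::\s*(?P<val>"[^"]*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Split a Snort rule into its header fields and an options dict."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('unsupported rule syntax: ' + rule)
    opts = {}
    for om in OPT_RE.finditer(m.group('opts')):
        val = om.group('val')
        opts[om.group('key')] = val.strip('"') if val is not None else True
    parsed = m.groupdict()
    parsed['opts'] = opts
    return parsed


def _addr_args(flag, spec):
    """Turn a Snort address ('any', $VAR, or a literal CIDR) into iptables args."""
    if spec == 'any':
        return []
    if spec.startswith('$'):
        spec = VARS.get(spec)   # unknown variables fall back to "any"
        if spec is None:
            return []
    return [flag, spec]


def to_iptables(parsed, chain='FWSNORT_INPUT'):
    """Emit one iptables LOG rule that is a rough equivalent of the Snort rule."""
    opts = parsed['opts']
    content = opts.get('content')
    if content is None or '|' in content:
        raise ValueError('only plain-text content rules are translated here')
    cmd = ['iptables', '-A', chain, '-p', parsed['proto']]
    cmd += _addr_args('-s', parsed['src'])
    if parsed['sport'] != 'any':
        cmd += ['--sport', parsed['sport']]
    cmd += _addr_args('-d', parsed['dst'])
    if parsed['dport'] != 'any':
        cmd += ['--dport', parsed['dport']]
    # The string match does the payload inspection plain iptables rules lack.
    cmd += ['-m', 'string', '--algo', 'bm', '--string', content]
    if 'nocase' in opts:
        cmd += ['--icase']
    # Log with the SID so psad (or any log parser) can tie the hit back to the rule.
    prefix = '[%s] SID%s ' % (parsed['action'].upper(), opts.get('sid', '?'))
    cmd += ['-j', 'LOG', '--log-prefix', prefix]
    return shlex.join(cmd)


def translate_all(rules):
    """Translate every rule, skipping the ones this toy cannot express."""
    out = []
    for rule in rules:
        try:
            out.append(to_iptables(parse_rule(rule)))
        except ValueError:
            continue
    return out


if __name__ == '__main__':
    for line in translate_all(SAMPLE_RULES):
        print(line)
```

The output is a list of `iptables` command lines you could paste into a script; the real fwsnort additionally maps Snort's offset/depth to `--from`/`--to`, converts hex content to `--hex-string`, and can emit DROP or REJECT rather than just LOG, which is where the "active response" side of the book comes in.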
Overall, this is not quite a cookbook, but more of a reference for those who want to dig into extending what they've already learned implementing iptables on their Linux servers and/or workstations. It's also a terrific reference for those trying to fine-tune what they already have with new features like fwsnort and/or psad. Nothing is going to replace sites like http://www.cipherdyne.org/fwsnort or http://www.netfilter.org for detailed descriptions of how each package works, but Linux Firewalls is a great place to start for those who either can't or won't spend the thousands of dollars on an enterprise-class firewall appliance.
NOTE: The author does assume that you know a bit about where to find things in the Linux world, but has courteously included LOTS of actual command examples.
Posted by Brian Chee on November 19, 2007 12:28 PM