Saturday, November 05, 2016

F is for Firewall

(You see, Harrison Ford thinks Firewalls are sexy :-)



Let me be clear: but for the disdainful, criminal actions of the few, there would be no need for computer firewalls.

When I talk about a computer firewall I mean a piece of software, or a hardware-plus-software box, that inspects inbound and outbound network traffic and allows or blocks each packet according to a set of rules, so that unsolicited or malicious traffic never reaches the services behind it.

A firewall is quite distinct from an anti-virus programme. A virus is typically a crafted piece of malicious software that, once it has been run by the user or planted on the computer (perhaps because the absence of a firewall let an attacker in), can do untold damage to your installation. The firewall decides which network connections are allowed at all; the anti-virus looks at what is already on the disk or about to execute.

Do I need a dedicated Firewall?
Most modern operating systems, such as Microsoft Windows or Apple OS X / macOS, can run a firewall programme on the individual computer (a host firewall).

But 'in the business' it is usual for more sophisticated user or business setups to also have a Boundary Firewall. This is a dedicated computer sitting between the Internet connection and everything else: the first line of defence, stopping attacks from entering the home network before they reach any individual computer, smartphone, etc.

The Onion Ring
So a fair question is: if each of the computers in my household already has a firewall, why would I configure an extra dedicated computer, called a boundary firewall, as well? Surely that would just slow things down and be an unnecessary duplication?

Well yes, theoretically. The answer is that you get an onion ring of security (defence in depth). The attacker first has to pass through your boundary firewall before they can even attempt the per-machine firewall. The two will almost surely be from different manufacturers, so an exploit (before patching) will usually affect only one of them and the other layer still holds. The host firewall also covers a case the boundary firewall never sees: traffic from another device on your own LAN, say a compromised phone or smart TV. So overall the answer is: it's safer, and gives the attacker much more work to do.


First The Confession!

# Excerpt from /etc/ufw/before.rules, the file ufw loads ahead of its own
# user rules. The ufw-not-local chain is jumped to from ufw-before-input:
# anything whose destination is not this host (local unicast, multicast or
# broadcast) is logged at a throttled rate and then dropped.

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped (logged at most 3/min, burst 10)
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


As a paranoid android I feel firewalls are an essential part of any well-run home computer network and above. One tiny problem:

I [really] hate firewalls!  Why?

- Their configuration is usually beyond me
- They love the command line, not the graphical interface
- Temperamental: one small change to the config file and everything stops working
- Debugging, to me, is not easy
- Often you can cut yourself off, i.e. you make a config change and, once it is activated, you lose all network connectivity. Marvellous!
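The last complaint in that list, locking yourself out with a bad rule, is the one a practitioner plans for. The script below is an added example and not from the original post: it applies a new iptables ruleset only after a syntax check, and arms a background timer that restores the previous ruleset unless you confirm within the timeout, so a rule that cuts off your SSH session undoes itself. It assumes iptables-save and iptables-restore; the command names and the state directory are variables (with hypothetical defaults) so the logic can be exercised with stand-ins where iptables is not available.

```shell
#!/bin/sh
# Added example (not the author's code): apply an iptables ruleset with a
# dead man's switch so a mistake cannot lock you out of the firewall.
# The command names and state directory are overridable so the functions
# can be exercised without root; the defaults below are assumptions.
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
FW_STATE_DIR=${FW_STATE_DIR:-/run/fw-rollback}

# fw_apply_with_rollback RULES_FILE [TIMEOUT_SECONDS]
# Loads RULES_FILE (iptables-restore format). Unless fw_confirm is run
# within TIMEOUT_SECONDS (default 60) the previous ruleset is restored.
fw_apply_with_rollback() {
    rules=$1
    timeout=${2:-60}
    mkdir -p "$FW_STATE_DIR"

    # 1. parse the new rules without committing them; refuse on any error
    "$IPTABLES_RESTORE" --test < "$rules" || return 1

    # 2. snapshot the running ruleset so there is something to fall back to
    "$IPTABLES_SAVE" > "$FW_STATE_DIR/backup.rules" || return 1

    # 3. arm the dead man's switch: a background job that reinstates the
    #    snapshot when the timer expires
    (
        sleep "$timeout"
        "$IPTABLES_RESTORE" < "$FW_STATE_DIR/backup.rules"
        rm -f "$FW_STATE_DIR/rollback.pid"
    ) &
    echo $! > "$FW_STATE_DIR/rollback.pid"

    # 4. now commit the new rules for real
    "$IPTABLES_RESTORE" < "$rules"
}

# fw_confirm: call this from the same (still working) session to disarm the
# rollback. Returns 1 if no rollback is pending (it already fired, or none
# was armed).
fw_confirm() {
    pidfile=$FW_STATE_DIR/rollback.pid
    [ -f "$pidfile" ] || return 1
    kill "$(cat "$pidfile")" 2>/dev/null || true
    rm -f "$pidfile"
}
```

Typical use over SSH: `fw_apply_with_rollback /etc/iptables/rules.v4 60`, then, if you can still type into the session, `fw_confirm`. If the session has gone dead, wait out the timeout and the old rules come back on their own. The `--test` pass catches the syntax-error case ("one small change and everything stops working") before any packet is affected; the timer catches the logically wrong rule that parses fine but blocks you.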




3 Firewall configurations

Today I am merely going to chart my way through our firewall configurations so that you can grasp the history.


Generation #1: Hardware Firewall

Zyxel Zywall USG 50 Firewall

This was our main home firewall for years and, until our Internet speeds became insane (you'll see this in our forthcoming write-up of Firewall Gen 3 another day), it was sufficient. In summary:

+ Very reliable
+ GUI interface
- Shockingly bad documentation, and Google did not help much
+ Small and quiet
= Cost was about 500 USD new
- The fallback Internet support (via a 3G key) did not work for me in Switzerland. You can have it via a second inbound DSL line, but who has that, seriously?
- If you want to serve out terabytes per week, this guy will not cut it.
+ Multihomed DNS setup and other tricky stuff well thought out and easy
- When you buy it you get a 1-year key to some clever stuff like packet inspection, but then it runs out. Also, when that is switched on, the firewall's throughput drops like a stone :-(



Generation #2: Sophos UTM

Marcus's next attempt at firewalling was the free-for-personal-use Sophos UTM, a Linux-based firewall.

Sophos makes a range of hardware firewalls, but they also sell the firewall software on its own, which a business can buy and install onto an Intel server.

At the entry level Sophos has two free end-user products, which you can install, though there were several gotchas and much form filling at the Sophos website.

The UTM firewall is being replaced by the newer XG firewall, but it is even more tricky to install. For example, over one year after launch there is no approved Hardware Compatibility List (HCL) for XG, and so I found, the other day whilst trying to move from UTM to XG, that the current Ethernet card would not work. Typical!



The clincher for moving to Sophos was that I could build my own small Intel PC, making it as cheap or expensive, and as small, as I liked, and stick the free UTM onto it. I had all the flexibility. How was it as a solution then?

+ Faster than the Zywall
- Fewer LAN ports than the Zywall, but only because I built it on a tiny Mini-ITX motherboard and chassis. In a bigger PC it could have matched the Zyxel
- Since it's a consumer PC it's not ideally suited to 24x7 operation
- Due to the above, if I was leaving home for, say, a week, I'd want to power it down. Oh, but then our web server would not work. Dilemma. Hmmm
- Low power consumption, but many more moving parts than the Zyxel so not as power-efficient
- Noisy; well, it had a single fan, so it was just a tad noisier than the Zyxel
- Lots of form-filling admin to get the product and key, and to me lots of confusing definitions
= Setup was easy in retrospect, but only once I got it working. As with the Zyxel, being a firewall dummy / dimwit, it's always a case of nothing working, and then everything working!


Generation #3: Raw Linux Firewall



A view of the just-finished 2016 firewall, to be detailed properly in another post. The design process was:

- Stop mucking about: build a decent firewall with faster processors and more memory in a nice case
- Stop using that Mickey Mouse 4-year-old Mini-ITX CPU

Attempt #3, Plan 1
On new hardware:
- Run Linux, say Linux Mint 18 'Sarah' (MATE edition)
- Run virtualisation (I like VMware)
- Inside the virtual machine run Sophos UTM

Attempt #3, Plan 2
Wait, surely I can run Sophos XG instead?
- Run Linux, say Linux Mint 18 'Sarah' (MATE edition)
- Run virtualisation (I like VMware)
- Inside the virtual machine run Sophos XG

Attempt #3, Plan 3
Wait, why don't I just cut out the virtualisation?
- Run Linux, say Linux Mint 18 'Sarah' (MATE edition)
- Configure the Linux kernel's own firewall (netfilter, via iptables) directly!

Yes, I know, you were all ahead of me here. You were all screaming: just use raw Linux for the firewall. But it just took me three iterations in 2016 to get there.

So this is what these keystrokes are passing through as I type. Some of its characteristics are:

- Quality PC construction
- Nice case, nice PSU, nice wiring, quality motherboard
- Quiet and capable of 24x7 operation
- When I say Gigabit routing, I mean actual gigabit-per-second routing
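The Gen 3 ruleset itself is promised for a later post. As an added example (not the author's configuration), here is the shape a two-NIC Linux boundary firewall takes when you configure netfilter directly, as Plan 3 proposes. The function emits an iptables-restore file: default-deny INPUT and FORWARD, stateful return traffic, NAT for the LAN, anti-spoofing on the WAN side, management from the LAN only, and an optionally published web server (the post mentions a web server living behind the firewall). Interface names, the LAN subnet and the web server address are parameters; the values in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's own ruleset: generate an iptables-restore
# file for a two-interface Linux boundary firewall.
#   fw_rules WAN_IF LAN_IF LAN_NET [WEB_SERVER_IP]
# e.g. fw_rules wan0 lan0 192.168.1.0/24 192.168.1.10   (hypothetical values)
fw_rules() {
    wan=$1; lan=$2; lannet=$3; web=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide the whole LAN behind the single public address
-A POSTROUTING -o $wan -s $lannet -j MASQUERADE
EOF
    if [ -n "$web" ]; then
        cat <<EOF
# publish the internal web server on the WAN address
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
-A PREROUTING -i $wan -p tcp --dport 443 -j DNAT --to-destination $web:443
EOF
    fi
    cat <<EOF
COMMIT
*filter
# default deny for traffic to the box and through the box; the box itself may talk out
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# anti-spoofing: LAN source addresses never legitimately arrive on the WAN side
-A INPUT -i $wan -s $lannet -j DROP
-A FORWARD -i $wan -s $lannet -j DROP
# replies to connections the box or the LAN started; junk gets dropped early
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# manage the firewall over ssh from the LAN only, never from the WAN
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited ping so the box is reachable for diagnostics without being a flood target
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log (throttled) what INPUT drops, so "nothing works" can actually be debugged
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "[FW INPUT DROP] "
# the LAN may go anywhere on the WAN
-A FORWARD -i $lan -o $wan -j ACCEPT
EOF
    if [ -n "$web" ]; then
        cat <<EOF
# DNAT only rewrites the destination; the forwarded connection still needs permission
-A FORWARD -i $wan -o $lan -d $web -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi
    echo COMMIT
}
```

Apply with `sysctl -w net.ipv4.ip_forward=1` and `fw_rules wan0 lan0 192.168.1.0/24 192.168.1.10 | iptables-restore`, and persist both (iptables-persistent or your distribution's equivalent) so a reboot does not come up with an open box. Two caveats a practitioner would want stated: this is IPv4 only, so an ISP that hands out IPv6 needs a matching ip6tables ruleset or the LAN is wide open on v6 while looking protected on v4; and the throttled LOG rule is what turns "everything stopped working" into a line in the kernel log that says which packet was dropped.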




Detail to follow, presently!

Over to you, Rick:





Rick Astley: Pieces (Rule the World)