Roll your own firewalls for fun and profit

Cheap, beefy hardware and great open source options make homegrown firewalls more enticing than ever

For most of the 1990s and well into the 2000s, the general consensus was that you went out and bought a firewall appliance from Cisco or whomever, and you let it rule the network edge. For more than a decade within that span, the Cisco PIX was the firewall of choice, steadily controlling network traffic flows in organizations large and small.

One of the main reasons for the reliance on firewall appliances was performance. The Cisco PIX was essentially a PC, with the 515 model running a Pentium-II 433MHz CPU and as little as 64MB of RAM. Heck, you could build your own PIX 520 clone at home, the FrankenPIX. It used commodity network cards, yet could reliably police 100Mb network flows and terminate a significant number of VPN tunnels. This was due to the tightly coupled code and hardware (which I spoke of just last week), and the low-level construction of PIXOS. The Cisco PIX was ultimately retired, giving way to the ASA, which is built on a more customized platform.


ASA appliances are quite pricey, especially for smaller companies. Sure, you might have just a 150/50Mb cable connection or a fiber drop that can drive up to 200Mb synchronous. However, a much costlier hardware firewall is required to get that other 50Mb of downstream bandwidth, because once you pass 100Mb you need a firewall with at least two gigabit network interfaces.

Heaven forbid you want your DMZ to run at those speeds too. That will take a bunch more gigabit interfaces, which will push the cost even higher. You're not driving gigabit speeds, of course, but you do want to take advantage of the speeds over 100Mb; in many cases you're essentially forced to buy much more hardware than you need -- hardware that will sit idle most of the time.

Or you could roll your own. These days, there's no shortage of extremely capable, cheap hardware or thoroughly vetted and stable open source firewalls. If you know how fantastic the PF firewall is, you might take a look at projects such as m0n0wall and pfSense, which wrap that wonderful packet filter up in an easy GUI. Or you could try any one of many Linux-based firewall packages such as IPCop and Smoothwall. These projects have purely open source versions, and some have supported commercial versions, so you have something to fall back on should you run into problems.
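As an added illustration (not taken from the article or from any of the projects it names), here is a minimal PF ruleset for the kind of three-interface edge box described above: a WAN port, a LAN, and a DMZ hosting a single web server. The interface names, address ranges and server address are assumptions chosen for the example, and the syntax is the FreeBSD/pfSense-era `nat`/`rdr` form rather than the newer OpenBSD `match ... nat-to` form.

```pf
# --- Macros (assumed interface names and addressing; adjust to your hardware) ---
ext_if  = "em0"                 # WAN, public IP on the outside
lan_if  = "em1"                 # trusted internal network
dmz_if  = "em2"                 # semi-trusted network for public-facing servers
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"        # the one DMZ host reachable from the Internet

# RFC1918 and loopback space that should never arrive as a source on the WAN.
# Assumption: the WAN port holds a public address; if it sits behind a NAT
# modem with a private address, drop this table and the rule that uses it.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }

# --- Global options ---
set skip on lo                  # never filter loopback
set block-policy drop           # silently drop rather than send RST/ICMP unreachable
set loginterface $ext_if        # keep counters for the edge interface

# --- Normalization ---
scrub in all                    # reassemble fragments, clear odd flag combinations

# --- Translation (applied before filtering in this syntax) ---
# Masquerade LAN and DMZ out the WAN; ($ext_if) tracks a DHCP-assigned address
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
# Publish the DMZ web server on the WAN address for HTTP and HTTPS only
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_srv

# --- Filtering: default deny, then explicit holes ---
block log all

# Drop spoofed packets claiming an internal source on the wrong interface
antispoof quick for { $lan_if, $dmz_if }
block in quick on $ext_if from <private> to any

# Anything the firewall itself or a stateful session sends may leave
pass out all keep state

# Internet -> DMZ: only TCP 80/443 to the web server (address already rewritten by rdr)
pass in on $ext_if inet proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state

# LAN -> anywhere (Internet and DMZ), stateful
pass in on $lan_if from $lan_net to any keep state

# DMZ -> Internet only; a compromised DMZ host must not be able to open sessions into the LAN
pass in on $dmz_if from $dmz_net to !$lan_net keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the `log` keyword on the default block rule lets `tcpdump -n -e -ttt -i pflog0` show exactly what the deny policy is catching, which is the first place to look when a host behind the box cannot reach something.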

Other options at the commercial end of the spectrum, such as Vyatta and Untangle, run heavily customized versions of Linux and provide all kinds of add-ons, such as content filtering and phishing, spam, and spyware blockers. You'll find that they're surprisingly cheap.

Of course, it's also possible to deploy a software firewall like those mentioned above on a virtualized platform. Using that method on a true network edge still gives me the heebie-jeebies and violates my long-held religious belief in physical separation of completely untrusted networks. However, deploying firewalls in this way within other networks or semi-trusted network edges might be just the thing. You can place a whole bunch of VMs behind a software firewall very easily, without requiring physical connections to untrusted networks anywhere along the way.

Out there at the edge, public IPs on one side, I'll always be more comfortable with a dedicated box, be that an appliance or a customized commodity server. These days you can get a small-form-factor server-class box with redundant power supplies, a quad-core CPU, and 4GB of RAM for extremely cheap. Such a box running the right open source firewall distro can do amazing things -- far surpassing what you can buy from a traditional vendor for the same price. Many of these solutions can provide all the goodies like stateful failover, VPN termination, caching, and WAN load balancing -- you name it.

The next time you set out to bump up your edge security, give the homegrown approach a test first. You might find it's all you need.

This story, "Roll your own firewalls for fun and profit," was originally published at Read more of Paul Venezia's The Deep End blog at For the latest business technology news, follow on Twitter.

Copyright © 2012 IDG Communications, Inc.