Manufacturer: Watchguard Technologies, Inc.
Price: $4,990 US (Firebox II; options extra), $449 US (base SOHO)
Reviewer: Glenn Stone
Much ado has been made in the post-Melissa era about firewalling, particularly with the advent of low-cost, always-on high-speed Internet connections and associated security risks. Many of us here are familiar with the poor but educated man's approach to the problem: drop a Linux distro on a machine with a pair of NICs and configure appropriately. This is cheap, effective, reasonably secure, but also time-consuming and doesn't scale all that well. It's fine for Joe Hobbyist, but Mike the Network Manager wants something a little easier to handle.
Enter Watchguard. This Seattle-based company makes a line of dedicated firewall appliances to serve anything from the SOHO market to a 5,000-user mega-office with up to 100 branches on Virtual Private Networks connected securely across the Internet. Bundled with the bigger boxes is their LiveSecurity System, a GUI-based manager tool that allows the network manager to easily configure the local firewall, called a Firebox, and optionally, VPN Manager, which allows management of multiple VPNs as well as any Fireboxes (including the SOHOs) that happen to be on the other end of the VPN link. As you might have guessed, the larger Fireboxes run Linux. (The SOHOs run VxWorks.) At $4,990 US for a full-sized one, it's not cheap at all but, as I was to find out, it is easy.
The Firebox II arrived in a nice carry-handle box with all the cables needed to hook it up, including an RJ-45 crossover cable for setup, RJ-45 patch cords for the rest of the network and a serial cable for direct console setup with appropriate adapters for DB9 or DB25 connectors. The fire-engine red case also comes with a pair of metal flanges that, when you rearrange them appropriately, allow the Firebox to be mounted in a standard 19", 2U rack slot. The front panel has an array of LEDs for system status, traffic and load average; the back panel has three RJ-45 10/100Tx jacks, a pair of DB9 serial ports, a pair of Type II PCMCIA modem slots, power socket and switch. (I always liked the idea of the switch on the front, but that's just me.) Under the hood lies a custom single-board computer with a 200MHz Pentium MMX, 64MB of SDRAM, an 8MB Flash ROM and two noisy but effective fans. Instead of a CPU fan, there is a monster heat sink, and one of the case fans is aimed directly at it. I suppose this is so the unit can survive the loss of one of the fans; using a smaller fanned-heat sink would give the unit a single point of failure.
The manual is a nice 300-page spiral-bound volume about the size of a trade paperback. What lay inside, though, was the big surprise—Windows?!? You need Microsoft Windows to run this software.
A query to Watchguard's tech support web page netted me a pair of answering phone calls, verifying what the manual said. There is currently no way to set up the big Fireboxes without using Microsoft Windows. But, they said, we would be happy to have you visit our training facility and show you how things work.
On-site at Watchguard, we get down to business. We put the CD in the drive, the install ran, did its normal Windowsish thing (including a reboot) and now we're looking at the configurator for the Firebox. You can configure it for drop-in mode (where it acts as a transparent proxy, like a bridge) or routed mode, which allows the trusted network to use private addresses, to which the Firebox will port-forward if so desired. With all the requisite magic numbers in place, we pressed the button to upload and booted the Firebox. Hmmm, uploading via TCP didn't work. Not to worry, you can also upload via the console port. Back up a click, reset for COM1 and up pops the progress box. Ahh, sweet success. A reboot under software control, and the Firebox is up and running. We verified that it would communicate over the trusted interface, then used a pre-configured Firebox to address it over the external interface and set up an IPSec gateway and tunnel. The optional VPN Manager is really slick; you simply give it the remote address and configuration password of the remote Firebox, then drag one Firebox icon onto another, run through three clicks' worth of configuration and the tunnel is configured; a quick reset (20-30 seconds) on each Firebox, and the tunnel is active. The VPN tunnels can be filtered in all the same ways you can filter regular IP traffic: by host, by port or both, on source, destination or both. The Firebox II client can also configure SOHO units remotely, so a network admin can manage his or her telecommuters as well as big branches.
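To make the filtering model concrete, here is an added example (my own illustration, not Watchguard code and not how the Firebox is implemented internally) of the two ideas in the paragraph above: a routed-mode port forward from the external address to a private host, followed by a first-match rule list that matches on source, destination, port, or any combination, with traffic to a VPN remote network filtered exactly like any other IP traffic. The addresses, the policy and the stateless first-match semantics are constructed assumptions.

```python
"""Routed-mode port forwarding plus a first-match packet filter.
Added example, not Watchguard code; addresses and policy are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """Every field is optional; None means 'any'. Hosts may be single
    addresses or CIDR blocks, so one rule can cover a whole VPN remote LAN."""
    action: str                      # "allow" or "deny"
    src: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # strict=False lets a bare host address act as a /32 network.
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def evaluate(rules: Sequence[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. Unmatched traffic falls to the default, which
    is deny so that a forgotten rule fails closed rather than open."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Routed mode: (external address, port) -> (private host, port).
# Constructed values: external 203.0.113.1, web server 10.0.0.5 on the trusted LAN.
FORWARDS: Dict[Tuple[str, int], Tuple[str, int]] = {
    ("203.0.113.1", 443): ("10.0.0.5", 443),
}


def port_forward(pkt: Packet) -> Packet:
    """Rewrite the destination of a packet aimed at a forwarded external port
    to the private host behind it; everything else passes through unchanged."""
    target = FORWARDS.get((pkt.dst, pkt.dport))
    if target is None:
        return pkt
    return Packet(pkt.src, target[0], pkt.sport, target[1], pkt.proto)


# Constructed policy: trusted LAN 10.0.0.0/24 (private addresses), VPN remote
# office 192.168.7.0/24 reached through the tunnel, default deny at the end.
POLICY = [
    Rule("allow", src="10.0.0.0/24", dst="192.168.7.0/24", dport=22),   # SSH into the branch
    Rule("allow", src="192.168.7.0/24", dst="10.0.0.5", dport=25),      # branch mail relay
    Rule("allow", dst="10.0.0.5", dport=443),                           # forwarded public HTTPS
    Rule("deny"),
]


def decide(pkt: Packet) -> str:
    """Forward first, then filter the rewritten packet against the policy."""
    return evaluate(POLICY, port_forward(pkt))


if __name__ == "__main__":
    for p in (Packet("10.0.0.7", "192.168.7.20", 40000, 22),
              Packet("198.51.100.9", "203.0.113.1", 51000, 443),
              Packet("198.51.100.9", "203.0.113.1", 51000, 22)):
        print(p, "->", decide(p))
```

Because the forward runs before the filter, the rule list only ever needs to name the private host, which keeps the public address out of the policy. A real firewall also tracks connection state so reply packets are admitted without a mirrored rule; this stateless model deliberately leaves that out.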
I asked some pointed questions about the safety of uploading new configurations and got a neat insight into the Firebox's internal architecture. The Flash ROM is divided into several sections: the running configuration, the underlying Linux system, a backup area where these can be saved (and recovered) during upgrades and a “system” area, which is the moral equivalent of a rescue partition. You tell the configurator you want to restore the factory default configuration, then reboot the system with the console port connected to your serial port. The configurator detects the boot prompt and tells the system to boot from the system area, at which point you reconfigure the machine from scratch. You can also boot the box with a PCMCIA modem in one of its slots and (re-)configure the machine from remote dialup. This makes for easy physical deployment of a large VPN; all the person at the remote site has to do is insert various sets of tab “A” into slot “B” (and the cables are all color-coded) and turn it on, and the network admin sitting in the home office in Sioux City can take it from there.