Excerpt from the book "Configuring IPCop Firewalls: Closing Borders with Open Source"

Excerpt from the book Configuring IPCop Firewalls: Closing Borders with Open Source by Barrie Dempster and James Eaton-Lee. Published by Packt Publishing and reprinted with permission. All rights reserved.
Deploying IPCop

Introduction

IPCop is a firewall for the Small Office/Home Office (SOHO) network, which is extremely easy to use and is released under the GNU General Public License (GPL). It provides most of the basic features that you would expect a modern firewall to have, and what is most important is that it sets this all up for you in a highly automated and simplified way. It's very easy to get an IPCop installation up and running and takes very little time. For features like those in IPCop, you would usually have to pay for a high-end firewall system or string something together using a collection of other tools. IPCop takes some of those powerful Linux tools and creates a pre-built package for you. IPCop was created to fill a void in the market, where users with small networks need some features that only large networks can afford, as far as expertise or money is concerned.

If your network is relatively small and has a single Internet connection, or you have a couple of sites with separate Internet connections that require linking together in a medium-sized business, then you can certainly benefit from using IPCop. Since IPCop itself is free, your only expense for the firewall is the cost of the hardware (which can be a low-end older computer left over from a previous upgrade) and the time spent administering the machine (which is relatively low due to the easy-to-use interface). For smaller networks this is a very attractive system.

Systems such as ISA server and Checkpoint are extremely expensive and require a great deal of background knowledge to configure and secure properly. Compare this to IPCop, which functions as a well-secured router and firewall almost immediately on installation. Larger enterprise systems also have much higher hardware requirements and are overkill for smaller networks. The expense and time it takes to set these expensive systems up is unlikely to provide a good return on investment for networks outside the larger enterprise. IPCop also benefits from simplicity that is not available when using a general purpose OS such as Windows or even a Linux distribution because of all the unnecessary services they usually install by default. IPCop has a single specific role, so many of the standard services and applications are not installed leaving you with a simplified, specialized firewall installation.

When evaluating IPCop for use in your environment, you should look at the functionality it provides and determine whether it will be the most effective solution for your network. Generally, for a small to medium-sized network, IPCop is extremely effective and can simplify network administration greatly. However, for very large networks with a variety of segments all interconnecting with varying mechanisms, you may find IPCop inadequate. It's important to figure out exactly how your network will fit together and then choose IPCop if it fits your needs. For the SOHO network this may be a very simple topology and may require very little planning. In a larger network IPCop can be used for specific roles within the infrastructure, for example as a gateway for key remote networks like branch offices.

Trust Relationships between the Interfaces

The four types of network interface -- Green, Red, Blue, and Orange -- supported by IPCop have differing levels of trust associated with them. Here is a simple table outlining what traffic is allowed to go to and from which interfaces. This table, and the knowledge contained within it, should form the basis of our planning when considering how many interfaces to use and what to use them for. This is basically the Traffic Flow diagram from the IPCop administrative guide (www.ipcop.org/1.4.0/en/admin/html/section-firewall.html).

Traffic Flow Diagram

| Interface From | Interface To | Status | How To Access |
|---|---|---|---|
| Red | Firewall | CLOSED | External Access |
| Red | Orange | CLOSED | Port Forwarding |
| Red | Blue | CLOSED | Port Forwarding / VPN |
| Red | Green | CLOSED | Port Forwarding / VPN |
| Orange | Firewall | CLOSED | |
| Orange | Red | OPEN | |
| Orange | Blue | CLOSED | DMZ Pinholes |
| Orange | Green | CLOSED | DMZ Pinholes |
| Blue | Firewall | CLOSED | Blue Access |
| Blue | Red | CLOSED | Blue Access |
| Blue | Orange | CLOSED | Blue Access |
| Blue | Green | CLOSED | DMZ Pinholes / VPN |
| Green | Firewall | OPEN | |
| Green | Red | OPEN | |
| Green | Orange | OPEN | |
| Green | Blue | OPEN | |

In visualizing the way in which traffic goes through the IPCop firewall, we can see it as a sort of giant junction with a traffic cop (literally, an IP Cop -- hence the name!) in the middle of it. When a car (in network parlance, a packet of data) reaches the crossroads, the cop decides in which direction the packet should go (based on the routing tables IPCop uses), and pushes it in the appropriate direction.

In the case of a Green client accessing the Internet, we can see from the previous table that this access is OPEN, so the cop allows the traffic through. In other instances, however, this might not be the case. If a Blue client tries to access a client on the Green segment, for instance, the cop might allow the traffic through if it comes over a VPN or through DMZ pinholes -- but if a client on the Blue segment has neither of these things explicitly allowing the traffic, it is stopped. The car is pulled over, the occupants victims of some virtual time in the cells!

Note that (generally) when we illustrate IPCop Configurations, the Red interface is uppermost (North), the Orange interface is to the left (West), the Blue interface is to the right (East), and the Green interface is to the bottom (South).
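
As an added example (not from the book or the IPCop project), the traffic flow table can be turned into a planning check: map each planned endpoint to its interface colour, then report which flows the defaults stop and which mechanism the table lists for them. The subnets, the sample plan and the function names are constructed for illustration, and the model checks only the colour pair and mechanism category, not ports or protocols.

```python
import ipaddress

# Constructed subnets for illustration; real ranges are chosen at install time.
ZONES = {c: ipaddress.ip_network(n) for c, n in (
    ("green", "192.168.1.0/24"), ("blue", "192.168.2.0/24"),
    ("orange", "192.168.3.0/24"))}

# from -> to -> mechanisms the table lists for a CLOSED path; an empty
# tuple means OPEN, None means CLOSED with no mechanism listed.
POLICY = {
    "red": {"firewall": ("external access",), "orange": ("port forwarding",),
            "blue": ("port forwarding", "vpn"), "green": ("port forwarding", "vpn")},
    "orange": {"firewall": None, "red": (),
               "blue": ("dmz pinholes",), "green": ("dmz pinholes",)},
    "blue": {"firewall": ("blue access",), "red": ("blue access",),
             "orange": ("blue access",), "green": ("dmz pinholes", "vpn")},
    "green": {"firewall": (), "red": (), "orange": (), "blue": ()},
}

def zone_of(addr):
    """Map an address to an interface colour; any unlisted address is Red."""
    if addr == "firewall":
        return addr
    ip = ipaddress.ip_address(addr)
    return next((c for c, net in ZONES.items() if ip in net), "red")

def check_flow(src, dst, mechanism=None):
    """Return (allowed, reason) for one planned flow."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True, f"{s}: same segment, firewall not in the path"
    need = POLICY.get(s, {}).get(d)
    if need == ():
        return True, f"{s}->{d}: OPEN"
    if need and mechanism in need:
        return True, f"{s}->{d}: allowed via {mechanism}"
    return False, f"{s}->{d}: CLOSED, needs {' or '.join(need or ['(none listed)'])}"

def audit(flows):
    """Return (flow, reason) for every planned flow the defaults would stop."""
    results = [(f, check_flow(*f)) for f in flows]
    return [(f, why) for f, (ok, why) in results if not ok]

# Constructed plan: (source, destination, mechanism configured or None).
PLAN = [("192.168.1.10", "203.0.113.5", None),        # Green -> Internet
        ("192.168.2.20", "192.168.1.10", None),        # Blue -> Green, nothing set
        ("192.168.2.20", "192.168.1.10", "vpn"),       # Blue -> Green over VPN
        ("203.0.113.5", "192.168.3.80", "port forwarding")]  # Internet -> DMZ
```

Running `audit(PLAN)` returns only the Blue to Green flow that has no mechanism configured, which is the "car pulled over" case described above.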

______________________

Comments


need for firewall

Mirko Filipovic

For my home laptop I use ZoneAlarm free firewall. This is absolutely necessary for everyone. It blocks at least 50 attempts daily.

home user firewall

linux firewall user

Small Office/Home Office maybe, but home users like me do not use a firewall; I think firewalls are only for corps. It is not a big deal to implement a firewall on my home computer. I use Linux. I just never got DoS attacks on my home computer.

IPCop is cool though

I use an Ipcop firewall at

Anonymous

I use an Ipcop firewall at home. It runs great on an old k6 and protects both wired and wireless networks. In Ipcop-speak, this is a Red-Green-Blue network, where red=external, green=wired, blue=wireless. The firewall rules are very thorough and extensible. It was easy to set up for what it does. It does DHCP, has a caching proxy server, an intrusion detection system, NTP server, etc. It is also very secure. My wife has a firewall on her wireless XP laptop and almost nothing ever hits it. This is a very polished, easy to use firewall distribution and you cannot beat the price.

I would not go online without some sort of hardware firewall. And Ipcop beats limited consumer routers hands down. All you need is an older PC and a couple of network cards. And if you want to connect to a VPN or have a DMZ, Ipcop boxes are way less expensive than commercial solutions.
