Karla News

DIY: Build a Business-class Firewall in an Afternoon with Free Software

Firewalls

Firewall companies have a little secret that they do not want you to know: most of their software is based on free open source software. What you pay the firewall companies for is the assembly of the software, an intuitive interface and professional technical support. And what they really want to keep a secret is the fact that several free firewall distributions also assemble the software and create an intuitive interface, for free.

Using one of these free firewall systems will give you many great business class features without the hefty business class price tag. These firewalls are a perfect choice for small businesses on a shoestring budget and for busy home offices.

Why Upgrade?
Increased Bandwidth: Most home routers have enough horsepower for a standard cable or DSL connection, but may slow you down on new ultra-high-speed connections like Verizon’s FIOS or ATT’s Uverse.

Upgraded connection limits: An internet router has to track every connection that every computer on its network makes to the internet, and that number of connections can really add up as more computers are added to the network. Each of these connections has to be stored in the router’s memory, and small home routers typically don’t have a ton of memory. Applications such as bittorrent that make thousands of connections to other computers on the internet can choke a router and make your internet connection feel slow.

Advanced Quality of Service (QoS): If your teenager is sucking up all of the bandwidth by downloading music and movies all day, finding a router that supports QoS or traffic shaping will help. It allows you to classify which internet traffic takes priority and to put all of your web surfing ahead of their downloads. This is especially helpful with applications like bittorrent that suck bandwidth and internet phones that don’t like latency.

Web access logging: Firewalls can track where users go on the internet and keep a log of it without the need to install software on every computer.

Web Content filtering: In addition to logging web traffic, some routers can dynamically block objectionable web traffic based on keywords or a database of known questionable websites. And there is no need to install filtering software on each individual PC.

Remote access VPN: Spend all of that time building a great home network and it doesn’t do any good once you leave the house. A Virtual Private Network (VPN) allows you to connect securely to your network through any internet connection via an encrypted tunnel, just like a corporate network. If your work will allow it, you can even create a VPN tunnel directly from your router to work.

Inline Antivirus and Antispam: The copfilter plugin for IPcop allows you to scan e-mail for spam and viruses as it is being downloaded before it has a chance to infect PCs inside.

Granular Firewall Control: Most of these firewalls allow you to control what traffic comes in or even out of your network. Traffic to a webserver at your house can be allowed from just work or you can block applications from leaving your network.

Captive Portal: With a captive portal, the firewall intercepts web traffic and forces users to log in via a web page before proceeding to the web page that was requested. This is useful for tracking individual user web traffic where people share computers. Wi-Fi hotspots often use captive portals to lead users into registration and payment pages.

Updates and new features: Firewall manufacturers don’t like to update their software after you buy the router. Instead, they would rather you buy a new firewall for those new features so they can make more money. In contrast, these firewalls are actively maintained and new features are released as they are finished or needed.
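To make the connection-limit item above concrete, here is an added example (not from the original article or from any of the firewall projects) that counts tracked connections per inside host and flags a nearly full table. It assumes a Linux netfilter-based firewall that exposes its table in the `/proc/net/nf_conntrack` line format; the sample entries, addresses and the tiny table limit of 32 are constructed.

```python
from collections import Counter

def first_src(line):
    """Return the original-direction source address of one conntrack entry."""
    for field in line.split():
        if field.startswith("src="):
            return field[4:]      # the first src= is the host that opened the flow
    return None                   # blank or malformed line

def table_report(lines, table_max, warn_ratio=0.8):
    """Count tracked connections per source host and flag a nearly full table."""
    per_host = Counter()
    for line in lines:
        src = first_src(line)
        if src:
            per_host[src] += 1
    total = sum(per_host.values())
    return {
        "total": total,
        "utilisation": total / table_max,
        "near_limit": total >= warn_ratio * table_max,
        "top_hosts": per_host.most_common(3),
    }

def entry(src, dst, sport, dport, proto="tcp"):
    """Build one constructed line shaped like /proc/net/nf_conntrack output."""
    num, state = ("6", "ESTABLISHED ") if proto == "tcp" else ("17", "")
    return (f"ipv4     2 {proto} {num} 120 {state}src={src} dst={dst} "
            f"sport={sport} dport={dport} src={dst} dst=198.51.100.2 "
            f"sport={dport} dport={sport} mark=0 use=1")

# Constructed sample: two ordinary web sessions, one blank line, and one
# host running a peer-to-peer client that holds 28 flows on its own.
SAMPLE = [entry("192.168.1.10", "203.0.113.5", 50001, 443),
          entry("192.168.1.11", "203.0.113.9", 50002, 443),
          ""]
SAMPLE += [entry("192.168.1.23", f"203.0.113.{i}", 6881, 40000 + i, "udp")
           for i in range(1, 29)]

if __name__ == "__main__":
    # On a real router, pass open("/proc/net/nf_conntrack") and the value
    # read from /proc/sys/net/netfilter/nf_conntrack_max instead.
    print(table_report(SAMPLE, table_max=32))
```

A single host owning most of the entries, as 192.168.1.23 does here, is the usual sign that a larger table or a per-host connection limit is needed.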

Here are six of the most popular firewall software packages.

IPcop – IPcop is one of the most commonly used small office and home office firewalls available. It has been around for many years and boasts a simple and intuitive interface with some of the most humble hardware requirements. In addition to the standard granular firewall, IPcop offers a web proxy that caches web traffic files to speed up the internet and log web traffic. Intrusion detection software detects hackers, basic QoS manages traffic and VPN creates secure connections.

In addition to the base feature set, there are several unofficial add-ons that extend IPcop’s features. Advanced Proxy adds complete control and authentication to the web proxy and URL Filter adds web content filtering. Copfilter adds antivirus, antispam and web privacy filtering. Installing add-ons may increase system requirements.

Monowall – This is the lightweight of the firewall distributions. It requires a mere 5 to 6 MB of space to run. Monowall can run from a compact flash disk or a CD-ROM so that no hard drive is required. It supports specialized micro PCs that are the same size as most home routers. This firewall is based on BSD Unix, which has a reputation of being one of the most secure Linux/Unix distributions available. Monowall offers advanced NAT (Network Address Translation) and QoS configuration. Many users deploy Monowall for its captive portal functionality, which forces users to log in through a web page before surfing the internet. Because of its small stature, there are almost no add-ons or modifications and web content filtering is not available, but it supports the built-in Windows VPN client in addition to the standard branch office VPN. Monowall can also act as a wireless access point.

pfSense – This is the big brother to Monowall and uses some of the same software. It takes more space but offers almost all of the bells and whistles that a firewall can, including support for two internet connections and redundant firewalls. For example, one firewall will take over for another firewall that has failed. Modifications and add-ons are available for pfSense. There is commercial support available. It also runs on micro PCs like Monowall.

Endian – Some developers took the IPcop software, made improvements and made the product commercial. It still retains an open source option that is free for people to use and test new features. Content filtering, antispam, antivirus, and VPN are built in. Essentially, Endian is like IPcop with all of the main add-ons already installed and a slick interface.

Smoothwall – Like Endian, Smoothwall is a commercial firewall that had its roots as an open source project. They still retain an open source version for people to try out. IPcop actually branched off from Smoothwall early on, so they have commonalities, including add-ons. Smoothwall has one of the most polished and intuitive interfaces, but some advanced features like VPN and web filtering require an upgrade to the commercial version.

DD-WRT – This is a firmware replacement for several home wireless routers that enables features not supported by the manufacturer, like granular wireless control, QoS and increased connection limits. The benefit of this project is that it uses inexpensive off-the-shelf hardware that may already be lying around the house. A complete list of DD-WRT supported hardware can be found at their website.

Why is the software free?
In many cases, people write the software for the challenge or fun of it. In other cases, it is part of their job. Many businesses pay their software engineers to write open source software in the hope that they will get assistance from other engineers around the world in development and testing. Endian and Smoothwall firewalls release a free version of their software as a test of their commercial product. pfSense releases a free firewall but offers fee-based commercial support.

How hard is it to upgrade?
Most of the firewall packages listed here are designed for average computer users with moderate knowledge. In many cases, there are extra knobs and buttons underneath the web administration if you are into that, but looking under the hood is not needed for normal usage. In most cases, the installation process is simple and the developers maintain detailed instructions on their web site. A basic knowledge of small networks is helpful.

What about that commercial support?
Commercial software clearly has the advantage here for support. None of these firewalls have a 1-800 number to call for help, especially for free, but that free help is often worth just what you pay for it: nothing. But there is help for these free firewalls. All have detailed documentation and many have message boards where you can get help from other users and even directly from the software programmers. Users almost never enjoy that type of access to the developers in commercial software.

Finding the right hardware:
The software is free, but you do have to find your own hardware. DD-WRT uses off-the-shelf home routers that can be found at most computer stores. The hardware requirements for the rest of the firewalls are quite low, so almost any old computer will do. An extra network interface card is needed for basic connectivity, and a wireless card can be added to make the firewall a wireless access point also.

Monowall and pfSense have the most flexible hardware requirements since they can run on micro PCs, directly from a CD-ROM without a hard drive, or from a compact flash card on an old computer. IPcop can be installed on a PC with a standard hard drive or compact flash card. The free version of Endian must be installed to a computer with a hard drive.

Buying a commercial firewall with these same features can cost hundreds of dollars, but the same software can be downloaded for free and installed in an afternoon.