I am working to have a network setup using as much open-source software as possible. This website is a perfect example: a Linux web server and Joomla, an open-source website framework. The next thing on my list of open-source software is a good UTM firewall device. For the uninitiated, UTM stands for Unified Threat Management. As opposed to just a basic firewall that blocks and allows traffic, I want something that offers a complete package, with Site-to-Site (IPSec) VPN, Client-to-Site (Remote Access) VPN, and easy-to-use management. There are a number of options that could possibly fit this bill. Here is a rundown of the firewalls I have found and how they do or don't work.
Since this is a rather personal decision, I will list the requirements I have, and compare the firewalls to each other based on this list:
- Reasonably easy/straightforward install and configuration
- Ability to manage/configure from the outside world
- Firewall - allow/block traffic
- Site-to-Site VPN (IPSec)
- Remote Access VPN (RA)
- Mobile Access - VPN Access for mobile devices
- Install on older i386 hardware
(Edited: 2015-10-28)
- Behave as a VPN Client
After some additional work and research, an additional requirement has arisen: the ability to BE an OpenVPN client. There are many VPN services out there, offering some pseudo-anonymity through their VPN servers. I need to be able to use the UTM gateway as a VPN client to connect to such a VPN, and then forward all traffic through it.
These are my base requirements. If anything doesn't meet these, I'm simply moving on to another, regardless of what other features are present. I am checking the features by installing each product in a virtual machine before I go through the trouble of getting it onto my old i386 hardware. Once I have verified that the features I need exist, I will go ahead and install it on my device for real. As for the hardware, it's an old desktop PC that has no other real use. It has 2 NICs right on the motherboard, and can handle a total of 4 GB RAM, so in terms of computing power it is comparable to many UTM appliances. I just don't want to fork out any cash for new hardware when this older stuff functions just fine.
Let's get to it:
I have read much about this software. Most of it was about how "awesome" it is. So I decided this would be the first one to check, as it seemed THE MOST likely to fit my needs. Let's see how it stacks up:
The install process was very straightforward and simple. Once it was installed, the basic interface configuration was just as simple. The rest of the configuration is handled in a web browser. Fortunately, the OS comes ready to do so: when it boots up to a GUI, it loads the web browser at the config page, ready to go.
Firewall: Yes
IPSec: Paid feature
RA: Paid feature
Mobile Access: Paid feature
Technically, there's an OpenVPN section where I can configure the device as an OpenVPN server and/or client. But that typically requires more work. Right now my little router is running an OpenVPN server, so if I wanted to go through all that trouble, I would just do so on my little router. Since my primary VPN needs are only covered by a paid product, we're moving on to something else. To be quite honest, I am rather disappointed that these (seemingly) basic VPN features are only part of the paid-for offerings, especially given all the online reading about how great this product is.
Next up is Endian
I came across this while searching for open-source UTMs. I hadn't read any reviews on it, so I was more or less going in blind. Again, based on their website, it looks like this should cover all my needs.
The install process was just as simple, and it comes with a nice option I have never seen before: it can set the serial port to be a console access port. That's awesome for anyone looking to set up a headless appliance. The initial configuration is pretty simple as well, though it only tells me to configure the "GREEN IP", and there is no indication which actual port that correlates to. Once it boots up, it loads a basic screen telling me to configure it through the WebUI from another device on the network. The configuration is rather unclear though... You go about configuring "Green", "Red", and "Orange"/"Blue" interfaces, without it ever being really clear what is going on. As it turns out, they are just trying to color-code the interfaces/traffic: Red for the external/untrusted networks, Green for internal/trusted traffic. What they truly fail to explain is that the WebUI is only available from the "GREEN" interface. The configuration here is so unclear and bass-ackwards that I couldn't get to a point where I could see what features there are.
Truly disappointed here. Maybe the setup will be different on real hardware, but based on this experience I won't bother. At least not for now...
Moving on to ClearOS
Again, having NOT read any other reviews on this product, I found this with the same search that turned up Endian. From their website: "ClearOS Community is a cloud-connected Server, Network, and Gateway operating system designed for homes, hobbyists and Linux developers." SOLD! I like the sound of this already!
The install process was very simple through a nice GUI interface. While totally unnecessary, the GUI is a bit of a nice touch. It reboots into a very basic GUI that allows for interface configuration and not much more; the rest of the configuration is done from a WebUI. The configuration is very straightforward, and even includes a spot to install some add-ons, like VPN, web filtering and such. Most of the add-ons are free, but there are some paid ones. So far, I think what I want can be taken care of through the free ones. Once the extra packages are selected, they need to be downloaded and installed. The WebUI is very nicely polished. The firewall rules are not quite as obvious as one would hope, but they work nonetheless.
Firewall: Yes
IPSec: Yes
RA: I think so. Technically I can use the OpenVPN server it has, but it is not very clear how to grant a user VPN access
Mobile Access: Same as above.
So far, while it technically meets my needs, the way in which things are configured is a bit unclear. This may be due to the Automatic Configuration feature that exists in some of the add-ons. This, in theory, may help a basic end user get things configured a little more easily. But I am used to things being a little more complex, so while this may be in place to try to simplify things, I personally find it a bit more confusing.
Let's carry on, and maybe come back to ClearOS afterwards...
Next up is pfSense
From their website: "The pfSense® project is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface." I had heard of pfSense in my work as a network security engineer as well as in my own personal searches, but I never really looked into it all that much. Now that I have reason to do so, I am kinda looking forward to it.
The install is a little odd, in that it starts to boot a LiveCD, then later asks if you want to run the LiveCD or run the installer. Once it reboots, the basic configuration is done from the CLI, which is fine. Once the basics have been configured, the rest is once again done through a WebUI.
Firewall: Yes
IPSec: Yes
RA: Yes
Mobile Access: Yes
(Edited: 2015-10-28)
Be a VPN Client: Yes
This one is definitely a candidate for a real hardware installation. It will need some more thorough testing before I decide to go this route though... While the configuration seems to be a lot easier, it seems to be lacking some of the UTM completeness that I am really looking for. For example, I can rather easily set up a client-to-site VPN, but I need to manually create all the certificates and such, and I'm looking for something that does a lot of this for you. I will certainly be keeping this one in mind and testing it a little more in-depth as time goes on.
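Since pfSense leaves the certificate work to you, here is an added example (my own, not pfSense's or OpenVPN's tooling) of the minimal PKI a client-to-site OpenVPN server needs, built with plain openssl: an offline CA, a server certificate restricted to the serverAuth extended key usage, and one client certificate restricted to clientAuth, followed by the checks that prove the restriction holds. The names vpn-ca, vpn.example.net and alice and the directory ./vpn-pki are assumptions; the script needs openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not pfSense's or OpenVPN's own tooling): build the minimal
# PKI an OpenVPN client-to-site server needs, using only openssl.
# Assumed names: CA "vpn-ca", server "vpn.example.net", user "alice".
set -eu

make_vpn_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"

        # Minimal req config so nothing depends on the system openssl.cnf;
        # every subject is passed explicitly with -subj.
        printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf

        # Extension profiles. The CA may only sign certs and CRLs; the server
        # is limited to serverAuth, clients to clientAuth. OpenVPN's
        # 'remote-cert-tls server|client' enforces exactly these EKUs, so a
        # stolen client certificate cannot be used to impersonate the server.
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
        printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.net\n' > server.ext
        printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

        # 1. CA: key, CSR, self-signed certificate. Keep ca.key off the
        #    firewall; it is only needed to issue (and revoke) certificates.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -config req.cnf -key ca.key -subj '/CN=vpn-ca' -out ca.csr
        openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
            -extfile ca.ext -out ca.crt 2>/dev/null

        # 2. Server certificate, signed by the CA.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -config req.cnf -key server.key -subj '/CN=vpn.example.net' -out server.csr
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 825 -sha256 -extfile server.ext -out server.crt 2>/dev/null

        # 3. One certificate per user. The CN is what OpenVPN logs and what
        #    per-client settings (client-config-dir) are keyed on.
        openssl genrsa -out alice.key 2048 2>/dev/null
        openssl req -new -config req.cnf -key alice.key -subj '/CN=alice' -out alice.csr
        openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -sha256 -extfile client.ext -out alice.crt 2>/dev/null

        rm -f ca.csr server.csr alice.csr
    )
}

# Exit 0 only if every leaf certificate chains to the CA.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/alice.crt" >/dev/null 2>&1
}

# Exit 0 only if the certificate is acceptable as a TLS *server* under this
# CA, which is the check 'remote-cert-tls server' performs on the VPN client.
accepted_as_server() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver "$2" >/dev/null 2>&1
}

# Print the extended key usage a certificate carries.
cert_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

PKI_DIR="${PKI_DIR:-./vpn-pki}"
make_vpn_pki "$PKI_DIR"
verify_chain "$PKI_DIR" && echo "chain OK"
echo "server EKU: $(cert_eku "$PKI_DIR/server.crt")"
echo "client EKU: $(cert_eku "$PKI_DIR/alice.crt")"
if accepted_as_server "$PKI_DIR" "$PKI_DIR/alice.crt"; then
    echo "BUG: client cert accepted as a server"
else
    echo "client cert correctly rejected as a server"
fi
```

The point of the two extension profiles is the last check: with `remote-cert-tls server` in the client config and `remote-cert-tls client` on the server, OpenVPN refuses a certificate issued for the other role, so a client certificate that leaks from a laptop cannot be turned into a rogue VPN server. The server also wants a tls-auth/tls-crypt key (`openvpn --genkey`) so that packets without a valid HMAC are dropped before any TLS handshake; pfSense's certificate manager can import the CA and certificates produced here, or create equivalent ones itself.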
So out of the 4 products I found, only 1 seems to fit the bill... that's only 25%, not a very good grade. But this is purely open-source software. In my searches for these products, I did find another product, but quickly passed it over: Sophos. I wrote an article about setting up a Sophos to Check Point IPSec VPN. So now I'm stuck in a bit of a conundrum... Do I stick purely with open-source (and thus free) software, or do I forgo the necessity of open source and allow for closed-source but free software? I am working on a "Zero-Cost" proof-of-concept (details yet to be fully fleshed out), and though my primary source of software is open source, I do not think that I should totally rule out closed-source software *IF* it can meet my requirements. So let's take another look at Sophos, this time with my requirements in mind, and see how it stacks up.
Sophos UTM Home Edition
"Our Free Home Use Firewall is a fully equipped software version of the Sophos UTM firewall, available at no cost for home users – no strings attached. It features full Network, Web, Mail and Web Application Security with VPN functionality and protects up to 50 IP addresses." This is promising. It can certainly fit part of my "Zero-Cost" proof-of-concept. Let's install it and see how that goes. The install process is very straightforward, and it even provides an option to NOT install the 'Astaro' tools. From my research, Astaro is the original name for this product before it was acquired by Sophos. Maybe later I will see what that option does, but for now, since those tools are what I want to check out, I will install them. Upon reboot you get a nice little message: "All configuration is done with WebAdmin. Go to https://X.X.X.X:4444 in your browser." That's a nice little touch; it is as clear as can be. The initial WebAdmin (WebUI) configuration is equally straightforward and simple. The only extra step was setting up the license file. If you do not have one, you will have trouble getting past this. The free home-use license is very easily acquired when you are filling out the details to get the Sophos ISO file in the first place. The initial configuration walks you through enabling different features, and even gets you to set up some basic firewall rules. Once that initial config is complete, it loads a nice WebUI where we do the rest of the management and configuration. Let's see the features:
Firewall: Yes
IPSec: Yes
RA: Yes
Mobile Access: Yes
(Edited: 2015-10-28)
Be a VPN Client: No
Woo yeah! This meets my needs (Edited: 2015-10-28: Not anymore. Due to this failing, I need to find a different product). From my experience configuring the Site-to-Site VPN with Check Point, I know already that the IPSec configuration is rather straightforward. When I did that, I also took a few moments to just poke around the rest of the VPN features, and the Remote Access and Mobile Access are very easily done. This one definitely deserves a real hardware install and further investigation.
So now that's a total of 2/5 products... 40%, still a failing grade, but much better than 25%. More importantly though, I now have some real choice, as opposed to just narrowing down to the 1 that is least crappy. I will write up another article about the real hardware install process and take a deeper look into the VPN features.
(Edited: 2015-10-28)
After much research into Sophos in the VPN client realm, it has come to my attention that this product (and company) is seriously deficient in this regard. Allow me to elaborate:
- Sophos has a feature request site. If you take a look at the VPN feature requests, their #1 feature request (by a VERY wide margin) is just this very feature (though differently worded). The fact that this feature request was originally put in OVER 5 YEARS AGO, with no solid response from Sophos, is not at all a good sign.
- There are some community-driven efforts to make Sophos act like an OpenVPN client. But this necessitates some command-line (CLI)/SSH edits, and:
- Any CLI edits to the Sophos device completely void the warranty. While this is moot for home users, it DOES affect those who actually pay for support.
In the end, this means that Sophos is out of the running. So this means either taking another, deeper look into pfSense, or finding something else altogether, like IPFire... Either way, more research is needed.