Recently I had the pleasure of being part of the Napera Indigo Beta program, in which Napera (a networking company founded by Todd Hooper, formerly of WatchGuard) sent me a 24-port gigabit switch with their new embedded switch platform installed on it.
The Napera beta is basically a test of a network software platform aimed at companies interested in the features that Napera is spearheading. With the recent release of Windows XP SP3 and Vista, and the upcoming release of Windows 7, Microsoft has made the bold move of allowing the monitoring and auditing of machines connected to your internal network to be offloaded, checking them for things like up-to-date OS patches, firewalls and antivirus.
The program focused on a handful of key components.
1. Set-up and Activation
2. Enable NAP and Health Reporting
3. Health Enforcement
4. Identity Enforcement
5. Guest Access
You can read a little more on exactly what NAP is here: http://www.microsoft.com/technet/network/nap/napoverview.mspx
All of that aside, in the most recent episodes of Hak5 I dived into the interface and health reporting functionality of the Napera switch and its ability to limit workstation access based on health and authentication with Active Directory.
I’m a steadfast believer that anything that makes my life easier as a Systems Admin, or now in my case as CTO of a small company, is a great advancement and something that I think is sorely lacking in the industry.
I could go on and on about the functions of the Napera software, but I think it’s best experienced straight from the horse’s mouth.
For more information on Napera, head on over to http://www.napera.com/indigo/Napera%20Indigo%20User%20Guide.pdf for the Indigo User’s Guide.
So while our Smoothwall has been working well for us for the past two years, I recently had the need for something a little more robust.
I came across pfSense, a fork of the m0n0wall project. pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.
Here’s a short summary of some of the eye-catching features.
* Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
* Able to limit simultaneous connections on a per-rule basis
* pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility, to allow you to filter by the operating system initiating the connection. Want to allow FreeBSD and Linux machines onto the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the operating system in use.
* Option to log or not log traffic matching each rule.
* Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
* Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
* Capable of transparent layer 2 firewalling – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
* Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
o Enabled in pfSense by default
o Can be disabled if necessary. This option causes problems for some NFS implementations, but it is safe and should be left enabled on most installations.
* Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
* pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP.
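To show how the features above map onto pf’s own rule syntax, here is an added example pf.conf ruleset (my illustration, not code from the post or the pfSense project). The interface names, addresses, ports and the backup gateway are placeholder assumptions.

```pf
# Added example ruleset; interfaces, addresses and gateway are assumed placeholders.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
backup_gw = "203.0.113.1"           # second WAN gateway (assumed)

# Aliases: tables and macros group hosts and ports under one readable name.
table <web_servers> { 192.168.1.10, 192.168.1.11 }
table <admin_hosts> { 192.168.1.50 }
web_ports = "{ 80, 443 }"

# Packet normalization (pfSense enables this by default): reassembles
# fragments and drops TCP packets with invalid flag combinations.
# Comment this line out only if an NFS implementation misbehaves.
scrub in all

# Default deny, logged, so blocked traffic shows up in the firewall log.
block log all

# Per-rule logging plus a per-rule connection limit: this rule may hold
# at most 100 simultaneous states to the web servers.
pass in log on $ext_if proto tcp from any to <web_servers> port $web_ports \
    flags S/SA keep state (max 100)

# Passive OS fingerprinting via pf's "os" keyword (p0f-style matching on
# the SYN): only Linux and FreeBSD hosts on the LAN may reach SSH on the
# admin hosts; anything else falls through to the default block.
pass in on $int_if proto tcp from $lan_net os { "Linux", "FreeBSD" } \
    to <admin_hosts> port 22 flags S/SA keep state

# Policy routing: select the gateway per rule, here sending outbound SMTP
# from the LAN via the backup WAN gateway instead of the default route.
pass in on $int_if route-to ($ext_if $backup_gw) proto tcp \
    from $lan_net to any port 25 keep state

# Everything else from the LAN is allowed out, without per-rule logging.
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if from any to any keep state
```

Load it with `pfctl -nf /path/to/pf.conf` first: the `-n` flag parses and validates the ruleset without activating it.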
There are a ton of other great features that you can read up on at http://is.gd/iauk
The LiveCD ISO is available from http://www.pfsense.org/mirror.php?section=downloads and for VMware folks, a prebuilt VM is available at http://files.pfsense.org/vmware/pfSense-1.2.2-VM.zip