It's been a quiet day at Solaris Security Central until your boss walks in and says, "Corporate is coming down on us for not having a firewall between the research department and the rest of the network. There's no money in budget for hardware or software, and we need it done by next Friday."
You hang your head in disgust as he walks out and you wonder if it's too late to get started on a career as a long haul trucker. As your chin rests on your chest, you notice a Sparc 20 you had forgotten about lurking underneath your desk. Your hardware problems are solved, but what about firewall software?You have no money to spend.
IPFilter to the rescue! IPFilter by Darren Reed is a software package for Solaris and other operating systems that can be used to provide firewall and Network Address Translation (NAT) services as a loadable kernel module. With IPFilter, you can block/pass/reject packets across multiple interfaces, perform forward and reverse NAT, send back an ICMP error and/TCP reset for denied packets, keep packet state information for TCP, UDP and ICMP packet flows, and even use redirection to setup transparent proxy connections.
But writing up the ruleset is a real drag with nothing more than the editor-of-your-choice as your primary tool. Firewall Builder and Isba to the rescue! These two programs are the Superman and Batman of ruleset building applications. Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various
Isba is a firewall ruleset builder by Pierre Berthomier. Isba is a free graphical tool designed to edit IPFilter rulesets and remotely manage IPFilter firewalled hosts in a production environment. Isba displays rules in typed columns (action, options, interface, source host or net, etc). Hosts, nets, services and interfaces are objects that can be given names. Objects can be organized in groups which can be used in a rule, to write, in a single line, what will be compiled into many IPFilter rules. Both programs promote the readibilty, maintainability, and flexibility of firewall rulesets.
Okay, so now where do you get started on a policy for the firewall?SANS to the rescue! The SANS Institute has created the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you might need for rapid development and implementation of information security policies. And now the best part: there's no charge for this! You don't need lots of money to put in an effective firewall and policy. All you need are the right resources.
Check out IPFilter at http://coombs.anu.edu.au/~avalon/, Firewall Builder at http://fwbuilder.sourceforge.net, isba at http://inc2.com/isba/index.html, and the sample security policies from SANS at http://www.sans.org/newlook/resources/policies/policies.htm. There's no need to consider so drastic a career change with tools like these at hand.
This was first published in April 2002