I'd lean toward a BSD-based platform. A Linux-based system is perfectly capable of handling this sort of functionality and I imagine would meet most people's security needs. However, a BSD-based platform like OpenBSD is almost purposely built for this sort of role. It has already had a lot of base hardening done, what OpenBSD calls "secure by default," and the development team has a strong focus on security. There have been only a handful of vulnerabilities found in OpenBSD. These have been quickly and carefully fixed. I have found very little need or reason to tweak the OpenBSD kernel for security purposes.
With regard to placement of your VPN and firewall functionality, it's hard for me to answer that question as it depends on a few factors. The key issue is that I don't know the level of risk you are exposed to. If you feel you are a serious target and the data you are trying to protect is critical to your organisation, then perhaps two systems are a better model. This is especially true if there is information with differing levels of criticality and sensitivity being passed across your VPN and firewall servers. For example, if the data traversing your VPN server is more critical and/or sensitive, then it potentially needs a higher level of security than the data traversing your firewall, and vice versa.
Additionally, there are other questions about performance and redundancy. Do you have sufficient resources to run both functions on a single box? Does this include future growth? Do you need two boxes for redundancy or disaster recovery? Do you need a failover model? If you do decide that you need two systems, then you need to consider the cost of acquiring that additional system and, more importantly, the additional overhead of administering two systems.
Overall, you need to model your risks and your requirements, then decide the necessary architecture in your environment. The best way to do this is to conduct a risk assessment. If you don't feel comfortable doing this, then I recommend you engage a security consultant or consulting company, preferably one with experience in open source, to assist you in this activity.
This was first published in December 2005