Ask the Expert

Best server fits and configuration for firewalls

I'm wondering what particular flavor of Linux would be best to use as an IPSec VPN/firewall server? BSDs are okay as well. I'm also looking for the least amount of kernel configuring possible. Is it advisable to have the VPN on the same box as the firewall?

    Requires Free Membership to View

I'd lean toward a BSD-based platform. A Linux-based system is perfectly capable of handling this sort of functionality and I imagine would met most people's security needs. However, a BSD-based platform like OpenBSD is almost purposely built for this sort of role. It has already had a lot of base hardening done, what OpenBSD calls "secure by default," and the development team has a strong focus on security. There have been only a handful of vulnerabilities found in OpenBSD. These have been quickly and carefully fixed. I have found very little need or reason to tweak the OpenBSD kernel for security purposes.

With regard to placement of your VPN and firewall functionality, it's hard for me to answer that question as it depends on a few factors. The key issue being: I don't know the level of risk you are exposed to. If you feel you are a serious target and the data you are trying to protect is critical to your organisation, then perhaps two systems are a better model. This is especially true if there is information with differing levels of criticality and sensitivity being passed across your VPN and firewall servers. For example, if the data traversing your VPN server is more critical and/or sensitive then it potentially needs a higher level of security than the data traversing your firewall and vice-versa.

Additionally, there are other questions about performance and redundancy. Do you have sufficient resource to run both functions on a single box? Does this include future growth? Do you need two boxes for redundancy or disaster recovery? Do you need a fail over model? If you do decide that you need two systems, then you need to consider the cost of acquiring that additional system and, more importantly, the additional overhead of administering two systems.

Overall, you need to model your risks and your requirements, then decide the necessary architecture in your environment. The best way to do this is to conduct a risk assessment. If you don't feel comfortable doing this, then I recommend you engage a security consultant or consulting company, preferably one with experience in open source, to assist you in this activity.

This was first published in December 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: