Q

Best server fits and configuration for firewalls

I'm wondering what particular flavor of Linux would be best to use as an IPSec VPN/firewall server? BSDs are okay as well. I'm also looking for the least amount of kernel configuring possible. Is it advisable to have the VPN on the same box as the firewall?

I'd lean toward a BSD-based platform. A Linux-based system is perfectly capable of handling this sort of functionality

and I imagine would met most people's security needs. However, a BSD-based platform like OpenBSD is almost purposely built for this sort of role. It has already had a lot of base hardening done, what OpenBSD calls "secure by default," and the development team has a strong focus on security. There have been only a handful of vulnerabilities found in OpenBSD. These have been quickly and carefully fixed. I have found very little need or reason to tweak the OpenBSD kernel for security purposes.

With regard to placement of your VPN and firewall functionality, it's hard for me to answer that question as it depends on a few factors. The key issue being: I don't know the level of risk you are exposed to. If you feel you are a serious target and the data you are trying to protect is critical to your organisation, then perhaps two systems are a better model. This is especially true if there is information with differing levels of criticality and sensitivity being passed across your VPN and firewall servers. For example, if the data traversing your VPN server is more critical and/or sensitive then it potentially needs a higher level of security than the data traversing your firewall and vice-versa.

Additionally, there are other questions about performance and redundancy. Do you have sufficient resource to run both functions on a single box? Does this include future growth? Do you need two boxes for redundancy or disaster recovery? Do you need a fail over model? If you do decide that you need two systems, then you need to consider the cost of acquiring that additional system and, more importantly, the additional overhead of administering two systems.

Overall, you need to model your risks and your requirements, then decide the necessary architecture in your environment. The best way to do this is to conduct a risk assessment. If you don't feel comfortable doing this, then I recommend you engage a security consultant or consulting company, preferably one with experience in open source, to assist you in this activity.

This was first published in December 2005

Dig deeper on Linux system security best practices

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchDataCenter

SearchServerVirtualization

SearchCloudComputing

SearchEnterpriseDesktop

Close