
Complete firewalls based on Linux

In general, the best firewall solutions are a mixture of IP filters and application-level proxies, although the detailed architecture depends strongly on the target environment. Proxies are mostly used to enable extra authentication methods and more detailed logging. A Linux system can serve as a complete firewall solution when it is combined with additional packages such as the Firewall Toolkit (FWTK) of Trusted Information Systems, Inc. (TIS), S/Key or one of its derivatives like OPIE (One-time Passwords In Everything), and SOCKS. These packages are freely available and are known to work on Linux. Keep in mind, however, that a single bastion host without a filtering router in front of it is not recommended practice: the router's packet filter should restrict traffic from the outside to the bastion host itself, so that a compromised proxy does not expose the internal network directly.
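As an added example that is not part of the original paper: the filtering-router half of the screened-host layout recommended above, expressed as ipfwadm rules for a Linux router with one bastion host behind it. Interface names, addresses and the proxy port list are assumptions; the command syntax is that of ipfwadm 2.x (chains -I/-O/-F, -p for the default policy, -W for the interface, -k for TCP segments with the ACK bit set, -b for bidirectional rules, -o for logging), so check ipfwadm(8) on the target system before loading it.

```shell
#!/bin/sh
# Added example, not from the paper: a screened-host rule set for a Linux
# filtering router running ipfwadm 2.x, with one bastion host behind it that
# carries the application proxies.  Interface names, addresses and the port
# list are assumed for illustration.  With IPFWADM=echo (the default here)
# the script only prints the rules it would load, so it can be reviewed
# offline; set IPFWADM=/sbin/ipfwadm on the real router.
IPFWADM=${IPFWADM:-echo}
EXT_IF=eth0                # assumed: interface towards the Internet
INT_IF=eth1                # assumed: interface towards the internal network
INT_NET=192.168.1.0/24     # assumed: internal address block
BASTION=192.168.1.2        # assumed: bastion host running the proxies
ANY=0.0.0.0/0
PROXY_PORTS="21 23 25 80"  # assumed: ftp-gw, tn-gw, smap and http-gw listeners

router_rules() {
    # Start from a clean state: flush the input, output and forwarding
    # chains and make deny the default policy, so only listed traffic passes.
    for chain in -I -O -F; do
        $IPFWADM $chain -f
        $IPFWADM $chain -p deny
    done

    # Input chain: refuse packets that arrive on the outside interface but
    # claim an internal source address (spoofing), and log them (-o).
    $IPFWADM -I -a deny -o -W $EXT_IF -S $INT_NET -D $ANY
    # Otherwise accept what each interface is expected to carry: the outside
    # may only address the bastion, the inside may send anything (the
    # forwarding chain narrows it down further).
    $IPFWADM -I -a accept -W $EXT_IF -S $ANY -D $BASTION
    $IPFWADM -I -a accept -W $INT_IF -S $INT_NET -D $ANY

    # Output chain: the router originates nothing of interest itself, so let
    # packets that survived the other two chains leave.
    $IPFWADM -O -a accept -S $ANY -D $ANY

    # Forwarding chain: new TCP connections from the outside reach the
    # bastion host only, and only on the proxy ports.
    $IPFWADM -F -a accept -P tcp -S $ANY -D $BASTION $PROXY_PORTS
    # Replies to connections the bastion opened itself (the proxies connect
    # outwards on behalf of internal users): TCP with the ACK bit set only
    # (-k), so no new connection can be opened towards other bastion ports.
    $IPFWADM -F -a accept -P tcp -k -S $ANY -D $BASTION
    # The bastion may open connections to the outside for its proxies.
    $IPFWADM -F -a accept -P tcp -S $BASTION -D $ANY
    # DNS queries from the bastion's resolver and their answers (-b makes the
    # rule match in both directions).
    $IPFWADM -F -b -a accept -P udp -S $BASTION -D $ANY 53
    # Everything else (including internal hosts talking to the Internet
    # directly, bypassing the proxies) hits the deny policy of the chain.
}

# Print (IPFWADM=echo) or load (IPFWADM=/sbin/ipfwadm) the rule set.
router_rules
```

The forwarding chain is the one that matters: inbound connections from the Internet can only reach the proxy ports on the bastion, the bastion itself may connect outwards for its proxies, and replies are matched on the ACK bit rather than on port numbers. Load the rules from the router's console rather than over the network, since the flush and default-deny steps cut off any remote session.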

The pros and cons of using free software for mission-critical applications like a firewall often come down to the black box versus crystal box debate. A commercial product usually does not come with source code, so nobody can study that code to find security holes and try to exploit them. This is the black box concept, sometimes called ``security by obscurity''. With freely available software, on the other hand, everybody, including the user, can look for possible bugs or weaknesses. Because the source code is available, this approach is often referred to as a crystal box (of course, configuration details, local enhancements, etc., are not publicly known). Bugs therefore tend to be found earlier, and fixes are simply made available via the Internet, often within hours after a bug is reported.

The costs of a Linux firewall solution are relatively low. Given today's decreasing PC prices, a single Linux PC acting as a filtering router may cost less than Dfl. 1,500. A more advanced Linux system, also hosting several proxy services, a WWW server, etc., will cost no more than Dfl. 3,000. Of course, these prices do not include consulting services to configure a customized firewall solution; but be aware that a commercial firewall product brings the same additional costs. The quality of a complete firewall solution depends mainly on a well-designed configuration scheme, whether it is based on commercial or free components.



Note that this paper is based on Linux 1.3.88 and ipfwadm 2.0, describing the situation in April 1996.
A revision of this paper for Linux 2.0.x and ipfwadm 2.3.0 is planned, but not yet available.

Copyright © 1996 by X/OS Experts in Open Systems BV. All rights reserved.
