From the excellent documentation:
What Is Endian Firewall?
Endian Firewall™ is a “turn-key” Linux security distribution that turns every system into a fully featured security appliance. The software has been designed with “usability in mind” and is very easy to install, use and manage, without losing its flexibility. The features include a stateful packet inspection firewall, application-level proxies for various protocols (HTTP, POP3, SMTP, SIP) with antivirus support, virus and spam filtering for email traffic (POP and SMTP), content filtering of Web traffic and a “hassle free” VPN solution (based on OpenVPN). The main advantage of Endian Firewall™ is that it is a pure “Open Source” solution that is commercially supported by Endian.
I see a lot of things to like about this firewall. I prefer a much more minimalist approach at the battlements. I personally wouldn’t run this on the gateway to the internet. It simply has too much software for me. I prefer simple firewalls. Endian has too many things that can have zero-day exploits and undiscovered vulnerabilities. Just too many moving parts. I prefer firewalls that run in memory and have little or no disk writes. If you can’t get a shell on them, that makes me happy. I would run this firewall on departmental gateways. It could save some bandwidth, because it has some nice proxy cache capabilities.
Most of the network configuration is done during the install, through an ncurses interface, but it can be reconfigured from the web interface. Here are the images of me doing just that.
The web pages not only let you configure the firewall; they also let you keep track of statistics about the system: which services are running or shut down, plus memory, disk and uptime. The network status page shows interfaces, NIC status, routing table entries and ARP table entries. There are pages for viewing System Traffic and Proxy graphs, as well as SMTP mail statistics if you have enabled them. You can view OpenVPN connections. There is a web page for configuring static routes and host tables.
There are several services available on the firewall/server. The standard DHCP server that most firewalls have is here. ClamAV is there for virus detection and can be used with the SMTP proxy and the POP3 proxy. There’s a web page to configure the time server and another to set up traffic shaping. SpamAssassin is part of Endian Firewall, and there is a web page for configuring a source to feed it ham and spam. Snort is another of the packages installed in Endian Firewall; under Intrusion Detection System is a web page for configuring it. If you enable traffic monitoring, you activate ntop, which produces nice graphs for viewing traffic patterns by protocol and interface.
The Firewall tab gives access to configuring firewall rules based upon interfaces or zones. It allows you to configure access rules for managing the system. You can add rules for port forwarding and Source NAT.
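To show what the Firewall tab is driving underneath, here is the netfilter equivalent of the four things it exposes: zone rules, access rules for managing the system, a port forward (DNAT) and Source NAT. This is an added example written for this review, not rules generated by Endian. The RED/GREEN/ORANGE zone names, the interface names, the addresses and the 10443 management port are all assumptions. The script prints the iptables commands by default so they can be inspected first; APPLY=1 executes them.

```shell
#!/bin/sh
# Added example (not Endian's generated rules): a minimal zone-based netfilter
# policy of the kind the Firewall tab describes: per-zone rules, management
# access restricted to the trusted zone, a port forward (DNAT) and Source NAT.
# Interface names, addresses, zone names and the management port are assumptions.
# Dry run by default: prints the iptables commands. APPLY=1 executes them (as root).

RED_IF=${RED_IF:-eth0}         # untrusted zone (internet)
GREEN_IF=${GREEN_IF:-eth1}     # trusted LAN
ORANGE_IF=${ORANGE_IF:-eth2}   # DMZ
GREEN_NET=192.168.1.0/24
ORANGE_NET=192.168.2.0/24
DMZ_MAIL=192.168.2.25          # mail server the firewall fronts (assumed)
RED_ADDR=203.0.113.10          # public address (RFC 5737 documentation range)
MGMT_PORT=10443                # assumed HTTPS management port

IPT() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

gen_rules() {
    # Default deny on INPUT and FORWARD: anything not listed below is dropped.
    IPT -P INPUT DROP
    IPT -P FORWARD DROP
    IPT -P OUTPUT ACCEPT
    # Stateful inspection: replies to permitted connections pass.
    IPT -A INPUT -i lo -j ACCEPT
    IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Access rules for managing the system: web UI and SSH only from GREEN.
    IPT -A INPUT -i "$GREEN_IF" -s "$GREEN_NET" -p tcp --dport "$MGMT_PORT" -j ACCEPT
    IPT -A INPUT -i "$GREEN_IF" -s "$GREEN_NET" -p tcp --dport 22 -j ACCEPT
    # Zone policy: GREEN may initiate to RED and ORANGE; ORANGE never to GREEN.
    IPT -A FORWARD -i "$GREEN_IF" -o "$RED_IF" -j ACCEPT
    IPT -A FORWARD -i "$GREEN_IF" -o "$ORANGE_IF" -j ACCEPT
    # Egress filtering for the DMZ: the mail server may only send SMTP and DNS out.
    IPT -A FORWARD -i "$ORANGE_IF" -o "$RED_IF" -s "$DMZ_MAIL" -p tcp --dport 25 -j ACCEPT
    IPT -A FORWARD -i "$ORANGE_IF" -o "$RED_IF" -s "$DMZ_MAIL" -p udp --dport 53 -j ACCEPT
    # Port forward: inbound SMTP on RED to the DMZ mail server. A DNAT rule
    # alone is not enough; the translated flow must also be accepted in FORWARD.
    IPT -t nat -A PREROUTING -i "$RED_IF" -p tcp --dport 25 -j DNAT --to-destination "$DMZ_MAIL:25"
    IPT -A FORWARD -i "$RED_IF" -o "$ORANGE_IF" -d "$DMZ_MAIL" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    # Source NAT: internal zones leave RED with the public address.
    IPT -t nat -A POSTROUTING -o "$RED_IF" -s "$GREEN_NET" -j SNAT --to-source "$RED_ADDR"
    IPT -t nat -A POSTROUTING -o "$RED_IF" -s "$ORANGE_NET" -j SNAT --to-source "$RED_ADDR"
    # Log what falls through to the DROP policy.
    IPT -A FORWARD -j LOG --log-prefix FW-DROP:
}

# Check: does any INPUT rule accept a management port on the RED interface?
# Returns 0 (true) if so. Run it against the dry-run output before APPLY=1.
red_management_exposed() {
    gen_rules | grep -- "-A INPUT -i $RED_IF " | grep -E -- "--dport ($MGMT_PORT|22) " | grep -q -- "-j ACCEPT"
}

gen_rules
```

Read the printed rules, then run with APPLY=1 as root. Two points worth noticing: a port forward needs both the nat-table DNAT rule and a matching FORWARD accept, which a GUI hides from you, and the red_management_exposed check is the kind of tripwire to run against any generated ruleset before it goes live, since a management port reachable from the untrusted interface is exactly how a feature-rich appliance can weaken a network rather than protect it.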
The POP3 proxy can filter for spam using SpamAssassin and scan for viruses with ClamAV, though they warn you that it will likely slow down POP3. It also allows the creation of whitelists and blacklists for spam. The FTP server can also take advantage of the virus detection capabilities of Endian Firewall.
The SMTP proxy allows spam checking, virus scanning and file extension blocking. It has whitelist and blacklist capabilities, and it can use real-time blacklists (RBLs) for stopping spam. The DNS proxy even has an anti-spyware option.
You can configure virtual private networks several ways with Endian Firewall. You can configure a pool of addresses for OpenVPN connections into the network. You can configure an OpenVPN client to create a gateway-to-gateway tunnel. Or you can configure host-to-net or net-to-net tunnels with IPsec.
Installing Endian Firewall is easy: boot from the CD and it will do the rest. It partitioned my hard disk into three partitions, /, /boot and /var. Here’s what df -h outputs.
This firewall does most of the things that a small business needs. It can be configured to protect more vulnerable mail servers, as well as virus scan and filter most inbound connections. It can be configured for both ingress and egress filtering. It’s designed to protect and proxy for vulnerable systems inside the network. Like many complex systems, if improperly configured it may actually make your network more vulnerable. I prefer a simpler approach to firewalls, but I realize some people want all the extra filters and proxies and may find this just the thing to protect their network and valuable data.
I definitely give the development team an A+ for design. Although there is ample documentation available for Endian, I barely had to use it. The parts of the system were well thought out, and the groupings make sense and enhance the ability to configure the software. There is also the possibility, because switches are provided in the software, of a minimal configuration without all the proxies, virus scanners and spam filters turned on.
I didn’t do any throughput testing. If I were going to deploy this with all the bells and whistles turned on, I would definitely opt for some substantial hardware with a good amount of memory. Today I would probably want nothing less than a P4 and 2 GB of memory. Without the proxies and filters, it could probably run on a 486 with 256 MB of memory. With only remote logging turned on, it might run from a compact flash.
Remember, security is a process. Don’t look to this or any other single device to be the only security solution for your network. Start with a policy document, then develop tools to meet that policy.
Thanks for looking.