Firewalls

This webpage discusses do-it-yourself network firewalls for small firms and solo practitioners. It is separate and apart from the software firewalls that run on your laptop or PC.

Prequel

If you want information about software firewalls for your PC or laptop (which you should have), check out these sites for Windows, Mac and Linux.  What this page is about is making an inexpensive network firewall that is (much) better than nothing.   Yes, most routers (including the cable and DSL modems from your Internet provider) have firewalls.  However, the firewall in an ISP-supplied modem is there mostly to serve the ISP: the ISP configures it (and often manages it remotely), it gives you little control over what it allows, and its security updates arrive on the ISP's schedule, not yours.  

Introduction

A stand-alone, dedicated firewall, properly configured, is one of the best things that you can do for your law firm.  This type of firewall is almost certainly better than the firewall found on your garden-variety router or cable/DSL modem.  If your firm suffers a breach (even if it is unrelated to the firewall), you can at least point to the firewall, its configuration and its logs as evidence that you took the problem seriously and did something about it.  Having a stand-alone firewall makes your firm safer, and it affords your firm more control over its network security -- and gives the firm the potential to implement its own virtual private network ("VPN").

This page makes the following assumptions:

  1. That your firm has a "static" Internet Protocol ("IP") address, or a dynamic IP address that is kept reachable through a dynamic DNS service such as No-IP;
  2. Your firm has offices (or people working from home) that require access to files stored centrally on a server behind that address (e.g., a file server on the office network, which is in turn connected to the Internet);
  3. Your firm is contemplating using its own Virtual Private Network ("VPN"); and
  4. Your firm doesn't want to spend any money on software (or updates), and only as little as possible on hardware.

Note: this website is not going to advocate purchasing one of the (many) purpose-built commercial firewalls.  Those companies spend a great deal on advertising, and I don't need to add to it here.  I am going to describe a low-cost option for firms that fit the above-identified assumptions.  On this matter, I'm speaking from personal experience.  One of my clients found themselves in this position (they have offices in Texas and Louisiana and needed a VPN), so I built the system that I'm about to describe.  Their IT guy had left, and he was the only one who understood the expensive proprietary firewall.  The client had spent $16,000 on the proprietary firewall, and had no money to spend on even more software.  Consequently, all of the software that I will identify is open source and freely available under an open source license.

Some rules of thumb:

  • Firewalls should be as "dumb" as possible. 

Complexity is the playground of hackers.  The more "capable" a firewall is, the more likely that you'll miss a setting that could (inadvertently) expose your data. 

  • Firewalls shouldn't need much hardware capacity.

If the firewall is as dumb as possible, a garden-variety processor with about 2 GB of RAM should be ample.  If you *really* do it right, you won't even need a hard disk: you can boot the software from read-only media such as a CD-ROM, so that an intruder who gets into the running system cannot alter the operating system on disk.  (That is not the same as "unhackable": an intruder can still change what is in memory until the next reboot, and any configuration you save elsewhere, so keep the configuration backed up and the software updated.)  I know some people who have set up a working firewall on a $35 Raspberry Pi.

  • A firewall will take some effort.

Nothing is free.  If you are willing to take some time to make your own firewall, your firm will be safer, and you will save money. 

  • It isn't as hard as you might think.

There are lots of horror stories out there.  And vendors are eager to instill fear in you, often to separate you from your money.  Still, if a firewall is supposed to be dumb, then it can't be that hard to set up.  If you choose your software correctly, updates can be relatively trouble-free, and shouldn't cost you anything -- provided you pick a distribution that is still actively maintained.  A firewall that no longer receives security updates is a liability, not an asset.

  • If nothing else, going through this exercise will turn you into a savvy customer.

You will know what you want, and what you need -- and that is the most important factor in a purchase.

The Ingredients

You will need:

  1. Modest hardware
  2. Open source firewall software (usually a Linux distribution built for the job)

As for the hardware, an old PC with 2 GB of RAM will be enough, provided it has at least one built-in network interface (RJ-45) connection; you then add a second network interface card, which you can get cheaply on Amazon for between $12 and $24.  If your future firewall is a laptop, you can obtain a USB-to-Ethernet adapter for between $9 and $13 instead.  Use wired interfaces on both sides, not wireless ones, and use two physically separate interfaces: it is possible to split one card with VLANs, but that is one misconfiguration away from joining your office network directly to the Internet.  There are descriptions of adequate (old) devices, such as the one here.

At a minimum, you will need a network interface to connect to the Internet device (e.g., the cable or DSL modem), and another one to connect to your local area network ("LAN").

The software...

The lowest-cost (viable) solution entails the use of open source software, namely a version of Linux that has been tailored to firewalls.  Linux is one of the most widely used operating systems in the world.  While a distant third on the desktop, Linux dominates in servers, cell phones (Android) and the Internet of Things ("IoT"), precisely because it is free and easily adapted to a wide variety of applications.  Tailoring Linux for a specific application creates a distribution.  Popular open source firewall distributions include IPFire and IPCop, which are Linux-based, and OPNsense, which is built on FreeBSD rather than Linux but fills exactly the same role.  One caution: IPCop has not had a release since 2015 and should be treated as unmaintained, and a distribution that no longer ships security updates has no business sitting between your firm and the Internet.

Which one should you pick?  My advice is to download and try them, on the spare PC and before you put it in front of your network.  If you don't like those, there are others, all of which you can find here.  The good news is that trying them out is free.  What differs between them is the polish of the interface, the features, the documentation and, most importantly, how actively the project is maintained: check the date of the latest release before you commit to one.    

Some Theory is in Order...

Keep in mind what a firewall is for: a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.  That means that you need to set some rules.  The firewall software will help you do exactly that.  The idea is to allow the network traffic that you need, and block everything else, including the traffic that nefarious hackers (or recalcitrant employees) need to hurt your firm.    Most of these distributions also bundle a web proxy or URL filter (IPFire, for example, includes one) that can block access to improper websites (porn) or other sites that can be used to misappropriate trade secrets and client confidences; note that this is content filtering layered on top of the firewall, not the packet filtering that the firewall itself does.  The point is that the up-front work of a firewall is not getting the hardware and software together.  Rather, it is the determination of what you want to protect, and then configuring the software accordingly. 

For that, fortunately, there are many fine descriptions on the Internet (for free).  Good places to start can be found here, here and here

Once your policies are defined, the documentation of the firewall distribution will explain how to implement those policies in software.  Hint: you can cheat and find a distribution whose defaults most closely match your business model.  Most of the web pages for the various distributions describe what they do (and, more importantly, why they were created), which provides an indication of what defaults can be expected.

As a start, however, you would be wise to block all unsolicited incoming connections from the Internet.  A modern (stateful) firewall still lets in the replies to connections that your own PCs started, so blocking inbound traffic by default costs you nothing in day-to-day use; the only hole you then open, deliberately, is the VPN port.  Verify the result from outside your network (a phone on cellular data will do) by scanning your public address and confirming that nothing else answers.  If you do nothing else, that step would be a great benefit to your firm.
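Here is what that default-deny policy looks like at the Linux netfilter layer, as an added example.  It is not from this page's author or from any of the distributions named above (they generate equivalent rules from their web interfaces; this is what you would write on a plain Linux box).  It assumes the interface names wan0 (to the modem) and lan0 (to the office), an office LAN of 192.168.10.0/24, and a WireGuard VPN listening on UDP port 51820 with tunnel interface wg0 and address range 10.8.0.0/24; all of those are placeholders to change for your own network.

```nftables
#!/usr/sbin/nft -f
# Added example: minimal two-interface firewall policy for a small office.
# Assumed names and addresses (placeholders, not from the page):
#   wan0 = interface to the cable/DSL modem
#   lan0 = interface to the office LAN, 192.168.10.0/24
#   wg0  = WireGuard tunnel interface, 10.8.0.0/24, listening on UDP 51820
flush ruleset

define WAN      = "wan0"
define LAN      = "lan0"
define VPN      = "wg0"
define LAN_NET  = 192.168.10.0/24
define VPN_NET  = 10.8.0.0/24
define VPN_PORT = 51820

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: dropped unless a rule below allows it.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept      # replies to connections the firewall started

        # IPv6 neighbour discovery must be allowed or IPv6 stops working entirely
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } accept

        # Ping and administration (SSH, web GUI) only from the office side, never from the Internet
        iifname $LAN icmp type echo-request accept
        iifname $LAN tcp dport { 22, 443 } accept

        # DNS and DHCP for the office, if the firewall provides them
        iifname $LAN udp dport { 53, 67 } accept
        iifname $LAN tcp dport 53 accept

        # The single service deliberately exposed to the Internet: the VPN endpoint.
        # Everything else arriving unsolicited on wan0 falls through to "policy drop".
        iifname $WAN udp dport $VPN_PORT accept
    }

    chain forward {
        # Traffic passing through the firewall between networks: same default-deny.
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept      # return traffic for connections allowed below

        # Office PCs may reach the Internet
        iifname $LAN oifname $WAN accept

        # Remote offices and home workers on the VPN may reach the file server's LAN, and vice versa.
        # Packets arrive encrypted on wan0 (accepted in "input" above) and reappear decrypted on wg0.
        iifname $VPN oifname $LAN ip saddr $VPN_NET ip daddr $LAN_NET accept
        iifname $LAN oifname $VPN ip saddr $LAN_NET ip daddr $VPN_NET accept
    }

    chain output {
        # Connections the firewall itself makes (package updates, DNS lookups)
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # Hide the private office addresses behind the firm's single public IP address
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Load it as root with `nft -f firewall.nft` and inspect the result with `nft list ruleset`; make it load at boot (on most distributions by saving it as /etc/nftables.conf) or it is gone after the first reboot.  Because the input chain is default-deny, the firewall can only be administered from the office side; if you want to manage it over the VPN, add wg0 to the SSH/HTTPS rule.  Then do the check described above: scan the public address from outside and confirm that only UDP 51820 responds.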