Monday, July 25, 2016

Endian Firewall for The Community

Short description

Endian Firewall is a turnkey Linux security distribution that provides an independent, unified security management solution. It is based on a hardened Linux operating system. The system is installed on a PC from a boot CD and can then run headless: it is administered through its web interface, through the serial console, or locally with a keyboard from the command line.
The main role of Endian Firewall is that of a gateway, router and firewall; it can also act as a proxy for web, e-mail, FTP, SIP and DNS traffic. Up to four different networks (depending on the number of network cards installed in the host PC) are normally managed. Networks are configured through the web interface, and Endian distinguishes them by colour:
  • Red network: the connection to the untrusted Internet.
  • Green network: the trusted intranet, e.g. file servers.
  • Orange network: the semi-trusted demilitarized zone (DMZ). It holds machines that run their own services and must be reachable from the Internet, such as web or FTP servers.
  • Blue network: the wireless segment, to which wireless clients connect. They are thereby kept separate from the green network, which improves its security.
Endian Firewall supports load balancing: a second Internet uplink can be added on the red side, and Endian Firewall then distributes the traffic across both uplinks.

License

Behind Endian Firewall stand the Italian company Endian SpA from Appiano, South Tyrol, and a community of volunteer developers and helpers. Endian's licensing model provides a commercial version and a free version:
  • The commercial version can be purchased either as standalone software (the product is called Endian UTM Software, or simply Endian) for installation on your own hardware, or as ready-made appliances, i.e. dedicated hardware with the software preinstalled. There are currently seven hardware variants with different performance levels for different network sizes: Mini 25, Mercury 50, Mercury 100, Macro 250, Macro 500, Macro 1000 and Macro 2500.
  • Both the free Endian Firewall Community and the commercial Endian UTM Software are intended for installation on your own hardware. Endian Firewall Community is licensed under the GPL and is therefore open source software that can be downloaded free of charge. The community version does not include support, and not all features of the commercial version are available in it.

Features

The current version includes the following key features:

Gateway

  • Ethernet support
  • Load Balancing
  • Traffic Shaping / Quality of Service
  • Multiple uplinks
  • Uplink failover

Firewall & Security

  • Firewall (both directions)
  • Demilitarized Zone
  • Intrusion Detection System / Intrusion Prevention System
  • Web, FTP and e-mail antivirus
  • Antispam
  • Content Filter
  • HTTPS web interface
  • SSH access and forwarding
  • Scheduler for automated backups

Server Services

User Management

  • Local
  • RADIUS
  • LDAP
  • Active Directory
  • NTLM Single Sign-On
  • User- or group-based HTTP proxy content filter rules

Logging & Monitoring

  • Visualized Live Log Viewer (AJAX based), see figure "The web interface of Endian Firewall"
  • Logging of network and hardware activity and load
  • Connection statistics
  • Forwarding of logs to an external syslog server
  • ntopng integration
  • Event-based notifications by e-mail

Others

  • Software RAID support

Friday, July 15, 2016

The Future of IPtables: NFtables

What is nftables?

nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. Basically, this project provides a new packet filtering framework, a new userspace utility and also a compatibility layer for {ip,ip6}tables. nftables is built upon the building blocks of the Netfilter infrastructure such as the existing hooks, the connection tracking system, the userspace queueing component and the logging subsystem.

What is the status of nftables?

It is under active development. The kernel side has been part of mainline Linux since version 3.13, and the user-space tooling continues to evolve.

Running nftables

You require the following software in order to run the new nft userspace utility:
  • a Linux kernel with nftables support (the nftables development tree, or mainline Linux 3.13 or later)
  • libmnl: the minimalistic Netlink library
  • libnftnl: the user-space library for low-level interaction with the nftables Netlink API, built on top of libmnl
  • the nftables user-space utility, nft
This new utility uses a new syntax that is different from {ip,ip6,eb,arp}tables.

Running {ip,ip6}tables compatibility

The nftables project provides a backward compatibility layer that allows you to run iptables/ip6tables (with their existing syntax) on top of the nftables infrastructure. It requires:
  • a Linux kernel with nftables support (the nftables development tree, or mainline Linux 3.13 or later)
  • libmnl: the minimalistic Netlink library
  • libnftnl: the user-space library for low-level interaction with the nftables Netlink API, built on top of libmnl
  • iptables-nftables: the user-space package that provides the xtables command-line tools for adding rules in {ip,ip6}tables syntax (this layer later shipped within iptables itself as the iptables-nft variant)

Main Features

  • Pseudo-state machine in kernel space: the user-space utility nft interprets the rule set provided by the user (in the new syntax), compiles it into bytecode for the kernel's pseudo-state machine and transfers that bytecode to the kernel via the nftables Netlink API. Roughly, the idea behind nftables is similar to the Berkeley Packet Filter (BPF).
  • Fast lookups through efficient data structures: the new syntax lets you arrange your rule set for performance instead of relying on purely linear, list-based filtering. nftables supports sets and set-based action mappings (verdict maps), i.e. for a matching element in the set, the action the user specified for that element is applied.
  • Less code in kernel space: the packet selectors for all existing protocols can be expressed with the instruction set of the nftables pseudo-state machine, so no protocol-specific extension is needed in the kernel for each protocol you want to match on. As a side effect, you are unlikely to need a kernel upgrade to obtain new features, since the design keeps most of the logic in user space.
  • Unified interface replacing the iptables/ip6tables/arptables/ebtables utilities, so that all the existing code replication in kernel and user space can finally be removed.
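To make the pipeline in the list above concrete (new syntax in user space, bytecode in the kernel, set-based lookups instead of linear rule lists), here is a toy model written for this page; it is not nftables' own code. It compiles a small subset of nft rule syntax into instructions modelled on the real kernel expression types (payload, cmp, lookup, immediate) and then evaluates that bytecode over constructed IPv4/TCP packets the way the kernel side would. The ruleset, packets, selector offsets and the exact instruction encoding are constructed for the illustration; real nft uses a different netlink encoding and set implementations.

```python
"""Toy model of the nftables pipeline: user space compiles rules written in a
subset of nft syntax into instructions modelled on the kernel expression types
(payload, cmp, lookup, immediate); a 'kernel' evaluator runs them over packets.
Constructed illustration for this page, not the nftables code base."""
import re
import socket
import struct

# Selectors known to this toy: header base, offset, length. Real nft derives
# these from protocol descriptions in user space, so no kernel code per match.
SELECTORS = {
    "tcp dport": ("th", 2, 2),   # TCP destination port, transport header
    "ip saddr": ("nh", 12, 4),   # IPv4 source address, network header
}
RULE_RE = re.compile(
    r"(tcp dport|ip saddr)\s+(vmap\s+)?(\{[^}]*\}|\S+)\s*(accept|drop)?$")

def encode(selector, token):
    """Encode a literal from the rule text as the raw bytes seen on the wire."""
    if selector == "tcp dport":
        return struct.pack("!H", int(token))
    return socket.inet_aton(token)

def compile_rule(text):
    """User space: turn one rule into a list of instructions (the bytecode)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    selector, vmap, value, verdict = m.groups()
    base, offset, length = SELECTORS[selector]
    # payload: load `length` bytes at `offset` of header `base` into register 1
    code = [("payload", base, offset, length, 1)]
    if value.startswith("{"):
        items = [i.strip() for i in value[1:-1].split(",") if i.strip()]
        if vmap:   # verdict map: element -> verdict, one lookup instead of N rules
            table = {encode(selector, k.strip()): v.strip()
                     for k, v in (i.split(":") for i in items)}
        else:      # anonymous set: membership test only
            table = frozenset(encode(selector, i) for i in items)
        code.append(("lookup", 1, table))      # break unless reg 1 is in the set
    else:
        code.append(("cmp", 1, encode(selector, value)))  # break unless equal
    if verdict:
        code.append(("immediate", verdict))    # load the verdict register
    return code

def run_rule(code, pkt):
    """Kernel side: evaluate one rule. Returns a verdict, or None on break."""
    regs, verdict = {}, None
    for ins in code:
        if ins[0] == "payload":
            _, base, offset, length, reg = ins
            regs[reg] = pkt[base][offset:offset + length]
        elif ins[0] == "cmp":
            if regs[ins[1]] != ins[2]:
                return None                    # mismatch: continue with next rule
        elif ins[0] == "lookup":
            key, table = regs[ins[1]], ins[2]
            if key not in table:
                return None                    # not in set: continue with next rule
            if isinstance(table, dict):
                verdict = table[key]           # verdict map supplies the verdict
        elif ins[0] == "immediate":
            verdict = ins[1]
    return verdict

def run_chain(rules, pkt, policy="drop"):
    """Walk a chain: the first rule that yields a verdict wins, else the policy."""
    for code in rules:
        verdict = run_rule(code, pkt)
        if verdict is not None:
            return verdict
    return policy

def make_packet(saddr, dport, sport=40000):
    """Constructed IPv4 + TCP SYN headers; only the fields the rules read matter."""
    nh = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(saddr), socket.inet_aton("192.0.2.10"))
    th = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return {"nh": nh, "th": th}

# Constructed ruleset for one input chain with policy drop, in nft syntax.
RULESET = [
    "ip saddr 192.0.2.99 drop",                   # single compare
    "tcp dport { 80, 443 } accept",               # anonymous set lookup
    "tcp dport vmap { 22 : accept, 25 : drop }",  # verdict map: lookup sets verdict
]
CHAIN = [compile_rule(r) for r in RULESET]

def decide(saddr, dport):
    """Verdict for a constructed packet from `saddr` to TCP port `dport`."""
    return run_chain(CHAIN, make_packet(saddr, dport))

if __name__ == "__main__":
    for rule, code in zip(RULESET, CHAIN):
        print(rule, "=>", code)
    for saddr, dport in [("192.0.2.99", 80), ("198.51.100.7", 22),
                         ("198.51.100.7", 25), ("198.51.100.7", 8080)]:
        print(saddr, dport, "->", decide(saddr, dport))
```

Two things to notice when running it: the verdict-map rule handles ports 22 and 25 with a single lookup instruction where iptables would need one linear rule per port, and the only protocol knowledge the "kernel" side has is how to copy bytes from a header offset, which is the point behind keeping protocol definitions in user space. The real `nft --debug=netlink` output shows the same kind of payload/cmp/lookup/immediate listing for each rule, with registers and set names instead of this toy's Python objects.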

Git trees

Documentation

You can check the nftables HOWTO documentation.