I have grown weary of the proprietary vendors or vendors who start off Open Source and then switch to closed source while code quality and value for both me and my clients goes down. Even though I have partnered with Sophos and Dell, their products do not meet every objective that I have listed here. I have been researching my theoreticals for my new secure file storage/offsite backup/cloud backup solution for about 6 months and I recently got most of the theoreticals figured out, so this project is now in the pipeline for onsite testing. I have one project that has been in the works even longer and now I think I have found my platform of choice. My goals for my new firewall are as follows:
- Strict controls over both incoming and outgoing traffic with a deny-by-default policy for all traffic.
- Be able to identify, control, and log machine activities at the OS and hardware levels.
- Highly flexible logging down to the rule level.
- Flexibility for policy routing down to the rule level.
- Able to act as a Layer 2 firewall in either an IP or IP-less state. Able to bridge and filter traffic between interfaces in either IP or IP-less mode.
- Multiple groups and aliasing of rules, devices, groups, users, interfaces and more.
- Packet normalization. This means any packets that do not conform to standards are either destroyed before being allowed to traverse networks or can be reassembled if re-transmission can be requested.
- Fully stateful firewall.
- NAT capabilities.
- High availability available.
- Multi-WAN capable with load balancing/failover capabilities.
- VPN capabilities.
- Dynamic DNS.
- Extensive logging capabilities both at the command line and via the web interface.
- Captive portal/hotspot capabilities.
- Has the ability to have capabilities added for further security enhancements. This would include HTTP/S content filtering, malware scanning, intrusion scanning, among others.
- Must be open source with a very active development community.
- Must have a commercial support option.
- Easy and fully integrated configuration backups.
- Low base system requirements.
Now this is still purely theoretical, so now it is time to start testing here. This project is getting a higher priority than the file storage project at this time. However, I could easily flip back to the file storage. However, the theoreticals here in this project mandate actual live network testing in order to fully validate them to a much larger degree than the file storage research project. I’ll update this post as progress is made. :)