Contributor Stephen Poole writes:
In this issue, it’s time to address something that all of us face. No matter how much Internet bandwidth you buy from your Internet service provider, your employees will find a way to max it out. Another very real problem is so-called “malware,” from viruses to Trojans to scam sites that want to trick you into entering personal information.
My assistant Todd Dixon is an absolute whiz at finding free, downloadable solutions to problems like these. I’m going to turn it over to him and let him tell you about the ClearOS firewall.
MAXIMIZE THE INTERNET PIPE
At our Crawford Broadcasting cluster in Birmingham, Ala., we had been looking for a way to maximize the Internet bandwidth coming in and out of our building. We wanted a way to increase our usable bandwidth while not sacrificing service. We had researched getting different Internet providers with more bandwidth only to find that their services weren’t available in our area.
Fig. 1: Setting up the WAN (Internet) side.
We have three Internet audio streams, equipment that increasingly relies on the Internet to function and employees who need Internet content with Flash media, Java and other plug-ins. We had to find a solution.
We knew that part of the answer would be an Internet firewall between our DSL modems and the rest of our network. The term Internet “firewall” may be an unfamiliar one. In fact, a better one might be Internet “filter.” Don’t confuse “Internet firewall” with the little blue box that allows everyone in the office to get on the Internet. A good firewall will be a computer with software designed to allow the parts of the Internet that are good and essential for your business and block the parts that aren’t.
At its core, an Internet firewall not only will strain out material unsuited for your work environment, but will also keep data on your network safe from malware. These programs, downloaded from the Internet, destroy data and kill employee productivity when a computer has to be taken offline so the malware can be removed. A firewall also should provide a way for secure, remote access to computers on your network from the Internet. If you’ve been dealing with these types of problems related to your network, your best friend is about to become a firewall.
We had tried several open-source firewalls that used the Linux operating system, but they were difficult to install, seemed to actually slow our already-limited Internet bandwidth and were difficult to maintain after installation. We felt like we were searching for the impossible: a firewall that was dead simple to install, easy to maintain and would grow with us as we continued to expand our Internet presence.
Then we found a Linux distribution called ClearOS (www.clearfoundation.com), a free 700 MB download. Based on Red Hat Enterprise Linux, it was developed to turn any computer into a full-featured, easy-to-use firewall.
Fig. 2: Setting up the LAN (internal network) side.
Once you’ve burned the downloaded ISO onto a blank CD-ROM, you simply find a middle-of-the-road machine with two network interface cards (NICs). A machine with 2 GB of RAM and a 3 GHz processor can protect between 50 and 200 employees. If you don’t have near that many connections onsite, you can get away with a computer with even less horsepower. A 20 GB hard drive is more than enough to handle the install and the logs necessary for the firewall to run properly. Ensure that the machine is able to boot from the CD, insert the CD and fire it up; the installer will start running.
In case you have never done anything like this before, be aware that the install will destroy anything that was previously on the hard drive. It will all be overwritten by the new install of the ClearOS system.
Before you start setting up the firewall, you will need the provisioning information from your ISP: IP address, network mask, password (if needed) and so on. This will go on the first network card; ClearOS calls the Internet side the “DSL” connection (some firewall solutions call it the ‘red’ side). See Fig. 1.
The second network card is called the “LAN” (often called the ‘green’ side) connection and is for your internal network. On this side, you will set up your networking parameters. See Fig. 2.
We were primarily interested in content filtering, using the built-in Web proxy server and the reporting features built into ClearOS. In a nutshell, the content filter checks every page that is requested against a predefined list of “not safe for work” (NSFW) sites. If a page on the list is requested, it blocks the user from being able to see it. Of course, the content filter can be set to be as granular as you would like it to be. You can “whitelist” (always let through no matter what the content) or “blacklist” (never let through). Surprisingly, we have not had to adjust the default filter much with whitelist or blacklist at all. The filter is courtesy of noted anti-spam service SpamAssassin.
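To make the whitelist/blacklist precedence concrete, here is an added example (not ClearOS code, and not the author’s) of the decision a domain-based content filter makes for each requested URL: a whitelist entry always wins, a blacklist entry blocks, and anything unlisted passes. It matches a hostname and all of its parent domains, so listing `badsite.example` also covers `www.badsite.example`. The list contents and hostnames are constructed placeholders.

```python
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample lists. A real deployment loads these from the filter's
# category files or its admin interface; these names are placeholders only.
BLACKLIST: Set[str] = {"gambling.example", "badsite.example", "tracker.example.net"}
WHITELIST: Set[str] = {"reports.badsite.example"}   # explicit exception to a block


def _host_of(url: str) -> str:
    """Extract the lowercase hostname, tolerating bare 'host/path' input.

    urlsplit() is used rather than string searching so that tricks such as
    'http://good.example@badsite.example/' resolve to the real host.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def _matches(host: str, entries: Set[str]) -> Optional[str]:
    """Return the list entry covering host (the host itself or a parent domain)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # host, then each parent domain in turn
        if candidate in entries:
            return candidate
    return None


def decide(url: str) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one requested URL.

    Precedence: whitelist beats blacklist, blacklist beats the default allow.
    """
    host = _host_of(url)
    if not host:
        return "block", "no hostname"
    hit = _matches(host, WHITELIST)
    if hit:
        return "allow", f"whitelisted ({hit})"
    hit = _matches(host, BLACKLIST)
    if hit:
        return "block", f"blacklisted ({hit})"
    return "allow", "not listed"


if __name__ == "__main__":
    for u in ("http://www.google.com/", "https://www.badsite.example/news",
              "https://reports.badsite.example/q", "http://good.example@badsite.example/"):
        print(f"{u:45} -> {decide(u)}")
```

Matching label by label (rather than a plain suffix test) is what keeps `notbadsite.example` from being caught by the `badsite.example` entry; a production filter would also categorise by URL path and content, which this domain-only check does not attempt.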
The Web proxy server saves valuable bandwidth by caching (placing into memory) a large number of commonly visited sites (google.com, for instance) so that the same page doesn’t have to be downloaded again and again. Lastly, the reporting features contained in ClearOS allow us to get a clear picture of our network usage. From overall usage to individual users, we can clearly see the worst offenders and pay them a visit. These three features alone have increased the efficiency with which we use our limited bandwidth. See Fig. 3.
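The per-user picture in Fig. 3 comes from the proxy’s access log. As an added example (not ClearOS’s reporting code), the following reads a handful of constructed log lines, totals the bytes delivered to each LAN address, counts requests the filter denied, and separates bytes served from the cache from bytes actually fetched over the DSL line. The line layout is Squid’s native `access.log` format; that choice is an assumption, since the article does not name the proxy software ClearOS uses, and all addresses and URLs are made up.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in Squid's native access.log layout (an assumption:
# the article does not say which proxy ClearOS ships). Fields are:
# time elapsed_ms client result/status bytes method URL user peer/host type
SAMPLE_LOG = """\
1302204000.123    245 192.168.1.20 TCP_MISS/200 152340 GET http://www.google.com/ - DIRECT/74.125.0.1 text/html
1302204001.456     12 192.168.1.21 TCP_HIT/200 152340 GET http://www.google.com/ - NONE/- text/html
1302204002.789   9876 192.168.1.20 TCP_MISS/200 4800000 GET http://stream.example/live.mp3 - DIRECT/203.0.113.9 audio/mpeg
1302204003.000      8 192.168.1.22 TCP_MEM_HIT/200 152340 GET http://www.google.com/ - NONE/- text/html
1302204004.000     30 192.168.1.21 TCP_DENIED/403 1200 GET http://badsite.example/ - NONE/- text/html
1302204005.000    500 192.168.1.21 TCP_MISS/200 250000 GET http://www.example.com/a.zip - DIRECT/93.184.216.34 application/zip
"""


def parse_line(line: str) -> Optional[dict]:
    """Pull out the fields the report needs; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 7:
        return None
    result, _, status = fields[3].partition("/")
    try:
        size = int(fields[4])
    except ValueError:
        return None
    return {"client": fields[2], "result": result,
            "status": int(status) if status.isdigit() else 0,
            "bytes": size, "url": fields[6]}


def summarize(log_text: str) -> dict:
    """Bytes delivered per client, plus how much the cache kept off the WAN."""
    per_client: Dict[str, int] = defaultdict(int)
    denied: Dict[str, int] = defaultdict(int)
    cache_bytes = 0   # served from the local cache, no Internet download
    wan_bytes = 0     # fetched from the Internet
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += rec["bytes"]
        if rec["result"] == "TCP_DENIED":
            denied[rec["client"]] += 1       # blocked by the content filter
        elif "HIT" in rec["result"]:
            cache_bytes += rec["bytes"]      # TCP_HIT, TCP_MEM_HIT, ...
        else:
            wan_bytes += rec["bytes"]        # treat everything else as a fetch
    return {"per_client": dict(per_client), "denied": dict(denied),
            "cache_bytes": cache_bytes, "wan_bytes": wan_bytes}


def top_talkers(summary: dict, n: int = 3) -> List[Tuple[str, int]]:
    """Heaviest consumers first: the 'worst offenders' the article goes to visit."""
    return sorted(summary["per_client"].items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for client, total in top_talkers(s):
        print(f"{client:16} {total:>10} bytes   denied requests: {s['denied'].get(client, 0)}")
    print(f"served from cache: {s['cache_bytes']}   fetched from Internet: {s['wan_bytes']}")
```

On the constructed lines, one audio stream accounts for nearly all of the Internet-side bytes, which is exactly the kind of result that tells you whom to pay a visit; the two cache hits on the google.com page are bytes the DSL line never had to carry.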
The ClearOS firewall also contains a full-fledged mail server on it, if you have been considering hosting your own mail server but didn’t think it was possible. This is a POP3/SMTP server with spam, malware and virus protection included. Webmail is also a part of the mail package so that your co-workers may check email from anywhere that an Internet connection is available.
Fig. 3: An example of ClearOS reporting, showing bandwidth consumed by each user.
One of the final features that really endeared us to ClearOS is the MultiWAN functionality. By adding a third NIC and some basic configuration, you can add a second DSL line to increase your bandwidth while the firewall continues to perform its duties on both connections to the Internet. ClearOS load balances both connections in whatever ratio you want them to be used with the added benefit that if one of the DSL lines goes down, ClearOS automatically switches all traffic to the remaining one. This way, you can at least stay online until the problem is resolved.
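The two MultiWAN behaviours described above, a configurable split ratio and automatic failover, can be illustrated with a small model. This is an added example written for this article, not ClearOS code: each flow (a LAN connection to some outside host) is hashed onto a slot in a weighted table, so a 2:1 weighting sends about two thirds of flows out the first line, the same flow always lands on the same line, and a line marked down simply drops out of the table so everything moves to the survivor. Link names, weights and the sample flows are constructed.

```python
import hashlib
from typing import Dict, List, Optional


class WanLink:
    """One Internet uplink: its share of the load and whether it is up."""

    def __init__(self, name: str, weight: int, up: bool = True):
        self.name, self.weight, self.up = name, weight, up


def choose_link(links: List[WanLink], flow_key: str) -> Optional[WanLink]:
    """Assign a flow to an uplink.

    Only links that are up take part, so a failed line drops out on its own.
    Among the healthy links the share of flows follows the weights, and the
    same flow key always maps to the same link while the healthy set is unchanged.
    """
    healthy = [link for link in links if link.up and link.weight > 0]
    if not healthy:
        return None                       # every uplink is down
    total = sum(link.weight for link in healthy)
    digest = hashlib.sha256(flow_key.encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % total   # deterministic per flow
    for link in healthy:
        if slot < link.weight:
            return link
        slot -= link.weight
    return healthy[-1]                    # not reachable; kept as a safeguard


def distribution(links: List[WanLink], flows: List[str]) -> Dict[str, int]:
    """Count how many of the given flows each uplink would carry."""
    counts = {link.name: 0 for link in links}
    for key in flows:
        link = choose_link(links, key)
        if link is not None:
            counts[link.name] += 1
    return counts


# Constructed flows: 3000 LAN connections to one outside web server.
SAMPLE_FLOWS = [f"192.168.1.{10 + i % 200}:{40000 + i}->198.51.100.7:443" for i in range(3000)]

if __name__ == "__main__":
    dsl1, dsl2 = WanLink("dsl1", weight=2), WanLink("dsl2", weight=1)
    print("2:1 split :", distribution([dsl1, dsl2], SAMPLE_FLOWS))
    dsl2.up = False
    print("dsl2 down :", distribution([dsl1, dsl2], SAMPLE_FLOWS))
```

One caveat the model makes visible: when a line fails or comes back, the weighted table changes and some existing flows hash to a different line. A real firewall avoids breaking established sessions by pinning them in its connection-tracking table and only applying the new split to new connections; the line-down case is unavoidable either way, since those sessions have already lost their path.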
You are probably well aware that content filtering and a mail server, with anti-spam and virus protection, can come with a hefty price tag. ClearOS is actually free and provides the basic updates at no charge. If you’re willing to pay a bit, you can receive more frequent updates, spam and virus definitions. We pay about $120 per year for frequent anti-virus and anti-malware updates. We are pretty well versed in Linux and don’t require support backup, but should you need support, ClearOS has packages between $80 and $500.
The great thing about ClearOS is that the software modules (both free and paid) allow you to really tailor a solution that completely fits your needs. If you run the mail server portion of the software, you can opt for the increase in the service level and pay the fee for one of their support packages. Their support packages are modest compared to the price of hosting email through an Internet service on a per-month, per-user basis. Since we chose to only use the firewall for content filtering and Web proxy duties, daily updates are not as crucial to our operations so we opted for the free monthly updates.
If you have been struggling to get the most out of your limited Internet service, an Internet firewall is definitely the best way to do it. With four installs already in place in Birmingham and another market, we have found that ClearOS has done it for us — with both simplicity and strength.
Todd Dixon is assistant engineer at Crawford Broadcasting in Birmingham, Ala. Stephen M. Poole, CBRE-AMD, CBNT, is market chief engineer.