Configuring IPCop Firewalls: Closing Borders with Open Source

The Benefits of Building on Stable Components

IPCop could very well be developed as an add-on to an operating system in the way that Shorewall is an application to be installed on a Linux system or ISA server on a Windows system, making it an application you install over your existing setup. You would then be left with the maintenance of the system underlying the software package.

The disadvantage of this is that, if your server's only purpose is to be a firewall for your network, you would still need an adequate basic understanding of the Linux operating system just to get the software installed, and if you wanted it to perform well you would have to configure both the operating system and IPCop itself. However, since IPCop installs as an operating system of its own, you have no real need to know Linux in order to use the system. When it comes to stability, this means that the IPCop developers can concentrate on one platform for their development and can be completely confident that they are in control of that environment. They are fully responsible for configuring it, and when it comes to support they can be relatively sure the users haven't destabilized the system by wrongly configuring the operating system—and if they have, then hopefully they understand the consequences, such that they either do it properly or understand why IPCop breaks after they tinker with it!

Stability, security, reliability, and ease of use are probably the most important factors for smaller networks, and these are the areas in which IPCop seems to excel. Being built on the 2.4 series of the Linux kernel, the system has a noteworthy level of security, stability, and reliability. Also, having tools installed that are used in networks of different sizes around the world provides a massive user base, meaning that the systems in use are well-tested and have a lot of individuals and companies using them, reporting bugs on them, and relying on them for their business.

The Linux kernel is one of the largest single pieces of OSS and includes millions of lines of source code developed by a multitude of developers from all over the world. Linux has many modern operating system features such as support for wireless and Bluetooth devices as well as the most current encrypted network communications. As we will see throughout the course of this book, some of these features have become invaluable to the IPCop developers and therefore the IPCop users who benefit from the features that can be included in the IPCop distribution. The developers of IPCop don't have to worry terribly much about lower-level network communication, because they have built IPCop on top of the pre-existing kernel code, which manages this.

This sort of layering—software on top of other software—enables developers to concentrate on the area they know best, and for the IPCop developers, this area is making an easy-to-use firewall. You may find this concept familiar from the network layering of the OSI model, which we covered in the previous chapter. This interoperability, whether it occurs in an application stack, an operating system, or a set of network protocols, is crucial to building reliable, secure systems. Open Standards, from network protocols like HTTP to document formats like the Open Document Format, are of critical importance to it.

Some of the other software we have mentioned includes Apache and OpenSSH. Apache, the web server that serves the pages used to configure IPCop, powers some of the largest websites in the world. According to the latest web server survey, Apache is used on almost 70% of the world's web servers (http://news.netcraft.com/archives/2005/11/07/november_2005_web_server_survey.html).

Apache therefore seems like an extremely stable and trustworthy system and gives the IPCop developers incredible flexibility when working on their user interface, which is almost entirely web-based. Other than the set-up procedure there is no real need to go beyond the web interface. By combining the built-in functions of the Apache server and IPCop's own scripts it is possible for the developers to accomplish very advanced tasks with minimal effort. This stability and ease of use is then transparently transferred to the user. Completely unaware that Apache is part of the system doing the work, the user can go about configuring the firewall with only the knowledge required to browse the Web. Since this is fast becoming an essential skill and has joined reading and writing as one of the skill-sets taught in school classrooms, it makes IPCop extremely approachable. The use of approachable technology such as this is one of the many ways in which IPCop strives to achieve its goals.

Equally, in networks with no full-time IT staff, and in those with staff for whom IPCop constitutes only a small allocation of time, ease of use becomes vital. Most IPCop users don't want to know about the inner workings of creating and maintaining session state rules for packet filtering. IPCop aims to make this sort of knowledge unnecessary. The front end allows us to quickly configure the basic and advanced features of our firewall without knowing the in-depth details of the underlying systems. Alongside this ease of use there are also some powerful configuration options, which allow us to set up configurations that are quite advanced and would be much more difficult to set up using the tools IPCop is built on. Virtual Private Networking and Quality of Service controls are excellent examples of this—individually, the packages providing these services have a very steep learning curve, but when incorporated into IPCop, they are relatively easy to configure.