>

Software Based Firewall Router

For many of us, our experience with routers has been mostly with hardware routers from vendors such as D-Link, Netgear, SonicWall, and others. We have either purchased one or had one provided by the ISP. Many of us either are not aware that software based firewall routers exist or that they are too complicated to configure and maintain.

We want to explain firewalls, routers, and network planning. Later we show an example of how to configure a software firewall router from Astaro. The computer used for the Astaro firewall router can be a low end computer that is no longer used but you have been keeping around just in case there is a need for it.  The Astaro Security Gateway is licensed for free when used in a home networking environment.

In March 2009 Pete Stagman wrote a three-part blog entitled “Building an Astaro personal firewall with spare or low end parts.” This blog contains a significant level of detail as to how to configure the Astaro Security Gateway as well computer technology and security concepts. The intention of this blog is to augment Pete’s blog by concentrating on how easy it is to configure for a home user using Windows Home Server.

Home Server Land has a 16 part blog entitled Securing your WHS and Network that identifies best practices with safeguarding your network from computer security threats and vulnerabilities. We will be referring to this series throughout this blog.

What is a Firewall Router

A firewall router is what connects the local network to the Internet and is the first line of defense to protect the local network from unauthorized intrusion. A firewall can be a software program that is run on a dedicated computer or it can be bundled with a hardware router. Refer to Internet Threats and the Network Router which is Part 8 of the Securing Your WHS and Network series for detailed information about firewall routers and the technical terms used in this section.

Not all routers are firewall routers. Some routers provide Internet connectivity and blocking of certain Internet ports. They rely on network address translation or NAT to permit incoming traffic on specific ports. Many consumer routers fall in to this category. This type of product is not considered to be a firewall router as it provides the least amount of security to the network. It is highly recommended that every computer on the network use an Internet security suite that includes a firewall to protect from Internet threats.

The next level of router performs Stateful Packet Inspection or SPI. These routers provide Internet connectivity, block certain ports, and perform a limited or stateful inspection of the network traffic. Manufacturers sometimes call these products firewall routers, but we do not consider these to be firewall routers. They provide a little better protection of the network; however, not all Internet threats are identified. It is recommended every computer on the network use an Internet security suite that includes a firewall for this type of router product.

A firewall router is one that performs Deep Packet Inspection or DPI. These routers perform the basic router tasks and, as the name suggests, a robust inspection of the network traffic. This type of firewall router provides the best level of security for your network. Some firewall routers include an anti-virus, SPAM detection, and spoofing identification. Internet security suite software is not necessary so, a basic anti-virus product such as the free version of AVG is more than adequate to protect the computer.

Hardware vs. Software Firewall Routers

Functionally, both hardware and software firewall routers perform the same tasks to connect the local network to the Internet, block ports, and perform a DPI of Internet traffic. There are pros and cons for each type of router. The goal is to choose one that is cost effective and easy to maintain.

Purchasing a hardware based firewall router is convenient because one device can be used to interface with the Internet and it addresses the majority of threats before they are permitted to enter the network. They often have four to eight RJ-45 ports and a wireless radio to connect to the computers on the local network.

The majority of hardware routers can protect only one external IP address. This is not an issue with the home network environment, but usually for home and small businesses that have more than one external IP additional routers must be used.

There is less of a need for an integrated Internet security suite to be installed on the computers. This results in an overall reduction of bloat that is associated with the suites and is more cost effective.

The programming of the router is relatively simple. However; the service life of most hardware routers is usually four to five years. Within five years the product is usually discontinued and updates are no longer available. At this point the router is no longer capable of keeping current with new threats.

Installing a software firewall router requires having a computer that is dedicated to performing the Internet routing and firewall security tasks. This computer must have at least two network interface cards – one to connect to the ISP interface and one to connect to the internal network switch. If wireless connectivity is desired, a wireless access point needs to be added to the network.

Many of software routers can address more than one external IP address. Therefore, home and small business need only one device to protect their network rather than separate routers for each external IP address.

The advantages are that the software can be constantly upgraded to stay current with new threats.  A router is not needed because the software program performs the routing functions.  Therefore; the firewall server can be connected directly to a network switch.

The disadvantages are that a dedicated computer is required to perform the firewall and routing tasks.  The computer must be on all the time which increases the electric bill.  And the computer, CPU, and the components must be fast enough to handle all the network traffic; otherwise it can reduce the overall performance of the Internet connection and network activity.

Planning for the Firewall Router

A little pre-planning prior to the installation of the any type of firewall router is prudent to help with an easy and successful implementation. The following are information to collect for either a hardware or software firewall router.

• Internal IP address to assign to the router. Many default to 192.168.168.1;
• External IP, submask, DNS servers, user name and password necessary to connect to the ISP;
• DHCP address range;
• Network name of the firewall router;
• Administrator user name and password of the firewall router;
• MAC addresses of router’s network interface cards (software firewall only);
• Internal IP and MAC addresses of network devices that require static addresses; and
• Internal IP address of firewall server.

Write this information on a piece of paper or on the Network Devices worksheet that appears later in this blog. Store it in a secured location for future reference.

The Astaro Security Gateway – Home Edition

The Astaro Security Gateway provides a full unified threat management of the network perimeter. The Home Edition is a software based firewall product that gives users an enterprise level of computer security protection. This firewall provides a greater level of protection of the network than the hardware routers and firewall routers that are available to the home user market. See Home Server Land’s Internet Threats and the Network Router blog for an explanation of the role a firewall router as it deals with security threats.

Why Consider the Astaro Security Gateway

There are many benefits with using the Astaro Security Gateway.

• The firewall performs deep packet inspection or DPI of all data entering the network. This exceeds the capabilities of most home user routers;
• The software is affordable. When used for home networks, the software is free. All that is needed is a spare PC to host the software firewall;
• Internet security suites are not necessary to protect the user’s home computer since the firewall protects the network from outside attacks. Anti-virus, SPAM, and spoofing subscriptions are included free in the Home Edition.  Basic anti-virus software, which is cheaper and less resource intensive, is all that is needed for the computers on the network;
• The firewall is easy to configure; and
• The firewall can address more than one external IP address.

PC Hardware Requirements

Astaro recommends the following components as the minimum requirements for the PC that is to run the Astaro Security Gateway.

• 1 GB RAM
• 20 GB hard disk
• Bootable CD-ROM
• 2 or more network cards

Of course, the faster the processor, more RAM, and a larger hard disk will increase the performance of the firewall. Two network cards are required, one to connect to the Internet and one to connect to the LAN. To ensure Internet traffic is maximized, we recommend using network cards capable of at least 100 Mbits/sec.

Planning for the Astaro Security Gateway

The following are the steps necessary to install and configure the Astaro Security Gateway.

• Confirm that the computer you are using for the Astaro Security Gateway meets or exceeds the minimum specifications and is in good working order;
• Create a user account with Astaro for the security gateway software;
• Download the Astaro Security Gateway software;
• Burn an installation disc on a CD ROM;
• Plan and document network devices; and
• Install and configure the Astaro Security Gateway.

Astaro User Account

Downloading the Astaro firewall software requires a user account to first be established. From the web browser, enter https://www.astaro.com/user/login to either login or to create a user account. As you progress with the creation of the user account, email messages will be sent to you with directions as to how to proceed.

Obtaining an Astaro user account is a quick and easy three step process. Two forms each with a few fields to complete are all that is necessary to request the user account. Once completed with the forms the information for your user account and installation key is emailed to you.

The following are the detailed steps that are necessary for creating a user account.

Step 1. For those who have an Astaro account, enter your email address and password and click the Login to MyAstaro button. You can skip the rest of this section and continue with the Download the Astaro Security Gateway section. For those who do not have an account, click the Join MyAstaro button to create an account. This section explains the tasks that are necessary to create a user account.
Step 2. The Join MyAstaro screen appears. Enter the required information then click the Sign up to MyAstaro button. A confirmation email is sent to the email address.
Step 3. Open the confirmation message from your email’s inbox and click the enclosed URL. When the URL link is clicked, the Personal Information screen appears in the browser. Update the information and click Save My Personal Details button.

This completes the task to create an Astaro User Account. The next task is to download the Astaro Gateway software. Click the “MyAstaro Login” button in the main option bar to login to your account.

Download the Astaro Gateway Software

A successful login will result in the MyAstaro Licensing Portal to appear. There are four steps that are necessary to download the installation file. A form with several fields must be completed and an email that contains the URL for the software and installation key is then sent to you. The URL directs your browser to an FTP site where the download is initiated.

The following are the steps that are necessary to download the Astaro Security Gateway software.

Burning the Astaro Security Gateway Installation Disc

The file just downloaded must be burned on to a CD ROM. This is done with Windows Explorer or other file management utility. Locate the file and use the “Burn disc image” option to create the CD ROM image. Identify the CD ROM by writing “Astaro Security Gateway v8” on the disc.

This completes the task to download and create the installation disk for the Astaro Security Gateway. The next task is to plan and document the network devices that make up the local area network.

Planning the Network Devices

It is a good practice to establish some standards for the network and devices on the network. For example, device naming, local IP address, and administrator name and password should be predetermined where appropriate. When a server, router, or other network device is added, changed, or removed, these standards should be used. This establishes consistency and helps manage the network over time and the documentation is an excellent method to accumulate administrator names and passwords for the devices.

We recommend using a worksheet that is used by the person who maintains the network to record this information. The worksheet should be stored in a safe place to safeguard the administrator passwords. The following is an example of a worksheet that can document your common network devices.  This worksheet can be printed by a right-click on the image and select the “Print Picture” option.

Below is an example of a network device worksheet that has been completed.

Installing the Astaro Security Gateway

Insert the CD you created for the Astaro Security Gateway in a bootable CD ROM drive. Boot the computer. Note that all data on the hard drive is lost as a result of the install process. Just as the Windows Home Server formats the hard drive, the install process of the firewall deletes all the data on the hard disk.

The installation process is fairly straight forward. The hardware is detected and you are asked to select a network interface for administrative purposes. This is the NIC that is used for the connection to the local area network. Using your worksheet, identify the MAC address.

Next, enter a local address of the Astaro Security Gateway server. This is the IP address that is used by a browser to administer the firewall server. Do not use 0, 1, or 255 for the last octave of the IP address as they are reserved addresses. Refer to General Network Threats for an explanation of DNS, DHCP, and private IP addressing.

This finishes the basic installation of the Astaro Security Gateway server. The last install screen will direct you to browse to the IP address you previously identified with port 4444 appended. Write this number on your network device worksheet.

Reboot your firewall server and connect the internal NIC to the local area network. In some instances it may be difficult to identify the internal NIC and a trial and error method may be needed to locate it.

This completes the installation of the Astaro Security Gateway server. The final step is to configure the firewall so that you can connect to the Internet and that the firewall server protects your local network.

Configuring the Firewall Server

Configuring the Astaro Security Gateway server is straight forward and easy to follow. Like most routers, the Astaro Security Gateway is administered using a browser. From your workstation enter https://192.168.X.Y:444 where ‘X’ and ‘Y’ are based on your assignment and worksheet. After you log on to the administrator settings, record the user name and password on the network device worksheet.

Logon to the Astaro Security Gateway WebAdmin website. The basic system setup wizard starts to capture information about the computer and site, DHCP, and settings for the WAN.

The wizard continues and collects information for the firewall, intrusion prevention, instant messaging, peer-to-peer, web security, and email security. The initial configuration is intuitive and consists of assigning configuration settings by the use of check boxes. After completing these screens the firewall is fully functional but does not permit any web traffic to enter the local network from the Internet.

Final Configuration

There are a few areas that need to be configured to finish the firewall configuration. These are configuration items that are necessary on any router.

DHCP Range

The default DHCP range for the Astaro firewall router is 1 through 254. Using this range, it is possible to assign two computers with the same IP address if static addressing is defined on the computer. The range for the DHCP server should be changed.

To change the range, go to Network Services/DHCP. Click on the Servers tab and click the Edit button and change the start and end range of IP addresses that will be assigned by the DHCP server. Click the Save button.

Static IP Maps

When all the Static IP mapping of local servers and Internet port mapping is completed, your firewall is fully configured to be safely and securely accessed from the Internet. Review your network device worksheet to ensure that it accurately reflects the configuration of the local network.

Static IP assignment at the computer should be avoided because of the possibility of assigning two computers with the same local IP address. The preferred method is to assign computers static IP addresses with the DHCP server.

Static IP maps are created for every server and router that is used inside the local area network. This includes matching the MAC address with an IP address for devices like the firewall server and Windows Home Server. Review your network device worksheet for the MAC’s and local IP addresses of each server or device that requires a static IP address.

The Windows Home Server is an example of a network device that should be assigned a static internal IP address.

To add a new static map, select Network Services/DHCP. Click on the Static Mappings tab and click the New DHCP mapping… button. Using your network device worksheet as a guide, enter the MAC and local IP address of the server. Enter the name of the server in the comment field. Click the Save button.

Repeat this process for every device that requires a static IP address.

Internet Port Maps

Internet port map rules are necessary to permit servers or computers to be accessed by the Internet. For example, an inbound remote access rule to the Windows Home Server from the Internet must be defined to permit external remote access.

If this is desired, create a rule to permit activity from port 4125 to enter the network. Select Network Security/NAT and click on the DNAT/SNAT tab and click the New NAT rule… button.

Click the green plus for Traffic Service and create a service definition for ‘WHS Remote Access’ with Destination and Source port of ‘4125’. Click the Save button.

Click the green plus for Destination and create a network definition for your Windows Home Server. Enter the name of your home server, select Host for the Type, select Internal for the Interface, and enter the IP address. The Name and IP address can be obtained from your network device worksheet. Lastly, check the Automatic packet filter rule field. Click the Save button.

Repeat this process for every port that is allowed to be forwarded from the Internet.

When all the Static IP mapping of local servers and Internet port mapping is completed, your firewall is fully configured to be safely and securely accessed from the Internet. Review your network device worksheet to ensure that it accurately reflects the configuration of the local network.

Conclusion

We have provided a definition of firewall routers and explained the differences between hardware and software routers. We then explained the importance of planning for the installation of the router and how to configure the Astaro Security Gateway server for a home with a Windows Home Server. We used some technical terminology and have provided links to other blogs that explain them.

We hope that we explained software based firewall routers and the ease with configuring the Astaro Security Gateway. The software is free when used in home networks. If you find this product appealing, you can consider it as a cost effective solution for protecting your network perimeter from Internet threats.