Last updated September 18th, 2024 by Erez Tadmor
Open source NGFWs combine the fundamental aspects of network security with the benefits of open source software.
Open source firewalls can be a cost-effective network security option if you have the right people to manage them. Under most open source licenses, you can use, modify, and share the software while having access to the source code.
With this visibility, you can better understand the firewall’s architecture and behavior. However, this also means that you need to have people with the technical knowledge to implement and manage the firewalls, especially since many lack the bells and whistles that commercial firewalls offer.
To determine whether relying on or integrating open source firewalls is right for your use cases, you should understand what they are, the functionalities that different ones offer, and the challenges that come with them.
Common Open Source Firewall Rules
Installing an open source firewall is not automatic network security. Some best practices for configuring an open source firewall include:
- Deny by default: Denies all incoming and forwarded traffic while allowing outgoing traffic
- Allow established connections: Allows packets related to ongoing sessions to come through while still enforcing security
- Allow essential services: Keeps traffic to applications and critical services available
- Implement port scanning protection: Prevents reconnaissance attacks used to exploit vulnerabilities
- Allow ping requests: Enables traffic that helps with troubleshooting and network management
- Use a VPN: Encrypts traffic to mitigate risks arising from network-based cyberattacks
- Implement web filtering: Blocks access to sites associated with malware, phishing, and viruses
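One way to check a Linux host against the checklist above, as an added example that is not part of the original article: the script parses an `iptables-save` dump and reports which baseline practices it misses. The sample dump is constructed, and the function names `parse` and `audit` are assumptions made for illustration.

```python
import shlex

# Constructed iptables-save dump (sample input, not from the original article).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return (default policies, rules per chain) for the filter table only."""
    policies, rules, table = {}, {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                  # "*filter", "*nat", ...
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):                # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):              # "-A INPUT <matches> -j TARGET"
            tokens = shlex.split(line)
            rules.setdefault(tokens[1], []).append(tokens[2:])
    return policies, rules

def audit(dump):
    """List the baseline practices from the checklist that the dump misses."""
    policies, rules = parse(dump)
    inbound = rules.get("INPUT", [])
    findings = []
    for chain in ("INPUT", "FORWARD"):            # deny by default
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain)}, not DROP")
    if not any("ESTABLISHED" in " ".join(r) and r[-2:] == ["-j", "ACCEPT"] for r in inbound):
        findings.append("INPUT: no rule accepting ESTABLISHED connections")
    if not any("icmp" in r and r[-2:] == ["-j", "ACCEPT"] for r in inbound):
        findings.append("INPUT: ICMP echo (ping) is not allowed")
    if any(r == ["-j", "ACCEPT"] for r in inbound):   # rule with no match criteria
        findings.append("INPUT: unconditional ACCEPT defeats deny by default")
    return findings
```

On the sample, `audit(SAMPLE)` flags the permissive FORWARD policy and the missing ping rule; the essential services (ports 22 and 443 here) are site-specific and are left for a human to review.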
Open Source Firewalls vs Commercial Firewalls
When choosing a firewall solution, you might find yourself trying to understand the pros and cons of open source firewalls versus commercial firewalls. Open source firewalls offer the advantages of transparency, flexibility, and cost-effectiveness, allowing you to customize features and adapt to changing security needs. On the other hand, if you want a more “hands off” approach, then commercial firewalls may be more practical since they typically provide robust support, user-friendly interfaces, and a range of built-in functionalities.
Pros of Open Source Firewalls
Open source firewalls offer several advantages by being:
- Cost-effective: Free alternative that enables organizations to allocate resources efficiently
- Customizable: Flexibility for companies with unique operational or regulatory needs
- Transparent: Source code available for identifying vulnerabilities and validating integrity
Cons of Open Source Firewalls
Despite these benefits, open source firewalls have limitations. You should be aware of the following:
- Technical expertise: Networking and security protocol knowledge required for installation and maintenance
- Limited functionalities: Fewer advanced security features which limit capabilities
- User interface: Lack of a central console for managing deployment
- No funded development: No development team to evolve and advance the open source firewall capabilities
Optimize Rules
The larger your environment grows, the more firewalls you incorporate. You may have a combination of open source and commercial firewalls that makes management even more challenging. Optimize your rulesets to ensure that:
- Deny traffic rules remain at the top of the rulebase
- Specific rules granting access stay near the top of the rulebase
- High-use rules are prioritized
- Low-use rules are removed as necessary
If you have too many rules, your network slows down. Tufin can automate the firewall optimization process by identifying risky, unused, shadowed, and disabled rules for cleanup and decommission.
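A shadowed rule is one that an earlier rule already matches in full, so under first-match evaluation it never fires. The sketch below is an added example, not Tufin's logic or code from the original article; the rulebase, its field layout, and the function names `covers` and `shadowed` are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed rulebase, evaluated top-down with the first match winning.
# Fields: (name, action, source CIDR, protocol, destination port); None = any.
RULEBASE = [
    ("block-guest", "deny",  "10.20.0.0/16",  None,  None),
    ("guest-web",   "allow", "10.20.5.0/24",  "tcp", 443),
    ("admin-ssh",   "allow", "10.1.0.0/24",   "tcp", 22),
    ("office-ssh",  "allow", "10.1.0.0/16",   "tcp", 22),
    ("admin-ssh-2", "allow", "10.1.0.128/25", "tcp", 22),
]

def covers(earlier, later):
    """True if every packet matching `later` also matches `earlier`."""
    _, _, src_e, proto_e, port_e = earlier
    _, _, src_l, proto_l, port_l = later
    return (ip_network(src_l).subnet_of(ip_network(src_e))
            and proto_e in (None, proto_l)     # earlier is "any" or identical
            and port_e in (None, port_l))

def shadowed(rulebase):
    """Return (rule, shadowing rule, conflicting action?) for dead rules.

    Only shadowing by a single earlier rule is detected, not shadowing
    by the union of several earlier rules.
    """
    hits = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if covers(earlier, later):
                hits.append((later[0], earlier[0], earlier[1] != later[1]))
                break
    return hits
```

A hit with a conflicting action (`guest-web` behind `block-guest`) means intended access is silently denied and the rule order needs review; a hit with the same action (`admin-ssh-2` behind `admin-ssh`) is redundant and a cleanup candidate.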
Continuously Monitor and Adjust
Whether you’re adding new users and applications or removing them, you need to continuously review and adjust your firewall configurations. As part of the change management process, you should:
- Understand data flows across your internal network
- Review connectivity to the public internet
- Identify risks that changes can create
- Document the risk analysis process and any approvals required
Network change analysis and implementation can be time-consuming and tedious. However, it’s the type of necessary evil that auditors require. Tufin centralizes and automates network security policy management, improving efficiency by 94%.
Managing Commercial and Open Source Firewalls with Tufin
While you may choose to manage your traffic with open source firewalls, using an open source network topology mapping tool can undermine your overall network security. Those tools can provide a picture of your network, but they may be incomplete or inaccurate and often lack capabilities for managing changes to firewall rules or compliance monitoring for critical requirements, like ISO 27001, HIPAA or PCI-DSS.
Tufin’s suite of solutions provides holistic security policy orchestration and automation for complex networks. Our vendor-agnostic Universal Security Policies enable consistency across multiple open source and commercial firewalls, including Cisco, Palo Alto, Check Point, and Fortinet.
To see how Tufin can make managing your hybrid network easier, contact us for a demo.
FAQ
Q: What are the most common open source firewall features?
A: Typically, the best open source firewall has features similar to commercial firewalls, including:
- Packet filtering: Predefined rules blocking/allowing packets
- Network address translation (NAT): Mapping local private IP addresses to a single public IP
- Deep packet inspection (DPI): Examining data payloads and application layer information
- Intrusion detection system (IDS)/intrusion prevention system (IPS): Analyzing network traffic for abnormal behavior and potential threats
- Multi-WAN connections: Load balancing and routing traffic in real-time for improved network security and performance
Q: What are the most common open source firewalls?
A: OPNsense Firewall: A FreeBSD-based stateful firewall and routing platform, originally a fork of pfSense and M0n0wall. It offers a dashboard and user interface for management, aliases for grouping IPs or hosts in firewall rules, traffic shaping, two-factor authentication, captive portal, VPN (IPsec, legacy, OpenVPN), intrusion detection and prevention via Suricata, and a weekly firmware upgrade path for security updates.
Untangle: Now part of Arista Edge Threat Management, this NGFW offers some free functionalities, with additional coverage via a subscription. Free features include Virus Blocker (antivirus for HTTP, FTP, SMTP), basic firewall, intrusion prevention with pre-configured signatures, Phish Blocker (SMTP protection against phishing), application control, basic web monitoring, ad blocker, spam blocker with RBL, captive portal, OpenVPN for remote access, and Tunnel VPN for encrypted connections.
IPFire: A Linux-based OS providing stateful inspection and easy rule configuration. Features include network security (DMZ, guest networks, DoS protection), VLAN, DHCP, dynamic DNS, web proxy, WAN support (Fibre, DSL, Cable, 5G/4G/3G), VPN (IPsec, OpenVPN), QoS, intrusion prevention with deep packet analysis, and DNS management (DNSSEC, local hostnames, recursive DNS servers).
Iptables: A Linux-based command-line tool that filters inbound and outbound server traffic using tables of filtering rules. Its filter table has three built-in chains: INPUT (incoming connections), FORWARD (connections not delivered locally, such as traffic passing through a router), and OUTPUT (outgoing connections).