
SmoothWall Hardware Requirements - Security

If you have ever wondered how to configure and run a secure open source firewall, look no further. This book excerpt is from chapter three of Open Source Security Tools by Tony Howlett, ISBN 0321194438, copyright 2004. All rights reserved. It is reprinted with permission from Addison-Wesley Professional.

TABLE OF CONTENTS:
  1. Firewalls
  2. Network Architecture Basics
  3. TCP/IP Networking
  4. Security Business Processes
  5. Installing Iptables
  6. Writing Shell Scripts
  7. IP Masquerading with Iptables
  8. Installing Turtle Firewall
  9. SmoothWall Hardware Requirements
  10. Creating a VPN on the SmoothWall Firewall
By: Addison-Wesley Prentice Hall PTR
March 30, 2005


As mentioned earlier, SmoothWall needs a dedicated machine to run on. The good news is that the requirements for this machine are quite low since it will be running only the firewall software. The minimum specifications required for SmoothWall are a Pentium-class Intel-compatible PC running at 200MHz or higher with at least 32MB of RAM and 512MB of disk space. A more optimal configuration would be a 500MHz processor with 64MB of RAM and 2GB of disk space. These specifications should be easy to meet on all but the oldest machines. You will also need a CD-ROM drive and at least one network card (typically two, if the WAN interface is Ethernet).
 
 
SmoothWall Express Versus SmoothWall Corporate

If you have a little money to spend and are considering other commercial alternatives, you might look at the SmoothWall Corporate edition. This firewall has all the benefits of the Express version with the following important differences:

  • Enhanced IDS support
  • Connection fail-over capabilities
  • VPN roaming support (dynamic IPs)
  • Additional graphs and reports
  • Enhanced graphical user interface
  • Certificate authentication support for VPN

You can see a complete list of the differences at http://download.smoothwall.org/archive/docs/promo/CorporateServer_vs_Express_Comparison_20040113.pdf.

Pricing for the commercial version is quite reasonable (check the Web site for the latest prices). The cost is significantly less than what you’d pay to buy a server to run it on. SmoothWall also makes other software products for network monitoring and content filtering. Check out their full product line at www.smoothwall.net.

Installing SmoothWall

Caution: Remember, installing SmoothWall will erase any data on the hard disk and put its own operating system on it. Do not run this installation on a computer on which you have data or programs you need.

1. You must first create a bootable CD-ROM disk. To do this, use CD-writing software, such as Nero or Easy CD Creator, and create a disk from the .iso image file from the SmoothWall directory on the CD-ROM that accompanies this book. The disk it creates will be bootable.

2. Set your PC to boot from the CD-ROM first. Otherwise, it will search the hard drive and load the operating system it finds there. You usually do this in the BIOS settings of a PC accessed at boot-up before the OS loads. Many PCs use the F2 function key to enter this mode.

3. Boot the machine from the CD-ROM. A title screen displays some basic licensing and disclaimer information. Click on OK.

You have the choice of loading from the CD-ROM or HTTP. Remember, do not enter this mode unless you are ready for all the data on that hard disk to be erased and replaced with the SmoothWall software.

Choose CD-ROM, and the installation will begin.

You will see it formatting the disk and then probing your machine for its network interfaces. It should auto-detect any network interface cards (NICs). It lets you accept or skip each one and set them up as firewall interfaces. For example, if you have two NICs on your computer but only want to use one as a firewall interface on the firewall, you would define that here.

4. Define the attributes of each selected interface. Assign them an IP address and subnet mask. After this, SmoothWall installs some additional driver files and asks you to eject the CD-ROM. You have finished installing the program and will automatically enter setup mode.

5. In setup mode, you will be asked for a hostname for the SmoothWall. You can use the hostname to access the machine instead of using its LAN IP address.

6. Next it asks if you want to install the configuration from a backup. This nifty feature allows you to easily restore your firewall to its original configuration if the system crashes (assuming you made a backup, which is covered later in this section). Don’t select this unless you are in the process of restoring from a backup.

7. Assuming you chose to set up a new firewall (not from backup) in the previous step, you will be prompted to set up several network types:

  • ISDN: Leave this set to Disable if you aren’t using ISDN. If you are, then add the parameters appropriate for your ISDN line.

  • ADSL: This section is necessary only if you are using ADSL and actually have the ADSL modem in your computer. Leave this on Disable if you aren’t using ADSL service or if the provider gives you an external modem to plug into. Otherwise, click on the settings for your ADSL service.

     
  • Network configuration: SmoothWall divides its zones into three categories:

- Green: Your internal network segment to be protected or your “trusted” network.

- Red: The external network to be firewalled off from the LAN. The “untrusted” network, usually the Internet or everything that is not your LAN.

- Orange: This is an optional segment that can contain machines that you generally trust but need to be exposed to the Internet (the DMZ mentioned earlier). This protects your internal LAN, should one of the servers be compromised, since DMZ nodes don’t have access to the LAN by default, and also allows these machines to be accessed by the outside world.

Select the configuration that is appropriate for your network. Most simple networks will use Green (Red is for modems or ISDN), or Green and Red if you have two NIC cards in the machine.

8. Now it is time to set up the DHCP server. If you want your firewall to be responsible for handing out and managing dynamic IP addresses on your LAN, enable this feature. Otherwise leave it turned off. You can set the range to be assigned, and the DNS and lease times for the addresses given out.
 
9. You now set several passwords for different levels and methods of access. The “root” password is accessible from the console and command line interface and acts just like UNIX root in that you have total control over the box. You then assign a password for the “setup” user account. This user can also access the system from the console and command line. This user has more limited powers than “root” and can only run the setup utility program.

10. Finally, set up a Web interface user account. This isn’t a UNIX-type account and can’t be accessed from the command line. It is strictly used to control access to features from the Web interface.

11. Now reboot the machine and your SmoothWall firewall should be up and running. You can log into the machine from the console using either the root or setup user. You can also SSH into the box from a remote location and get the command line interface.

However, one of the truly nice things about this program is that there is a powerful and easy-to-use GUI accessible from any Web browser that makes administering the firewall a snap.

Administering the SmoothWall Firewall

The easiest way to manage the SmoothWall firewall is using the Web interface. This gives you a powerful tool for administering and adding other functionality to your firewall. You can access this interface two ways: via port 81 for normal Web communications or via port 441 for secured Web communications using SSL. Either way, you put the IP address or URL with the port number in the location window of a Web browser. For example, if your firewall LAN interface card has IP address 192.168.1.1, you would enter the following into the Web browser:

    http://192.168.1.1:81/

for normal Web communications, or

    https://192.168.1.1:441/

for secure Web access.

This will display the SmoothWall opening screen. To access any of the other screens you will need to enter your user name and password. The default user name is admin and the password is the one you entered for the Web interface during the setup process. There are several main menus accessible from the main page (see Figure 3.7).



Figure 3.7. SmoothWall Main Menu

Each menu has a number of submenus underneath it.

  • Control: This is the firewall homepage and contains copyright and uptime information.

  • About Your Smoothie: This has a number of useful submenus:

    - Status: This shows you the status of the various services on the SmoothWall.
    - Advanced: This screen contains detailed information about your system.
    - Graphs: This is one of the cooler features in SmoothWall. This enables you to create bandwidth graphs so you can analyze your network traffic on different interfaces at different times of the day and on different days. You can use this as a quick way to find network problems. If you notice huge bandwidth increases on the weekend or late at night without any known reason, you know that something is amiss (see Figure 3.8).


Figure 3.8. SmoothWall Traffic Graph

  • Services: This is where you configure various basic and optional services on the SmoothWall (see Figure 3.9).

    - Web Proxy: If you want to be able to set up your SmoothWall to act as a proxy for anyone surfing the Web, this function can be set up here.
    - DHCP: The built-in DHCP server is configured here.
    - Dynamic DNS: If your ISP assigns you a dynamic IP address but you still want to allow services in from the outside, you can set up the SmoothWall to update a DNS record automatically with its new IP address. It can be configured to use any one of several online services such as dyndns.org and dhs.org.
    - Remote Access: This section controls access to your SmoothWall from anywhere but the console. You can enable SSH (it is disabled by default) and control what specific addresses can get access.
    - Time: This configures the time settings on the machine. This can be very important if you are comparing its log files to other servers. You can set it up to get time from a public time server, which makes logs more accurate.
     


 
Figure 3.9. SmoothWall Services Screen
 

  • Networking: This is where you configure anything associated with the firewall and network functions of the SmoothWall. This includes adding, deleting, or modifying the rule sets and other functions:

    - Port Forwarding: You can forward a specific port or series of ports to an internal protected host.
    - Internal Service Access: Click here if you need access to an internal service from the outside.
    - DMZ Pinhole: This lets you set up access from a host on your DMZ to a host on your LAN. This is normally not allowed as part of the function of a DMZ.
    - PPP Settings: If you are using the SmoothWall to connect to the Internet via dialup, you set the various phone settings here such as number, modem commands, and so on.
    - IP Block: This is a nice feature that allows you to easily block an IP or range of IP addresses from your network without having to write any rules.
    - Advanced: Several miscellaneous network settings such as Universal Plug and Play (UPnP) support are found here.

  • VPN: Here is where you configure the SmoothWall to act as a VPN for secure remote access from another network. The details are covered later in this chapter.

  • Logs: Access to all the log files kept by the SmoothWall is facilitated through this screen. The interface allows you to easily scan different types of log files such as system and security.

  • Tools: There are several standard network tools here including ping, traceroute, and whois. They also include a nifty Java-based SSH client so you can access SSH servers from your Web browser.

  • Maintenance: This section is used for system maintenance activity and has several submenus.

    - Maintenance: This section keeps track of any patches to your SmoothWall operating system. It is important to keep the SmoothWall OS patched. Just like any operating system, there are security holes discovered from time to time that are fixed in the patches. New features or compatibility are added periodically as well.
    - Password: You can change any of the logins and passwords for the system here (assuming you have the old passwords).
    - Backup: You can make a backup of your SmoothWall configuration so that in the event of a crash you can easily restore it. You should make a backup as soon as you get the SmoothWall configured to your liking to save your settings.
    - Shutdown: This will safely shut down SmoothWall.
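
The Green/Red/Orange zone rules from the installation steps, together with the Port Forwarding and DMZ Pinhole exceptions listed under Networking, can be written out as a small decision function to check which flows a planned layout would permit. This is an added example, not SmoothWall's code or code from the book; the addresses, the forward and the pinhole are constructed, and the outbound rules for Green and Orange are assumptions.

```python
import ipaddress

# Constructed addressing plan and exceptions (assumptions, not from the book).
ZONES = {
    "green": ipaddress.ip_network("192.168.1.0/24"),   # trusted LAN
    "orange": ipaddress.ip_network("192.168.2.0/24"),  # DMZ
}
PORT_FORWARDS = {("192.168.2.10", 80)}                   # Red -> internal host:port
DMZ_PINHOLES = {("192.168.2.10", "192.168.1.50", 3306)}  # Orange host -> Green host:port

def zone_of(ip):
    """Classify an address; anything outside Green and Orange is Red."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"

def decide(src, dst, dport):
    """Return (allowed, reason) for a new connection from src to dst:dport."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return True, "same zone, not filtered between zones"
    if s == "green":
        return True, "assumed: trusted LAN may open connections outward"
    if s == "orange" and d == "green":
        if (src, dst, dport) in DMZ_PINHOLES:
            return True, "DMZ pinhole"
        return False, "DMZ has no access to the LAN by default"
    if s == "orange":
        return True, "assumed: DMZ hosts may reach the Internet"
    if (dst, dport) in PORT_FORWARDS:  # source is Red from here on
        return True, "port forward"
    return False, "unsolicited traffic from Red is blocked"

def audit(flows):
    """Return the denied flows with the rule that stopped each one."""
    return [(f, decide(*f)[1]) for f in flows if not decide(*f)[0]]

SAMPLE_FLOWS = [  # constructed flows
    ("203.0.113.7", "192.168.2.10", 80),     # Internet -> DMZ web server
    ("203.0.113.7", "192.168.1.50", 3306),   # Internet -> LAN database
    ("192.168.2.10", "192.168.1.50", 3306),  # DMZ web server -> its database
    ("192.168.2.10", "192.168.1.50", 22),    # same hosts, SSH instead
    ("192.168.2.11", "192.168.1.50", 3306),  # another DMZ host -> database
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

The last two sample flows show why a pinhole should name one source host and one port: a different DMZ machine, or a different service on the same pair of hosts, is still stopped at the Orange/Green boundary.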



 
 