FIREWALLS MADE EASY

A low-cost Linux firewall targeting SMB sites running Windows can be a great time-saver for Linux-savvy sites as well.

by Jack Fegreus

September 28, 2004

Even the CIA gets cracked. If crackers in search of notoriety can break into a CIA site, what does that say for small- to medium-sized business sites? Internet pollution worsens by the day and each new virus, worm, and network denial of service attack puts every business at risk. Nonetheless, what has really put the pressure on corporate IT is a torrent of e-mails offering "Italian Rolex" watches, "cheap OEM softwares [sic]" and "enhancement" drugs, which have all been redirected and often forged to appear as internal.

It certainly seems that Internet scofflaws are partying wildly on some remote island. Meanwhile, those who are trying to do legitimate business on the Web are left coping with a growing list of privacy regulations to make sure that the data they do acquire does not fall into the hands of the scofflaws. Worse yet, there is no magic-bullet solution universally favored by end users to address these issues.

For IT, there is only grudging acceptance that global computing is inherently insecure. As a result, SMB sites have delved deeper into arcane security solutions, and, without the kind of staff expertise that's standard at large IT sites, SMB sites in turn struggle with an IT security conundrum. The more secure a system becomes, the more intrusive security becomes—intrusion that is universally disdained by end users.

Balancing security concerns and ease of use is no mean feat. An excellent starting point is the Site Security Handbook from the Network Working Group, which is also working on a User's Guide to Internet Security. Also of interest are documents rfc1244 and rfc1281, which describe how to create a network security policy, with detailed examples. 

OPENBENCH LABS SCENARIO

UNDER EXAMINATION: Linux Firewall

WHAT WE TESTED
NetMAX FireWall ProSuite 5
Built on Red Hat Linux 9
Remote (Web) and local administration
Stateful firewall using IP tables
Port Forwarding (IP address mapping)
Internet connection sharing via masquerading and NAT
Web proxy and cache server
DHCP client and server
APC UPS Support

HOW WE TESTED
HP Pavilion
800MHz CPU
256MB RAM

KEY FINDINGS
Completely automated fast installation
Supports multiple virtual addresses and virtual host names
Menus greatly simplify the creation of rules for Iptables
Web proxy/cache server provides an easy way to block pop-up Web ads
No intrusion detection systems

Addressing SMB needs along with those rogue departments in large organizations that can never seem to wait for IT, NetMAX has stepped up to provide a line of easy-to-use business-ready Linux servers. The NetMAX server idea is to make the power, reliability, and flexibility of Linux available to sites lacking a lot of IT experience and resources.

The biggest roadblock in Linux marketing has historically been the dearth of expertise in running Linux systems at SMB sites. These are often Windows-only sites. To address that hurdle, NetMAX focuses on shielding the administrator from the complexities of the underlying Linux operating system, using simplified step-by-step Web-based menus to set up and manage both Linux and the related applications that make up a particular "Internet appliance."

There are three foundation packages and two add-on "Powerpacks" in the software offerings from NetMAX. Released early this month, all of the new version 5 Internet appliance servers are built on Red Hat Linux v 9.0. The three foundation servers are the NetMAX FireWall ProSuite; the VPN Server Suite, which includes the FireWall ProSuite; and the Professional Suite, which provides file sharing, e-mail, Web, and firewall services. The two Powerpacks are the NetMAX E-Commerce Powerpack, which adds e-commerce features to Apache including a shopping cart, and the E-Mail Powerpack, which adds global Spam screening at the e-mail server before mail is delivered to user inboxes.

NetMAX does not, however, stop at software. All of the NetMAX software packages can also be bought pre-installed on HP servers.

In this first look at such offerings from NetMAX, we examine the most fundamental of Internet security appliances: NetMAX FireWall ProSuite 5, which facilitates setting up a firewall, router, and a proxy/cache server on top of Red Hat Linux 9. The foundation on which NetMAX rests is the combination of the kernel-space netfilter project (present in both the 2.4.x and 2.6.x kernels) and Iptables, the user-space tool for runtime configuration of the firewall subsystem.

Netfilter provides hooks inside the Linux kernel at which callback functions can be registered within the network stack. Each time a packet traverses one of these hooks, the registered callback function is triggered. Iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers and a target action to be taken if the classifiers match. In this way, the framework created by netfilter and Iptables enables stateful (IPv4 and IPv6) and stateless (IPv6) packet filtering. In addition, the framework provides for destination and source network address translation (NAT) and network port translation (NAPT).

Nonetheless, writing scripts for rules in Iptables is a complex task that is definitely not something to be left to experimentation by amateurs. The first law of firewall script writing is to ensure that any permission not explicitly given is implicitly denied. Even when equipped with the most user-friendly tool available, anyone charged with building a firewall needs to know how packet filtering works and what potential security holes might violate that first law. To jumpstart the process, an excellent place to start is the Linux Firewalls book by Robert L. Ziegler, published by New Riders.

The NetMAX FireWall ProSuite 5, which is geared for small-to-medium-sized businesses, goes a long way toward filling the void in firewalls that are easy to configure and manage. The preferred method of interacting with NetMAX is via the Web-based GUI. It is possible to use a direct command line interface on the server; however, doing so is very likely to break one of the GUI's configuration files.

Helping to simplify the basic configuration of the firewall is the fact that NetMAX starts with the Red Hat Linux 9.0 distribution. Red Hat has historically been one of the most flexible and robust of all Linux distributions when it comes to configuring network devices. For example, the ability to easily assign multiple virtual IP addresses to each Ethernet NIC is an extremely powerful capability when combined with NAT and masquerading in a multi-site Web hosting scenario.

During the installation of NetMAX the first Ethernet NIC discovered (eth0) will be presented for initial configuration. All other NICs will be installed but neither configured nor enabled. Typically, two or three NICs will be used in the firewall to create network zones based on levels of allowed network access: the external or firewall connection; the internal network, which is usually given permission to access outside services, but protected from incoming traffic; and a DMZ, where servers are configured to provide limited access to outside clients for various Web and e-mail services.

The firewall accepts any number of network interfaces. More importantly, NetMAX is very robust in reporting on each NIC. In addition to the working status of the NIC, NetMAX reports packets sent and received, errors encountered, the routing table created for that network, the address assigned via DHCP, and, on the DNS menu, all domain name servers discovered on the network.

Configuration and debugging of the firewall are aided significantly by all of the network details that NetMAX reports on each NIC. For our tests, we used a broadband cable modem to connect the lab network to the Internet. This configuration is complicated by the fact that no details of the external cable provider's network are published. That decision is as much a marketing issue as a security one. The operative assumption is that virtually all Internet connections will be made using a Windows machine by a naive home user. As a result, the only help available from the cable company is a wizard-based utility that runs on Windows.

How serious of a problem is that Windows-only marketing decision? In truth, it is far more of a nuisance than it is a problem. Nonetheless, NetMAX goes a long way toward demystifying what lies on the other side of that cable modem, which makes solving the rare connectivity crisis far more tractable.

At this point, it would seem time to tackle the problem of configuring rules for the firewall. For many if not most network scenarios, this would absolutely be the case. The one exception comes when a site plans on having a DMZ. Named after the infamous concept of a demilitarized zone surrounding hostile borders, a DMZ is a separate network for servers that will be accessed from systems on the public side of the firewall. These systems will provide such common services as e-mail, file distribution, and Web access.

Configuring these servers on a separate network makes it easier to create the necessary firewall rules to instantiate the DMZ. The idea is to isolate these publicly reachable servers, which will be more vulnerable to attack, from the site's desktop and internal server systems, which need to be as secure as possible and not accessible in any fashion from the outside world. If the DMZ is compromised, having made it an isolated network is an easy way to prevent crackers from hopping on to the secure internal network.

There is nothing in the NetMAX menu system to make it easier to configure a DMZ in the traditional way of using separate network addresses. Typically this is done in a firewall by declaring each NIC as an internal, external, or DMZ interface. In turn, this designation changes how the firewall deals with and reports on the devices on each network. As demonstrated by the reports on devices discovered on our cable provider's network, NetMAX treats each NIC in the same manner.

This approach can be quite annoying for an administrator when first attempting to configure a DMZ; however, NetMAX does have its own unique and more intuitive solution to the problem. NetMAX has a means to define roles for servers within a domain and then to create rules based on those roles, not on network addresses.

In addition to assigning multiple virtual addresses to a device via its NIC, multiple hostnames, such as mail.open-mag.com or web.open-mag.com, can also be assigned to a device. The device can also be restricted from accessing other machines on its subnet. In turn, these machines can be assigned to a machine group that represents a server role such as that of a Web server, e-mail server, or—as we created—NIS server.

To support the creation and use of roles for machines, NetMAX supports assigning multiple machine aliases to devices to give them more than one hostname. As a result, different hostnames can be used in conjunction with DNS registration to identify a server by the different purposes that it serves—web.open-mag.com or mail.open-mag.com. Once this is done, the final step to simplify firewall rule creation using NetMAX is to create machine groups such as Web servers or e-mail servers.

These machine groups represent all of the possible roles that could be assigned to a server at a particular site. Once the roles are assigned, NetMAX then makes it easy to create rules for these roles. That's because a menu entry can be created that generically references a role, which in turn will generate dozens of rules for each network address of a server playing that role. It is important to note that all of the machine aliases and machine groups are explicitly tied to one or more network addresses. These addresses are what NetMAX will eventually use to create traditional rules in Iptables for the firewall.

In line with our first law of firewall scripting, NetMAX begins firewall configuration menus by identifying the kinds of traffic to be denied (dropped) by default on a particular domain. Certainly for the external (public) interface, the safest route is to deny all incoming traffic. Such a draconian approach, however, suffers from a serious drawback: It will take numerous exception rules to make the system usable.

Fortunately, NetMAX provides a number of options that can be combined to cover most of today's common access scenarios. For our test scenario, the lab is physically isolated from all production e-mail and web servers. That leaves us free to bias our choice of rules toward a high degree of security for all systems behind the firewall. We chose five deny options, created a server (machine-group) rule allowing external pinging of our NIS server, and added a custom rule to permit the firewall's NTP daemon to make time requests. These options created 89 special NetMAX rules, which in turn generated approximately 400 entries for Ipchains.

We began by choosing five deny access options, which in turn created 84 separate custom NetMAX rules. We also added a special rule to allow pinging of our locally defined machine group of NIS servers.

To script all of the entries for Iptables manually would have required us to know the complete list of protocols being used. In the case of an e-mail server, the list is going to include protocols like SMTP, POP, LDAP, and maybe HTTP for Web access. Next we would need to know the transport protocol, TCP or UDP, for each e-mail protocol. Then we would need the port numbers on which our e-mail server listens for the appropriate transport protocols. At last, we would be ready to write the correct Iptables syntax that would allow each of these protocols to be accepted at the firewall and then routed to the e-mail server.
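The role-to-rule expansion described above, and the manual scripting it replaces, as an added example that is not NetMAX's own code: a small Python generator turns machine groups (role to addresses) into an explicit default-deny Iptables ruleset for a three-NIC firewall, including the source blacklist discussed later. The interface names, addresses, and per-role port lists are constructed assumptions, not values from the review.

```python
# Added example (not NetMAX code): generate a default-deny iptables ruleset
# from machine groups (role -> addresses), the way the review describes
# NetMAX expanding one role-based menu entry into many address-level rules.
from typing import Dict, Iterable, List, Tuple

# Services each role must accept, as (transport, port). Port lists and the
# interface names used below are constructed assumptions, not from the review.
SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "mail": [("tcp", 25), ("tcp", 110), ("tcp", 389), ("tcp", 80)],  # SMTP, POP3, LDAP, HTTP
    "web": [("tcp", 80), ("tcp", 443)],
}


def generate_rules(groups: Dict[str, Iterable[str]], ext_if: str, dmz_if: str,
                   int_if: str, blacklist: Iterable[str] = ()) -> List[str]:
    """Return the iptables commands for a three-zone (external/DMZ/internal) firewall.

    Anything not explicitly permitted is dropped by chain policy. DMZ hosts are
    assumed to hold routable addresses, so no DNAT rules are generated."""
    for role in groups:
        if role not in SERVICES:
            raise KeyError(f"no service definition for role {role!r}")
    rules = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT ACCEPT"]
    # Blacklisted sources are dropped before any stateful match could admit them.
    rules += [f"iptables -A FORWARD -s {addr} -j DROP" for addr in blacklist]
    rules += [
        # Replies belonging to connections already allowed (stateful filtering).
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        # Internal zone may initiate outward connections, masqueraded as the firewall.
        f"iptables -A FORWARD -i {int_if} -o {ext_if} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {ext_if} -j MASQUERADE",
    ]
    # One explicit ACCEPT per role, per address playing that role, per service.
    for role, addrs in groups.items():
        for addr in addrs:
            for proto, port in SERVICES[role]:
                rules.append(f"iptables -A FORWARD -i {ext_if} -o {dmz_if} -p {proto} "
                             f"-d {addr} --dport {port} -m state --state NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample: one mail server in the DMZ and one blacklisted ad server.
    for line in generate_rules({"mail": ["192.0.2.10"]}, "eth0", "eth1", "eth2",
                               blacklist=["203.0.113.5"]):
        print(line)
```

Adding a second address to the "mail" group, or a second role, multiplies the ACCEPT lines without touching the policy or state rules, which is the labor the review credits NetMAX with saving.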

The NetMAX FireWall Suite can also be used to filter content of URLs. In particular, a blacklist of IP addresses can be created and all packets from these addresses will be dropped. This ability to filter URLs can be used to block annoying pop-up ad windows. For the most part, these bothersome advertisements are generated by specialized servers at URLs such as doubleclick.com and unicast.com. Using the Web proxy/cache server simplifies the work needed to block these URLs via the ability to block by domain name rather than IP address.

Getting that list of specialized advertising servers is made all the easier thanks to NetMAX's traffic report. This facility offers two reports, which are essentially two different views of the same data. These reports can best be thought of as answering the questions "What sites are being accessed by whom?" and "Who is hitting which sites?" The former report is the best way to get at which sites it might be more useful to block, while the latter report is unfortunately needed by many larger organizations to monitor potential employee abuse of the Internet.

Surprisingly, NetMAX does not include an open source intrusion detection package such as Snort. In terms of operational utility, a traffic report is far more valuable; however, an intrusion detection report is often one of those check-off items that keep security auditors happy.

Priced at $231, the NetMAX FireWall ProSuite is quite a bargain and is a marvelous introduction to Linux for the prototypical Windows-only SMB site. At the same time, NetMAX FireWall ProSuite provides the sophisticated Linux site with a labor-saving and easy firewall that can be popped out of the box, loaded on a low-end server, and be up and running in an hour.