FAQs
General
Do I need a preinstalled operating system for the firewall computer?
No, you don't. The firewall computer itself boots from the SuSE firewall
live CD. Your hardware does, however, have to be supported by Linux (see
the hardware requirements at the end of these FAQs). The firewall live CD
is based on kernel 2.4.18. All necessary programs are included on the CD
and no software is stored on the hard disk.
Does it mean that I do not need any hard disk for the firewall
computer?
Not quite. The computer still needs disk space (for sizes, please refer
to the hardware requirements) to cache the data transferred by certain
services (e.g. HTTP and FTP). If you want to use functions such as the
mail proxy, you will need additional disk space to store mails
temporarily.
Do I need an additional Linux computer to configure and administrate
the firewall?
Yes. For security reasons the firewall is administered from another
computer by means of the graphical tool FAS (Firewall Administration
System). This computer, which is installed from the so-called admin CD,
contains, among other things, the SuSE Linux operating system version 7.2
(kernel 2.4) and FAS. The minimum hardware requirements can be found at
the end of these FAQs. The configuration is stored on a floppy disk,
which is then read by the firewall computer. This floppy disk must be
write-protected (read-only) to protect the firewall against manipulation.
For security reasons, the firewall can only be activated together with
the previously created floppy disk.
What tasks can SuSE Firewall on CD 2 perform?
Packet filtering, forwarding, masquerading, and proxying are the usual
tasks performed by the firewall computer.
On which software is the packet filter based?
Filters are defined with iptables. You can use the graphical
configuration tool FAS to do so, and you can also define your own rules
manually; FAS supports integrating such rules.
Does SuSE Firewall on CD 2 include a DNS server?
A forwarding/caching-only DNS server can easily be configured with FAS
(BIND 8, version 8.2.3, is available).
What about a mail server?
Postfix (snapshot 20001005 incl. security updates) serves as mail
proxy. Since mails are stored temporarily on the firewall computer, it
must have enough free disk space.
What proxy solutions does the SuSE Firewall on CD 2 offer?
Several proxies can be set up. If you want to fetch web pages from the
Internet or even run your own web server, you will need an HTTP proxy
such as squid23. The squid23 proxy (Squid version 2.3 incl. security
updates) is a very complete program that can be configured flexibly with
FAS. For example, FAS allows you to control the access rights of internal
clients or to block certain Internet pages. If you want the validity of
the FTP protocol to be checked, you can use either Squid or the SuSE FTP
Proxy Suite. The latter is required for transparent FTP.
Is it possible to check web pages?
HTTPF checks the HTML tags and attributes of web pages. Approved pages
are forwarded, whereas forbidden ones are either deleted or replaced and
logged. Rules can easily be configured with FAS.
Where are the firewall computer log files saved?
SuSE Firewall on CD 2 gives you the option of saving the log files
locally on the firewall computer's hard disk and/or logging them to
another computer over the network. The admin host is prepared to take
over the tasks of the log host.
How can the firewall computer be accessed?
OpenSSH (version 2.9.9p2) on the firewall allows encrypted connections
from remote hosts.
Can any additional software be installed on the firewall computer?
It is not possible to add further products, since the firewall runs
from the live CD.
Where can I find further information?
You can regularly check our freely available online database and look
up the keyword: firewall.
VPN
What is VPN?
VPN stands for Virtual Private Network. Think of it as a tunnel
connecting two remote computers or networks. This tunnel provides
authenticated, encrypted communication through a public medium such as
the Internet.
How is VPN implemented on SuSE Linux Firewall on CD?
VPNs are implemented on the firewall by way of IPsec (secure IP), a
protocol family that enables secure connections between computers. Data
routed through the tunnel is encrypted automatically.
How do remote hosts authenticate?
Authentication takes place through X.509 certificates or pre-shared
keys. An X.509 certificate can be compared to a personal ID that you
issue for your computer.
How do I issue/import a certificate?
The graphical configuration tool FAS (Firewall Administration System)
allows you to issue and administer X.509 certificates. You can also
import and export certificates from/to DER, PEM, or PKCS12 format.
Which software is used to issue certificates?
Both keys and certificates are created with OpenSSL (see http://www.openssl.org).
Which key sizes are suitable?
You can select a key size between 1024 and 2048 bits.
Must a certificate be signed?
Yes, it must. A certificate authority (CA) is needed to sign your
certificates. You can either hand your certificate over to an official
CA to have it signed, or generate your own CA and sign the certificates
yourself. The latter is sufficient for most purposes.
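The "generate your own CA" route described above, together with the key sizes and the DER/PEM/PKCS12 export formats mentioned earlier, carried out directly with OpenSSL. This is an added example, not FAS code or anything shipped on the CD; the working directory, subject names, validity periods and the PKCS#12 password are constructed for illustration.

```shell
# Added example (not FAS code): build a private CA with OpenSSL, issue a
# 2048-bit certificate for a VPN endpoint, and export it to PEM, DER and
# PKCS#12. All names, paths and passwords are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA certificate (the "generate your own CA" option).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Firewall CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a certificate for one endpoint: key and CSR, then sign with the CA.
# $1 = endpoint name, $2 = RSA key size in bits (1024-2048 per the FAQ).
issue_cert() {
  name="$1"; bits="$2"
  openssl req -newkey "rsa:$bits" -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -days 365 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$name.pem" 2>/dev/null
  # Export in the other formats FAS can import: DER and PKCS#12
  # (the PEM file already exists). The PKCS#12 bundle carries the private
  # key, so it is password-protected; "changeit" is a placeholder.
  openssl x509 -in "$WORK/$name.pem" -outform DER -out "$WORK/$name.der"
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.pem" \
    -certfile "$WORK/ca.pem" -passout pass:changeit -out "$WORK/$name.p12"
}

# Check that an issued certificate chains to our CA (what the peer verifies).
verify_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Report the RSA key size of an issued certificate, in bits.
key_bits() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}
```

The CA key in $WORK/ca.key is the trust anchor for every certificate you sign with it, so keep it on the admin host and never on the firewall or in a PKCS#12 bundle handed to a peer.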
Can the firewall set up VPN connections as client or as server?
Both options are possible. The firewall can act both as client (start a
connection to a remote server) and as server (accept a connection from
a remote client). The firewall can even concurrently manage client and
server connections.
What connection possibilities does the firewall offer?
The following VPN connections can be set up on the firewall:
- Client - client: interconnects 2 computers through a tunnel
- Client - subnet: connects 1 computer to a network
- Subnet - subnets: interconnects 2 networks
- Roadwarrior - client: connects a client with a dynamic IP address to a
  computer (used e.g. by field staff to log in to the company network
  from a laptop via the Internet)
- Roadwarrior - subnets: connects a client with a dynamic IP address to
  a network
You can set up different VPN connections at the same time, e.g. 5
client-to-client connections + 10 roadwarrior-to-subnet connections.
Can the firewall simply forward VPN packets to connected interfaces?
Yes, it can. For each external, internal, or DMZ interface, FAS enables
you to generate filter rules that admit and forward incoming IPsec
packets.
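What such per-interface filter rules look like at the iptables level: an added example, not rules generated by FAS. It admits IPsec traffic (IKE on UDP port 500, ESP, AH) arriving on one interface either for the firewall itself (INPUT) or for pass-through to a VPN gateway behind it (FORWARD). Interface names, the gateway address and the $IPTABLES variable are assumptions; by default the functions only print the commands.

```shell
# Added example, not FAS output: emit the iptables rules that admit IPsec
# traffic on one interface. Interface names and the gateway address are
# constructed; set IPTABLES=iptables (as root) to apply instead of print.
set -e

IPTABLES="${IPTABLES:-echo iptables}"

# Rules that let IPsec traffic arriving on interface $1 terminate on the
# firewall itself (the firewall is the VPN client or server).
ipsec_input_rules() {
  ifc="$1"
  $IPTABLES -A INPUT -i "$ifc" -p udp --dport 500 -j ACCEPT   # IKE
  $IPTABLES -A INPUT -i "$ifc" -p esp -j ACCEPT               # ESP, proto 50
  $IPTABLES -A INPUT -i "$ifc" -p ah -j ACCEPT                # AH, proto 51
}

# Rules that pass IPsec traffic from interface $1 through to the VPN
# gateway $3 reachable via interface $2, plus the replies, without the
# firewall terminating the tunnel. Nothing else is opened towards $3.
ipsec_forward_rules() {
  in_ifc="$1"; out_ifc="$2"; gw="$3"
  for proto in esp ah; do
    $IPTABLES -A FORWARD -i "$in_ifc" -o "$out_ifc" -p "$proto" -d "$gw" -j ACCEPT
    $IPTABLES -A FORWARD -i "$out_ifc" -o "$in_ifc" -p "$proto" -s "$gw" -j ACCEPT
  done
  $IPTABLES -A FORWARD -i "$in_ifc" -o "$out_ifc" -p udp --dport 500 -d "$gw" -j ACCEPT
  $IPTABLES -A FORWARD -i "$out_ifc" -o "$in_ifc" -p udp --sport 500 -s "$gw" -j ACCEPT
}

# Count the ACCEPT rules a generator emits, for a quick self-check.
count_rules() { "$@" | grep -c -- '-j ACCEPT'; }
```

These rules should sit in front of the chain's final DROP policy; the encrypted payload is not inspected by the packet filter, so what the inner traffic may do is decided by the rules on the decrypting side.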
How many Ethernet adapters does SuSE Linux Firewall on CD support?
You can use up to 10 Ethernet adapters in your firewall machine.