Linux Firewall

One of the more interesting features that Linux has over Windows is that it can be run from a variety of media. While Windows is notoriously difficult to configure to run from a CD-ROM (but still possible: see the Ultimate Boot CD for Windows), there are Linux distributions that are capable of running off a traditional hard disk install, a CD-ROM, a Universal Serial Bus (USB) drive, or even a floppy disk. Each media type offers some security pros and cons, and not every distribution will be available on every media type. If you need the features of a specific distribution that doesn’t come on the media you prefer, you may need to make a compromise. You will need to research the different media options and choose one that fits in your environment. We will review some of the pros and cons of each for Linux firewall installations.

Linux Firewall: Hard Disk Installation

The full install is the traditional install to a system’s hard disk. Much like Windows, you boot up an install CD and walk through a guided install process. Most of the Linux distributions installed on the hard disk offer graphical user interface (GUI) install programs that walk you through the installation steps. There is no great advantage to using this type of distribution other than that the size of the hard disk allows you to install a lot of extra software. For a firewall, you generally want to keep the software running to a minimum to enhance security, so this shouldn’t be a very big consideration. This type of installation also has the advantage that it will be easy to modify and alter the configuration if needed.

On the down side, this type of installation has all of the same disadvantages of a Windows bastion host: the entire system is sitting on the hard drive, and if a hacker manages to compromise the root account, they will be able to install a virus or Trojan on the system that can survive future reboots. This type of install isn’t any better or worse than if you were using Windows for your bastion host OS. Despite these concerns, it is the most common type of Linux firewall installation, and most versions of Linux install the firewall components by default. This means if you download a version of Linux you like and install it to a hard disk, you will have a firewall waiting to be configured when you’re done.

Linux Firewall: CD-ROM Installation

While you can get Windows running off of a bootable CD-ROM or live CD, it takes a lot more work than it does with Linux. There are many versions of Linux designed specifically to run from a CD-ROM, allowing you to turn virtually any machine into a Linux firewall, router, or general-purpose PC. There is an obvious security advantage to having all of your configuration information on read-only media. Even if a hacker manages to compromise the system, all it takes is a reboot and it can be restored to its previous condition. The system can still fall victim to a hardware failure such as a failed central processing unit (CPU), but all you would need to do to restore your firewall would be to move the CD to a new system and reboot.

The primary advantage to a CD-ROM-based Linux firewall installation is also the primary disadvantage. If you burn the entire OS and configuration settings to a CD, any time you need to make adjustments you would need to burn a new CD-ROM. The cost of the CD media should not be an issue, but such a configuration may hinder your ability to remotely administer the system, which would be limited to making changes to the running configuration. Changes that persist across a reboot would require someone local to insert the CD-ROM containing the new configuration. If you needed to implement and test changes that required a reboot to take effect, this type of setup would make things more difficult. Finally, due to simple space limitations on a CD-ROM, you may not be able to fit all of the needed software or functionality on the disc. That being said, if the firewall rules are relatively static and don’t require frequent adjustment, a live CD could be a very attractive option.

Linux Firewall: USB Drive Installation

If the space limitations are acceptable, a Linux firewall booting from a USB disk may offer the best compromise between security and flexibility. Having the operating system and firewall software on a pen drive offers the same type of flexibility that a CD-ROM-based system provides, with increased storage capacity over that of a CD-ROM. If you purchase a USB disk that includes a physical write-protect switch, you can make changes on the fly, like a live system, and then write-protect the disk against modification when you are done. As the storage capacity of USB drives increases, you will be able to use a USB-based distribution that includes increasingly greater functionality. One key consideration with this type of media is that not all systems will support booting from a USB disk. While almost all newer systems support this option, some of the older systems that you may wish to install a free firewall on do not.
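The two operational checks the CD-ROM and USB sections imply, as an added example that is not part of the original article: confirm that the boot media is actually mounted read-only, and compare the running ruleset against the baseline saved on that media so that changes made to the running configuration (which would be lost on reboot, or which an intruder may have added) are noticed. It assumes a Linux host with `iptables-save` and `/proc/mounts`; the sample mounts table and rulesets below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): checks for a firewall booted
# from read-only media. Assumes Linux with iptables-save and /proc/mounts; the
# sample inputs below are constructed, so the script also runs without either.

# media_is_readonly MOUNTPOINT MOUNTS_FILE
# Reads /proc/mounts-format lines; succeeds only if MOUNTPOINT has the "ro" option.
media_is_readonly() {
  awk -v mp="$1" '
    $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
    END { exit ro ? 0 : 1 }' "$2"
}

# normalize_rules: filter iptables-save output so only policy and rules remain.
# The "# Generated by" / "# Completed on" lines carry timestamps, and the
# [packets:bytes] counters change constantly; both would cause false drift reports.
normalize_rules() {
  sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*]/[0:0]/'
}

# rules_drifted BASELINE RUNNING: succeeds (exit 0) only if the two rulesets differ.
rules_drifted() {
  base=$(normalize_rules < "$1")
  live=$(normalize_rules < "$2")
  [ "$base" != "$live" ]
}

# write_samples DIR: constructed sample data standing in for /proc/mounts, the
# baseline saved on the boot media, and `iptables-save` output from a running box.
write_samples() {
  printf '%s\n' '/dev/sr0 /cdrom iso9660 ro,relatime 0 0' \
                '/dev/sda1 /mnt/usb vfat rw,relatime 0 0' > "$1/mounts"
  printf '%s\n' '# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024' \
    '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    'COMMIT' '# Completed on Mon Jan  1 00:00:00 2024' > "$1/baseline.rules"
  # Same policy with fresh timestamps and counters, plus one rule added at runtime.
  sed -e 's/Jan  1 00:00:00 2024/Jan  2 09:30:00 2024/' \
      -e 's/:INPUT DROP \[0:0]/:INPUT DROP [1842:99021]/' \
      -e '/-i lo -j ACCEPT/a\
-A INPUT -p tcp --dport 22 -j ACCEPT' "$1/baseline.rules" > "$1/running.rules"
}

dir=$(mktemp -d); write_samples "$dir"
media_is_readonly /cdrom "$dir/mounts" && echo "boot media /cdrom is read-only"
rules_drifted "$dir/baseline.rules" "$dir/running.rules" && echo "running rules differ from baseline"
rm -rf "$dir"
```

On a real system, replace the constructed files with `/proc/mounts`, the rules file kept on the boot media, and the output of `iptables-save`.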

Linux Firewall: Floppy Disk Installation

Although the functionality is typically very limited, there are many versions of Linux that can fit on a 3.5-inch floppy disk and be used as Linux firewalls. The primary advantage of these distributions is their low resource requirements. Often, the systems only require 8 or 16 megabytes of memory and a 486 to function. The ability to toggle the write-protect switch on the floppy can also provide a high degree of configuration flexibility and security. Considering the unreliable nature of floppy disks, they probably wouldn’t be appropriate for use if an outage cannot be tolerated. At the very least you should have duplicate floppy disks available in the event of a failure. Another disadvantage is functionality: these floppy-based distributions are generally single-purpose devices and offer little beyond the firewall itself. A further consideration is that, due to the space restrictions on a floppy disk, these distributions are almost always command line only, with no GUI for configuration or management.

Now that we’ve covered installation media for Linux firewalls, we can cover the operation of a Linux firewall, which we will in the next article.

