Users tout open source security

When the right technology doesn’t exist or isn’t available at the right price, many large companies get creative and build their own custom systems, such as routers, firewalls or VPN gear.

Linux and open source software are proving to be valuable tools for businesses that have taken the build-it-yourself approach to some network systems. Many say the software included in Linux and in some free software packages is as good as or better than commercial offerings and costs less to deploy.

When Rochester Midland was looking to move frame relay to a multisite IP Security (IPSec)-based VPN last year, Tony Karakashina, then a network administrator for the company, was charged with rolling out the network.

He first had companies such as Cisco Systems Inc., Check Point Software Technologies Inc. and Nokia Corp. in mind for implementing the company’s firewall and VPN infrastructure. Then he was told that he would have to set up the network as inexpensively as possible.

“Why pay (US)$20,000 on firewall products, which require a lot of work and are not 100 per cent secure anyway?” he says. Instead, he decided to experiment with Linux-based PCs and an open source IPSec VPN software package called Free Secure/WAN (Free S/WAN). He used surplus PCs the company had in storage (Pentium 133-MHz and Pentium II 400-MHz machines).

“When I said we had most of the hardware already to build the network and that the software would be free, [management] liked that idea,” he says.

Free S/WAN is an open source software package that can be installed on Linux servers and lets them act as site-to-site and remote-access VPN gateways. The software can be used to establish secure connections between two networks over the Internet or to connect PCs with a Windows XP VPN client to the corporate network.

Karakashina then had the challenge of bringing T-1 WAN connectivity hardware to the Linux/VPN PCs.

“Since most people don’t plug a T-1 connection directly into a PC,” Karakashina says, there were limited products from which to choose. He chose US$850 T-1 cards from Sangoma Technologies, which makes modules that fit into a PC’s PCI bus and supports Linux drivers for the hardware.

One key to making the open source VPN work, Karakashina says, was a good working knowledge of Linux. He had experience working with Linux from his college days, which helped when he had to configure and tweak the Linux software on the VPN PCs to get the Sangoma cards to work with the operating system.

The project saved Rochester Midland several thousand dollars per month: the company switched from point-to-point frame relay service to an Internet service and used the Free S/WAN PCs to connect over encrypted IPSec tunnels.

In addition to using Linux to securely connect remote offices, users are putting Linux in as a firewall to keep out network intruders.

Thompson Financial in Milwaukee recently installed Linux as a firewall at one online trading data center. Ten Linux boxes were configured as single-purpose firewalls and sit in front of a data center of IBM RS6000 Unix servers, which were set up as back-end electronic trading servers for eTrade’s front-end Web site.

“We’re using Linux as our security platform as a way to keep costs down,” says Doug Moorhouse, a network administrator at the facility, who now oversees the network security.

The data center used Cisco PIX firewalls in the past and then moved to Unix server-based systems running Check Point software, which let Moorhouse customize the devices’ configurations and software builds. When the organization’s budget was tightened, he decided to switch to Linux and Intel servers, which were less expensive to deploy and maintain than the Sun and IBM RS6000 boxes he’d used previously.

Moorhouse used the firewall software that is built into the Linux kernel, which had all the packet filtering and security features he was looking for, he says. The Red Hat Linux software he used came with setup tools that made it easy to install only the more essential software packages on the servers.

Moorhouse says support and management tools for the Linux firewalls aren’t as polished as those for black-box firewall gear from makers such as Cisco or Nokia. Still, a working knowledge of Linux and its firewall features is enough to keep the devices running smoothly.

“We have some pretty important information being protected by those Linux boxes,” Moorhouse says, adding that the performance of Linux firewalls has been good.

“All companies that are feeling the hurt from the recession have to find cheaper and better ways to operate,” Moorhouse says. “Using Linux helps us do that.”