Formatted and installed on a 4 GB DVD
IPFire was designed with both modularity and a high-level of flexibility in mind. You can easily deploy many variations of it, such as a firewall, a proxy server or a VPN gateway. The modular design ensures that it runs exactly what you've configured it for and nothing more. Everything is simple to manage and update through the package manager, making maintenance a breeze.
The IPFire development team understands that security means different things to different people and certainly can change over time. The fact that IPFire is modular and flexible makes it perfect for integrating into any existing security architecture. Don't forget that ease of use is a key principle. If all this sounds a little too much for you, IPFire comes with great default settings out of the box, meaning it's a snap to get going quickly!
Security

The primary objective of IPFire is security. As there is of course no single way to achieve network security, it is important for a network administrator to understand their environment and what the term security means in the context of their own network. IPFire forms the base of a secure network. It has the power to segment networks based on their respective security levels and makes it easy to create custom policies that manage each segment (see the Firewall page for more information).
Security of the modular components is a top priority. Updates are digitally signed and encrypted, and they can be installed automatically by Pakfire (the IPFire package management system). Since IPFire is typically directly connected to the Internet, it is going to be a primary target for hackers and other threats. The simple Pakfire package manager helps administrators feel confident that they are running the latest security updates and bug fixes for all of the components they utilize.
Firewall

IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter (the Linux packet filtering framework).
During the installation of IPFire, the network is configured into different, separate segments. This segmented security scheme means that there is a perfect place for each machine in the network. These different segments may be enabled separately, depending on your requirements.
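The two ideas in this section, connection tracking and a zone policy that only applies to new connections, are easy to see in a small model. The following is an added example, not IPFire's code or configuration: a toy stateful filter with the zone names GREEN (LAN), ORANGE (DMZ) and RED (Internet) assumed for illustration, a constructed address plan, and a constructed zone policy. Reply packets are accepted only because a matching flow was accepted earlier, unsolicited connection attempts from RED are dropped, and a packet whose source address does not belong to the zone it arrived on is dropped as spoofed.

```python
"""Toy stateful packet filter with network zones, modelled on the way a
netfilter-based firewall tracks connections. Added example with constructed
addresses and policy; it is not IPFire's code or configuration."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

ACCEPT, DROP = "ACCEPT", "DROP"

# Which zone may open *new* connections to which (constructed policy; the
# zone names GREEN = LAN, ORANGE = DMZ, RED = Internet are assumed here).
NEW_CONNECTION_POLICY: Dict[Tuple[str, str], bool] = {
    ("GREEN", "RED"): True,
    ("GREEN", "ORANGE"): True,
    ("ORANGE", "RED"): True,
    ("RED", "GREEN"): False,
    ("RED", "ORANGE"): False,
    ("ORANGE", "GREEN"): False,
}


def zone_of(ip: str) -> str:
    """Constructed address plan: 10.0.0.0/24 is GREEN, 10.0.1.0/24 is ORANGE, the rest is RED."""
    if ip.startswith("10.0.0."):
        return "GREEN"
    if ip.startswith("10.0.1."):
        return "ORANGE"
    return "RED"


@dataclass(frozen=True)
class Packet:
    zone: str               # interface/zone the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # TCP SYN without ACK: a new connection attempt


class StatefulFilter:
    def __init__(self, policy: Dict[Tuple[str, str], bool]):
        self.policy = policy
        # originator-direction 4-tuples of flows we have accepted (the state table)
        self.conntrack: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        # anti-spoofing: a packet must arrive on the zone its source address belongs to
        if zone_of(pkt.src) != pkt.zone:
            return DROP
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # ESTABLISHED: belongs to a flow already in the state table, either direction
        if forward in self.conntrack or reverse in self.conntrack:
            return ACCEPT
        # INVALID: no state and not a connection attempt (e.g. a stray ACK from outside)
        if not pkt.syn_only:
            return DROP
        # NEW: consult the zone policy, and remember the flow if it is allowed
        if self.policy.get((pkt.zone, zone_of(pkt.dst)), False):
            self.conntrack.add(forward)
            return ACCEPT
        return DROP


def run_demo():
    """Run a constructed sequence of packets through one filter instance."""
    fw = StatefulFilter(NEW_CONNECTION_POLICY)
    cases = [
        ("LAN host opens HTTPS to the Internet",
         Packet("GREEN", "10.0.0.5", 40000, "203.0.113.10", 443, syn_only=True)),
        ("reply from that server",
         Packet("RED", "203.0.113.10", 443, "10.0.0.5", 40000)),
        ("unsolicited SSH from the Internet to the LAN",
         Packet("RED", "203.0.113.77", 5555, "10.0.0.5", 22, syn_only=True)),
        ("stray ACK with no matching state",
         Packet("RED", "203.0.113.77", 5555, "10.0.0.5", 40000)),
        ("spoofed LAN source address arriving on RED",
         Packet("RED", "10.0.0.9", 1, "10.0.1.2", 80, syn_only=True)),
    ]
    return [(label, fw.filter(p)) for label, p in cases]


if __name__ == "__main__":
    for label, verdict in run_demo():
        print(f"{verdict:6} {label}")
```

The order of the checks matters: the spoofing test runs before the state lookup, so a forged packet can never ride on an existing flow, and the policy table is consulted only for genuinely new connections, which is what makes the per-zone rules cheap to evaluate.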
Pakfire - The IPFire package management system

From a technical point of view, IPFire is a minimalistic, hardened firewall system which comes with an integrated package manager called Pakfire. The primary task of Pakfire is to update the system with only a single click. It is very easy to install security patches, bugfixes and feature enhancements, which makes IPFire safer and faster - or simply: better.
Another task of Pakfire is to install additional software that adds new functionality to the IPFire system. Some useful ones are:
File sharing services such as Samba and vsftpd
Communications server using Asterisk
Various command-line tools such as tcpdump, nmap, traceroute and many more.

Updates

IPFire is based on Linux, which is the best Open Source kernel around. Additionally, IPFire is not based on any other distribution, as Knoppix is on Debian. It is compiled from the sources of every single package. This consumes a lot of work, but finally gives the opportunity to not rely on the update cycles of others. The advantage we gain is that we are able to select very stable versions of software and build the distribution from them. For example, most of the distribution is quite well tested and long maintained - in contrast to the kernel, which is very recent and regularly updated with patches to support as much hardware as possible and, more importantly, to fix security errors.
This is what makes IPFire a very strong and hardened system.
To keep up that strength and be prepared for new hardware, we release the so-called Core Updates, which are issued about every four weeks and bundle the fixes collected in the meantime. If there is a security emergency, we provide updates in less than a day to overcome zero-day holes in the system.
All of the updates can be installed by the package management system and users are notified by mail. So in all cases, the update is just a simple click and your system is running safely again.
Dialup

IPFire as an Internet gateway is able to dial up through various techniques to connect to the Internet.
It supports all popular types of broadband access, as well as mobile access:
VDSL: VDSL is short for Very High Data Rate Digital Subscriber Line and it currently offers bandwidth up to 50 Mbit/s downstream and 10 Mbit/s upstream. VDSL brings the possibility of using new technologies such as IPTV. With IPFire, a conventional router can be replaced by a full-fledged system that brings the IPTV stream into your own home network.
ADSL/SDSL: Conventional DSL is also supported; technically this is called PPPoE or PPPoA. In some countries, the PPTP protocol is also widely used, and it is also fully supported by IPFire.
Ethernet: Over Ethernet, IPFire can also be connected to the Internet and obtain an IP address either via DHCP or static configuration.
4G/3G: Mobile broadband connections over USB modems, which are also known by the names UMTS, 3G, CDMA, HSDPA or LTE, are also supported by IPFire.

Web proxy

IPFire includes a full-fledged web proxy, which is the well-known, open-source software Squid. It is used by ISPs, universities, schools and large companies because of its diversity, stability and mature development. Even for small home networks, it is a useful feature. In addition to the stateful packet inspection (SPI) filtering by the firewall on the TCP/IP layer, the web content which is transmitted over HTTP, HTTPS or FTP can be analyzed and filtered as well.
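Because every request passes through the proxy, its access log is the natural place to analyze what clients fetch and how much they transfer. The following is an added example, not IPFire's or Calamaris' code: a small analyzer for Squid's native access.log format (timestamp, duration, client, result code/status, bytes, method, URL, user, hierarchy, content type). The log lines are constructed for the example; the analyzer skips lines that do not fit the format and reports bytes and requests per client, denied requests, the cache hit ratio and the most requested hosts, which is the kind of per-criterion breakdown a log analyzer produces.

```python
"""Small analyzer for Squid's native access.log format, the log a Squid-based
web proxy writes for every request. Added example with constructed log lines;
it is not IPFire's or Calamaris' code."""
from collections import Counter
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample in Squid's native format (one request per line):
# timestamp duration_ms client result_code/status bytes method url user hierarchy/peer content_type
SAMPLE_LOG = """\
1700000000.101    245 10.0.0.5 TCP_MISS/200 5123 GET http://example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1700000001.202     12 10.0.0.5 TCP_HIT/200 48211 GET http://example.com/logo.png - HIER_NONE/- image/png
1700000002.303    980 10.0.0.7 TCP_TUNNEL/200 1048576 CONNECT mirror.example.net:443 alice HIER_DIRECT/203.0.113.20 -
1700000003.404      1 10.0.0.9 TCP_DENIED/403 3417 GET http://blocked.example.org/ - HIER_NONE/- text/html
this line is garbage and must be skipped
1700000004.505     33 10.0.0.7 TCP_MISS/200 2048 GET http://example.com/api - HIER_DIRECT/203.0.113.10 application/json
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one native-format line; return None for anything that does not fit."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, duration, client, result, size, method, url, user, hierarchy, ctype = parts[:10]
    try:
        ts_f, duration_i, size_i = float(ts), int(duration), int(size)
    except ValueError:
        return None
    code, _, status = result.partition("/")
    # CONNECT requests log "host:port" without a scheme; everything else is a full URL
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"ts": ts_f, "ms": duration_i, "client": client, "code": code,
            "status": status, "bytes": size_i, "method": method,
            "host": host, "user": user, "content_type": ctype}


def summarize(log_text: str) -> Dict:
    """Aggregate a log text into per-client and per-host statistics."""
    bytes_per_client: Counter = Counter()
    requests_per_client: Counter = Counter()
    hosts: Counter = Counter()
    denied = hits = parsed = skipped = 0
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        bytes_per_client[rec["client"]] += rec["bytes"]
        requests_per_client[rec["client"]] += 1
        hosts[rec["host"]] += 1
        if rec["code"] == "TCP_DENIED" or rec["status"] == "403":
            denied += 1
        if "HIT" in rec["code"]:  # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ...
            hits += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "denied": denied,
        "hit_ratio": hits / parsed if parsed else 0.0,
        "bytes_per_client": dict(bytes_per_client),
        "requests_per_client": dict(requests_per_client),
        "top_hosts": hosts.most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Keeping the parser separate from the aggregation means the same `parse_line` can feed a per-user or per-content-type breakdown, or a billing export, without touching the format handling; a production analyzer would additionally stream the file rather than hold it in memory.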
Security: The client does not query web servers directly; it queries the proxy first. The server response goes back to the proxy and not to the client, which technically does not even appear on the Internet. A related attack would therefore primarily reach the proxy and not the client. There are also functions available for data privacy, which is a significant advantage in comparison to a pure NAT router.
Authentication: Using the access lists, the web proxy can also be configured to allow access only after a user has been authenticated. At this point you have the choice between LDAP, identd, Windows, Radius or local authentication methods. The web proxy can connect, for example, to a Microsoft Windows domain controller, and only the users of that Windows domain can be granted access to the Internet.
Authorization: If Internet access needs to be limited to a specific time of day, or if it should be completely disabled for certain clients, this is easily configured by the "network-based access control", which can also be found on the IPFire web interface. A useful application for this feature is, for example, a school classroom.
Logging: Since each access can be logged by the proxy, the accessed content can be examined afterwards, and statistics and bills can be issued as well. Through the use of a logfile analyzer named Calamaris, log files can be charted by varying criteria on the IPFire web interface.
Bandwidth management: The download management function allows for control of the bandwidth to specified zones. Thus, content-based throttling (for example for binary files, CD images or multimedia content) is configurable with bandwidth limitations for individual zones or for each host in a particular zone.

VPN - Virtual Private Networks

IPFire also includes functionality to create virtual private networks (VPN). A VPN is a gateway which connects remote networks to the local one using an encrypted link.
Uses for a VPN include business connections to branch offices or datacenters, as well as providing traveling staff with a secure portal to the corporate network.
IPFire supports both the IPsec and OpenVPN protocols, giving administrators maximum flexibility when configuring their VPN. Use of these protocols allows IPFire to connect to a variety of VPN endpoint devices by manufacturers such as Cisco, Juniper, Checkpoint, etc.
IPsec

IPsec is a widely deployed VPN solution that was originally developed to be used in conjunction with IPv6. Because it was so secure and IPv6 was so slowly deployed, it was backported to secure IPv4 traffic as well.
In contrast to SSL VPNs, IPsec is hard to set up. In IPFire, we thought about how to make this technology easy to use and, as a result, there is a web user interface that handles all settings and takes care of the rest of the configuration for you. It also keeps the tunnels alive and re-establishes them automatically after a remote site has lost the connection. A secure connection to a branch office, a business partner or a home office is set up within a couple of minutes and is compatible with all other implementations.
This high level of compatibility is achieved by using the free implementation called strongSwan. It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies and Applications at the University of Applied Sciences Rapperswil, in Switzerland. strongSwan also works with all current, major operating systems, such as Microsoft Windows 7, Microsoft Windows Vista and Mac OS X.
OpenVPN

OpenVPN is the most frequently encountered and most popular representative of the class of Open Source SSL VPNs. Its relative ease of configuration has been made easier still by the IPFire web interface. The firewall settings are controlled by IPFire automatically, and the required certificates are generated with a few mouse clicks and can be downloaded and distributed as a very compact client package.
Due to its high compatibility with all sorts of operating systems, such as Microsoft Windows, Mac OS X, Linux, Android and many more, it is perfectly suited for roadwarrior connections. With those, it is easy to connect your laptop, phone, tablet or other devices to your company network, which makes it easy to work from anywhere in the world.
But besides connecting portable devices, OpenVPN can also be used to securely connect branches to the headquarters. This makes it easy to access resources on other networks remotely without any complicated configuration on each client on your local network.
Intrusion detection system

An Intrusion Detection System (or IDS) is a piece of software designed to detect attacks against computer systems and networks. To do so, the IDS analyzes the network traffic and searches for attack patterns. If someone scans the ports of the IPFire system to see which services are available, the IDS will immediately notice it.
An Intrusion Prevention System (or IPS), in addition to the detection system, will perform actions. The IPS gets the information from the IDS and reacts accordingly. That means, recalling the example above with the portscan, the system would automatically block the attacker immediately in order to prevent further inquiries.
It is possible to use IDS and IPS on the IPFire system. We call this system "Intrusion Detection and Prevention System" (or IDPS). A very important component of this system is Snort, the free Network Intrusion Detection System (NIDS). It analyzes the network traffic and, if something abnormal happens, it logs the event. IPFire gives you the possibility to see it very explicitly in the web interface.
For automatic prevention, IPFire has an add-on called Guardian which can be installed optionally.
An IDPS is a wise addition to the normal packet filter. It makes intelligent decisions about incoming and outgoing network traffic and how to deal with it.
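The port-scan scenario used throughout this section, detection by the IDS followed by an automatic block by the IPS, can be modelled in a few dozen lines. The following is an added example, not Snort's or Guardian's code: a sliding-window detector that raises an alert when one source touches at least `threshold` distinct ports on a host within `window` seconds, and a time-limited blocklist that drops further traffic from an alerted source until the block expires. The connection attempts, the thresholds and the block duration are all constructed for the example.

```python
"""Toy IDS/IPS pipeline: a sliding-window port-scan detector (the IDS part)
whose alerts feed a time-limited blocklist (the IPS part). Added example with
constructed events; it is not Snort's or Guardian's code."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ConnAttempt:
    ts: float   # seconds
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Alert:
    ts: float
    src: str
    dst: str
    ports: Tuple[int, ...]


class PortScanDetector:
    """Alert when one source touches >= threshold distinct ports on a host within window seconds."""

    def __init__(self, window: float = 10.0, threshold: int = 8):
        self.window, self.threshold = window, threshold
        # per (src, dst): recent (ts, dport) events, oldest first
        self.recent: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)

    def observe(self, ev: ConnAttempt) -> Optional[Alert]:
        q = self.recent[(ev.src, ev.dst)]
        q.append((ev.ts, ev.dport))
        while q and ev.ts - q[0][0] > self.window:   # evict events outside the window
            q.popleft()
        ports = tuple(sorted({p for _, p in q}))
        if len(ports) >= self.threshold:
            return Alert(ev.ts, ev.src, ev.dst, ports)
        return None


class Blocklist:
    """Prevention side: sources are blocked for a fixed time, then released."""

    def __init__(self, block_seconds: float = 3600.0):
        self.block_seconds = block_seconds
        self.until: Dict[str, float] = {}

    def block(self, src: str, now: float) -> None:
        self.until[src] = now + self.block_seconds

    def is_blocked(self, src: str, now: float) -> bool:
        expiry = self.until.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.until[src]
            return False
        return True


def process(events: Iterable[ConnAttempt], detector: PortScanDetector,
            blocklist: Blocklist) -> List[Tuple[str, int, str]]:
    """Return (src, dport, verdict) per event: PASS, ALERT+BLOCK or DROP."""
    verdicts = []
    for ev in events:
        if blocklist.is_blocked(ev.src, ev.ts):
            verdicts.append((ev.src, ev.dport, "DROP"))
            continue
        alert = detector.observe(ev)
        if alert:
            blocklist.block(alert.src, alert.ts)
        verdicts.append((ev.src, ev.dport, "ALERT+BLOCK" if alert else "PASS"))
    return verdicts


def run_demo() -> List[Tuple[str, int, str]]:
    """Constructed traffic: one legitimate client and one source scanning ten ports."""
    scanner, client, target = "203.0.113.99", "198.51.100.7", "10.0.0.1"
    events = [ConnAttempt(0.0, scanner, target, 9999)]            # old, falls out of the window
    events += [ConnAttempt(50.0 + i, client, target, 443) for i in range(3)]
    scan_ports = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389]
    events += [ConnAttempt(round(100.0 + 0.1 * i, 1), scanner, target, p)
               for i, p in enumerate(scan_ports)]
    events.append(ConnAttempt(101.0, client, target, 443))
    events.append(ConnAttempt(4000.0, scanner, target, 80))       # block has expired by now
    return process(events, PortScanDetector(window=10.0, threshold=8), Blocklist(3600.0))


if __name__ == "__main__":
    for src, dport, verdict in run_demo():
        print(f"{verdict:12} {src} -> :{dport}")
```

Two details carry the security meaning: the detector keys its window on the (source, destination) pair, so a legitimate client that repeatedly reconnects to one service is never counted as a scan, and the blocklist expires, so a false positive or a spoofed source address cannot lock anyone out indefinitely.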