Sponsored By
Efika 5200B Project
High-Performance Transparent Network Filterin category Applications & Software
proposed by jjw on 19th October 2006 (accepted on 19th October 2006)
Project Summary
Introduction
Firewalls are indispensable devices in any contemporary computer network.
Usually, they are implemented as network-layer packet filters and/or
application gateways, and placed in concert with the network physical/logical
structure, addresing, etc. Therefore, the insertion of such a firewalling
device into an existent network is at least troublesome, if not impossible,
for many reasons (fixed addressing schemes, IP based licensing, NAT ban, etc.).
With the help of open source tools, it is possible to set up a so called
transparent firewall, implemented as datalink-layer filter, but capable also
to filter/capture network traffic according to a set of network/transport
layer based rules. Usually, three NICs are needed for such a device, two
for the actual filtering, and the third (optional) one for maintenance,
logging, traffic capture, etc. Moreover, there is no need to assign a
network-layer address to the interfaces at all, which makes the installed
devices quasi-invisible within the network.
Several such devices, PC-based, with trimmed-down OpenBSD/i386 onboard, were
already set up within our network, proving to be reliable and extremely secure,
but plagued with the standard problems of ordinary PC hardware (size, cooling,
powering, etc.). Unfortunately, available embedded PC platforms are simply
not powerful enough for such applications, because high-speed transparent
filtering is quite CPU intensive.
Proposal
An EFIKA board based, high-speed transparent network filter (HSTNF :-) ),
preferrably running OpenBSD, but other operating systems, ported to EFIKA,
would be also evaluated, searching for the best stability and performance.
An additional, two-port NIC is needed to perform the filtering, and also
here, several NIC boards would be tested. The NIC fixed onboard will be used
preferrably for administrative tasks, but it should be also possible to use
it for filtering in companion with an ordinary one-port NIC, for less-demanding
purposes.
Rationale
The EFIKA MPC5200B CPU is supposed to provide enough horsepower for an HSTNF,
in contrary to many embedded PC platforms. Morever, the standard PCI slot
onboard enables one to test/use popular, and therefore relatively cheap,
NIC hardware.
Dependency problems and potential drawbacks
This proposed project depends on the results of various operating system
porting efforts, the availability of appropriately working NIC drivers and
their quality/stability.
Project Blog Entries
The Linux-based incarnations of HPTNF/EFIKA with one-port additional NICs are working quite stable now and with reasonable throughput (ca. 0.4-0.8 of the maximum, depending on the particular NIC and the filtering setup). The best performers tested so far: Intel PRO/100 S and 3Com 3C905C-TX.
Unfortunately, multiport NICs are still a no-no in combination with EFIKA and Linux, at least for now, but we'll see :-)
I'm putting high hopes in the newly acquired RB44G 4-port NIC here.
A more detailed progress report with other goodies is available online at my Efika Projects site.
After a quite long testing period with various NICs, I've eventually prepared a first downloadable version of my HPTNF. It is Linux based for now, but I hope to get an OpenBSD/EFIKA version up and running someday, too :-)
hptnf-lx2.6.21.5-14-irfs.img
hptnf-lx2.6.21.5-14-irfs.md5
For a more detailed progress report, etc., cf. my EFIKA Projects Wiki