Evaluation of Firewall Open Source Software

Diogo Sampaio

and Jorge Bernardino

1,2

Polytechnic of Coimbra, ISEC, Coimbra Institute of Engineering, Rua Pedro Nunes, 3030-199, Coimbra, Portugal

CISUC, Centre for Informatics and Systems of University Coimbra, Pinhal de Marrocos 3030-290, Coimbra, Portugal

Keywords: Computers Systems Security, Open Source Software, Free Software, Firewall, Web Applications Firewall.

Abstract: Computers systems are virtually in every area of our life, but their use has several risks. This is particularly

relevant for small business that are beginning to resort in informatics systems for all their activities, and

where a breach of security can have catastrophic consequences. Most risks or security vulnerabilities,

besides inadverted errors, originates from criminal activity, which anonymously thrives on the Web and can

outbreak any organization, mainly for profit but sometimes just for the challenge of doing it. Consequently,

creating and managing a security system is often the main form of precaution and it is the solution that

guarantees better success rates. In this paper, we are interested in software with a lower financial cost,

therefore our focus is in Free and Open Source Software. To this end, the following types of security tools

are analyzed: Firewall and Web Applications Firewall (WAF).

1 INTRODUCTION

Securing computers and cyberspace is one of today’s

grand challenges for science and engineering.

However, the use of the Web entails a high number

of risks and security threats, and to ensure their

feasibility, companies must be able to protect

themselves and avoid criminal attacks from hackers

with the primary purpose of undermining their

business (Osmanbegovic and Zahirovic, 2013).

Computers are under continuous threat from

attackers who want to steal credit card numbers,

intellectual property, and other sensitive

information.

Computer security refers to the protection of all

components of a computer system that includes

hardware, software, firmware and all stored

information and data, in order to provide

Confidentiality, Integrity and Availability (Razzaq et

al., 2013).

It is a great concern that a large proportion of

SMEs – Small and Medium Enterprises do not

associate computer security as one of their main

worries, particularly in the current time of global

economic crises. One of the main reasons for the

insufficiency or nonexistence of security policy by

SMEs is the tight budget that they have, that is often

spent on other expenses, mistakenly thought by

managers as more important (Tawileh et al., 2007).

This reality takes truly an alarming dimension

when a significant percentage of companies, around

45.6%, have already experienced some form of data

corruption by cybercrime, with capital losses

associated with it (Computer Crime and Security

Survey, 2012). Our paper aims not only to draw

attention to this problem, but also to offer viable

solutions to solve it.

In our work we assume that a first line of

defense can be achieved through two types of

software: Firewall and Web Applications Firewall.

Opting only for free and open source software is, as

we will demonstrate, an option with many

advantages (Bernardino, 2011), such as the lack of

financial costs or the access to the source code, that

for example, allows a better integration with

complementary software and minor changes that

will bring the application to the business needs.

The remainder of this paper is structured as

follows. In section 2 we present some computer

security background, discussing the importance of a

security policy. In section 3, we describe the firewall

software systems (Host-based and Web

applications). Next, in section 4 we evaluate the

software solutions. Finally, the concluding remarks

and future work are presented in section 5.

356

Sampaio, D. and Bernardino, J.

Evaluation of Firewall Open Source Software.

DOI: 10.5220/0006361203560362

In Proceedings of the 13th International Conference on Web Information Systems and Technologies (WEBIST 2017), pages 356-362

ISBN: 978-989-758-246-2

2 COMPUTER SECURITY

BACKGROUND

Still a few years ago, companies enclosing their

documents in drawers, put padlocks on the doors and

installed an alarm on its premises, and that was

enough to ensure effective protection of the most

important information. But, today most of the

company's information resides in computers and

with the increasing importance of the Web and the

Cloud the security measures mentioned above are

completely obsolete and ineffective.

Cybercrimes are now one of the major threats to

business endurance. Given this new and growing

wave of crime, a new kind of security necessarily

had to arise to ensure the protection of digital

information and computer systems, usually

designated as computer security or IT security.

We assume the definition of computer security

as protection of computers, to ensure the ultimate

goal of preserving the confidentiality, integrity and

availability of information resources, which includes

hardware, software, firmware, information and data

(Razzaq et al., 2013).

It is important not to confuse computer security

with data security. Being data security all the

process to ensure confidentiality of information

when transmission of this same information between

two terminals in a network. Usually cryptography is

the most common method.

The volume and sophistication of cybercrimes

are increasing and include: scams, data theft, virus,

etc. Thousands of infections are being launched and

discovered every day, as new attack methods.

Hundreds of millions of records have been involved

in data breaches. Huge financial losses have been

recorded in recent years (Ponemon Institute, 2013).

A company unprotected or that does not have the

resources to create an efficient security in a few

moments may be in bankruptcy (Dowd

and McHenry, 1998). The risk of cyber crimes is

increasing, and all signs indicate that this growth

does not have a tendency to slowdown (Kessel and

Allan, 2013).

Users, as is well known, are the weakest link in

the computer security layout. Often they assume an

inadequate and relaxed attitude, ignoring safety

guidelines and taking risk approaches that increase

immensely the danger of damage. Moreover the

security system is in most cases only based on

software, which is not able to anticipate or eliminate

every threat. The inability of regular users to

understand the various IT terms and notions

specifically related to computer security, whether

they are related to prevention, as the firewall or

threats such as virus, is perhaps the major difficulty.

The lack of concern with the risks has also to do

with the lack of knowledge of the real hazard (Adele

et al., 2012). In this sense, (Liang, 2010) reached to

the following conclusions: “…to motivate computer

users to avoid IT threats, they need to be convinced

that the threats exist and are avoidable. If users fail

to see a threat, they will not act to avoid it. If they

see the threat but believe it is unavoidable, they will

not act to avoid it, either. Thus, both the threat

appraisal and the coping appraisal are necessary to

motivate security behaviors”.

3 FIREWALL

A firewall is a software or hardware-based network

security system that controls the incoming and

outgoing network traffic based on an applied rule

set. A firewall establishes a barrier between a

trusted, secure internal network and another network

(e.g., the Internet) that is not secure (Oppliger,

1997). In other words, a firewall is a system

designed to prevent unauthorized access to a

computer as well as unauthorized outflow of data.

Another notion that is important to mention is that

firewalls don’t decrease the processing speed of

computers but optimize it (Garantla and

Gemikonakli, 2009), which is against common

sense.

There are two basic types of firewalls: hardware-

based and software-based. Each has its own

advantages and disadvantages. In next sections we

analyze firewalls based on software, and focusing on

the host-based and Web applications firewalls.

3.1 Host-based Firewall

Firewalls are the cornerstone of computer security

and the primarily line to security defenses. However,

most types of firewalls requires a detailed

understanding of data networking elements, such as

routers or switches, as well as a detailed

understanding of network protocols.

Host-based firewalls or personal firewalls

eliminate most of technical difficulties, since these

types of applications are simple and able to ran by

any user. These applications are designed to support

just a few protocols in order to function. Simplicity

makes verification of the rule set simpler as well.

The effectiveness of host-based firewall comes for

defining a security policy responsible for a single

host or machine, like computers or similar, having

Evaluation of Firewall Open Source Software

357

the ability to protect the machine even if it is moved

from network to network.

Another advantage is the specificity, as host-

based firewall can be adjusted to support a unique

set of applications and to block everything else.

Host-based firewall is also well defined for each

machine type, which can be an improvement, since

every machine may have different needs, as well the

network in which the machine operates.

To select the host-based firewalls to test we used

the work of (Meredith, 2010) and (Schroder, 2012).

Based on this study we choose the following three

systems: IPcorp, pfSense and Zentyal Community.

In next sections, we describe the key features of

the firewall applications listed above. The list of

features to be compared is based on the work of

(Sulaman, 2011).

3.1.1 IPCop

IPCop (www.ipcop.org) is an open source host-

based firewall software system, developed by

IPCorp Team for operating systems based on Unix,

like Linux (IPCorp, 2016). Its last stable version is

IPCorp 2.1.9 and it is distributed under the license

GNU GPL.

IPCop is a secure software system, highly

configurable and easily maintained with several

features, such as Caching DNS proxy (to help speed

up Domain Name queries), Web caching proxy (to

speed up Web access), Intrusion Detection systems,

Traffic Shaping, Web Antivirus, Web Content

Filtering, OpenVPN, and more. IPCorp also has the

ability to partition the network into a green, safe

network protected from Internet, a blue network for

the wireless LAN and a DMZ or orange network

containing publicity accessible servers, partially

protected from the Internet.

IPCop uses a Web based interface, that once

been installed, the dialup setting are added via

browser based from a client on the LAN. Although

not officially part of IPCop, there is many add-ons,

that include extra features to IPCop, such as QOS,

virus check email, traffic control, extended

interfaces to control proxy, etc.

IPCop is available for multiple languages:

Bulgarian, Czech, Dutch, English, French, Greek,

Italian, Polish, Portuguese, Swedish, Romanian, etc.

IPCop also has a system of monitoring and

performance charts that quickly warns if there are

trouble spots. IPCop can be downloaded at:

http://ipcop.org/download.php.

3.1.2 pfSense

pfSense (www.pfsense.org) is a open source host-

based firewall/rooter software system for FreeBSD

operating systems. Distributed under the license

BSD License, pfSense is developed by Electric

Sheep Fencing, LLC and started in 2004 as a fork on

the Monowall project. From beginning it is focused

on full PC installations, as opposed to Monowall that

is on embedded hardware (pfSense, 2016). Its last

stable version is pfsense 2.3.2.

pfSense is a software tool known by is

reliability, with several features such as: Network

Address Translation, Filtering by: source/destination

ip, protocol, os/network fingerprinting; Flexible

Routing; Packet Scrubbing; Web Content Filtering;

OpenVPN; Traffic Shaping, etc. pfSense uses a Web

interface that allows the configuration of all their

components. There are several companies that

already use this software, some examples are: Check

Point, Cisco PIX, Cisco ASA, Juniper, Sonicwall,

Netgear, Watchguard, and Astaro.

As happens with IPCop, there are many add-ons

available for pfSense, including language packs,

dashboards, etc, which not only significantly

improve the use of the tool, but also increase the

range of functionality, like add-ons directly

connected with the detection of threats. pfSense can

be downloaded at: http://www.pfsense.org/

download/index.html.

3.1.3 Zentyal Community

Zentyal Community version (www.zentyal.com)

formerly known as eBox Platform cannot be

considered a typical firewall, but as its creators

claim to, a server for SMEs. However, its features

and functionalities meets what is expected from a

firewall and because of that it is relevant to our

analysis (Zentyal, 2016). Zentyal is an open source

system available for operating systems based on

Linux, distributed by GPL and its last stable version

is Zentyal server 4.2.

Zentyal is a very robust software tool with many

features: Intrusion Preventing System, IPSec,

OpenVPN, Firewall failover capability, Traffic

Shaping, and more. Zentyal is composed of several

open source software packages: Apache Web server,

mod_perl CGI engine, OpenLDAP, OpenSSL

cryptography, BIND DNS server, Web cache, APT,

CUPS, APT and more. Zentyal Community can be

downloaded at: http://www.zentyal.org/server/

#server-feature

WEBIST 2017 - 13th International Conference on Web Information Systems and Technologies

358

3.2 Web Application Firewall

The growing development of web applications and

its massive usage has increased exponentially

attacks on web application layer, which is a trend

that shows no tendency of decreasing (Beechey,

2009). This fact becomes even more critical when

the collected data indicates that 71% of all attacks

could have been mitigated or totally eliminated

using firewall solutions for Web applications

(Security Statistics Report, 2012). Therefore, there

was the necessity to use tools and solutions,

designated as Web application firewall (WAF),

which will minimize the risks for users and

businesses.

One of the main advantages of Web applications

firewalls, is its greater capacity when compared with

network firewalls, to prevent attacks like Script

injections, parameter tampering, Forceful browsing

or buffer overflows (Pałka and Zachara, 2011).

The selection of systems to analyze was based

on the work of Abdul Razzaq and colleagues,

(Razzaq et al., 2013). In the next sections we study

the following tools: ModSecurity, WebCastellum

and Ironbee.

Defining a security policy responsible for a

single host or machine, like computers or similar,

having the ability to protect the machine even if it is

moved from network to network.

3.2.1 ModSecurity

ModSecurity (www.modsecurity.org) is an open

source Web applications firewall that works on

Apache system supported by Trustwave’s

SpiderLabs Team, released under the Apache license

2.0 (ModSecurity, 2016).

The main features of ModSecurity are: Simple

filtering, regular expression based filtering, URL

encoding validation, Unicode encoding validation,

Auditing, null byte attack prevention, upload

memory limits and server identity masking.

ModSecurity is also a well-documented application,

essential for users with less computer expertise.

ModSecurity uses four different security models:

Negative Security, Positive Security, Virtual

Patching, and Extrusion Detection.

ModSecurity can be downloaded at:

http://www.modsecurity.org/download, and it is

available for Microsoft Windows, Ubuntu/Desbian

and Fedora/CentOS.

3.2.2 WebCastellum

WebCastellum (www.webcastellum.org) is an open

source Web applications firewall developed in Java.

It is able to protect the system against some threats

like SQL Injection, Cross-Site Scripting (XSS),

Cross-Site Request Forgery (CSRF), Parameter

Manipulation, etc (WebCastellum, 2016). Its last

stable version is 1.8.3 and it is release under Eclipse

Public License.

WebCastellum is a very robust software tool

with many features: URL Encryption, CSRF

Protection, Form Protection, Stateful Attack

Detection, etc. WebCastellum, also enables a

monitoring of response and request. The handling

and processing of responses which can be switched

on as required makes possible, for example, the

automatic filtering out of confidential information so

that these are not transferred to the client.

WebCastellum uses a Rule-based defense: a

category of defensive function based on a complex

recognition of patterns related to e.g. request

parameters, form values, cookies, IP addresses or

protocols. The patterns to be used when scanning are

defined based on regular expressions. WebCastellum

can be downloaded at: https://sourceforge.net/

projects/webcastellum/.

3.2.3 Ironbee

Ironbee (www.ironbee.com) is an open source Web

applications firewall, distributed under the BSD

License and Apache 2.0 (Ironbee, 2016)

Ironbee is a very reliable and scalable software

tool, with many features: implementing custom

security logic, User agent profiling, inbound and

outbound traffic analysis, Behavioral monitoring (IP

addresses, sessions and users), Passive vulnerabilty

scanning, Cookie encryption and signing, Policy

decisions, Tailored defense, etc.

Ironbee also allows a perfect interaction with

external security systems (e.g., firewalls) and data

exchange. Ironbee is still a relatively recent

application and seeks to become the most complete

application of the WAF in the market, with strong

community support. Ironbee can be downloaded at:

www.github.com/ironbee/ironbee.

4 COMPARISON OF OPEN

SOURCE SOFTWARE TOOLS

In this section, we compared the free and open

source software tools described in the previous

sections. This analysis will be done by categories,

which distinguishes the different types of software

presented. We begin by comparing the firewall tools.

Evaluation of Firewall Open Source Software

359

In Table 1 are compared the key features to firewall

applications. The choice of features to be compared

is based on the work of Sardar Sulaman (Sulaman,

2011), and the feature list of each application on

theirs official websites.

According to our comparison, pfSense

demonstrates to be the most complete host-based

firewall open source system. It reveals a clear

superiority in terms of available features when

compared with the other systems studied in this

work. The union of 10 of the 12 features compared,

allows to apply a security policy more efficient and

with a greater number of options.

Table 1: Host-based firewall tools comparison.

IPCop PFSense Zentyal

Stateful

firewall

Yes Yes Yes

Web

antivirus

(http,ftp)

Yes Yes

Web url

blacklist

Yes Yes

Web

content

filtering

Yes Yes

IPSec Yes Yes Yes

OpenVPN Yes Yes Yes

Firewall

failover

capability

Yes Yes

Load

balancing

Yes Yes

Traffic

Shaping

Yes Yes Yes

Network

IDS system

Yes Yes Yes

Policy

routing

Yes

RRD

Graphs

Reporting

Yes

pfSense besides being the most featured full firewall

distribution has also the ability to generate simple

and intuitive reports witch is a huge advantage over

other solutions. Furthermore, pfSense is a solution

that has less power consumption, needs less space

and generates less heat. It also has a simple

installation process and a clear and easy learning

interface.

Figure 1: 1pfSense Dashboard.

Now we will focus our study on Web Applications

Firewall (WAF). Table 2 shows the comparison of

the most important features, according to the work

of Abdul Razzaq (Abdul et al., 2013).

Table 2: Web Applications Firewall (WAF comparison).

ModSecurity

Web

Castellum

Ironbee

Simple

filtering

Yes Yes Yes

Regular

expression

based

filtering

Yes

Auditing Yes Yes

Null byte

attack

prevention

Yes

URL

Encryption

Yes Yes

Stateful

Attack

Detection

Yes Yes

ModSecurity, as illustrated in Table 2, is the best

open source system of WAF. It has a superior

number of features in comparison with the other two

tools systems. Additionally, the requirement of

authentication is also a positive argument.

The main disadvantage of ModSecurity (see

Figure 2) is the need to be configured manually,

which can hinder the inclusion of users with lower

computer literacy. However, we do not consider this

disadvantage represents an insurmountable

difficulty, since can be circumvented using its large

community as its manual user. The setup and

installation can also be a negative point for less

experienced users, but once again, the community

and user's guide are useful.

WEBIST 2017 - 13th International Conference on Web Information Systems and Technologies

360

Figure 2: Console of ModSecurity.

5 CONCLUSIONS

In this paper, we proposed to design a security plan

based only in free and open source software that

could eliminate or at least mitigate the damage for

the most common threats, such as: Trojan, antivirus,

spyware, phishing, cookies and spam. Following

this, we consider that the first approach to computer

security will be Firewall host-based and web

application firewall systems.

We analyze firewall systems that aim to apply a

security policy to a particular point in the network,

to control the traffic denying access to any malicious

program. Firewall host-based has two great

advantages: offering maximum flexibility and high

configurability on a per-machine basis. According to

our evaluation, pfSense is the most complete open

source firewall available in the market. Web

applications firewall use the same technology as

firewall host-based but directly for the protection of

web applications, increasingly more used.

ModSecurity is clearly the best open source system

of WAF available with its superior number of

features and capacities.

These tools are intended to be the first line of

defense, and each company must have the

knowledge to understand their security needs, and

add more security-related IT tools if necessary. We

consider that is necessary to study the tools in a real

environment and test its effectiveness.

As future work, we also pretend to evaluate and

present a data security management evaluation,

respecting the limitation of reduced costs, which

means a investigation mainly focused in free and

open source software systems.

REFERENCES

Abdul, R., Hur, H. and Shahbaz, S., 2013. Critical analysis

on Web applications firewall solutions. IEEE

Autonomous Decentralized Systems - ISADS.

Adele Howe, I. Ray, M. Roberts, M. Urbanska, 2012.The

Psychology of Security for the Home Computer User.

IEEE Symp. on Security and Privacy, pp. 209-223.

Beechey, J., 2009. Web Application Firewalls: Defense in

Depth for Your Web Infrastructure.SANS Institute.

Bernardino, J., 2011. Open source business intelligence

platforms for engineering education. WEE2011,

Lisbon, Portugal, pp. 693-698.

Computer Crime and Security Survey, 2012. 15th Annual

Computer Crime and Security Survey 2011/2012. CSI

Computer Security Institute.

Dowd, P. W.; McHenry, J. T., 1998. Network security: it's

time to take it seriously. Computer, vol.31, no.9,

pp.28.

Garantla and Gemikonakli, O., 2009. Evaluation of

Firewall Effects on Network Performance. 3rd IT

Conf. for next generation, Univ. of East London, UK.

IPCorp, 2016. Official website from www.ipcop.org.

Ironbee, 2016. Official website from www.ironbee.com.

Liang, H., 2010. Understanding Security Behavior.

Journal of the Association for Information Systems

Vol. 11 Issue 7 pp. 394-413 July 2010.

Meredith, M., 2010. 7 of the best Linux

firewalls.Available on techradar.com.

ModSecurity, 2016. Official Website from

www.modsecurity.org/

Oppliger, R., 1997. Internet security: firewalls and

beyond. Communications of ACM 40, 5 (May 1997),

92-102. DOI=10.1145/253769.253802.

Osmanbegovic and Zahirovic, 2013. Perception of

Information Security of Management of Banking and

Insurance Companies in Countries of Western

Balkans. Research in Applied Economics, Vol. 5 (2).

Pałka, D., and Zachara, M., 2011. Learning Web

Application Firewall - Beneﬁts and Caveats. Computer

Science Volume 6908, 2011, pp 295-308.

Paul van Kessel and Ken Allan, Under cyber attack EY’s

Global Information, 2013.

Pfsense, 2016. Official website from www.pfsense.org/

Ponemon Institute, 2013 2013 Cost of Cyber Crime Study:

United States. Sponsored by HP Enterprise Security

Independently conducted by Ponemon Institute,

available http://media.scmagazine.com/documents/

54/2013_us_ccc_report_final_6-1_13455.pdf.

Razzaq, A. Hur, A., Sidra Shahbaz, Muddassar Masood,

Farooq Ahmad, H., 2013. Critical Analysis on Web

Application Firewall Solutions. 013 IEEE Eleventh

International Symposium on Autonomous

Decentralized Systems (ISADS).

Razzaq, Ahmad, H., Muddassar, M., 2013. Cyber

Security: Threats, Reasons, Challenges,

Methodologies and State of the Art Solutions for

Industrial Applications. Autonomous Decentralized

Systems (ISADS), 2013 IEEE Eleventh International

Symposium, pp 1-6.

Evaluation of Firewall Open Source Software

361

Schroder, C., 2012. 5 best open Source firewalls.Available

on smallbusinesscomputing.com.

Security Statistics Report, 2012. 12th addition- Industry

Benchmarks. official Website.

Sulaman, S., 2011. An Analysis and Comparison of The

Security Features of Firewalls and IDSs. Master thesis

Performed in ISY (Information Coding).

Tawileh, A., Hilton J. and McIntosh S., 2007. Managing

information in smes: a hollistic approach. Highlights

of the Information Security Solutions Europe/

SECURE 2007 Conference, UK, pp 331-339.

V. Liggans 2006. The importance of firewall technology.

Article conducted for the purpose of applying for a full

scholarship for a bachelor's degree in Jonhson C.

Smith University.

WebCastellum, 2016. Official Website from www.

webcastellum.org/

Zentyal, 2016. Official website from www.zentyal.com.

WEBIST 2017 - 13th International Conference on Web Information Systems and Technologies

362