A surprising number of small businesses have connected their office networks to the Internet with consumer grade NAT routers. These devices are inexpensive and easy to setup, but they lack features that most businesses should have. These devices are often left unsecured with default passwords and access levels. More importantly when something goes wrong they are useless when it comes to helping the network admin (or consultant) diagnose an issue. Luckily there are several open source solutions that provide firewall protection and so much more. One solution that I have found to be useful and extremely flexible is IPCop.
IPCop is a Linux NAT firewall distribution that is built on Linux from scratch. It has its own easy to use web based interface and most importantly a large and well developed set of add on tools. The current version is 1.4.21 and a new version should be out this year with even more features.
IPCop was designed to be used on “older hardware” or very low powered hardware. There are people running IPCop on original Pentium class machines without issue. Since you will probably want to take advantage of some of IPCop’s add ons, I highly suggest a more modern machine. In today’s environment one can build a brand new Atom based system, or get a whitebox, or even an off lease deal from TigerDirect or NewEgg and get a perfect machine to be your office’s router for $300 USD or less. The old Dell that used to be at the front desk that needs a new hard drive, but is under your desk might be a good candidate too.
A smart setup for a small office involves the base IPCop setup plus the addition of the url-filter and update accelerator. The two addons provide great functionality for businesses. Objectionable or inappropriate content is blocked from all work stations via url-filter, while anti-virus and windows updates will be cached locally with the update accelerator. Together with transparent web proxying businesses with limited bandwidth get a bit of a network performance boost with this setup. It’s especially effective when large windows updates have been pushed out. [Take the time to purposely setup one PC to upgrade before the others in the office. This "preloads" the cache so that no other computer has to go to the internet for OS or AV updates]
There are lots of other addons to choose from and IPCop has some great features built in, including the ability to set up site to site secure VPNs. IPCop provides basic qos settings, traffic graphs, and connection tracking. Setup can be accomplished painlessly in less than 30 minutes (10 minutes if you’ve done some planning), has no “default passwords”, and I’ve personally had an IPCop machine with more than a year of uptime (ups mandatory) on a heavily loaded fiber internet connection.
IPCop plus an old PC or a cheap PC is an excellent, secure, cost effective way to protect a small network. The capabilities are easily extensible and it’s powerful enough to give some big name commercial security products a run for their money. IPCop is highly recommended.