This week I tested a half dozen linux and bsd based firewall distributions (ClarkConnect, M0n0wall, Smoothwall Express, SME Server, IPCop, and RedWall if you care). I tested each with three windows clients, a windows servers, and a linux server behind them. I did this all from the comfort of my laptop. I did this with VMWare Workstation
VMWare makes virtualization products (more info here, here, and here). I first learned of VMWare Workstation (version 2 if I recall) in college when they succesfully lured me into their shinyness with a $99 academic license. I toyed with it through college (mostly running CorelDraw while my machine was booted into Linux), yet forgot about it for a few years.
About a year into the job, I purchased and began using VMWare GSX Server for server consolidation I used it quite conservatively (more on that process some other day). I didn't quite learn how much glee VMWare could bring me until I recieved a copy of Workstation for attending one of their sales seminars. But this isn't a piece on all the things I have done with VMWare Workstation, this is a description of how I used it to test Firewalls.
The first thing I needed was a handful of basic virtual machine setups. That was easy, considering I already have standard virtual machine images setup for a linux server, a windows server, and the three windows workstation setups I use.
Next I installed a firewall, configured it, and connected it to a virtual network. VMWare's virtual network setup enables you to connect virtual machines in various ways without having to get a real switch involved.
Next I installed a firewall, configured it, and connected it to a virtual network. VMWare's virtual network setup enables you to connect virtual machines in various ways without having to get a real switch involved.
Finally I powered up a handful of virtual machines and tested the actual behavior of the firewall. I experimented with the admin interface (which are mostly web based); watched the logs as I did things that should and should not show up there; tested general performance; and timed reboot times. Now I couldn't test throughput this way. While I was doing these tests, my laptop was hammered in pretty much everyway. While I could get an idea at how well a firewall could handle lower traffic levels (in the 10mg range), I couldn't test it at 100 (most linux and bsd distributions do not have the needed drivers to enable a faster than 10mb network card within VMWare). These tests will have to happen in the real world.
With this general setup I could perform basic testing on a firewall setup in about 30 minutes. Having performed this type of testing with real machines in the past, I would estimate a savings of about 4 hours for the initial setup and about an hour per firewall. I wouldn't have to go through that initial setup if I actually had the funds, space, and assistance to have a proper test lab with a variety of spare. The testing of each firewall was sped up in ways that couldn't be done with physical machines. A key item for this testing was the ability to take snapshots (a save of the state of a virtual machine) of both the firewall and the test machines. With these snapshots, I could bring back the exact same setup over and over again in just a minute or two.
The story of what firewall I choose and why is for another week.
