Industrial Strength Cluster Security for an Open Source Price
Neil Gorsuch
Computer security is big business. Worldwide annual revenue of the VPN/Firewall
market was $2.7 billion in 2002 (Source: Infonetics Research, Inc.). Upfront
licensing costs for proprietary industrial strength cluster security solutions
can range from thousands to hundreds of thousands of dollars depending on cluster
size. However, use and deployment of open source solutions can reduce the total
cost of ownership. This paper describes the deployment of an industrial strength
open source firewall solution based on an easily configurable packet-filtering
compiler system for clusters.
Stateful packet-filtering firewalls can provide excellent security from network
attacks, but are difficult at best to set up and maintain. When packet filtering
is combined with packet forwarding, NAT'ing, and pseudo-interfaces, a single
machine can provide firewall protection for a private network of machines. Thus,
protected machines have complete access to the general networks and visibility
at general network addresses, while maintaining their firewall protection. A
configurable packet-filtering compiler system for clusters can provide all these
benefits.
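To make the combination of stateful filtering, forwarding, NAT and pseudo-interfaces concrete, here is an added example that is not part of the paper and not the author's compiler system: a small POSIX shell function that acts as a toy rule compiler, turning a one-line description of the cluster (WAN and LAN interfaces, the private subnet, and a list of `PUBLIC:PRIVATE:PORTS` node mappings) into the Linux iptables commands a gateway would need. The function name, interface names and all addresses are constructed for illustration. It prints the commands rather than running them, so the generated policy can be reviewed, diffed and version-controlled before being piped to `sh` on the gateway.

```shell
#!/bin/sh
# Toy rule compiler for a cluster gateway (constructed example, not the
# paper's tool). Usage on the gateway, after reviewing the output:
#   cluster_fw_rules eth0 eth1 10.0.0.0/24 "203.0.113.10:10.0.0.10:22,80" | sh
#
# Each node spec is PUBLIC:PRIVATE:PORTS, where PORTS is a comma-separated
# list of TCP ports reachable from outside (may be empty for outbound-only).
cluster_fw_rules() {
    wan=$1; lan=$2; lannet=$3; nodes=$4

    # Start from a clean table and a default-deny policy for traffic to the
    # gateway (INPUT) and through it (FORWARD). Routing must be enabled.
    echo "iptables -F; iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Stateful core: replies to already-accepted flows pass, packets that do
    # not fit any tracked connection are dropped before any other rule.
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A $chain -m conntrack --ctstate INVALID -j DROP"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $lan -s $lannet -j ACCEPT"

    # Nodes may open new connections outward; they are hidden behind the
    # gateway's own WAN address (masquerading NAT).
    echo "iptables -A FORWARD -i $lan -o $wan -s $lannet -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $wan -s $lannet -j MASQUERADE"

    # Per-node public visibility: a pseudo-interface address on the WAN side
    # so the gateway answers for it, 1:1 NAT in both directions (SNAT is
    # inserted ahead of the MASQUERADE rule), and only the listed ports may
    # start new inbound connections.
    for spec in $nodes; do
        pub=${spec%%:*}
        rest=${spec#*:}
        case $rest in
            *:*) priv=${rest%%:*}; ports=${rest#*:} ;;
            *)   priv=$rest; ports= ;;
        esac
        echo "ip addr add $pub/32 dev $wan"
        echo "iptables -t nat -A PREROUTING -i $wan -d $pub -j DNAT --to-destination $priv"
        echo "iptables -t nat -I POSTROUTING -o $wan -s $priv -j SNAT --to-source $pub"
        for p in $(echo "$ports" | tr ',' ' '); do
            echo "iptables -A FORWARD -i $wan -o $lan -d $priv -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
}

# Print a sample policy when invoked directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    cluster_fw_rules eth0 eth1 10.0.0.0/24 \
        "203.0.113.10:10.0.0.10:22,80 203.0.113.11:10.0.0.11:"
fi
```

Because every decision is made once, in the generator, adding a node or a port is a one-line change to the input rather than a hand edit of a live rule set, and a reviewer can check the emitted rules for a default-deny FORWARD policy and a conntrack rule at the top of each chain before anything is applied.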
Introduction
Total cost of ownership (TCO) is often overlooked in designing and deploying
large-scale computing solutions. A potentially significant percentage can be
added to the TCO when security costs, both initial and ongoing, are factored
in. Industrial strength cluster security solutions can entail upfront licensing
costs that quickly multiply when proprietary security solutions are licensed
on a per-node basis (16x, 32x, 64x, 128x...). Using and deploying open source
solutions can lower the TCO by eliminating the software licensing cost component
of the equation.