# Custom-built firewall



## gpatrick (Dec 10, 2011)

The company I work for is a Fortune 500 company and does a lot of in-house development instead of paying for commercial software.  Recently they implemented their own custom-built firewalls based on Linux and are in the process of eliminating firewalls from third-party vendors.  It is my understanding there was one individual who developed the firewall; and I have no knowledge of vulnerability testing or debugging procedures.

Has anyone ever heard of a company doing something like this before?  Apparently the reason cited is that third-party vendors don't offer firewalls that provide what they want to do (what that is I don't know).

I realize third-party vendors such as PIX, NetScreen, and FireWall-1 are closed source, but likely go thorough and rigorous testing and probably hire security consultants for testing before and after releases.  However, how can a company create a firewall in-house and be reasonably certain it will protect them in a way a commercial one can't?  Even the code from PF, IPFW, and IPF is released and if there are bugs, they would be found and patched. 

It just seems to be an ill-advised "adventure" to me.  I'd be interested to hear others thoughts and opinions.


----------



## gkontos (Dec 10, 2011)

The main issue when it comes to firewalls is support and expandability. That is the reason why most companies choose to go with large vendors. Supports means that my vendor is releasing updates that:

a) fix bugs
b) provide new features 

Depending on the size of a company and the data it needs to protect, this might be a critical factor or not. Let me explain a bit further. 

A company that is processing  financial transaction data, needs firewall(s) that are supported on a 24X7 basis, are easy to deploy and manage and have passed certain network specifications. In this case, an in house development will cost more than a large vendor would ask. 

A company needs firewall(s) to protect their corporate web site, mail server and outgoing traffic. Depending on their field of expertise, the cost could be balanced. 

Generally speaking, network firewalls are usually not a target for an attacker. The real target is the services exposed behind the firewall.

A firewall however can start rebooting for no apparent reason or increase its CPU usage to the point that it starts discarding packets. Some companies really don't care if this happens or they probably will never stress their firewalls to that point.

Regards


----------



## mix_room (Dec 11, 2011)

I guess they haven't really 'developed' their own firewall. The development probably went into the appliance. They use the Linux equivalent of PF or IPFW, then bolt on some management interface, add some other fancy stuff. IPSec tunnels for example, and are ready to go.


----------



## gkontos (Dec 11, 2011)

gpatrick said:
			
		

> This was coded from scratch and from what I've been told took a year-and-a-half to complete.



If you do the math... 18 months =  22 days * 18 months =  396 days roughly. Suppose that an average of 3 engineers are engaged full time, then it goes to 396 * 3 =  1188 man days!!! 

Try figuring out the cost


----------



## bbzz (Dec 11, 2011)

gpatrick said:
			
		

> Apparently the reason cited is that third-party vendors don't offer firewalls that provide what they want to do (what that is I don't know).



I'm just curious what _it_ is.


----------



## Beeblebrox (Dec 19, 2011)

Fortune 500 = US company, Right?
What firewall / security scheme does the NSA, Pentagon, Airforce, Cheyenne Mountain, Ad Nauseam use?

AFAIK many of the FreeBSD/linux security ports were developed in-juction with those agencies anyway.
Unless your F500 is something like Diebold, Halliburton, Northrp-Grumman (in increasing degree of conspiracy levels), I do not see the point in developing your own firewall. Then again, even if it is one of those evil corps, why develop? They must have the connections and "national security imperatives" to get the latest developed firewall from one of such agencies?

There is madness in their cunning!


----------



## SirDice (Dec 19, 2011)

Big companies usually use two or more different firewall manufacturers. You never put your money on just one horse. If one firewall has a bug it's quite unlikely the firewall from the other manufacturer has the same bug.


----------



## gkontos (Dec 19, 2011)

SirDice said:
			
		

> Big companies usually use two or more different firewall manufacturers. You never put your money on just one horse. If one firewall has a bug it's quite unlikely the firewall from the other manufacturer has the same bug.



Correct. Double or Triple vendor policy. There are also different vendor strategies regarding Internet / External facing firewalls vs Access / Distribution firewalls.


----------



## fluca1978 (Dec 19, 2011)

It sounds to me the developer is really good at vending himself or the management does not understand what the risk is. Assuming you have no a firewall guru or a very good kernel development, developing a firewall from scratch is like developing a full network stack. Moreover, how much it will be portable among different kernel releases?
I think the man is crazy and the company is too, but at least I hope the man has been payed well.

More likely the developer has changed the code base for iptables adding some fancy flag or queuing mechanism. After all, if this new firewall is so good, I believe it will be merged on the linux main stream. If not, it is not so good. This reminds me what happened when I worked at university: a student came into my office asking to help him developing a new operating system. I replied it is quite an hard task, and that the student should have deep knowledge of CPUs, scheduling, networking, busses, etc. And the student replied it was a really task, after all he could have used the INT of MS DOS.


----------

