Build an Open-Source Enterprise Firewall & IDS/IPS for less than $250
Hi! Today I’m going to share with you a successful project that I carried out and that might be helpful to cybersecurity professionals who have to struggle with network security at some point in their careers.
If you haven’t yet entered the cybersecurity world professionally, let me tell you that, unfortunately, not all companies have (or are willing to spend) a big budget to cover their cybersecurity needs. Some of them don’t even have a specific budget for their cybersecurity needs (like tools, security appliances, or any other resource). Beyond that, the fact that almost any enterprise-level security tool is very expensive does not help to get a purchase approved in those cases where the cybersecurity team doesn’t have an annual budget at its disposal. This problem makes the work harder for cybersecurity employees and forces them to be creative and to turn to open-source tools.
In my professional career, I found myself in this situation, where I faced a complex scenario with zero security and no budget for cybersecurity. 90% of the staff (~50 employees) was working in the same headquarters, doing critical operations on a daily basis without even a single firewall in the office. One of the first projects I carried out was to design and build a secure network for the headquarters, which included putting in a firewall, among other things. But the company wasn’t going to spend $5000 to get a Cisco Firepower, so I decided to build an open-source firewall that cost less than $250 and which is still fully functional today, despite the company’s 5x growth to more than 200 employees (the network has been scaled up with more network devices, including more firewalls, which are exactly the same as the one I describe here).
So, if you find yourself needing to set up a firewall on a very low budget, here is a simple guide to getting a firewall solution for less than $250.
Please note that I’m not going to go into deep explanations of the firewall configuration or network configuration, since that would make for a very long guide. If you find this guide helpful and it receives some claps, I may plan to create a complete configuration guide with in-depth explanations.
Getting the hardware
First off, and most important, acquire the device on which we’ll install our firewall software (which will be pfSense). After searching and considering several options, I decided that a Mini PC with 6 network adapters, 8 GB RAM and an Intel Core i3 processor would be a perfect fit. I got a device similar to this:
The computer attached in the image above is from AliExpress (link). I purchased a similar one from AliExpress as well without any issue. I can confirm that for a network of 150–200 endpoints an i3-6100U processor with 8 GB RAM and a 128 GB SSD is more than enough.
Getting the Firewall software
For this, again after considering (and testing) several open-source firewall packages, I opted for pfSense.
I dare say that it’s the most complete and reliable open-source network firewall at the time of writing. I also found OPNsense (a fork of pfSense) to be a very good option; in fact it seemed friendlier, but it is less stable. And as I said, the purpose was to build an Enterprise firewall, so we need the most reliable software possible.
Many Mini PCs, like the one I suggested, come with Windows preinstalled. We’ll remove it and replace it with pfSense. So you’ll have to download the latest version of pfSense and burn it onto a USB drive to install it.
Next Steps
Once you have installed pfSense, we’ll have to do the most difficult part: setting it up. This depends on your needs, but I consider the following a must in order to build a network with a proper minimum of security:
- Configure the network adapters, adding a DMZ if needed
- Configure VLANs, including VLANs with trunk links
- Install an IDS (Suricata or Snort) and tune the rules
If you want to go further, or you need a design for a big headquarters, you may also want to do the following:
- Configure a Load Balancer for a dual Internet line for High Availability
- Set up Link Aggregation / Port Trunking in order to get better bandwidth
- Install a Web Proxy (Squid) to prevent endpoints from visiting prohibited sites
- Install an OpenVPN server or configure NAT to allow remote access to specific endpoints in the office
- Enable the IPS
Unfortunately, almost everything open-source also requires a high degree of configuration. If this article gets some claps, I’ll write a guide to configuring the most important of the aforementioned points.
I hope this is helpful to you as an introduction to getting an Enterprise firewall for a very affordable price.