Not long ago, I found myself in a discussion with a recent IT graduate (whom I'll call Tom) over the virtues of using open-source components versus commercial products for managing and participating in a network. As is typical with many IT graduates of late, Tom believed (or was taught) that commercial products were the be-all and end-all of the networking scene. To him, nothing else was worth considering.
I suspect that most IT graduates are learning only about commercial offerings while in school (no doubt due to the sweet deals that Microsoft and other vendors use to coerce institutions of higher learning); hence his preference for them. He was quite surprised to learn not only that the Internet is based largely on open-source software but also that a company's entire network could be built, secured, and managed using only open-source products. In fact, when I told him, he threw down the gauntlet and challenged me to prove it to him. Never one to back down from a challenge (particularly when I know I'm right), I took him on a tour of some of the well-known open-source software and tools available for both Internet and intranet use.
The Internet Services Infrastructure
The first things I pointed out to Tom were a few of the many open-source software products that support the Internet. (I've mentioned them in previous articles, so I won't elaborate.) The short list includes Berkeley Internet Name Domain (BIND), which provides the vast majority of DNS services for the Internet; Apache Web Server, which serves up HTML for the majority of Internet Web sites; and Sendmail (and work-alikes Postfix and qmail), which move the majority of all that spam--I mean email--from place to place.
Tom conceded that open-source and the Internet seemed to be inextricably linked, since I picked what he considered to be the "Big Three" on the list of things that happen on the Internet. Of course, I also could have pointed out that other services that people cannot seem to live without, such as instant messaging and audio streaming, are handled adroitly by projects such as Jabber and Icecast, respectively. But since he didn't ask, I didn't volunteer that information. (I hate it when people continue to argue even though they've won the argument!)
Having easily survived the first round, I directed our discussion to a relatively simple network that can be found in the majority of businesses across the country if not around the world. You probably have one of these yourself.
The Network Scope
The network we considered is typical of what many readers of this column use: one or more subnets (to keep departmental traffic segregated), a connection to the Internet, perhaps a few servers that provide email and Web services to the outside world, and finally a few more to handle their internal file/print serving, intranet Web site, and business applications. The users of this hypothetical network may have wireless connections within their company locations and probably access the internal network from the Internet via some kind of virtual private network (VPN). For the most part, the client computers are running some version of Windows. The servers are most likely running UNIX or UNIX-like OSes, the iSeries, or even Windows.
The Network Appliances
When designing a network, we have to make decisions that affect performance and security. Using routers in combination with switches allows us to direct packets efficiently to their destination while maximizing our use of available bandwidth. The routers allow us to segregate groups of users (thus minimizing useless intergroup traffic), while the switches keep collisions between devices to a minimum. To enforce our security policies, the firewall is always the first line of defense.
The most famous name in the business of routers and firewalls would probably be Cisco Systems, and the quality of its products is excellent. But you can duplicate a great deal of the functionality of the Cisco boxes using open-source software. Cisco does have some proprietary extensions that, if you need them, are worth the price of admission. But for a run-of-the-mill site, an excellent substitute is readily built.
Take any Pentium-class computer, add two network interface cards, 32 MB or so of RAM, and Linux, and you have a machine capable of becoming a router or firewall. A quick search for "Linux Router" on Freshmeat yields projects that provide some sophisticated routing functionality, including the ability to do traffic shaping (for Quality of Service applications) and Network Address Translation (NAT). There are projects meant to be run from a single floppy, a CD, or even a compact flash memory module. Linux really wants to route traffic for you and can be configured to do so with a few simple commands.
What about a firewall? The Linux kernel has had the capability to do network packet filtering for a long time. The latest kernel versions, 2.4 and 2.6, have extremely powerful capabilities in this regard. Most Linux distributions will allow you to enable the firewall during installation so that your local box is properly protected from the rest of the network. More-sophisticated firewall configurations can be built from the command line, or if you like doing system management via a GUI, an open-source tool such as fwbuilder will generate the script for you. A search of Freshmeat for "Linux firewall" yields yet another plethora of options from which to choose.
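Here is what that "few simple commands" amounts to in practice, as an added example that is not from the column or any of the projects it names: a small shell function that emits an iptables-restore ruleset turning a two-NIC Linux box (2.4/2.6-era netfilter) into a default-deny NAT router. The interface names (eth0/eth1) and the 192.168.1.0/24 subnet are assumptions passed in as arguments.

```shell
# Hypothetical helper (added example): print an iptables-restore ruleset for a
# two-NIC Linux router/firewall. Arguments: LAN interface, WAN interface, LAN prefix.
gen_firewall_rules() {
    lan_if="$1"   # NIC facing the internal subnet (assumed e.g. eth0)
    wan_if="$2"   # NIC facing the Internet (assumed e.g. eth1)
    lan_net="$3"  # internal prefix (assumed e.g. 192.168.1.0/24)
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the internal subnet behind the router's public address
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
# Default-deny: anything not explicitly accepted below is dropped
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Admin (ssh) access to the router itself only from the LAN side
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
# Anti-spoofing: packets on the WAN side claiming an internal source are bogus
-A FORWARD -i $wan_if -s $lan_net -j DROP
# Replies to connections the LAN opened
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN may reach the Internet; nothing initiates from the outside in
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
COMMIT
EOF
}

# To apply on the router (as root), after enabling forwarding:
#   echo 1 > /proc/sys/net/ipv4/ip_forward
#   gen_firewall_rules eth0 eth1 192.168.1.0/24 | iptables-restore
```

Review the emitted text before piping it to iptables-restore; the default-deny INPUT policy means a typo in the ssh rule locks you out of a remote box.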
If you read any of the literature concerning open-source firewalls, you undoubtedly will read a disclaimer warning you (in so many words) that you can easily shoot yourself in the foot should you configure your firewall improperly. I'm convinced that statements like that are generated by those with a vested interest in your not doing the setup yourself. Sure, if you don't know what you're doing, then you certainly could shoot yourself in the foot. But you can just as easily cause bodily harm using a proprietary product under the same circumstances. That a solution is commercial is not a guarantee of its efficacy or security. This stuff isn't rocket science; with some effort, you can learn what you need to know to configure a firewall. But if you really want to feel secure, then hire someone who has experience configuring firewalls to do it for you, be it a commercial or an open-source solution. Of course, now you get to worry about whether or not he or she did it properly, but at least you didn't make the mistake.
By the way, you can also use the fwbuilder program I mentioned earlier to configure your Cisco PIX firewall if you purchase the commercial license for the product. Learn to use that tool and your knowledge is transportable between the commercial and open-source world!
Addressing
The basics of running a TCP/IP network include managing the IP addresses for your machines--both assigning them (via dhcpd) and resolving the address for a given host name (via named, a.k.a. BIND). There isn't much to discuss here; virtually every distribution includes the servers that you'll need to accomplish this. (Notable exceptions are distributions that sell "workstation" versions, such as Red Hat Enterprise Workstation, since they are billed as workstation products. You wouldn't normally run these types of services on a workstation machine.) The configuration of these services is well-described both in the online documentation (man pages) and at The Linux Documentation Project site, so I won't mention it further. Suffice it to say that UNIX had TCP/IP before most of the other OSes did, so its capacity to handle related tasks is a given.
Authentication
Only the most grossly simple networks, such as a husband-and-wife, two-computer network, require no user authentication (although I'm sure many married couples would refute that statement!). Once again, the open-source world can provide the required authentication services.
For a Windows network, Samba may fit the bill. But if a more-generalized authentication system is appropriate, then there is always OpenLDAP or Kerberos. Servers for all three of these methods are available and usually are included in Linux distributions. Keep in mind, however, that Samba has some limitations within a Microsoft-managed domain. Also, the version of Kerberos that is included with Linux distributions conforms to the official Kerberos standard (not the bastardized standard created by Microsoft), so there are some interoperability issues between the two versions.
Externally Accessing the Network
Our users want to access our network from their homes, and we want to let them--but only if it can be done securely. The same holds true for the wireless access from within the buildings. Wireless access points are notorious for security breaches. The solution in both cases is a VPN. The concept is simple: Join two secure networks together across an insecure one by creating an encrypted tunnel between the two.
There are a number of ways to accomplish this task. Many take advantage of the ssh tool and its ability to redirect ports from one machine to another. For simple situations, it works well, but for more complete solutions, turn to something like OpenVPN. This project runs on Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Solaris, and Win2K/XP and can be used to build the required VPN between your employees' homes and the office network or between wireless devices and the office network.
Keeping Watch
Of course, once your network is up and running, there is always the task of monitoring its status. For that, Nagios is hands down the most powerful open-source tool. Nagios can monitor the status of your servers, your managed switches, even network-attachable temperature monitors. It provides an excellent graphical view of your network status. And it can do customary notifications (email, pagers, cell phones, etc.). Thus, you can have a professional-grade network operations center at an extremely reasonable price: free.
Although Nagios will tell you when there is a problem, you sometimes need a network protocol analyzer to track down the problem source. Among open-source aficionados, the tool of choice for this task is Ethereal. Ethereal will allow you to watch the bits flowing across the wire. It will organize the results for you, letting you follow the conversations between devices. It even speaks EBCDIC, so it can be useful when tracing packets to an iSeries.
Should I or Shouldn't I?
The decision to use open-source instead of commercial, proprietary solutions comes down to a few factors. Ask yourself the following questions:
- Can I get all of the functionality I need using open-source tools, or is there something I want that is proprietary? (If you answer the latter, then your decision is simple.)
- Will what I'm planning to do be something that comes up frequently, or is it a one-shot deal? (You may not want to take the time to learn to configure routers or firewalls if it's unlikely to come up again. But, if you learn to do it yourself, you'll be able to add a firewall at will, wherever it makes sense. This holds true for both commercial and open-source products.)
- What do I have more of--time or money? (Learning how to configure all of this is rewarding and can be extremely useful. It also can save lots of money. But even though I know how to change my oil and perform basic car repairs, I don't have lots of time, so I pay someone else to do it for me.)
- Do I have lots of old equipment available on which to learn? (If you have some spare computers around, then you can resurrect them from the dead and once again make them useful. There is some gratification in recycling equipment besides the result of stretching your budget.)
What About Tom?
Once I outlined all of this to Tom (and showed him some of it running on my laptop), he was convinced that what I said was indeed correct. Now, he runs Linux on one of his two home systems so that he can learn more about the networking aspects of the operating system.
How about you? Interested in giving open-source a try on your network?
Barry L. Kline is a consultant and has been developing software on various DEC and IBM midrange platforms for over 21 years. Barry discovered Linux back in the days when it was necessary to download diskette images and source code from the Internet. Since then, he has installed Linux on hundreds of machines, where it functions as servers and workstations in iSeries and Windows networks. He also co-authored the book Understanding Linux Web Hosting with Don Denoncourt. Barry can be reached at
MC Press Online