Yes, it can be done, but remember since you’ll be using a software firewall, you lose the most important type of protection a hardware firewall gives you, namely preventing certain types of trojans from shutting it down and allowing unprotected access.
The classical LAN definition of a switch is a layer 2 device - a multi-port bridge - that makes forwarding decisions based on MAC addresses, preferably really, really fast, preferably while running Spanning Tree to prevent loops… Building that on a PC platform will take some serious low-level coding. Building it so it performs anywhere like a proper switch with custom-made ASICs? Forget it.
If the question is more one of “Can I run my home network on just one box?” - yeah, well, you can. I don’t think you’ll be happy with the performance - you’ll probably be forced to make all forwarding decisions on the IP address level (level 3), and that’ll slow things down, especially if you expect to move data between your client PCs.
If I were you, I’d stick with the good idea: Linux-based FW - install just two NICs in the PC, load Linux and install a firewall. (There are several products out there.) Then use a real switch to attach your client PCs to the inside interface. Can you make it 100% secure? Nah. But you may just up the ante enough that it’s your neighbour that gets hacked instead…
You cannot build a switch, but you can do a firewall. Q.E.D. is incorrect in stating that there is such a thing as a “hardware” firewall. Nope. It’s just a dedicated box running some kind of software.
But they are susceptible to plenty of other attacks. Like, say, it leaks out that the company hard-coded an admin access password that can’t be changed and now any bozo on the disclosure list has full control of your firewall config. I don’t have a cite handy (and I wouldn’t post it here if I did), but I’ve seen lists of backdoor passwords to various brands of router/firewall products from many vendors. Hardware firewalls are great but they’re not invulnerable.
Software firewalls still have their place, especially when they are on a sole-purpose box like the OP is intending. If you install Linux with minimal services, no GUI, no unnecessary apps, and go through a lockdown procedure prior to setting up the firewall, you can have a very strong router/firewall. I’ve done this many times for NAT/firewall boxes, but I’ve never tried to do a switch so I can’t really help the OP.
I wasn’t trying to put words in your mouth. You clearly said that hardware firewalls were not vulnerable to a certain type of virus, which is true. I was merely pointing out that security against one type of threat does not equate with actual security. Everything is a compromise, and while hardware firewalls have many advantages, they also have several disadvantages caused by the very fact that the user can’t easily modify the software they run. I can patch an exploit in a software firewall within hours, often minutes, of disclosure. With a hardware firewall, you’re faced with either shutting it down or living on the edge of your seat until the vendor bothers to patch for you.
I’m sure you understand this, but I thought your comments about “the most important protection a hardware firewall gives you” could be misconstrued to mean “the most important protection a firewall gives you”. That is, while that feature may lead the list of advantages provided by a hardware-only solution, it’s way down the list of important features provided in general by a firewall and may be balanced by either disadvantages of the hardware-only solution or advantages provided by the software solution if you actually do a full risk assessment.
There is/was a freeware project called Smoothwall. This branched into something called Ipcop due to a political split among the members of the project. It is a customized version of Linux that functions as a firewall using two NICs. Quite easy to set up and doesn’t need a lot of space. The packet handling code is in the kernel so it’s fast. I used Smoothwall at one time and it worked quite well (until the PC it was on died). Now I just use one of those 4 port router/firewall things you get for $80 at Best Buy.
As for performance, no software solution will ever come close to dedicated hardware though.
Wrong. As someone who’s built two successful companies that built hardware firewalls, I can tell you that they are mainly software, typically built on mainstream O/S’s (such as Linux or FreeBSD), occasionally with some hardware assist (i.e. chips), but the chips are almost always for performance improvements, not security ones. Yes, the software is typically (but not always, not even mainly) put in a rom, but that isn’t to make the box more secure. It’s to make it cheaper and more reliable, since a hard drive isn’t required. Cite.
The short answer to the OP is: yes you can build a firewall/router from what you have, and if you’re into it, it might even be fun. Off the shelf linux will do (almost?) everything you need.
Put either 2 or 3 NICs in the box, point one at the Internet, one at your secure area (your PCs that will use the Internet), and possibly hang a DMZ off the third where you can put a server for others to access if you’d like.
If you have 8 PCs, you’re better to buy a cheap hub and connect it to the PC. If you really want to, you can put several NICs in the router, but it’ll just be a big config mess (and also performance won’t be optimal, but it won’t be horrible either) with no real benefit.
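The three-NIC layout the post above describes (Internet, secure area, DMZ), written out as an nftables ruleset for a stock Linux box. This is an added example, not something posted in the thread; the interface names, the addressing and the DMZ server address are constructed assumptions, and the point to notice is that the DMZ can reach the Internet but nothing is allowed from the DMZ back into the secure area.

```shell
#!/bin/sh
# Added example: nftables ruleset for a Linux router/firewall with three NICs.
# Interface names and addresses below are assumptions, not from the thread.
WAN=eth0                  # faces the Internet
LAN=eth1                  # the "secure area" (client PCs behind a real switch)
DMZ=eth2                  # optional third NIC with a server others may reach
LAN_NET=192.168.1.0/24    # constructed sample addressing
DMZ_NET=192.168.2.0/24
DMZ_HOST=192.168.2.10     # the public server on the DMZ

# Emit the ruleset on stdout; load it with:  gen_ruleset | nft -f -
gen_ruleset() {
cat <<EOF
flush ruleset
table inet fw {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif lo accept
    iifname "$LAN" accept comment "manage the box only from the secure area"
    iifname "$WAN" icmp type echo-request limit rate 5/second accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "$LAN" oifname "$WAN" accept
    iifname "$LAN" oifname "$DMZ" accept
    iifname "$DMZ" oifname "$WAN" accept
    iifname "$WAN" oifname "$DMZ" ip daddr $DMZ_HOST tcp dport { 80, 443 } accept
  }
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$WAN" tcp dport { 80, 443 } dnat ip to $DMZ_HOST
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN" ip saddr { $LAN_NET, $DMZ_NET } masquerade
  }
}
EOF
}
```

Forwarding between the NICs also needs `sysctl -w net.ipv4.ip_forward=1`; the DMZ-to-LAN direction is covered only by the forward chain's default drop, so a compromised DMZ server cannot open connections into the secure area.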
So, you’re saying that hardware firewalls are susceptible to being taken down by a backdoor-type trojan? ’Cause that’s all I said. I said nothing about why hardware firewalls are built the way they are.
To which you said - well, what I quoted you above.
Urban Ranger was correct. As far as trojans go, a well-setup software firewall is invulnerable to those as well. Which is really what a hardware firewall is: a well-setup software firewall that’s put in a rom. And often it’s not even put in a rom. Nokia’s box for example is either the #1 or #2 seller amongst hardware firewalls and it has a hard drive, running a unix and Checkpoint software. Doesn’t even have hardware assist.