By adopting open source software you can slash costs, vastly improve speed and reliability and, perhaps even more importantly, wrest control back from proprietary IT suppliers.

In this column we look at providing secure, fast and reliable Internet access for your business. We will be replacing a widely used, yet heavily criticised Microsoft product, Internet Security and Acceleration server (ISA).

What’s involved

Providing Internet access for a network is quite different from providing it for a single machine. On a single machine you attach a modem. For a network you have to have a dedicated machine (called a proxy server) that goes online on behalf of any machine on the network. It grabs the requested content and then passes it to the machine that asked for it.

Most good proxy servers will also save a local copy of the content (known as 'caching') so that only changes to the content need to be downloaded in the future. If your users look at some sites frequently, caching gives big savings on your bandwidth needs whilst also dramatically improving browsing speeds.

Providing secure access for a network is generally done with a firewall. Firewall is a hugely misunderstood and ambiguous term - it can trigger religious wars amongst security experts. You'll be relieved to hear that for the sake of this article we're not going to join in; we'll simply take it to mean a box you plug in to protect your network from bad things out there on the Internet.

Open source

We'll use Linux as our underlying operating system. On top of this we'll be layering some of the open source world's leading projects, all best of breed, and all included in the unbeatable purchase price (zero!) of your Linux system.

The proxying and caching is provided by Squid. Squid is almost certainly what your own ISP uses (ask them!). Why? Because it's the best. It's hugely reliable, tunable, and faster than anything else out there. It will do distributed and hierarchical caching (that is, several machines running Squid co-operate and share cached content) both within your network and/or with any of the global community of Squid users.

Its scalability is superb - serving a network of a thousand users will take four or five ISA Servers. Squid needs just one, or two if you want to go way over the top on resilience.

The firewall is provided by netfilter, Linux's next-generation packet filtering and stateful inspection engine. That mouthful of jargon simply means it inspects incoming and outgoing information and decides whether to pass it on or not - thus protecting your business from unauthorised access, illegal attacks (including well known attacks on your other Microsoft software), worms, trojans, etc.
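
To make "stateful inspection" concrete, here is a toy Python model of connection tracking, added as an illustration; it is not netfilter's code. The LAN range, the allowed ports and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass

LAN_PREFIX = "192.168.1."  # assumed internal network (constructed for this example)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # simplified TCP flags: "S", "SA", "A", "F", "R"

class StatefulFilter:
    """Toy connection tracker: replies pass only if the LAN opened the flow."""

    def __init__(self, allowed_out_ports):
        self.allowed_out_ports = set(allowed_out_ports)
        self.conntrack = set()  # (lan_ip, lan_port, remote_ip, remote_port)

    def decide(self, pkt):
        outbound = pkt.src.startswith(LAN_PREFIX)
        # Normalise both directions of a flow to the same key.
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if key in self.conntrack:            # part of a known connection
            if "R" in pkt.flags or "F" in pkt.flags:
                self.conntrack.discard(key)  # simplified teardown
            return "ACCEPT"
        # New connection: only LAN clients may open one, only to allowed ports.
        if outbound and pkt.flags == "S" and pkt.dport in self.allowed_out_ports:
            self.conntrack.add(key)
            return "ACCEPT"
        return "DROP"                        # default deny

def run_sample():
    fw = StatefulFilter(allowed_out_ports={80, 443})
    packets = [  # constructed sample traffic
        Packet("192.168.1.10", 40000, "203.0.113.5", 443, "S"),    # LAN opens HTTPS
        Packet("203.0.113.5", 443, "192.168.1.10", 40000, "SA"),   # tracked reply
        Packet("198.51.100.7", 443, "192.168.1.10", 40000, "SA"),  # reply from unknown peer
        Packet("198.51.100.7", 5555, "192.168.1.20", 445, "S"),    # unsolicited inbound
        Packet("192.168.1.10", 40001, "203.0.113.5", 6667, "S"),   # port not allowed out
        Packet("203.0.113.5", 443, "192.168.1.10", 40000, "R"),    # reset ends the flow
        Packet("203.0.113.5", 443, "192.168.1.10", 40000, "A"),    # late packet, flow gone
    ]
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    print(run_sample())
```

A plain packet filter would have to decide on the second and third packets from their headers alone, and they differ only in source address; the connection table is what lets the firewall tell a genuine reply from an unsolicited one.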

In fact whatever you've read a proprietary firewall can do, netfilter does, and then some more. Better than this, it has an open, modular architecture. Modules for pretty much any security feature you can think of are available (such as application-layer filtering, load-balancing, etc.), enabling you to intercept, analyse or modify any protocol over any port.

Your Open Source Security & Internet Access server (as we're going to call it) is completed with the addition of SpamAssassin for email filtering, Snort for intrusion detection, ntop for reporting, and Webmin for any-platform GUI administration.

You now have a system that beats Microsoft ISA on every score with no purchase costs or extortionate licensing fees every year. And it's future proof. When the next version is available, you simply update the modules you need.

You don't need to do the Microsoft thing and buy it all again and also buy a new, faster, bigger machine to run it on. This might be great business for Microsoft and Intel but expensive and disruptive for you. Those days are now gone!