The $330 IPCop/Copfilter firewall 25 watt appliance

TOPICS: Hardware, Networking

A lot of you probably already know my disdain for desktop anti-virus because of how sluggish it makes your computer and how it actually becomes more of a liability in terms of security. I've talked about how wonderful it would be if you could run your anti-virus at the gateway to protect all of your computers. The one thing I couldn't really offer up until recently is how you actually implement this with a practical and relatively cheap solution.

One thing a lot of people did was to take an old computer, which makes a lot of noise and probably draws a lot of power that adds up on the electricity bill. Another option was to buy a $600 embedded appliance, which is too expensive. The third option, which Justin James attempted, was to order something all the way from China, which took nearly 2 months along with a steep money transfer fee and shipping costs. I got so desperate that I even thought the Apple TV would make a nice low-power cheap appliance, only to find out that the EFI BIOS was going to be a pain to deal with.

A year has passed and I'm happy to inform you that the bad old days are over and you can finally buy a low-cost low-powered x86 appliance for a little over $330 with no gimmicks or hacks. Enter Logic Supply's Perimeter B4 appliance for $291 which includes 3 gigabit ports and 1 FastEthernet port as shown in the picture above and below which I got a chance to review. It's an all metal chassis that can be mounted on the wall or just placed in the corner somewhere. [See gallery for a closer look.]

This particular model came with a 2.5" hard drive and 512 MB RAM, but the current model being sold only has 256 MB RAM and 256 MB flash. I'm not sure why they no longer offer the hard drive and more memory option on their website but you might be able to custom order it. If not, you can buy 512 MB of DDR2-533 memory for $9 including shipping and a 20 GB 2.5" hard drive for $29 including shipping. This is the recommended amount of memory you'll need for running IPCop/Copfilter and the hard drive is perfect for transparent caching which speeds things up immensely. If you spend $14.38 including shipping for 1 GB of RAM, that would give you more room to grow.

The noise level in this device is moderate with the three small fans inside (1 for CPU and 2 for chassis). It's a lot quieter than your 1U Cisco switch or router and quieter than some PCs, but it's not silent enough for under-desk operation in my opinion and you might have to make some modifications to the fans to slow them down. You can generally replace the yellow wire leading up to the fan with the red wire, which cuts the voltage from 12 to 5 volts and will significantly slow down the fan. The temperature seemed to be low enough that you could reduce the speed of the fan. I did complain to Logic Supply that they should implement variable speed fans that only speed up and make noise when the system is getting too hot.

Inside the chassis you'll find a standard mini-ITX Jetway J7F2WE-1G motherboard with a 1 GHz Via C7 processor, which is plenty of performance for a gateway device like this. Typical power consumption was around 25W, so it should cost about $22 a year to operate 24x7 at 10 cents per kilowatt-hour.

Here I detached the hard drive and the Gigabit Ethernet daughter card. The hard drive is a standard 2.5" PATA IDE hard drive mounted on a metal holder. There is only one DDR2-533 slot for memory so make sure you buy enough memory.

The system comes with a 10/100 FastEthernet interface on the motherboard and a 3-port gigabit Ethernet card which uses three Realtek RTL8110SC network processing chips, all compatible with Linux and BSD. Note that the CPU in this appliance isn't fast enough to turn this thing into a gigabit router, but it's plenty fast as a gateway device. This particular daughter card actually uses the strange 120-pin plug (see gallery for higher resolution image) in the picture above.

IPCop and Copfilter are free Open Source applications and Justin James has a simple guide on how to install IPCop here if you want to get started right away. I'll be following up with a more detailed guide.


Talkback

70 comments
  • No PSU?

    I assume this comes with a brick PSU that is on the outside of the device. I don't see it in the picture, so I am only assuming.
    nucrash
    • Yes it comes with a brick, I didn't photograph it.

      nt
      georgeou
  • Isn't this DLink Device easier and cheaper?

    http://www.dlink.com/products/?sec=1&pid=486

    I would prefer this, it's cheaper, seems to do everything a home user needs.
    james_p
    • Of course not...

      George has spoken and his solution obviously must be better than anyone else's. Heck, why spend $99 for a solution when you can pay $300?
      jasonp@...
    • Not necessarily

      There are lots of hidden costs associated with this product. The Dlink Device uses the McAfee security product, with licenses for 4 PCs. If you have more than 4 PCs, you need extra licenses. How much do they cost? The McAfee security software is a license that you're going to have to renew every year. How much will that cost? It's like the deal I saw at Target a couple of years back, where they were selling an entry-level ink-jet printer for $35. Problem is, replacement ink cartridges cost $45.
      muzhik
    • You still have a client to deal with

      You still have a client to deal with on each machine. That still slows down your system even though it provides a gateway scanner. A sort of bottleneck.

      I was supposed to review this device for George, but when he saw the client for it, he passed.

      I still like the idea of the Zone Labs device better, but I haven't taken the time to review it.

      This is a better unit: http://www.zonealarm.com/store/content/catalog/products/z100g/index.jsp

      Built by the people who do CheckPoint, which isn't bad for the SMB market although George has had a few issues with them. I might have to review the item yet.
      nucrash
    • 200 MHz versus 1000 MHz, quad RAM, 100x storage

      The DLink box requires clients to do the work. The gateway device caches and scrubs before it reaches your PC.
      georgeou
      • That is correct!

        I read a little more and the diagrams from DLink do indicate that Virus protection runs on the computer. So it's not a true standalone network device. Seems to me, upon further review, this is a device that just feeds off the cash-cow security fears of users. So you still have to run AV - AntiSpyware on the PC, plus fork over money for a network device that really doesn't deliver full protection on its own.
        james_p
        • Yup, I say open source free AV all the way

          Yup, I say open source free AV all the way. Having that cache on the gateway is a HUGE benefit. Imagine you run a school network and you got 100 kids wanting to see the same YouTube video. If it comes through the cache, you only download it once and every other time gets transparently cached. 100 Windows Updates become one windows update as far as your internet connection is concerned.
          georgeou
      • Just the Gateway?

        Does it scrub viruses if someone brings the virus in on a jump drive? Or would that cause everyone on the lan to get infected?

        Howie
        hforman@...
        • If it's a big enough LAN, the file/mail servers would have AV protection

          If it's a big enough LAN, the file/mail servers would have AV protection already. If the network is properly locked down and the clients don't have wide-open write permission, viruses shouldn't spread on the LAN. If it's a properly locked down LAN, the end users will not have local machine administrative privileges which pretty much stop any viruses from infecting the machine. The gateway is just one line of defense.
          georgeou
  • what is the goal here?

    It's a nice box, for sure. But I'm not sure why I would use this thing. First, I don't get the reason for using ipcop. Running an antivirus at the firewall only limits your detection to internet downloads. This is mostly true, but limiting. Second, ClamAV (which I believe is the only free supported antivirus for IPcop) is not that good in comparison to other desktop options. You also claim that transparent caching speeds up things a lot. This is true for a large business, but for a home this is overkill. In my opinion, the real advantage of an IPcop firewall is for content filtering.

    Now let's assume that we need IPcop. Then why this box? The IPCop website has links to boards that come with IPCOp pre-installed and have been tested on. I haven't read the details, but I think they are cheaper.

    So the question here is what are you trying to achieve? You can get routers from Fritz and others that include printer/mass storage server, IP telephone ports, WLAN, etc for 150 euros. With less power consumption and zero noise.

    It's a nice box, but I don't know why I'd buy such a thing
    patibulo
    • Replies

      1. IPCop provides transparent caching. When you have multiple clients on your LAN, it really speeds things like Windows Update or YouTube up if all your users view the same video.

      2. You get content filtering on the gateway.

      3. $330 is a good price for this set of features in an embedded device. I can build a wood or acrylic chassis for cheaper but that requires a lot of work. If you have suggestions for something comparable but cheaper, please do share.
      georgeou
  • IpCop is wonderful

    I've been using it for years and love it.
    DemonX
    • As good as or better than ISA server too!

      Our infrastructure used to be Windows servers, including ISA Server for our firewall.

      In 2005 I started the migration to Linux. I recall how I hardened a linux box into a bastion host, then was going to install IPCop. To my delight, I discovered that IPCop is a complete Linux distribution! No hardening required, as it is a purpose-built flavor of Linux. I also recommend Banish for preventing hack attempts from certain networks. COPFilter and URLFilter are nice add-ons too.
      SpikeyMike
      • ISA is a totally different animal than IPCop and they don't really compete

        ISA is a totally different animal than IPCop and they don't really compete. ISA shops typically stay ISA and don't switch just like IPCop shops stay IPCop. There isn't a whole lot of overlap between the user bases.
        georgeou
        • Overlap

          The overlap in the user base is practically non-existent due to what? Blinders? I'll agree that most Microsoft-only shops tend to stay that way, due to what I can only speculate.

          Ours was MS-only until I started looking at alternatives. We had an employee leave under less than agreeable circumstances. He did what lots of irate folks do - He called the BSA and told them a bunch of lies. That's what motivated me to look elsewhere.

          We're amazed at the speed and resilience of our infrastructure, now that we're non-windows. Thanks BSA!

          ISA is a firewall and web cache, which required client software if you were going to place any restrictions on the user. IPCop is a Firewall, web cache, IDS, and more, not requiring any client software for full control of web surfing. From my perspective, they both perform the same task(s), though they do so differently.

          -Mike
          SpikeyMike
  • Linux in your wireless router?

    Aren't the Linux loaded wireless routers like the WRT54GL a viable option? There are a number of Open Source projects that improve security and add features to these low power boxes.
    Programmer1028
    • You get 5x less processing, 4x less RAM, 100x less storage

      You get 5x less processing, 4x less RAM, 100x less storage if you go with a Linksys box. That's not suitable for the feature set I'm trying to cover here.
      georgeou
    • VOIP

      I've seen articles on how you could get Asterisk to run on one of those too!

      http://www.voip-info.org/wiki-Asterisk+Linksys+WRT54G

      -Mike
      SpikeyMike