Upgrading and Repairing Networks (5th Edition) - page 290

Hybrids

No one type of firewall that has been discussed can meet the needs of every situation. As mentioned earlier in this chapter, it is often a good idea to have several levels of defense against attack from outside your network. It is easy to segment your network so that it does not appear as one entity to the Internet. You can create several subnetworks, isolate them within your network using internal firewalls, and then enclose the collection of subnetworks with firewall protection from outside intruders.

You also can use more than one firewall between your network and the outside world. In the previous dual- homed host example, this was done because the host served as a proxy firewall that was connected to a router that performed packet filtering.

Most of the quality firewall products on the market today are not distinctly packet filters, proxy servers, or stateful inspection machines. Most are hybrids that incorporate the functions of all these firewall technologies, although by different degrees depending on the implementation. As long as you understand the concepts of the functions a firewall performs , you are in a better position to make an informed choice of what will work best for your environment.

Because the firewall has become such an important component of the network, you will find many products that perform other functions related to security that are not easily classified . For example, some firewalls can be used to screen the content of email or other data that passes through the firewall. You can contract with a service provider to obtain a list of known "offensive" or otherwise undesirable sites on a periodic basis and have your firewall block access to these sites. Some firewall products come with built-in virus screening.

Look for the following things when evaluating firewall products:

Security (of course)
Performance
Support
Price
Manageability

Caution

A firewall protects you only at the point at which your network connects to an outside network. One of the most common mistakes administrators make is assuming that the network is secure and overlooking the modems that sit on many desktops throughout the enterprise. Even if a modem is used only for dial-out purposes, you still run risks of virus infections and other security problems when users dial out to other sites and download programs or data to their workstations, which are connected to the network. Worse yet, modems used for dial-in purposes, such as remote access for users, present an easy entry point for those who would do harm. If you do allow dial-in access, be sure that users understand the implications of downloading from the Internet using the same computer. If not, viruses and other malicious programs can be downloaded from the Internet, and then transfer themselves to your LAN via the dial-up connection. Most of this can be caught using a good firewall and antivirus programs. However, it can take a few days, or longer, after a new virus is discovered before a remedy is found.

The most important aspect of the firewall is the security it affords your network. Question the vendor about the specific methods used in the product, and whether the product has been evaluated by outside sources.

If you use the Internet connection only for the exchange of moderate amounts of email and an occasional Web-browsing session, performance might not be a significant factor in your choice. However, if you expect heavy demand on the Internet connection, from within or without, check to be sure that the product you acquire can handle the load. Packet filter firewalls provide a higher degree of performance; the trade-off is that they do not protect you as well as a proxy server might if it's configured properly. Because a proxy server is responsible for closer examination of each packet and can be configured to perform other tasks , it is inherently slower than a packet filter.

Support is a critical item to consider. When purchasing an expensive firewall, many vendors include on-site assistance in configuring and setting up the firewall. Additional support, including consulting and hotline help-desk services, is important because the Internet is in a state of rapid growth, and what works today might not be sufficient tomorrow. Unless you have a highly skilled technical staff capable of making decisions about firewall techniques and implementing them, support from the vendor should be a major consideration.

Again, because a firewall is not something you simply configure and forget, the management interface is important. You should look for a product that provides easy access to configuration options so that you can review and modify them as needed. Reporting capabilities should be easy to understand so that you can review data and statistics audited by the firewall. Another important aspect of the management interface is the capability to notify you when something appears to be targeting your network with not-so-good intentions. Alarms that appear onscreen are fine, if you have a round-the-clock operations staff that will be monitoring the screen. The best products will email or page you when specific events occur that you have set a trigger for beforehand.

Finally, in many cases, remote management can be a plus, if it's implemented correctly. Any remote management capability should include a secure authentication technique. The firewall isn't much good if you use a clear-text password when logging in to it remotely. You should proceed under the pretense that someone is always watching what you do on the network.

Price should not be the most relevant factor in your decision. You can download some software firewall products from the Internet free. Some firewalls sell for a few hundred dollars, and some range up into the tens of thousands of dollars. The price of the firewall, however, does not indicate its safety or capabilities. In fact, some of the free firewalls you can get from the Internet are actually quite good. One of the things that the Linux platform excels at is implementing firewall technology. Its robust speed and low overhead make it a good choice for this type of chore. However, no matter what product you choose, be sure you have the skills and know-how to properly configure and operate it.

What to Expect from a Firewall

A common mistake is to assume that a firewall will do more than it can because of its name . In the building trade, a firewall that is used to protect individual units in an apartment complex or a condominium is designed according to rules laid down by the local authorities. In the networking trade, no authorities specify what a product must do to carry the "firewall" label.

In fact, several kinds of applications and devices can be classified as firewalls. Do you need a packet filter? Do you need a device that can perform stateful inspection? Before you answer these questions, first decide what you are trying to protect and what methods you are currently using.

What Do You Want to Protect?

For example, if you have highly confidential information, such as patient records or financial information about customers, you should definitely get some good legal advice on your responsibility in keeping this information from the general public. Keeping important information on a dedicated server that cannot be accessed by ordinary users on your network is the first thing to do. However, assuming that an off-the-shelf firewall application will protect you from outside penetration is being a bit simplistic.

Determine your vulnerabilities and examine your current network. Look at how sensitive data is protected now and look at the means used to access it. Then factor in how your current safeguards will enable you to keep the data secure.

Some information usually is available to everyone in the network. For example, an employee home page that contains information about processes and procedures, such as how to request a vacation or get a purchase order approved, usually will not be considered a high-priority security item. Other information, such as information you keep about your customers, not only is important to your bottom line if you want to keep the customer happy, but also might be confidential, such as a doctor's records about patients . This kind of information should receive your utmost attention when you're trying to decide how it can be accessed after you connect to the Internet. It might be generally available to a large number of employees , depending on your business, or it might be sequestered by OS protections so that only a single department can use this kind of data.

Of course, if you perform your payroll in-house, you are probably already aware of how sensitive this kind of information is. It must be protected from prying eyes both inside your network and outside your network.

Levels of Security

Because different kinds of information are on networks today that need various levels of security, you should carefully structure your network to handle the way information is accessed.

One connection to the Internet, through a firewall, can protect you. However, with one connection and one firewall, you must make sure that the firewall is the most restrictive you need to protect the most sensitive data that you have. One firewall to protect the entire network is one point of failure. One mistake, and the whole network is vulnerable.

Another drawback is that many users resent extremely restrictive access mechanisms and, if allowed, circumvent them.

One method is to segment the internal network and use firewalls not only to keep intruders outside the company from getting access, but also to keep out those internally who might do mischief. Also, by creating different levels of security, you can act to prevent a single security breach that causes extensive damage. This is especially important if your organization (such as a library) offers unsecured wireless access to the public and also has a closed network.

Instead of using a single network, consider creating several smaller networks and using firewall technology to connect them. For example, in-house data that never needs to be accessed from external sources can reside on one network, whereas another network can host machines that provide WWW, FTP, and other services to your external clients . The firewall that connects this network to the Internet would not have to be as restrictive as the one that joins the two networks at your site.

If you have data that is so confidential that its compromise could do severe harm, you should place it on a computer that does not have a connection to the Internet. Remember, there is no way to guarantee that a computer cannot be hacked via a network, short of pulling the plug.

Tip

Remember, firewalls can operate in both directions. Although the first thing that probably jumps into your head when you think about a firewall is that it will keep out unwanted packets, the reverse also can be true. For example, you might want to connect your network to the Internet to allow email or FTP access to and from customers and your employees. You might not want your employees to access Web pages, however, and you can block their outgoing requests to prevent this type of access.

Buy on amazon.com >>

Ogletree T.W., Soper M.E.

<< Previous page

Table of contents

Next page >>