No one type of firewall that has been discussed can meet the needs of every situation. As mentioned earlier in this chapter, it is often a good idea to have several levels of defense against attack from outside your network. It is easy to segment your network so that it does not appear as one entity to the Internet. You can create several subnetworks, isolate them within your network using internal firewalls, and then enclose the collection of subnetworks with firewall protection from outside intruders.
You also can use more than one firewall between your network and the outside world. In the previous dual-
Most of the quality firewall products on the market today are
distinctly packet filters, proxy servers, or stateful inspection machines. Most are hybrids that
Because the firewall has become such an important component of the network, you will find many products that perform other functions
Look for the following things when evaluating firewall products:
A firewall protects you only at the point at which your network connects to an outside network. One of the most common mistakes administrators make is
The most important aspect of the firewall is the security it affords your network. Question the vendor about the specific
If you use the Internet connection only for the exchange of moderate amounts of email and an
Support is a critical item to consider. When purchasing an expensive firewall, many
Again, because a firewall is not something you simply configure and forget, the management interface is important. You should look for a product that provides easy access to configuration options so that you can review and modify them as needed. Reporting capabilities should be easy to understand so that you can review data and statistics
Finally, in many cases, remote management can be a plus, if it's implemented correctly. Any remote management capability should include a secure authentication technique. The firewall isn't much good if you use a clear-text password when logging in to it remotely. You should proceed under the pretense that someone is always watching what you do on the network.
Price should not be the most relevant factor in your decision. You can download some software firewall products from the Internet free. Some firewalls sell for a few hundred dollars, and some range up into the tens of thousands of dollars. The price of the firewall, however, does not
What to Expect from a Firewall
A common mistake is to assume that a firewall will do more than it can because of its
In fact, several kinds of applications and devices can be classified as firewalls. Do you need a packet filter? Do you need a device that can perform stateful inspection? Before you answer these questions, first decide what you are trying to protect and what methods you are currently using.
What Do You Want to Protect?
For example, if you have highly confidential information, such as patient records or financial information about customers, you should definitely get some good legal advice on your responsibility in keeping this information from the general public. Keeping important information on a dedicated server that cannot be accessed by ordinary users on your network is the first thing to do. However, assuming that an off-the-shelf firewall application will protect you from outside penetration is being a bit simplistic.
Determine your vulnerabilities and examine your current network. Look at how sensitive data is protected now and look at the means used to access it. Then factor in how your current safeguards will enable you to keep the data secure.
Some information usually is available to everyone in the network. For example, an employee home page that contains information about processes and procedures, such as how to request a vacation or get a purchase order approved, usually will not be
Of course, if you perform your payroll in-house, you are probably already aware of how sensitive this kind of information is. It must be protected from
Levels of Security
Because different kinds of information are on networks today that need various levels of security, you should
One connection to the Internet, through a firewall, can protect you. However, with one connection and one firewall, you must make sure that the firewall is the most
Another drawback is that many users
One method is to segment the internal network and use firewalls not only to keep intruders outside the company from getting access, but also to keep out those internally who might do mischief. Also, by creating different levels of security, you can act to prevent a single security breach that causes
Instead of using a single network, consider creating several smaller networks and using firewall technology to connect them. For example, in-house data that never needs to be accessed from external sources can reside on one network, whereas another network can host machines that provide WWW, FTP, and other services to your external
If you have data that is so confidential that its compromise could do severe harm, you should place it on a computer that does not have a connection to the Internet. Remember, there is no way to guarantee that a computer cannot be hacked via a network, short of pulling the plug.
Remember, firewalls can operate in both directions. Although the first thing that probably