If you can do nothing else to harden your network, you need to implement a firewall. The reason for this is simple: a firewall is the single device that can do more to keep unauthorized traffic from entering a network than any other device. Now you might have heard that firewalls aren't effective anymore because so many things use port 80 to pass traffic; however, those situations are a very small portion of all the threats that exist from which a firewall can protect you. In addition, when implementing an application-filtering firewall, you gain the ability to filter application content, distinguishing legitimate web requests from illegitimate ones. Finally, remember that a firewall, although the best single choice you can make, is most effective as one component of security, complemented by an intrusion detection/prevention system (IDS/IPS) and content filters.
Although many folks think of a firewall as something used to protect their network from Internet-based threats, do not overlook the value of using firewalls at other locations on your network. For example, you can use a firewall on your WAN perimeter to filter traffic to and from frame relay or point-to-point circuit connections across a public internetwork. Likewise, you can implement a firewall to filter traffic between internal LAN segments, protecting critical business resources such as HR servers and application servers from unauthorized traffic. There are a few types of firewalls to consider:
Application proxies
Stateful packet-inspecting/filtering gateways
Hybrid firewalls
Application proxies are identified by their ability to read and process an entire packet up to the application level and make filtering decisions based on the actual application data, not just the packet header. Application proxies receive all incoming packets and completely decode them to the Application layer. The actual application data can then be scrutinized to determine whether it is legitimate. If the data is legitimate, the firewall rebuilds the packet and forwards it accordingly. Because of this capability, application proxy firewalls can apply a significant amount of intelligence before making a filtering decision. One drawback is that this type of filtering introduces latency to network communications and requires significant amounts of processing power. Another drawback is that unless the firewall has proxy capability for a given protocol or service, it might not be able to facilitate communications with that protocol or service. Secure Computing Sidewinder G2, Microsoft's Internet Security & Acceleration (ISA) Server 2000, CyberGuard firewall/VPN appliances, and Symantec Enterprise Firewall are examples of application proxy firewalls.
Packet-inspecting/filtering gateways are generally not able to process the packet to the application level to make a filtering decision. Instead, packet-inspecting/filtering gateways tend to process the data to the Network/Transport layer and make filtering decisions based on the protocol and port numbers contained in the packet header only. Packet-inspecting/filtering gateways also typically implement a stateful packet inspection model, which allows the firewall to maintain a record of the state of all conversations occurring through the firewall, automatically permitting responses for legitimate outbound requests. IPtables, IPchains, SonicWALL, Clavister, and many of your SOHO firewalls such as Linksys and D-Link are examples of packet-inspecting/filtering gateways.
Most firewalls on the market today fall into the hybrid category. Although they typically perform stateful packet filtering/inspection for most filtering decisions, they may have some application proxy functionality built in for specific high-risk protocols and services such as HTTP and FTP. Examples of hybrid firewalls are Check Point Firewall-1 NG, Cisco Secure PIX, and Netscreen Deep Inspection Firewall.
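To make the distinction between the three models concrete, here is an added toy simulation (not code from any of the products named above) of a header-only stateful filter, a proxy-style check on the decoded HTTP request, and a hybrid that chains the two. The LAN prefix, the permitted ports and the rules for what counts as a legitimate request are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

INSIDE = "10.0.0."  # constructed: address prefix of the protected LAN

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""

@dataclass
class StatefulFilter:
    """Header-only model: new outbound TCP to a permitted port is accepted and
    its flow recorded; inbound is accepted only as the reply to a recorded flow."""
    allowed_ports: set = field(default_factory=lambda: {80, 443})
    flows: set = field(default_factory=set)

    def decide(self, pkt):
        if pkt.src.startswith(INSIDE) and pkt.dport in self.allowed_ports:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"  # reply to an outbound conversation we have seen
        return "DROP"

def http_request_is_legitimate(payload):
    """Proxy-style check on the decoded request (constructed rules: known
    method, path starting with '/', HTTP/1.x, plausible header names)."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return False
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in {"GET", "HEAD", "POST"}:
        return False
    if not parts[1].startswith("/") or parts[2] not in {"HTTP/1.0", "HTTP/1.1"}:
        return False
    return all(":" in h and h.split(":", 1)[0].replace("-", "").isalnum()
               for h in lines[1:])

def hybrid_decide(filt, pkt):
    """Hybrid model: header decision first, then application inspection only
    for data-bearing packets to port 80."""
    verdict = filt.decide(pkt)
    if verdict == "ACCEPT" and pkt.dport == 80 and pkt.payload:
        return verdict if http_request_is_legitimate(pkt.payload) else "DROP"
    return verdict
```

Note that the header-only filter accepts any outbound packet to port 80 whatever it carries, which is exactly the gap the application inspection in the hybrid closes.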
There is no one right answer as to which firewall to use for your environment. This is one of the rare cases when I really can't give you a definitive answer. You will need to make a decision based on your requirements and your environment. For example, if you require extremely high throughput, a packet-filtering firewall would be a good choice to implement. If you are using standard protocols and require the most rigorous application inspection, an application proxy would be a good choice to implement. In some environments, you might even need both: a packet-filtering firewall to perform initial packet inspection on all traffic, and an application proxy behind it to perform the more detailed application filtering. Regardless of which type of firewall you decide is best for your environment, however, if you do not currently have a firewall, make sure you get one. Any of the firewalls mentioned is better than having none at all.