FIREWALLS


Firewalls are the second layer of a multiple-layer defense against intrusion and unauthorized access from outside the internal network. A Firewall inspects traffic at the 'packet level' and, like a Router with access lists, can allow or deny traffic to specific ports in either direction (ingress and egress filtering).

A properly configured network places a Firewall at each point where different classes of network traffic meet, i.e., where internal servers connect to the Internet, where internal servers connect to Web or Mail servers, and where those Web or Mail servers connect to the Internet.

While Routers can also look at fields in data packets, Firewalls are built to do this inspection faster. By using 'Network Address Translation' (NAT) a Firewall can also shield internal network addresses from the outside world. The recommended configuration has all internal hosts reaching the Internet through a single external (gateway) IP address. NAT rewrites the source address of each outbound packet from the internal private address to the public address, records the translation, and rewrites the destination of the matching reply back to the internal host. A packet from outside that matches no recorded translation has nowhere to go and is dropped, so internal addresses are never directly reachable from the Internet.
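The translation described above, as an added example in Python that is not from the book: a small model of source NAT (masquerading) on a border Firewall. The class and function names, the public address 203.0.113.1, the internal 10.0.0.0/8 hosts and the remote hosts are all assumptions made for illustration.

```python
"""Source NAT (masquerading) on a border firewall, modelled in Python.

Added example, not from the book. Every internal host leaves with the
single public gateway address; only a packet that matches a translation
created by an earlier outbound packet is let back in. Addresses are from
the RFC 1918 and documentation ranges and are made up for this example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNAT:
    """Port-based source NAT: (internal ip, port) <-> public port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (internal ip, internal port, remote ip, remote port) -> public port
        self.outbound_map = {}
        # (public port, remote ip, remote port) -> (internal ip, internal port)
        self.inbound_map = {}

    def outbound(self, pkt):
        """Rewrite the source of an internal -> Internet packet."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound_map[key])

    def inbound(self, pkt):
        """Rewrite the destination of an Internet -> internal packet.

        Returns None (drop) when no translation exists: the internal
        address space is reachable only after an internal host opened
        the conversation, and a reply is accepted only from the host
        and port that conversation was opened to.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        internal = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if internal is None:
            return None
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])


if __name__ == "__main__":
    nat = SourceNAT("203.0.113.1")
    print("out:", nat.outbound(Packet("10.0.0.5", 51234, "198.51.100.80", 80)))
    print("reply:", nat.inbound(Packet("198.51.100.80", 80, "203.0.113.1", 40000)))
    print("unsolicited:", nat.inbound(Packet("198.51.100.99", 4444, "203.0.113.1", 40000)))
```

The reverse table is keyed on the remote endpoint as well as the public port, so a third host that guesses the public port (the last call above) is dropped just like an unsolicited connection; a NAT that keyed only on the public port would let it through.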

As with any security configuration, a properly configured Firewall should deny all traffic that is not specifically allowed, but this 'default deny' configuration must be monitored and tweaked as necessary so that legitimate traffic is not blocked.

In an article for the Healthcare Information Security Newsletter in May 2002, Bob Cartwright, CISSP, writes, 'Packet filtering is minimal inspection' [6]. He explains that a Firewall should use a set of rules, and those rules should act as a filter to allow or deny the traffic. Cartwright lists five types of Firewalls and explains the differences:

  • Stateful application gateway proxy: tears apart packets and rewrites them, which can be a slow process

  • Software or appliance Firewall: an appliance is more expensive, gives better throughput, and is easier to install

  • Packet filtering: denies anything not explicitly listed, incoming or outgoing; fast, can be complicated to manage, and vulnerable if configured poorly

  • Application proxies: more secure and more flexible, but slower and heavier on system resources; and,

  • Stateful inspection Firewalls: a compromise between the secure application proxy and the less secure packet filter, with better speed, but must be configured correctly
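To make the difference between the packet-filtering and stateful-inspection items concrete, here is an added example in Python (not from the book or from Cartwright's article) that runs the same constructed packets through a default-deny stateless packet filter and a default-deny stateful filter. The rules, the addresses and the attacker's probe are all made up for illustration.

```python
"""Default-deny packet filtering, stateless versus stateful.

Added example, not from the book. A stateless filter cannot tell a reply
from a new connection, so to let replies back in it must statically open
the high ports, which also lets an attacker's new connection through. A
stateful filter remembers which connections left and admits only their
replies, so the high-port rule is not needed. Rules and packets are
constructed; addresses are from the documentation ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str      # "in" (from Internet) or "out" (to Internet)
    syn: bool = False   # TCP SYN without ACK: opening a new connection


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    ports: tuple        # inclusive (low, high) range on the destination port
    action: str         # "allow" or "deny"

    def matches(self, pkt):
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.ports[0] <= pkt.dst_port <= self.ports[1])


class StatelessFilter:
    """First matching rule wins; nothing matches -> deny (default deny)."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class StatefulFilter(StatelessFilter):
    """Same rulebase, plus a table of connections seen leaving."""

    def __init__(self, rules):
        super().__init__(rules)
        self.connections = set()

    def decide(self, pkt):
        if pkt.direction == "in":
            reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            if reply_of in self.connections:
                return "allow"      # reply to a tracked connection
            if pkt.proto == "tcp" and not pkt.syn:
                return "deny"       # stray ACK/RST: not a new connection, not tracked
        action = super().decide(pkt)
        if action == "allow" and pkt.direction == "out":
            self.connections.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return action


# Policy: internal hosts may browse the web; the DMZ mail server accepts SMTP.
POLICY = [
    Rule("out", "tcp", (80, 80), "allow"),
    Rule("out", "tcp", (443, 443), "allow"),
    Rule("in", "tcp", (25, 25), "allow"),
]
# The stateless filter needs one more rule so replies to the web sessions
# can come back: that rule is the hole.
STATELESS_POLICY = POLICY + [Rule("in", "tcp", (1024, 65535), "allow")]

PACKETS = [
    Packet("tcp", "10.0.0.5", 51234, "198.51.100.80", 80, "out", syn=True),   # web request
    Packet("tcp", "198.51.100.80", 80, "10.0.0.5", 51234, "in"),              # its reply
    Packet("tcp", "198.51.100.99", 4444, "10.0.0.5", 3389, "in", syn=True),   # attacker probes RDP
    Packet("tcp", "198.51.100.25", 40000, "192.0.2.25", 25, "in", syn=True),  # mail delivery
    Packet("tcp", "198.51.100.80", 80, "10.0.0.5", 51235, "in"),              # stray ACK, no session
]


def decisions(fw, packets):
    """Run the packets through fw in order (order matters for state)."""
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("stateless:", decisions(StatelessFilter(STATELESS_POLICY), PACKETS))
    print("stateful: ", decisions(StatefulFilter(POLICY), PACKETS))
```

The stateless filter allows all five packets, including the probe to port 3389 and the stray ACK, because its high-port rule cannot distinguish them from replies. The stateful filter allows the web request, its reply and the mail delivery, and denies the other two, with a shorter rulebase.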

The catch to proper configuration is that a Firewall must be opened just enough to allow remote users and legitimate traffic to reach inside resources, and every such opening is also a potential way in for 'black-hats' or other unauthorized users. When changing Firewall configurations, it is recommended that each setup be tested first and that the last known-good configuration be saved, so it can be reverted to in case the new configuration turns out to be too restrictive.

One type of Firewall worth mentioning separately is the host-based software Firewall. Well-known products such as 'ZoneAlarm' or 'BlackICE Defender' run on individual servers or workstations and should not be used as the only protection in a medical center or hospital environment. Such a software Firewall on a local server should not take the place of a network-based Firewall, but can be used in addition to one.

The security assessment of a Firewall can also be done by running scanning and penetration-testing tools such as 'Nmap', 'Nessus', 'Enum', 'Netcat' or other such programs against it from outside. Be sure to get written permission first. As always, enable audit logs and check them for signs of attempted or successful intrusion.
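Two checks that follow from this paragraph, as an added example in Python that is not from the book: parsing the greppable output of an Nmap scan of the gateway and comparing it with the ports the rulebase is meant to expose, and counting the distinct ports each source hit in the Firewall's drop log, which is what a scan looks like from the inside. The scan output and the log lines are constructed samples in the formats of nmap -oG and the iptables LOG target; the addresses, the FW-DROP log prefix, the scan threshold and the policy are assumptions.

```python
"""Checking a firewall from both sides: scan result versus policy, and
the drop log for scan-like behaviour.

Added example, not from the book. NMAP_GREPPABLE and DROP_LOG are
constructed samples in the `nmap -oG` and iptables LOG formats.
"""
import re
from collections import defaultdict

# Constructed `nmap -oG -` output for a scan of the public gateway address.
NMAP_GREPPABLE = """\
# constructed sample, not a real scan
Host: 203.0.113.1 ()\tStatus: Up
Host: 203.0.113.1 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (1022)
"""

# What the rulebase is supposed to expose on the public address (assumed policy).
ALLOWED_INBOUND = {"203.0.113.1": {("tcp", 25), ("tcp", 80)}}

# Constructed lines in the format the iptables LOG target writes to syslog,
# with an assumed "FW-DROP" log prefix on the default-deny rule.
DROP_LOG = """\
Jan 12 03:14:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=22
Jan 12 03:14:07 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=23
Jan 12 03:14:08 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=445
Jan 12 03:14:08 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=1433
Jan 12 03:14:09 gw kernel: FW-DROP IN=eth0 OUT= SRC=198.51.100.99 DST=203.0.113.1 PROTO=TCP SPT=4444 DPT=3389
Jan 12 03:20:41 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.7 DST=203.0.113.1 PROTO=UDP SPT=137 DPT=137
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_open_ports(greppable):
    """Map host -> set of (proto, port) that Nmap reported open."""
    found = defaultdict(set)
    for line in greppable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field runs up to the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open":
                found[host].add((proto, int(port)))
    return dict(found)


def unexpected_open(greppable, allowed):
    """Open ports the policy does not account for, per host."""
    result = {}
    for host, ports in parse_open_ports(greppable).items():
        extra = ports - allowed.get(host, set())
        if extra:
            result[host] = extra
    return result


def scan_sources(log, min_ports=5):
    """Sources that were dropped on at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            ports_by_src[m["src"]].add(int(m["dpt"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print("open but not in policy:", unexpected_open(NMAP_GREPPABLE, ALLOWED_INBOUND))
    print("scan-like sources:", scan_sources(DROP_LOG))
```

Port 3389 answering on the gateway is exactly the kind of finding the scan is for: either the rulebase has an opening nobody documented, or the policy is out of date, and either way it needs a decision. The log check is deliberately crude (distinct destination ports per source, no time window); it is a starting point for reading the audit log, not a substitute for an IDS.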

There is nothing about securing a Firewall that is specific to the healthcare industry. InfoSec 'best practices' are recommended, but no special Firewall configuration is required by HIPAA.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
