By Jonathan Yarden
Long before worms and viruses became the hot button of Internet security, organizations employed firewalls to isolate internal networks from the public Internet. Implementing a mix of both network address translation and protocol proxies, perimeter firewalls typically act as the primary front-line defense for companies using the Internet.
However, as many companies have become painfully aware, traditional methods of network security are proving to be less than adequate. In most cases, there is no "one size fits all" security policy that works for every department of a large organization. The monolithic security approach also does nothing to stop a problem that has crept into a corporate network.
And consider that, in most companies, firewall systems are also singular devices, subject to the "single point of failure" concern that companies should try to avoid. One could certainly argue that every device on a network, including routers, falls under that single point of failure rule. I don't dispute this, and that's why I advocate that a company that depends on Internet access needs redundant access from multiple ISPs and multiple firewalls.
Most corporations, embracing the "centralized is better" viewpoint fostered by mainframe systems, don't have redundant Internet access or firewall systems. But considering that current trends point toward increasing worm and virus attacks, simply securing the perimeter of the network is no longer sufficient.
Most of the time, problems don't occur at the edge of the corporate network--they occur inside of it. And a monolithic perimeter firewall is useless to defend against a worm that's spreading inside private networks.
Distributed firewalling is a relatively new approach to network security, and it's increasing in popularity. It's especially useful when you consider the risks of private networks connecting to multiple branch locations.
In general, a distributed security architecture is more expensive to implement and maintain than a monolithic firewall, making cost the primary downside. And network security costs are traditionally not popular with the upper management of most companies.
But if you're a network manager looking for justification of distributed firewalling and better overall internal network security, look no further than the Sarbanes-Oxley Act. Although not specific regarding types of security, portions of this act mandate auditable "internal controls," which is usually a sufficient means to bring attention to the possible consequences of insecurity on internal networks.
Organizations often overlook private network security, but this issue is as large a concern, if not larger, than perimeter security. And worms and viruses inside the corporate network aren't the only factor; organizations must also consider issues involving employee access to internal servers and systems.
Using firewalls at appropriate points in an internal network can help prevent these types of problems. Implementing an intrusion detection systems (IDS) is also a feasible option, but pay close attention to where these systems "sniff" for data. An IDS in the wrong place won't provide useful information, and it certainly won't stop a worm.
Another issue that organizations should consider when using distributed network security is encrypted VPNs. In many companies, multiple branches connect through the central office for Internet access, or they allow employees to work from home.
This often requires the use of an encrypted VPN to connect to the corporate network. While VPN functionality sometimes occurs on the firewall, many organizations implement VPNs internally, bypassing the perimeter firewall entirely. A perimeter firewall or IDS won't be able to protect much if the VPN data doesn't pass through it.
The monolithic firewall has its place on the perimeter, but it's woefully unprepared to handle complex internal network security. For companies with distributed networks, distributed firewalling is a better approach for overall security.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.