Long before worms and viruses became the hot button of
Internet security, organizations employed firewalls to isolate internal
networks from the public Internet. Implementing a mix of both network address
translation and protocol proxies, perimeter firewalls typically act as the
primary front-line defense for companies using the Internet.
However, as many companies have become painfully aware,
traditional methods of network security are proving to be less than adequate.
In most cases, there is no “one size fits all” security policy that
works for every department of a large organization. The monolithic security
approach also does nothing to stop a problem that has crept into a corporate
network.
And consider that, in most companies, firewall systems are
also singular devices, subject to the “single point of failure”
concern that companies should try to avoid. One could certainly argue that
every device on a network, including routers, falls under that single point of
failure rule. I don’t dispute this, and that’s why I advocate that a company
that depends on Internet access needs redundant access from multiple ISPs and
multiple firewalls.
Most corporations, embracing the “centralized is better”
viewpoint fostered by mainframe systems, don’t have redundant Internet access
or firewall systems. But considering that current trends point toward
increasing worm and virus attacks, simply securing the perimeter of the network
is no longer sufficient.
Most of the time, problems don’t occur at the edge of the
corporate network—they occur inside of it. And a monolithic perimeter firewall
is useless to defend against a worm that’s spreading inside private networks.
Distributed firewalling is a somewhat new approach to network
security, and it’s increasing in popularity. It’s especially useful when you
consider the risks of private networks connecting to multiple branch locations.
In general, a distributed security architecture is more
expensive to implement and maintain than a monolithic firewall, making cost the
primary downside. And network security costs are traditionally not popular with
the upper management of most companies.
But if you’re a network manager looking for justification of
distributed firewalling and better overall internal network security, look no
further than the Sarbanes-Oxley Act. Although not specific regarding types of
security, portions of this act mandate auditable “internal controls,”
which is usually a sufficient means to bring attention to the possible
consequences of insecurity on internal networks.
Organizations often overlook private network security, but
this issue is as large a concern as perimeter security, if not larger. And
worms and viruses inside the corporate network aren’t the only factor;
organizations must also consider issues involving employee access to internal
servers and systems.
Using firewalls at appropriate points in an internal network
can help prevent these types of problems. Implementing an intrusion detection
system (IDS) is also a feasible option, but pay close attention to where these
systems “sniff” for data. An IDS in the wrong place won’t provide
useful information, and it certainly won’t stop a worm.
Another issue that organizations should consider when using
distributed network security is encrypted VPNs. In many companies, multiple
branches connect through the central office for Internet access, or they allow
employees to work from home.
This often requires the use of an encrypted VPN to connect
to the corporate network. While VPN functionality sometimes occurs on the
firewall, many organizations implement VPNs internally, bypassing the perimeter
firewall entirely. A perimeter firewall or IDS won’t be able to protect much if
the VPN data doesn’t pass through it.
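
The IDS-placement and VPN-bypass points above can be checked mechanically. The following is an added example, not part of the original column: it asks whether traffic can get from one segment to another without crossing an inspecting device. The topology, node names, flows and placements are all constructed for illustration.

```python
from collections import deque

# Constructed topology: each key is a device or segment, values are its neighbours.
# The *_edge nodes are plain routers unless a placement lists them as inspecting.
LINKS = {
    "internet":     ["perimeter_fw"],
    "perimeter_fw": ["internet", "core"],
    "core":         ["perimeter_fw", "hq_lan", "servers_edge", "vpn_edge"],
    "hq_lan":       ["core"],
    "servers_edge": ["core", "server_lan"],
    "server_lan":   ["servers_edge"],
    "vpn_edge":     ["core", "vpn_gw"],
    "vpn_gw":       ["vpn_edge", "branch"],   # VPN terminates inside the perimeter
    "branch":       ["vpn_gw"],
}

FLOWS = [("internet", "server_lan"), ("hq_lan", "server_lan"), ("branch", "server_lan")]
MONOLITHIC = {"perimeter_fw"}
DISTRIBUTED = {"perimeter_fw", "servers_edge", "vpn_edge"}

def uninspected_path(links, inspecting, src, dst):
    """Return a src-to-dst path that crosses no inspecting device, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:      # walk predecessors back to src
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in links[node]:
            if nxt not in prev and nxt not in inspecting:
                prev[nxt] = node
                queue.append(nxt)
    return None

def audit(links, inspecting, flows):
    """Map each (src, dst) flow to an uninspected path, or None if every path is inspected."""
    return {flow: uninspected_path(links, inspecting, *flow) for flow in flows}

if __name__ == "__main__":
    for name, placement in (("monolithic", MONOLITHIC), ("distributed", DISTRIBUTED)):
        print(name)
        for flow, path in audit(LINKS, placement, FLOWS).items():
            print("  ", flow, "->", "inspected" if path is None else " > ".join(path))
```

With only the perimeter firewall inspecting, the internal and VPN flows are reported with a concrete uninspected path; with devices at the server and VPN edges, every flow crosses an inspection point.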
The monolithic firewall has its place on the perimeter, but
it’s woefully unprepared to handle complex internal network security. For
companies with distributed networks, distributed firewalling is a better
approach for overall security.
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.