Firewalls should play an integral role in defending your organization from external and internal security threats. Whether your organization uses firewall software, hardware, or both, the system’s overall effectiveness depends upon the security policies used in conjunction with the software/hardware.

Implementing these policies is a four-step process, which includes creating policies, training personnel on these policies, implementation, and finally, monitoring the policies. This article will examine the first two steps in this process and is designed to help CIOs and MIS Directors prepare their network administrators and desktop support personnel for the tremendous job of putting these policies into place.
While this article is geared toward the CIO or MIS Director, we wanted to include it on the Support Republic to illustrate the importance of including support staff in firewall policy development and implementation. We also hope to get some feedback from support pros on their firewall policy experiences. After reading this article, please let us know whether you were a part of creating the firewall policies for your organization.
Creating your policies
When developing your organization’s firewall policies, you must look at the total picture. Ask yourself, what does your network offer now, and what do you want to offer in the future? Does your network have an intranet? Will it offer a B2B solution for your corporate partners? Do you now or will you in the future conduct e-business through your company’s Web site? Do your employees need remote access to your network? You must consider these environmental factors before developing your security policies.

A feasibility study should be performed to lay out the steps for implementing security policies. I can break the study down into three areas:

  1. Personnel training
  2. Looking at your needs
  3. Equipment purchasing

First, the study should determine if your network administrators and desktop support personnel have an adequate knowledge of firewall security. To be successful, it is extremely important to know how skilled your staff is at implementing and monitoring firewalls.

Second, take a look at what your network is offering now and what you predict it will offer in the future. Which services does the network currently expose, and on which ports? Which services do you expect it to offer in the future? What will your employees need in the way of remote access?

Finally, your feasibility study should include the amount of security you will need in terms of equipment. In this article, I am going to focus on hardware firewall solutions, as I believe they are currently the most secure option, though an appliance is only as secure as the rule set and patch level behind it. Which brand and type of firewall are best suited to your needs will depend on the size of your organization and what you want to do with your network. Cisco PIX, SonicWall, and Rapture firewalls are all good solutions, but the product you choose will ultimately depend on your number of users and what you want to offer them.
Train your network administrators and desktop support staff
To get a feel for where your organization stands on security skills, talk with your network administrators and desktop support staff. Ask them key questions like, “Do you know what active services are running on our network?” and “Do you know what ports we have open?” If you get a glazed-over look, you should probably plan for a significant amount of security and firewall training.
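Both the needs assessment ("which services does the network expose?") and the two interview questions above have a concrete answer on every host: the list of listening sockets. The following added example (not code from the original article or from any firewall vendor) parses the output of the Linux `ss -tlnp` command, compares each network-reachable listener against an allow-list of approved ports, and renders that allow-list as an nftables input chain with a default-drop policy. The sample `ss` output and the allow-list of ports 22, 80 and 443 are constructed for illustration; on a real host you would feed in live `ss -tlnp` output and your own approved-services list.

```python
"""Inventory listening services on a host and check them against a firewall allow-list.

Added example, not part of the original article. The SAMPLE_SS_OUTPUT below is
constructed to look like `ss -tlnp` output from a hypothetical web server; replace it
with real output (e.g. subprocess.run(["ss", "-tlnp"], ...)) to audit a live machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output (hypothetical host, not captured from a real system).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1203,fd=7))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1400,fd=21))
LISTEN  0       50      0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2210,fd=4))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical policy: the only TCP ports the firewall should expose to the network.
APPROVED_PORTS = {22, 80, 443}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<proc>.*)$")
PROC_RE = re.compile(r'"([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback(self) -> bool:
        """True when the socket is bound only to the loopback interface (not reachable from the network)."""
        return self.addr.startswith("127.") or self.addr == "[::1]"


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -tlnp` text into Listener records; header and non-LISTEN lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, port = m.group("local").rsplit(":", 1)  # handles both 0.0.0.0:22 and [::]:22
        proc = PROC_RE.search(m.group("proc"))
        listeners.append(Listener(addr, int(port), proc.group(1) if proc else "?"))
    return listeners


def check_policy(listeners: list[Listener], allowed_ports: set[int]) -> list[Listener]:
    """Return listeners that are reachable from the network but not on the approved-port list."""
    return [l for l in listeners if not l.loopback and l.port not in allowed_ports]


def render_nft_rules(allowed_ports: set[int]) -> str:
    """Render the approved-port list as an nftables input chain with a default-drop policy."""
    ports = ", ".join(str(p) for p in sorted(allowed_ports))
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    print(f"{len(found)} listening sockets found")
    for v in check_policy(found, APPROVED_PORTS):
        print(f"NOT APPROVED: {v.process} listening on {v.addr}:{v.port}")
    print(render_nft_rules(APPROVED_PORTS))
```

On the constructed sample the check flags only the VNC listener on port 5900: MySQL on port 3306 is bound to loopback and therefore not a firewall concern, while SSH, HTTP and HTTPS are on the approved list. The rendered nftables chain is what the policy looks like once enforced; keeping the allow-list in one place and generating the rules from it is what stops the written policy and the running configuration from drifting apart.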

On the other hand, if they demonstrate some firewall knowledge, ask them for their opinions and suggestions. After all, your net admins are in the trenches working with the network and its users on a daily basis. They probably have a good idea of which defensive strategies will work best.

Above all, it’s essential not to blindside your network administrators and desktop support staff with new security policies. I suggest getting them involved during the earliest stages of policy development. Schedule regular meetings and make sure to get their thoughts and opinions. If additional skills are required, plan to have your network administrators professionally trained by your firewall vendor. Your network administrators can then train your desktop support staff.

Training your IT personnel can be a time-consuming project, but I believe it is the most important part of this four-step process. Without a well-trained staff, even the most restrictive security policies can fail. You can learn more about how to train your staff by reading the National Institute of Standards and Technology’s Special Publication 800-16, “Information Technology Security Training Requirements: A Role- and Performance-Based Model.” (You will need Adobe Acrobat Reader to read it.)

Until next time
Sound network security policies are critical, whether your organization has a small, 10-user LAN or a massive, 10,000-user global WAN. Adequate firewall policies are essential to developing a secure network. My next article will continue this discussion, examining the best ways to implement and monitor firewall policies.
Now it’s your turn to grade us. What do you think of Matthew’s firewall policies suggestions? Post a comment or write to Matthew Mercurio and let us know what you think.