Every organization that connects its network to the Internet
needs a firewall to protect against intrusions and attacks from “out there.”
And today’s security vendors make firewall products to fit every budget. But if
your company plans to grow (and what company doesn’t?), it pays to keep
scalability in mind when selecting firewall solutions. Let’s take a look at how
a small business can build a scalable firewall infrastructure from the very
beginning.

Start small, think big

Many businesses are launched as one-person operations or
with only a few employees. Their networks consist of only a few computers,
often joined as a workgroup. The workgroup uses an inexpensive Internet connection
that is shared via Microsoft’s ICS or a third-party NAT solution. Even if your
“business network” consists of a single Internet-connected computer, you still
need a firewall. But in a small business, it will often be the Windows Firewall built
into Windows XP (called Internet Connection Firewall or ICF prior to Service
Pack 2) or another low-cost host-based software firewall such as ZoneAlarm or Norton Personal Firewall.

When your company grows to include several computers on the
LAN, it’s time to start thinking about perimeter security. Many broadband
routers have basic firewall functionality built in, but these tend to be simple
packet filtering firewalls. Some include features such as MAC filtering and URL
filtering, but most are designed for consumer use, rather than business use. An
attack that crashes your network can affect your bottom line, so you need more
sophisticated protection.

Hardware vs. software solutions

The easiest way to go is with a relatively low-cost
dedicated firewall appliance at the perimeter. This is often called a “hardware
firewall.” Examples include the PIX 501, SonicWall
Pro 1260, WatchGuard Edge X15 or NetScreen
5 series. They are “turnkey” solutions that are easy
to set up. However, you may find that these low-end products are not very
scalable. They’re usually limited in the number of connections allowed and in
throughput bandwidth. It’s difficult or impossible to upgrade the hardware, so
as your network grows and your needs change, you may have to buy a new edge
firewall. Other appliances can handle more capacity than their
initial purchase unlocks; you only need to buy additional licenses to use that
capacity.

Although the initial cost may be higher and it may not be as
easy to set up, you may find that a “software firewall” such as Microsoft ISA
Server, CheckPoint, or Symantec Enterprise Firewall
can more easily grow with your business. These firewall products are installed
on top of a regular network operating system (Windows Server, UNIX, Solaris). That means you choose the box and configuration
and can easily upgrade to a faster processor or more memory if needed later.

Software firewalls also usually support a larger number of
connections than the low-end appliances, and throughput is based on the
hardware you choose. These business-level software firewalls are designed to
protect the network, and shouldn’t be confused with software firewalls that are
host-based or “personal” firewalls designed to protect a single computer.

Moving to a multiple firewall solution

As your network gets larger and more complex, a single
firewall at the perimeter may not be sufficient. At this point, you may have
branch offices in remote locations that connect to your LAN at headquarters,
and you may also want to control what enters the sub-networks of some
departments or divisions (such as accounting or personnel) from the rest of the
LAN.

This requires a different firewall deployment strategy and
the recognition that the Internet edge is not the only perimeter; there are
also interior perimeters you need to protect. This is analogous to a physical
security plan: you not only put locks on the gates (the outer perimeter), but
also put locks on the buildings and on individual office doors within the
buildings. Likewise, you can place departmental firewalls or branch office
firewalls at those perimeters to provide internal protection.

Another situation requiring multiple firewalls is the need
to have some of your servers accessible over the Internet by outside users who
don’t have accounts on your company network. In this case, the best solution is
to construct a “DMZ” (also called a “screened subnet” or a “perimeter network”)
by placing those Internet-accessible servers between two firewalls. One
firewall sits at the Internet edge and the other sits at the “entry point” to
your internal LAN. The computers and devices between the two firewalls are in
the DMZ. This means that if a hacker is able to compromise a computer in the
DMZ, he still doesn’t have access to the internal LAN.

Finally, you may need multiple firewalls to more efficiently
provide protection while maintaining performance. Traditional packet-filtering
firewalls are fast, but they miss attacks that are carried in application-layer
content. Application layer filtering (ALF) firewalls do a more thorough job of
filtering, examining not just packet headers but also the contents of the
packets. However, that deeper inspection slows them down. For that reason, you might want to put
a traditional packet-filtering firewall at the Internet edge where traffic is
heaviest, and then place multiple ALF firewalls behind it to perform the more
tedious content examination.
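As an added illustration of the two-firewall screened subnet described above and of the packet-filter-then-ALF layering, here is a small policy model (example code written for this article, not a product’s configuration). The zone names, rule tables and HTTP method list are constructed assumptions; a flow must be allowed by every firewall on its path, and a default deny applies to anything unmatched.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                 # one new connection attempt (constructed sample data)
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: str = ""       # start of the request, inspected only by the ALF tier

ZONE_ORDER = ["internet", "dmz", "lan"]   # linear topology: two boundaries

# Edge firewall (Internet <-> DMZ): only the published services are reachable.
EDGE_RULES = [
    ("internet", "dmz", 80, "allow"),
    ("internet", "dmz", 443, "allow"),
    ("dmz", "internet", 443, "allow"),    # DMZ hosts may fetch updates
]
# Internal firewall (DMZ <-> LAN): nothing in the DMZ may open a connection inward.
INNER_RULES = [
    ("lan", "dmz", 22, "allow"),          # administrators manage DMZ hosts
    ("lan", "dmz", 443, "allow"),
    ("dmz", "lan", None, "deny"),         # explicit deny, so it shows up in audits
]

def evaluate(rules, flow):
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for src, dst, port, action in rules:
        if (src, dst) == (flow.src_zone, flow.dst_zone) and port in (None, flow.dst_port):
            return action
    return "deny"

def firewalls_on_path(flow):
    """Rule sets a flow must pass, i.e. the zone boundaries it crosses."""
    lo, hi = sorted(ZONE_ORDER.index(z) for z in (flow.src_zone, flow.dst_zone))
    crossed = []
    if lo < 1 <= hi:
        crossed.append(EDGE_RULES)    # Internet/DMZ boundary
    if lo < 2 <= hi:
        crossed.append(INNER_RULES)   # DMZ/LAN boundary
    return crossed

def packet_filter_permits(flow):
    return all(evaluate(fw, flow) == "allow" for fw in firewalls_on_path(flow))

def alf_permits(flow):
    """The slower content check behind the edge: only expected HTTP methods."""
    if flow.dst_port not in (80, 443):
        return True
    return flow.payload.split(" ", 1)[0] in {"GET", "HEAD", "POST"}

def accepted(flow):
    return packet_filter_permits(flow) and alf_permits(flow)
```

A request from the Internet to the DMZ web server on port 443 passes both tiers, while a connection attempt from a DMZ host toward the LAN is stopped by the internal firewall, which is the property the DMZ exists to provide.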

Use legacy firewalls to support growth

If you plan properly, you can continue to use the firewalls
you purchased when the network was small, as your company grows. The low-cost,
lower-capacity appliance that was once on the Internet edge can be moved “inside”
to serve as a departmental firewall when you buy a more powerful (and more
expensive) firewall to handle the outer perimeter traffic. The software
firewall that was installed on a low-end server can have its hardware upgraded
to handle higher capacity, or it can be moved to the LAN edge on the DMZ to
perform application layer filtering while a new, fast packet filtering firewall
handles traffic as it comes in from the Internet. If the software firewall
itself is retired or moved to a different machine, the server box can be “recycled”
to function as a file server or in another capacity on the network.

Planning your firewall infrastructure with growth in mind
from the beginning will ensure that you get the most value for the money you
spend on firewall hardware and software.