If you think deploying a firewall is the start and end of the security effort, you’re right—at least from the point of view from crackers, virus pushers, and other assorted bad guys.

Getting a firewall to do what it promises—protect the network that sits behind it—doesn’t begin with an equipment purchase and end with the plug-in. In fact, the plug-in is when the real work begins. As one technical coordinator says, “it’s a never-ending job.” Firewall implementation starts with a full security assessment and continues with constant vigilance over the solution put in place.

The prefirewall effort
The first and most critical element is realistically assessing the enterprise’s needs to determine how much firewall is needed, according to security experts.

“The most important part is determining exactly what job you expect the firewall to be doing,” explained Elizabeth Zwicky, a director at Counterpane Internet Security, a leading security firm, and co-author of Building Internet Firewalls, published by O’Reilly & Associates.

“Many companies use firewalls effectively as security blankets; they don’t actually know what they want, aside from ‘security’ and they don’t have any specifications to configure or test to.”

Buying the right firewall
The assessment provides definitive information for determining which product, and what level of security complexity, is warranted.

“The most common mistakes are in configuration, not product deficiencies,” said Dave Aylesworth, product manager for eSoft Inc. Because different products require vastly different skill levels to manage, buyers also have to look for products that provide management tools appropriate to their skill level. “This reduces the risks of human error during configuration,” he explained.

In choosing a firewall, you shouldn’t place complete trust in certifications; several certifying organizations don’t get far enough into the nitty-gritty, according to firewall experts.

“Often the bar is set low due to the fact that the vendors pay the certification group,” explained Mike Lee, the senior product marketing manager for Check Point Software Technologies. “In addition, certifications only occur on an annual basis at best, so any threats that emerge aren’t covered by certification. So, although certifications are good, they are not absolute.”

An organization’s security goals are key to a product decision, said Chris Blask, VP of business development for BorderWare Technologies Inc. The goals dictate how much money and time will be spent on the firewall.

“It is simply a matter of taking a few moments to ask some questions: What do I want to protect—patient records, corporate data? What do I want to achieve communicating—Web access, e-mail, data transfers? Then ask how much resource is it roughly worth (in time and money) to protect all this,” said Blask.

Keeping the security wall strong
Once a firewall is in place, you can’t step away. Careful reading of firewall logs and reports and intrusion detection systems (IDS) can alert administrators of shortcomings.

“Read the logs and, furthermore, keep up on the firewall rules,” advised Steve Scarbrough, the technical coordinator for the Storm Lakes Community School District in Iowa. “I had an assistant who added 10 rules and opened holes bigger than we wanted—and deleted a default rule” that should have remained intact.

Testing, of course, is the major way to see how a firewall is operating. Tina Bird, a computer security officer at Stanford University and co-owner of loganalysis.org, a nonprofit organization devoted to furthering the state of log analysis, suggests establishing tests that answer four questions:

  • Is internal-to-external Internet usage policy being enforced properly?
  • Is external-to-internal traffic being controlled properly?
  • Is the firewall itself protected from direct attacks?
  • Does the firewall block malicious activity on the traffic that it allows access to internal machines?

Port scans and “firewalking” test whether external-to-internal traffic is being controlled, and vulnerability scans can test the firewall itself. Bird predicts that content inspection—the fourth question on the list—will grow more prominent this year due to increased malicious activity overall.

The key is staying alert
Even if the best firewall product is in place, and you’re doing regular testing, there’s still no room for complacency. Scarbrough advises CIOs to have network administrators walk around facilities and check things out on a regular basis—and not only the server rooms, but all areas. He recalled an incident in which heating system analysts had installed a modem to the heating system without telling the network administrators. The new addition was noticed before security was compromised.

Firewalls, which can be loaded with a wide array of security and other features, are complex, but the basic idea is simple. You must figure out what the enterprise needs, keep product purchases within the enterprise’s budget, and remain vigilant. There are no shortcuts, and cookie-cutter approaches won’t work.

“Different organizations want very different things from their firewalls, so there’s no single formula,” Zwicky said. “The process is much like the process for evaluating any computer system, where you look at performance, compliance to specifications, and user satisfaction.”