While firewalls can secure Internet access, protect mission-critical information, and leverage the Internet to connect a global enterprise, they’re just the starting point for building a security fortress. Some organizations may believe they’re secure with current firewalls in place, but it won’t be long before they realize they need more tools for securing their next connectivity initiative, such as a VPN.
A recent TechRepublic poll indicated that very few organizations have completely secured the enterprise. Of 127 members surveyed, 46 percent reported that they’re satisfied with current firewall technology but also planning to improve it. Nearly 10 percent were dissatisfied with current firewall technology. Most surprising, and slightly scary, is that 4 percent don’t even have a firewall in place yet.
Whether you want to improve, replace, or initially install a firewall, it’s a good time to refresh your knowledge of firewalls and understand the vital steps, such as developing a security policy, that you must take before making any more security moves.
False firewall beliefs
A common misconception is that one firewall can protect every asset. While that might have been true a few years ago, it’s not enough protection, given the advancements in hacking and increasing external threats.
According to the CERT Coordination Center at the Software Engineering Institute (CERT/CC), the number of reported network security incidents has almost tripled in the past two years—from 21,756 in 2000 to 73,359 at the end of Q3 2002.
A second misconception is that a firewall device is a “connect, turn on, and forget about it” device. It’s actually a technology that requires constant review, fine-tuning, and evaluation.
In addition, many organizations plug firewalls into place without a security policy. Firewall deployment should be tied directly to security policies that address and support your company’s objectives. Enterprises must consider a multilayered security approach, with a security policy, firewalls, and additional security tools (such as virus software).
What a firewall can and can’t do
A firewall can be hardware- or software-based. The tightest security is obtained when the two options are used in combination. Yet, even in this approach, a firewall system has its limits:
- It can’t protect the enterprise from attacks and threats from within your network.
- Virus protection is limited without additional software and specialized technologies.
- A firewall can’t protect an organization from attacks that avoid a firewall—an external hack via a dial-up account can fully compromise the entire security plan.
Firewall technology, obviously, also can’t protect organizations from employee carelessness or mistakes with passwords and unauthorized access. Only specific tools and policy guidelines on expected computer use and access can thwart those issues.
The first step is analyzing risks
Before plugging in firewalls, you must do an internal risk assessment in order to make new purchase or upgrade decisions. This assessment requires analyzing the information that currently passes through your networks, and the path and direction it takes, so that you can identify real holes and potential holes. To do that, ask and answer the following questions:
- What asset(s) (corporate, customer, e-commerce) is/are at risk?
- What is the value of that asset? What are the ramifications relating to downtime, lost revenue, or lost client and customer confidence?
- What is the actual threat? Have internal threats been sealed off? What’s the potential for external breaches?
CIOs and network administrators need a complete and comprehensive understanding of not only Internet activities but also internal network traffic, such as bandwidth requirements, protocols in use, and access requirements. Remember that all access points are vulnerable and subject to attacks.
Once you have this information, you can move on to building a firewall architecture.
Basic firewall design considerations
When it comes to architecture, you have two choices: a single firewall or a multilayer firewall approach (see Figures A and B).
| Figure A |
 |
| Single architecture |
| Figure B |
 |
| Multilayer architecture |
To determine which would work best for your enterprise, you need to first flesh out and develop a security policy, because the two are tightly linked.
Developing the security policy
Because security policies are a direct reflection of a corporation’s security needs, the immediate decision is how much access is required. An organization can meter out services or deny all but the most critical required access.
The second policy issue, which also directly ties to any firewall decision, is the access level. Do you want all users to have basic access or limited access? This requires examining current use—does each user separately log into the Internet? What will be each user’s site restrictions? Don’t forget to examine the types of file extensions you want allowed and disallowed for downloading and document transfers. The policy also must determine the degree of redundancy your organization needs—should you have a failover backup or provide multitiered protections? Also, what, who, and how do you want to monitor network access and Internet use?
Finally, take into account the financial considerations of a firewall technology purchase—you don’t want to buy too much or unneeded protection, but you will have to provide for ongoing maintenance costs.
A few final tips
While a security policy and firewall plan should be created and developed, that’s not where security ends. IT administrators must ensure they have all vendor patches properly applied and that each system is kept up-to-date. The true value of a firewall system is in the constant maintenance of all resources.
I’ve developed a checklist that can help you make sure you don’t miss any of the crucial elements of a security effort. This checklist download, available to all TechRepublic members, is a quick and easy way to make sure nothing has been ignored.
Comprehensive security requires safeguards in a layered defensive approach. Keep in mind that your ultimate solution must be flexible enough to provide for scalability and growth.
