Introduction to firewalls
Types of firewalls
Choosing a firewall
→ Who is responsible for firewalls?
→ Security risk assessment
→ Firewall purchasing advice
Firewall implementation and placement
Firewall management and maintenance
WHO IS RESPONSIBLE FOR FIREWALLS?
Information security extends beyond networks and has much wider domain coverage. It's always a good practice to have a separate InfoSec department that works with all the business units and departments and helps implement the organization's information security management system (ISMS). In regards to networks, Infosec works as an architect whereby they create IT security designs, policies, procedures and define IT security controls based on information security standards for network security. A network team takes these as inputs and helps implement and enforce the same on their network infrastructure. An example of this is controlling inbound/outbound access through firewall rules.
This text was excerpted from network security expert Puneet Mehta in his response to the question Who is responsible for firewalls?
SECURITY RISK ASSESSMENT
Once you have chosen the team responsible for rolling out your security solution you will have to choose the most appropriate one for your enterprise. The way to determine this is to list and understand the risks your network and enterprise are facing. Risks are threats to your objectives. A proper risk analysis should be done before making any technology decision. When considering adopting firewall/VPN technology, here are some key security risks and standards which should be considered:
To assess risk ask the following questions:
- What is at risk?
- What is its value?
- What are the threats?
- What is the probability of occurrence?
- Some of the common security risks are as follows:
- Single point of failure
- Loose security policies
- Support protection
- Limitation of technology
- False sense of security
- Weak encryption
Here are some firewall/VPN standards to consider:
- Open architecture
- Packet filtration
- Default to denial
- Auditing capabilities
- Access control
- Logging capabilities
- Intrusion detection
- Extended user authentication
- Secured subnets
- Strong encryption
- Network management systems
- Secure back-up
- Statefull inspection
- Real-time traffic monitoring and alerting system
- Device management
- Secure tunneling
- Application layer traffic inspection
To choose the best perimeter security solution, first and foremost, consider the functionality of the firewall. The good news for those deciding between products is that mainstream firewalls all have the same core functions. Each performs stateful inspection packet filtering and allows the implementation of basic perimeter defenses. Security expert Michael Chapple recommends honing in on functional requirements. Ask yourself: Do you need to emphasize network throughput or enhanced security features?
One major point of differentiation between firewalls is their ability to perform application-layer inspection. (See the Introduction
to firewall types section of this guide to learn more about application-layer firewalls.) Many
firewalls simply don't have application-layer inspection, while others implement basic
functionality (such as URL filtering). Some products, like Secure Computing Corp.'s Sidewinder G2
firewall and F5 Networks' BIG-IP Application Security Manager, have deep application inspection
capabilities. These types of firewalls allow for complex application rule bases that limit the
types of actions carried out over a connection. For example, you might limit inbound HTTP requests
from the Internet to GET commands, while internal users might be able to issue POST commands. This
functionality allows you to protect the enterprise against application-based attacks as well as
Finally, consider the vendor itself. When investing in a firewall product, you're making a long-term decision. The financial commitment is only the tip of the iceberg; your firewall administrators will invest significant time and energy building and customizing a rule base for that particular product. In general, rule bases are not portable between platforms, so any future platform change will require a substantial commitment of human resources, so it's wise to make sure the vendors on your short list are all stable companies with solid financials. You certainly don't want to get on board a sinking ship. This advice was given by Michael Chapple at SearchSecurity.com.
>> Continue to our Firewalls implementation and management section
This was first published in January 2008