Veraciti: Your Technology Company

Secure Your Network
Put Up a Wall, a Firewall

If you have an always-on Internet connection, such as dedicated Internet, DSL or cable service, you and your network have an open door to the Internet. Just as you wouldn’t want to leave the door to your home or business wide open, you shouldn’t leave your door to the Internet open.

To protect yourself from data loss or exposure and to ensure reliable network availability, you should have a firewall. A firewall is designed to prevent unauthorized access to a computer or network that is connected to another network such as the Internet.

What is a network firewall?

A firewall is a system or group of systems that enforces an access control policy between two or more networks. Quite often, the first network is your own computers and the second network is the Internet itself. But firewalls can be used to protect your direct connections to partners or vendors and more.

The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic.

The most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you.

It is also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. As a result, the person or persons configuring a firewall have a heavy responsibility. Be sure to work with someone who knows and understands not only the technology but the company’s security policy.

Why would I want a firewall?

The Internet, like any other society, is plagued by individuals who enjoy the electronic equivalent of creating graffiti, tearing off mailboxes, or just sitting in the street blowing their car horns. Other individuals are intentionally attempting to gain private or confidential information from you. Fortunately, most people are simply trying to get real work done over the Internet. A firewall's purpose is to keep unwanted individuals out of your network while still letting you get your job done.

What can a firewall protect against?

Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and only block services that are known to be problems. Generally, firewalls are configured to protect against unauthenticated interactive logins from the "outside" world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.
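The three policies in the paragraph above, evaluated against the same connection attempts. This is an added example, not code from Veraciti or any firewall product; the addresses, the flows and the choice of telnet (23) and rlogin (513) as the "known problem" services are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: documentation ranges stand in for real networks.
INSIDE = ip_network("192.0.2.0/24")

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str               # "in", "out" or "any"
    dport: Optional[int] = None  # None matches every port

# Each policy is (ordered rules, default action for unmatched traffic).
POLICIES = {
    "email_only":    ([Rule("permit", "any", 25)], "deny"),
    "block_known":   ([Rule("deny", "in", 23), Rule("deny", "in", 513)], "permit"),
    "outbound_free": ([Rule("permit", "out")], "deny"),
}

# Constructed connection attempts: (label, source, destination, dest port).
# Only the opening of a connection is modelled, not its reply traffic.
FLOWS = [
    ("inbound mail",     "203.0.113.10", "192.0.2.25", 25),
    ("inbound telnet",   "203.0.113.10", "192.0.2.7", 23),
    ("inbound unlisted", "203.0.113.10", "192.0.2.7", 3389),
    ("outbound web",     "192.0.2.7", "198.51.100.5", 443),
]

def decide(policy, src, dport):
    """First matching rule wins; the default action decides everything else."""
    rules, default = POLICIES[policy]
    direction = "out" if ip_address(src) in INSIDE else "in"
    for rule in rules:
        if rule.direction in (direction, "any") and rule.dport in (None, dport):
            return rule.action
    return default

def compare():
    """Decision of every policy for every constructed flow."""
    return {name: {label: decide(name, src, dport)
                   for label, src, _dst, dport in FLOWS}
            for name in POLICIES}

if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
```

The "inbound unlisted" row is the one to watch: a policy that only blocks known problems permits any service nobody thought to list, while the two default-deny policies drop it.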

Firewalls are also important since they can provide a single "choke point" where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective "phone tap" and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries about what kinds and amounts of traffic passed through them, how many attempts there were to break into them, etc. Because of this, firewall logs are critically important data. They can be used as evidence in a court of law in most countries. You should safeguard, analyze and protect your firewall logs accordingly.

What can't a firewall protect against?

Simply, firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through the Internet. Unfortunately, a magnetic tape, compact disc, DVD, or USB flash drive can be used just as effectively to take data. Many organizations focus only on their Internet connections but have no coherent policy about protecting removable media or dial-in access via modems. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network.

Another thing a firewall can't really protect you against is traitors or uneducated users inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or CD. CDs are a far more likely means for information to leak from your organization than a firewall. Firewalls also cannot protect you against ignorance or foolishness. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a “helpful” employee inside who can be fooled into giving access another way. Before deciding this isn't a problem in your organization, ask yourself how much trouble a contractor has getting logged into the network or how much difficulty a user who forgot his password has getting it reset. If it’s relatively easy, then you have a problem that can't be fixed by tightening controls on the firewalls. Here's where sound security policies and training become vitally important.

Lastly, firewalls can't protect against bad things being allowed through them. If you allow any internal system to connect to any external system such as a mail server, then your firewall will provide no protection from this vector of attack. Security isn't "fire and forget".

What are some of the basic decisions when considering a firewall?

When considering implementing a firewall, there are a few basic issues that should be considered.

The first and most important decision reflects the policy of how your company or organization wants to operate the system: is the firewall in place explicitly to deny all services except those critical to the mission of connecting to the Net, or is the firewall in place to provide a metered and audited method of "queuing" access in a non-threatening manner? There are degrees of paranoia between these positions; the final stance of your firewall might be more the result of a political than an engineering decision.

The second is: what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level (i.e., how paranoid you are) by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a risk assessment, and sort the almost always conflicting requirements out into a laundry list that specifies what you plan to implement.

The third issue is financial. It is important to quantify how much it will cost to buy, implement, and support long term. For example, the cost of a complete firewall product may be substantial for a high end solution which can be contrasted with a free solution at the low end. The free option may simply require some fancy configuring on an existing router or similar device. However, the systems management overhead is also a consideration. Building a home-brew is fine, but it's important to build it so that it doesn't require constant (and expensive) attention. It's important, in other words, to evaluate firewalls not only in terms of what they cost now, but continuing costs such as support.

How Veraciti Can Help You Secure Your Network

When selecting a firewall solution, Veraciti works with you to determine your security needs and then selects a solution that fits those needs. Having worked with firewalls since their inception, we have the experience and the knowledge to recommend, implement and support the best solution for your needs.

As certified partners for a wide variety of hardware and software firewall manufacturers such as Sonicwall, Symantec or Watchguard, Veraciti is an ideal source when you want to select a firewall solution. Our recommendations to your company are based on our extensive experience with servicing and supporting the products we recommend.

Once we have recommended the appropriate solution, we can implement and provide you with ongoing support to ensure your network security.

Veraciti - Providing Technology, Truth, Service, and Savvy
49 South Jefferson Road, Whippany, NJ 07981
© July 2008; Veraciti, Inc. All Rights Reserved.