Make Your Firewall Work for You
eSecurityPlanet columnist Linda LeBlanc says until there's a better way to protect our assets, we have to make the firewall work for us better.
Now there are two kinds of firewalls -- there is hardware which is most frequently network based, and software firewalls which are generally deployed on local hosts. Network-based firewalls can be considered perimeter or enterprise firewalls since they sit at the gateway to the Internet and inspect packets before allowing ingress or egress. But you know all this already (or you've been pretending that you do).
Network firewalls consist of hundreds and hundreds of rules that packets are matched against to determine if the packet is malicious. This is a good thing. However, if your network carries more traffic than the firewall appliance can handle, it's a bad thing. The appliance usually defaults to ''open'' -- letting traffic through -- rather than ''closed'' -- dropping the uninspected packets on the floor. The first can be problematic for the security of the network. The second is problematic for the people trying to get work done.
Another problem arises when you have extensive amounts of what might be considered anomolous traffic. This might be anything from JPEGS being uploaded or downloaded (or even viewed in a browser) to plaintext instructions on how to do something that contains URLs of various forms. This type of traffic can be flagged as Web attacks or directory traversal attacks, when they aren't at all.
Somebody, somewhere has to interpret the output of these appliances to determine if there has been an attack. If there was, was it successful? And if so, how widespread might it be? You are either paying an employee to do this or you are paying an outside organization to do it, but you are paying.
Plus, there is a significant investment in the tuning of your appliance. That is to take the default signatures (or rules) and disable the ones that don't apply, and revise (if possible) the ones that should apply but give so many false positives they're not very useful. Tuning also involves making sure that every time there is a significant change to the topology of the network, it's reflected in the configuration of the firewall. You are (or should be) paying someone to do that, too.
There is the issue of maintaining the firewall. There are new vulnerabilities and exploits coming out every day that must be added to the signature (or rules) list. They have to be vetted to make sure that installing them doesn't cause your little portion of the universe to implode.
Finally, if your network is not one-size-fits-all, you may need to figure out which firewall rules should be employed in one segment of the network and which should go in another segment of the network. This can be done, but it involves more hardware and more maintenance. And if your topology isn't logically oriented (all the finance people on one subnet, all the marketers on another) then it can get kind of messy.
Enter the personal firewall.
Currently, both Apple and Windows have embedded firewalls in their operating systems. But there may be room for third-party solutions to the firewall equation.
The Windows ICF (Internet Connection Firewall) is limited to incoming traffic. Basically, when you turn on ICF it prevents any incoming traffic connections that you did not initiate. Thus, it lets through your Web traffic, but it does not let through an attempt to FTP to your machine. There's no tuning, no signatures -- strictly filtering all unsolicited inbound traffic.
There are other considerations, however. If you've been compromised through email, websurfing, instant messaging or any other user initiated connection, that traffic will go out whether you want it to or not. You can't use the ICF if you are located behind a NAT box (Network Address Translation) because it will drop all packets coming from the router (since you didn't ask the router for anything).
The Apple OSX firewall is more flexible... and then again, it's not.
It's certainly more transparent to the end user. It comes on automatically, you can't turn it off, and it doesn't need to be tuned. While there are rules, you don't make them and you don't manage them. They are created as a function of the Sharing sub-menu in System Preferences. If you turn on Personal File Sharing or FTP access, the system writes rules to cover those activities. You can see these rules by opening a terminal window and typing: sudo ifpw list.
For the Windows user who needs more flexibility or more robustness in a firewall, there are many third-party products available.
Products are available from nationally known virus protection companies to smaller vendors trying to break into the market. There are free ones and there are expensive ones. The one thing they all have in common, however, is that they must be managed. Configuration files need to be customized, rule sets have to be tuned and maintained. In a sense, you're back where you were with a perimiter device. Someone has to invest the time and effort to go to each machine to keep it up to standards.
You may decide that it is simpler to centralize the headache of maintaining a firewall. Or you may have the luxury of being in an organization where individuals are technically sophisticated enough to handle their own firewall needs at the local host. Either way, there is overhead. Decide what amount of aggravation you are willing to accept (or inflict on someone else) before you move forward.
And before you go out and plunk down your cash for some machine room monstrosity, or a tiny download for $29.95, take some time to determine what you really need in a firewall and why you need it. By reviewing your needs and your organization's needs, you can better ensure that you solve the problem the first time.
I don't believe the firewall, in the larger sense of the word, is dead. The necessity of keeping the bad packets out and the other bad packets in is still very real. How that gets done is a very complex decision that is different for everyone.
Until there is a new and better way to protect our assets, we have to make what we have work for us.