
Make Your Firewall Work for You

I've recently had the opportunity to listen in on a couple of debates regarding firewalls and their utility, as well as their future in the corporate and educational environment.

Now there are two kinds of firewalls -- there are hardware firewalls, which are most frequently network based, and software firewalls, which are generally deployed on local hosts. Network-based firewalls can be considered perimeter or enterprise firewalls, since they sit at the gateway to the Internet and inspect packets before allowing ingress or egress. But you know all this already (or you've been pretending that you do).

Network firewalls consist of hundreds and hundreds of rules that packets are matched against to determine whether a packet is malicious. This is a good thing. However, if your network carries more traffic than the firewall appliance can handle, it's a bad thing. The appliance usually defaults to "open" -- letting traffic through uninspected -- rather than "closed" -- dropping the uninspected packets on the floor. The first can be problematic for the security of the network. The second is problematic for the people trying to get work done.

Another problem arises when you have extensive amounts of what might be considered anomalous traffic. This might be anything from JPEGs being uploaded or downloaded (or even viewed in a browser) to plaintext instructions on how to do something that contain URLs of various forms. This type of traffic can be flagged as Web attacks or directory traversal attacks when it is nothing of the sort.

This brings us to the downside.

Somebody, somewhere has to interpret the output of these appliances to determine if there has been an attack. If there was, was it successful? And if so, how widespread might it be? You are either paying an employee to do this or you are paying an outside organization to do it, but you are paying.

Plus, there is a significant investment in the tuning of your appliance. That is, taking the default signatures (or rules), disabling the ones that don't apply, and revising (if possible) the ones that should apply but give so many false positives that they're not very useful. Tuning also involves making sure that every time there is a significant change to the topology of the network, it's reflected in the configuration of the firewall. You are (or should be) paying someone to do that, too.
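To make the three problems above concrete (an appliance that fails open or closed when overloaded, benign text tripping Web-attack signatures, and the tuning work that follows), here is a small added example in Python. It is not code from the article or from any firewall vendor; the two signatures, the capacity limit and the sample requests are all constructed for illustration, and the engine is a toy model, not a real inspection appliance.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    scope: str            # "any": search request line and body; "request_line": request line only
    enabled: bool = True


@dataclass
class Request:
    request_line: str     # e.g. "GET /index.html HTTP/1.0"
    body: str = ""


def default_rules():
    """An untuned, out-of-the-box signature set (constructed for this example).
    Both rules look anywhere in the message, which is where the false positives come from."""
    return [
        Rule("directory-traversal", re.compile(r"\.\./"), "any"),
        Rule("cgi-bin-probe", re.compile(r"/cgi-bin/"), "any"),
    ]


def tune(rules):
    """Tuning as the article describes it: disable rules that do not apply to this
    network (assume there is no cgi-bin here) and narrow rules that fire too often
    (a traversal is only meaningful in the requested path, not in page text)."""
    for r in rules:
        if r.name == "cgi-bin-probe":
            r.enabled = False
        if r.name == "directory-traversal":
            r.scope = "request_line"
    return rules


def inspect(req, rules):
    """Return the names of the enabled rules that fire on one request."""
    hits = []
    for r in rules:
        if not r.enabled:
            continue
        text = req.request_line if r.scope == "request_line" else req.request_line + "\n" + req.body
        if r.pattern.search(text):
            hits.append(r.name)
    return hits


def inspect_batch(reqs, rules, capacity, fail_open):
    """Inspect at most `capacity` requests per batch. Anything beyond the
    appliance's capacity is either let through uninspected (fail open) or
    dropped on the floor (fail closed)."""
    verdicts = []
    for i, req in enumerate(reqs):
        if i >= capacity:
            verdicts.append("pass-uninspected" if fail_open else "drop-uninspected")
            continue
        hits = inspect(req, rules)
        verdicts.append("alert:" + ",".join(hits) if hits else "pass")
    return verdicts


# Constructed sample traffic: a benign how-to upload whose text merely mentions
# "../" and a cgi-bin URL, a real traversal attempt, and an image fetch.
HOWTO_POST = Request("POST /howto/upload HTTP/1.0",
                     "Step 2: run cd ../ and then fetch http://example.com/cgi-bin/report")
TRAVERSAL = Request("GET /../../etc/passwd HTTP/1.0")
IMAGE_GET = Request("GET /images/photo.jpg HTTP/1.0")
SAMPLE = [HOWTO_POST, TRAVERSAL, IMAGE_GET]

if __name__ == "__main__":
    print("untuned:            ", inspect_batch(SAMPLE, default_rules(), capacity=10, fail_open=True))
    print("tuned:              ", inspect_batch(SAMPLE, tune(default_rules()), capacity=10, fail_open=True))
    print("overloaded, open:   ", inspect_batch(SAMPLE, tune(default_rules()), capacity=2, fail_open=True))
    print("overloaded, closed: ", inspect_batch(SAMPLE, tune(default_rules()), capacity=2, fail_open=False))
```

Untuned, the how-to upload raises both alerts even though it is harmless; after tuning, only the genuine traversal attempt alerts. With the capacity set below the batch size, the last request is either waved through or discarded depending on the fail-open setting, which is exactly the trade-off between the security people and the people trying to get work done.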

There is also the issue of maintaining the firewall. New vulnerabilities and exploits come out every day, and signatures (or rules) for them must be added to the list. They have to be vetted to make sure that installing them doesn't cause your little portion of the universe to implode.

Finally, if your network is not one-size-fits-all, you may need to figure out which firewall rules should be employed in one segment of the network and which should go in another segment of the network. This can be done, but it involves more hardware and more maintenance. And if your topology isn't logically oriented (all the finance people on one subnet, all the marketers on another), then it can get kind of messy.

Enter the personal firewall.

Currently, both Apple and Windows have embedded firewalls in their operating systems. But there may be room for third-party solutions to the firewall equation.

The Windows ICF (Internet Connection Firewall) is limited to incoming traffic. Basically, when you turn on ICF it prevents any incoming traffic connections that you did not initiate. Thus, it lets through your Web traffic, but it does not let through an attempt to FTP to your machine. There's no tuning, no signatures -- strictly filtering all unsolicited inbound traffic.

There are other considerations, however. If you've been compromised through email, Web surfing, instant messaging or any other user-initiated connection, that traffic will go out whether you want it to or not. You can't use the ICF if you are located behind a NAT box (Network Address Translation) because it will drop all packets coming from the router (since you didn't ask the router for anything).
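The inbound-only behaviour described in the two paragraphs above can be modelled in a few lines. The following is an added example in Python, not Microsoft's code and not a description of how ICF is implemented internally: it keeps a table of flows the host opened, lets the replies back in, drops anything unsolicited, and never looks at outbound traffic at all. The addresses and port numbers are constructed for the scenario.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "out": leaving this host, "in": arriving at this host


class InboundOnlyFilter:
    """Model of an ICF-style host firewall: outbound packets are never inspected,
    and inbound packets are allowed only when they belong to a flow this host
    opened. There are no signatures and nothing to tune."""

    def __init__(self):
        self.flows = set()   # flows this host initiated, keyed by the 5-tuple as seen outbound
        self.dropped = []    # human-readable record of what was refused

    def handle(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        # Inbound: look for the matching outbound flow with the endpoints swapped.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return "allow"
        self.dropped.append(f"unsolicited {pkt.proto} from {pkt.src_ip}:{pkt.src_port} to port {pkt.dst_port}")
        return "drop"


LOCAL = "192.0.2.5"   # constructed address for the protected host


def run_scenario():
    """The cases the article describes, in order: a Web session the user opened
    (allowed both ways), an FTP connection attempt nobody asked for (dropped),
    and a connection that something already running on the host opens outbound
    after a compromise (allowed, and its replies too, because outbound is never
    looked at)."""
    fw = InboundOnlyFilter()
    events = [
        ("web request",        Packet("tcp", LOCAL, 50000, "203.0.113.10", 80, "out")),
        ("web reply",          Packet("tcp", "203.0.113.10", 80, LOCAL, 50000, "in")),
        ("ftp to this host",   Packet("tcp", "198.51.100.7", 40123, LOCAL, 21, "in")),
        ("callback from host", Packet("tcp", LOCAL, 50001, "198.51.100.7", 6667, "out")),
        ("callback reply",     Packet("tcp", "198.51.100.7", 6667, LOCAL, 50001, "in")),
    ]
    return [(name, fw.handle(p)) for name, p in events], fw.dropped


if __name__ == "__main__":
    verdicts, dropped = run_scenario()
    for name, verdict in verdicts:
        print(f"{name:20s} {verdict}")
    print("dropped:", dropped)
```

The only thing in the filter's log is the FTP attempt. The post-compromise callback and its reply are indistinguishable from the Web session as far as this model is concerned, which is the gap the article points at: an inbound-only filter says nothing about what a user-initiated (or malware-initiated) connection is doing.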

The Apple OSX firewall is more flexible... and then again, it's not.

It's certainly more transparent to the end user. It comes on automatically, you can't turn it off, and it doesn't need to be tuned. While there are rules, you don't make them and you don't manage them. They are created as a function of the Sharing sub-menu in System Preferences. If you turn on Personal File Sharing or FTP access, the system writes rules to cover those activities. You can see these rules by opening a terminal window and typing: sudo ipfw list.
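Since the rules are written for you, the practical question is what they actually expose. Below is an added Python example, not Apple's code, that parses the general layout of ipfw list output (rule number, action, protocol, from/to, then options such as in, out, established, dst-port and via) and evaluates it with ipfw's first-match-wins semantics to report which ports an unsolicited inbound connection would reach. The sample rule listing is constructed to resemble what the Sharing pane might generate with Personal File Sharing and FTP access turned on; the rule numbers, addresses and interface names are assumptions for this example, not captured from a real machine.

```python
import re
import ipaddress
from fnmatch import fnmatch
from dataclasses import dataclass

# Constructed sample in the layout of `sudo ipfw list` output; an assumption
# for this example, not output captured from a real system.
SAMPLE_IPFW_LIST = """\
02000 allow ip from any to any via lo*
02010 deny ip from 127.0.0.0/8 to any in
02020 deny ip from any to 127.0.0.0/8 in
02030 deny ip from 224.0.0.0/3 to any in
02040 deny tcp from any to 224.0.0.0/3 in
02050 allow tcp from any to any out
02060 allow tcp from any to any established
02070 allow tcp from any to any dst-port 548 in
02080 allow tcp from any to any dst-port 21 in
12190 deny tcp from any to any
65535 allow ip from any to any
"""


@dataclass
class IpfwRule:
    number: int
    action: str      # "allow" or "deny"
    proto: str       # "ip", "tcp", "udp", ...
    src: str         # "any" or a CIDR
    dst: str
    options: list    # remaining tokens: in/out, established, dst-port N, via IFACE


RULE_RE = re.compile(r"^(\d+)\s+(allow|deny)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s*(.*)$")


def parse_ipfw_list(text):
    """Parse one rule per line; lines that do not fit the layout are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, proto, src, dst, rest = m.groups()
            rules.append(IpfwRule(int(num), action, proto, src, dst, rest.split()))
    return sorted(rules, key=lambda r: r.number)


def _addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    """pkt is a dict: proto, src, dst, dst_port, direction ("in"/"out"), iface, established."""
    if rule.proto not in ("ip", pkt["proto"]):
        return False
    if not (_addr_matches(rule.src, pkt["src"]) and _addr_matches(rule.dst, pkt["dst"])):
        return False
    opts = iter(rule.options)
    for opt in opts:                       # options with an argument consume the next token
        if opt in ("in", "out") and pkt["direction"] != opt:
            return False
        if opt == "established" and not pkt["established"]:
            return False
        if opt == "dst-port" and pkt["dst_port"] != int(next(opts)):
            return False
        if opt == "via" and not fnmatch(pkt["iface"], next(opts)):
            return False
    return True


def evaluate(rules, pkt):
    """First matching rule wins, as in ipfw; returns (action, rule number)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, r.number
    return "allow", 65535   # ipfw's implicit default rule


def exposed_inbound_ports(rules, outside="198.51.100.7", host="192.0.2.5"):
    """TCP ports an unsolicited connection from outside would reach: probe every
    port named in a dst-port option with a fresh (not established) inbound packet."""
    candidates = {int(r.options[r.options.index("dst-port") + 1])
                  for r in rules if "dst-port" in r.options}
    exposed = {}
    for port in sorted(candidates):
        pkt = {"proto": "tcp", "src": outside, "dst": host, "dst_port": port,
               "direction": "in", "iface": "en0", "established": False}
        action, number = evaluate(rules, pkt)
        if action == "allow":
            exposed[port] = number
    return exposed


SERVICE_NAMES = {21: "FTP Access", 548: "Personal File Sharing"}   # the Sharing items the article names

if __name__ == "__main__":
    rules = parse_ipfw_list(SAMPLE_IPFW_LIST)
    for port, number in exposed_inbound_ports(rules).items():
        print(f"rule {number:05d} opens port {port} ({SERVICE_NAMES.get(port, 'unknown')})")
```

On the sample listing this reports ports 21 and 548 as reachable from outside, which is what turning on FTP access and Personal File Sharing should produce; anything else inbound falls through to the deny rule, while replies to connections the host opened are admitted by the established rule. Running the same check against the real listing from your own machine is a quick way to confirm that the Sharing pane and the firewall agree.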

For the Windows user who needs more flexibility or more robustness in a firewall, there are many third-party products available.

Products are available from nationally known virus protection companies to smaller vendors trying to break into the market. There are free ones and there are expensive ones. The one thing they all have in common, however, is that they must be managed. Configuration files need to be customized, rule sets have to be tuned and maintained. In a sense, you're back where you were with a perimeter device. Someone has to invest the time and effort to go to each machine to keep it up to standards.

You may decide that it is simpler to centralize the headache of maintaining a firewall. Or you may have the luxury of being in an organization where individuals are technically sophisticated enough to handle their own firewall needs at the local host. Either way, there is overhead. Decide what amount of aggravation you are willing to accept (or inflict on someone else) before you move forward.

And before you go out and plunk down your cash for some machine room monstrosity, or a tiny download for $29.95, take some time to determine what you really need in a firewall and why you need it. By reviewing your needs and your organization's needs, you can better ensure that you solve the problem the first time.

I don't believe the firewall, in the larger sense of the word, is dead. The necessity of keeping the bad packets out and the other bad packets in is still very real. How that gets done is a very complex decision that is different for everyone.

Until there is a new and better way to protect our assets, we have to make what we have work for us.
