Firewall Technology
Generally, he who occupies the field of battle first and awaits his
enemy is at ease. - Sun Tzu
Many companies connect to the Internet, guarded by "firewalls" designed
to prevent
unauthorized access to their private networks. Despite this general
goal, firewalls span a continuum between ease of use and security. This
page describes some of the considerations and tradeoffs in designing firewalls.
A vocabulary for firewalls and their components is offered, to provide
a common ground for discussion.
Why a Firewall?
Against those skilled in the attack, an enemy does not know where to
defend. Against the experts in defence, the enemy does not know where to
attack. - Sun Tzu
The rationale for installing a firewall is almost always to protect
a private network against
intrusion. In most cases, the purpose of the firewall is to prevent
unauthorized users from accessing computing resources on a private network,
and often to prevent unnoticed and unauthorized export of proprietary information.
In some cases export of information is not considered important, but for
many corporations that are connecting, this is a major, though possibly unreasoning,
concern. Many organizations will want simply to address the problem by
not connecting to the Internet at all. This solution can be difficult to
implement. If the private network is loosely administered or decentralized,
a single
enterprising individual with a high speed dialup modem can quickly
effect an Internet SLIP connection which can compromise the security of
an entire network. Often it is safe to say that a firewall needs to be
put in place for the "CYA" [1] factor. Even though
an employee could compromise proprietary information by carrying it
offsite on a DAT or floppy disk, the Internet represents a tangible threat,
populated with dangerous "vandals." [2] It could very easily cost a network
manager his job if a break-in occurs via this route, even if the damage
is no more extensive than could have been inflicted over a dialup line
or by a disgruntled employee. Generally, for a would-be Internet site,
the technical difficulties of implementing a firewall are greatly outweighed
by the public
relations problems of "selling" upper management on the idea. In summary,
because Internet services are so highly visible, they are much more likely
to require official oversight and justification.
In configuring a firewall, the major design decisions with respect
to security are often already dictated by corporate or organizational policy;
specifically, a decision must be made as to whether security is more important
than ease-of-use, or vice versa. There are two basic approaches that summarize
the conflict:
· That which is not expressly permitted is prohibited.
· That which is not expressly prohibited is permitted.
The importance of this distinction cannot be overemphasized. In the former
case, the firewall must be designed to block everything, and services must
be enabled on a case-by-case basis only after a careful assessment of need
and risk. This tends to impact users directly, and they may see the firewall
as a hindrance. In the second case, the systems administrator is placed
in a reactive mode, having to predict what kinds of actions the user population
might take that would weaken the security of the firewall, and
preparing defenses against them. At Friendware we will do an in-depth
study of your company's present posture in the baselining and auditing
process to determine exactly where your company's weaknesses are, and the
results will determine exactly which firewall is best suited for your situation.
Firewalls are not all the same. Read on to discover the different types
of firewalls.
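The two stances above, as an added illustration that is not part of the original page: a minimal, hypothetical packet-filter evaluator whose rule list is consulted in order and which falls back to a configurable default policy. The rules and packets are constructed for the example; with a default-deny policy an unlisted service is blocked until someone assesses and opens it, while with a default-allow policy the same service passes until the administrator notices and adds a block.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DENY, ALLOW = "deny", "allow"


@dataclass(frozen=True)
class Rule:
    action: str               # ALLOW or DENY
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port
    direction: str            # "inbound" or "outbound"


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int
    direction: str


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and rule.dst_port in (None, pkt.dst_port))


def decide(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First matching rule wins; if nothing matches, the default policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Stance 1, "not expressly permitted is prohibited": only the services that
# passed a need-and-risk assessment (here, constructed: SMTP and HTTP) are opened.
DEFAULT_DENY_RULES = [
    Rule(ALLOW, "tcp", 25, "inbound"),
    Rule(ALLOW, "tcp", 80, "inbound"),
]

# Stance 2, "not expressly prohibited is permitted": the administrator must
# enumerate what to block; here only telnet has been identified so far.
DEFAULT_ALLOW_RULES = [
    Rule(DENY, "tcp", 23, "inbound"),
]


def compare(pkt: Packet) -> Tuple[str, str]:
    """Return (decision under default-deny, decision under default-allow)."""
    return (decide(DEFAULT_DENY_RULES, pkt, DENY),
            decide(DEFAULT_ALLOW_RULES, pkt, ALLOW))
```

Evaluating an inbound connection to a port nobody has written a rule for (port 111 in the test) shows the reactive-mode problem: it is denied under the first stance and allowed under the second.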