This story was printed from ZDNet Australia.
Firewall appliances: is your network safe?

By Mark Snell and Michelle Hutchinson, Technology & Business magazine
January 14, 2002
URL: http://www.zdnet.com.au/news/communications/soa/Firewall-appliances-is-your-network-safe-/0,130061791,120262375,00.htm

Configuring firewalls can be a nightmare. Can plug-and-play appliances really be the answer, or are they plug-and-pray?

RMIT IT Test Labs put firewall appliances through the wringer and found that protecting your network can sometimes be far from simple.

You know the upside of being connected to the Internet: you have access to a wealth of information from around the world on just about any subject imaginable. But, of course, for every upside there is a downside.

And in this case, it's the fact that connecting your LAN or computer to the Internet also makes it possible for everyone else who's connected to access your valuable data. How do you protect yourself? With a firewall.

Just like the firewall of a building that prevents flames from spreading from building to building, a network firewall stops unwanted network traffic from spreading from the Internet to your network and vice versa. The unwanted traffic is usually someone outside your network attempting to access your resources.

You can also use firewalls to prevent your users from going places on the Internet that they shouldn't. The firewall places a barrier between your network and the Internet. You can then manage the barrier to make sure that your network is safe. While it's not 100 percent foolproof, you need to have a firewall on your LAN for security if you plan to connect to the Internet.

The December issue of ZDNet Australia's Technology & Business Magazine contains reviews of firewall products, including Editor's Choice Awards for the best products. For subscription information, visit Technology & Business.

Types of Firewalls

There are several different ways firewalls filter information to protect networks:
  • Packet filtering: Each packet entering or even leaving the network is checked and either passed or rejected depending on a set of user-defined rules.

    Packet filtering is relatively effective and transparent to users; however, it is difficult to configure and is susceptible to IP spoofing (a technique used to gain unauthorised access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host).

    A packet filter firewall is essentially a router with packet-filtering software. Packet filters are an attractive option where budget is limited, where some flexibility is desirable, and where only shallow access control is required.

  • Application filtering: An application gateway firewall uses software to intercept connections for each Internet protocol and to perform security inspection.

    It involves what is commonly known as proxy services. A proxy is a piece of code designed for a specific application, eg, FTP. The proxy acts as an interface between the user on the internal trusted network and the Internet. With application-level firewall technology, the proxy checks for permission to connect to another network and can enforce access control rules specific to the application (packet filtering cannot do this).

    While this is considered to be the most secure type of firewall design, the extra overhead of transporting data up to the application layer can lead to degradation in performance.

  • Circuit-level gateway: This gateway applies security mechanisms at the TCP or UDP level and only while the connection is being established. Once the connection is established, packets can flow between the hosts without further checking.

  • Proxy server: A proxy server effectively hides the true internal network addresses and intercepts all messages, both entering and leaving the network.

  • Stateful inspection: Stateful inspection technology, developed and patented by Check Point, works at the network layer and does not require a separate proxy for each application.

    Stateful inspection evaluates IP header information and constantly monitors a dynamic state table for each connection. A connection is rejected when it attempts an action that is not a standard use of the protocol.

A firewall appliance is a specially designated computer with integrated firewall software, set apart from the rest of the network so that no incoming request can reach private network resources directly.

For smaller organisations, software firewall solutions can be installed directly onto each machine to offer limited protection. In fact, to this end, McAfee now includes an Integrated Personal Firewall in its VirusScan product and Microsoft includes a basic firewall in Windows XP.
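To make the differences between the filtering types above concrete, here is an added example (not code from the article or from any product it names) that models a stateless packet filter with user-defined rules, the anti-spoofing ingress check that closes the IP spoofing weakness described under packet filtering, and a minimal stateful inspection table that only admits packets belonging to a connection it has already seen. The LAN range, rule set and traffic are all constructed for the example and use RFC 5737 documentation addresses.

```python
# Added example (not from the ZDNet article): a toy stateless packet filter,
# an anti-spoofing ingress check, and a minimal stateful-inspection table,
# run over constructed packets. Addresses are RFC 5737 documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

INTERNAL_NET = ip_network("192.0.2.0/24")   # constructed: the LAN behind the firewall
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. frozenset({"SYN"})
    iface: str = "ext"               # interface the packet arrived on: "ext" (Internet) or "int" (LAN)

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

# User-defined rules, first match wins: the LAN may open TCP connections to anywhere.
RULES = [
    Rule("allow", INTERNAL_NET, ANY, proto="tcp"),
    Rule("deny", ANY, ANY),
]

def packet_filter(p: Packet, rules=RULES, default="deny") -> str:
    """Stateless packet filter: judge each packet on its headers alone."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

def anti_spoof(p: Packet) -> bool:
    """Ingress filter: a packet from the Internet may not claim a LAN source address."""
    return not (p.iface == "ext" and ip_address(p.src) in INTERNAL_NET)

class StatefulFirewall:
    """Stateful inspection: packets are judged against a table of known connections."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = set()   # (proto, src, sport, dst, dport) of connections we allowed

    def inspect(self, p: Packet) -> str:
        if not anti_spoof(p):
            return "deny"
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.state or reply in self.state:
            return "allow"                     # part of a tracked connection
        # Not in the table, so it must be a legitimate connection opening: for TCP
        # that means a bare SYN. A SYN-ACK or ACK with no matching entry is not a
        # standard use of the protocol and is rejected.
        if p.proto == "tcp" and p.flags != frozenset({"SYN"}):
            return "deny"
        if packet_filter(p, self.rules) == "allow":
            self.state.add(key)
            return "allow"
        return "deny"

def run_demo() -> dict:
    """Constructed traffic; returns {label: (stateless verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    traffic = [
        ("lan_opens_web",   Packet("192.0.2.10", "198.51.100.5", "tcp", 40000, 80, SYN, "int")),
        ("web_replies",     Packet("198.51.100.5", "192.0.2.10", "tcp", 80, 40000, SYNACK, "ext")),
        ("inbound_syn",     Packet("203.0.113.9", "192.0.2.10", "tcp", 5555, 22, SYN, "ext")),
        ("stray_ack",       Packet("203.0.113.9", "192.0.2.10", "tcp", 80, 40001, ACK, "ext")),
        ("spoofed_lan_src", Packet("192.0.2.20", "192.0.2.10", "tcp", 5555, 445, SYN, "ext")),
    ]
    return {label: (packet_filter(p), fw.inspect(p)) for label, p in traffic}

if __name__ == "__main__":
    for label, (stateless, stateful) in run_demo().items():
        print(f"{label:16s} stateless={stateless:5s} stateful={stateful}")
```

Two rows of the output carry the lesson. The stateless filter cannot tell a web server's reply from an unsolicited inbound packet, so with only these two rules it drops the reply; a real packet filter needs a loose "allow inbound to high ports" rule for that, which is exactly the kind of hole the stateful table avoids by remembering the outbound SYN. And the packet that arrives from the Internet with a forged LAN source address sails through the stateless rules, because nothing in the headers says it is a lie; the ingress check that refuses internal source addresses on the external interface is the standard mitigation.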

Screening specifics

There are a number of firewall screening methods. One simple approach is to screen requests to make sure they come from a list of acceptable domains or IP addresses. Unfortunately this method is also very easy to circumvent.

It is unlikely that all your organisation's "legal" external client systems are very secure, and typically an intruder might be able to insinuate themselves into one of these systems to bypass your firewall.

Of course, they must then overcome your LAN's own security, so both this and your firewall security must be as robust as possible. To allow mobile users access to a network, firewalls make use of secure logon procedures and authentication certificates.

Most of the security-related problems on the Internet come from so-called "script kiddies", people who find software available on the Internet and use it to try to break into systems.

Less common, but more difficult to keep out, is the dedicated cracker who delves into the code and may spend many months "casing" a company and looking for weaknesses.

In fact, a firewall should be just one part of an overall security policy, which will include many aspects such as physical security (can someone walk in and physically steal a copy of your data?), or social engineering (where the cracker rings up pretending to be from the IT office and asks, "We're having a few problems with your setup, can I have your username and password?").

Four essential components of end-user firewall training

Policies of any kind are difficult to implement, but IT policies seem to be even more troublesome. Most employees have no idea what the IT department does or why. They don't understand that when you take their screensaver away, you have a very good reason for doing so (to avoid having to troubleshoot their PC later). Accordingly, new IT policies are rarely met with enthusiasm; they usually eliminate something employees enjoy using.

This is why end-user firewall policy training is critical. Users must understand why your organisation has a firewall and how important following the policy is. Here are four techniques you can use to train your end users on a new or existing firewall policy.

  • 1. Have a written policy and user agreement

    When an IT department establishes its firewall policy, it should work with the human resources department to draw up a contract for all employees to sign. In essence, tell employees they are being given Internet access, but they have to use it appropriately.

    Then, before anyone gets an account on the firewall, they have to sign this document. Having a written contract serves a dual purpose. It is an introduction to the policy and helps protect the organisation if employees abuse their Internet access.

  • 2. Personalise the need for security

    Unfortunately, just signing the agreement isn't enough. Employees must understand the importance of surfing the Net with their life jackets on.

    To help get that message across, give employees specific examples of how inappropriate use of the Internet can hurt their job performance. For example, a breach in security could corrupt or destroy a spreadsheet that took all day to create.

    By bringing it to a level that personally affects them and their hard work, employees are more likely to follow security procedures. The occasional virus that does infect your network is also a good wake-up call.

    If your company is hit by a virus, try to use the incident to stress the importance of security policies. Obviously, being hit once a month with a virus isn't a very productive way to remind your users about security, but you should take advantage of the opportunity if it presents itself.

  • 3. Periodically reinforce safety procedures

    The company's newsletter is also a good place to issue reminders about the importance of Internet and e-mail safety. These reminders could be placed in a small box that contains a safety tip users can utilise at work as well as at home.

    Most employees take the time to read the company newsletter, and a written security tip might be just the thing to remind them about the importance of the security policy.

    Occasionally send out a "tips and tricks" e-mail to users that includes software tips and shortcuts. Adding safety warnings and advice in these e-mails is another way to get the security message to the masses.

    Messages such as "Don't share your password with anyone" or "Don't leave your Internet connection open when you leave your computer" remind users of important but easily forgotten safety precautions.

  • 4. Stress management support

    Of course, no firewall policy is effective without management support. It is management's responsibility to ensure their staff is working and not spending their days surfing online auctions (unless that is their job).

    It's important to get management support right from the beginning of your firewall project. Let them know what you expect from them, and what information you will be providing to help them enforce the firewall policy.

    Producing monthly or bimonthly firewall logs for department managers is a great way to help monitor employees' Internet usage. Remind management that there's only so much the IT department can do without their backing.

Do you need VPN capabilities?

If you're implementing site-to-site encryption, get a firewall with built-in VPN capabilities. Be sure to select one that also supports a secure remote access VPN client.

And be sure the VPN supports IPSec, the most popular standard in VPN encryption protocols, since more add-on auxiliary security services and products interoperate with IPSec than any other security protocol.

What Can't a Firewall Do?

Firewalls can't protect your network from everything. Nor are they always 100 percent effective. Firewalls only inspect traffic that passes through them, so they can't protect you from attacks that may arrive over dial-up lines that bypass the firewall.

Finally, your firewall can't protect you against someone who's really determined to get past it. Firewalls will protect your network against 99.9 percent of the troublemakers out there. But, as with most man-made security measures, there are always ways to bypass firewalls.

These methods include rogue programs, Trojan horses, IP tunnelling, and exploiting holes found in buggy software. If you want to be 100 percent secure from outside attack, all you can do is pull the plug.

Copyright © 2009 CBS Interactive, a CBS Company. All Rights Reserved.
ZDNET is a registered service mark of CBS Interactive. ZDNET Logo is a service mark of CBS Interactive.