Firewalls provide a critical role in providing protection from undesirable Internet activity.
Firewalls are fundamentally software processes, so a firewall can be no more secure than the operating system underlying it. Some firewall producers customize an operating system, usually Unix, and install their firewall software in a sealed box. These systems are marketed as firewall appliances and are designed to provide an additional layer of security. More importantly, the kernels of these customized
When a LAN is connected to a public network, the LAN is exposed to spies, thieves, hackers and a variety of other threats. Because the Internet has come to play such a critical role in everyone's networking strategy, protection from threats like these is a necessity. One of the central elements of safe networking is a properly designed and configured firewall.
There are three basic designs for firewall operation. The first, and simplest, is the packet filter. Most routers can be configured to filter packets based on a comparison of packet contents with filter specifications. For example, particular IP addresses or subnets, TCP or UDP port numbers, or combinations of these can be denied passage.
Adding a security-based filter step to the packet forwarding process of routers is easily done and can have very high performance. Unfortunately there are a number of ways of getting around simple filtering. For example, an attacker can spoof packets to seem as if they come from an acceptable source.
The second basic firewall design enhances packet filtering so that it can't be bypassed by these measures. This process is known as stateful inspection. Stateful inspection extends the packet-by-packet filtering process to include multipacket flows.
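The two designs just described, as an added example that is not from the original article: a stateless packet filter whose only way to admit web replies is "anything inbound from TCP port 80", beside a stateful filter that records flows the inside started and admits inbound packets only when they belong to one. The trusted network (10.0.0.0/8), the rule set and the packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # constructed trusted network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False

    def direction(self) -> str:
        return "out" if ipaddress.ip_address(self.src_ip) in INSIDE else "in"


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str                 # "in" or "out"
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction():
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_net and ipaddress.ip_address(p.dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.src_port is not None and self.src_port != p.src_port:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        return True


def packet_filter(rules: List[Rule], p: Packet) -> str:
    """Stateless filter: first matching rule wins, default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed rule set: inside hosts may browse the web, and replies must get
# back in.  A stateless filter can only express "replies" as "anything from
# TCP port 80", which is exactly the hole a spoofed source port walks through.
RULES = [
    Rule("allow", "out", proto="tcp", src_net="10.0.0.0/8", dst_port=80),
    Rule("allow", "in", proto="tcp", src_port=80, dst_net="10.0.0.0/8"),
]


class StatefulFilter:
    """Stateful inspection: apply the rules to outbound packets, remember each
    permitted flow, and admit an inbound packet only if it is the reverse of a
    remembered flow.  Inbound rules are deliberately not consulted."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple] = set()

    def check(self, p: Packet) -> str:
        forward = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if p.direction() == "out":
            if packet_filter(self.rules, p) == "allow":
                self.flows.add(forward)
                return "allow"
            return "deny"
        return "allow" if reverse in self.flows else "deny"


def demo() -> dict:
    # Constructed traffic: a genuine web request and its reply, plus an
    # unsolicited inbound packet whose source port merely claims to be 80.
    client_syn = Packet("10.1.1.5", "203.0.113.10", "tcp", 40000, 80, syn=True)
    reply = Packet("203.0.113.10", "10.1.1.5", "tcp", 80, 40000, syn=True, ack=True)
    spoofed = Packet("198.51.100.7", "10.1.1.9", "tcp", 80, 1234, ack=True)
    sf = StatefulFilter(RULES)
    return {
        "stateless_reply": packet_filter(RULES, reply),      # allow
        "stateless_spoofed": packet_filter(RULES, spoofed),  # allow: the hole
        "stateful_syn": sf.check(client_syn),                # allow, flow recorded
        "stateful_reply": sf.check(reply),                   # allow, matches flow
        "stateful_spoofed": sf.check(spoofed),               # deny, no such flow
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stateless filter admits the unsolicited packet because its rule has no notion of "reply"; the stateful filter denies it because no inside host opened that flow. A production implementation would also expire flows (on FIN/RST or by timeout) and keep explicit inbound rules for published services.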
The third firewall design is the application proxy. With a pure application proxy, no traffic at all goes through the firewall. Instead, the application proxy behaves like a server to clients on the trusted network and like a client to servers outside the trusted network.
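The application-proxy idea, as an added example that is not from the original article: the proxy parses the client's HTTP request at the application layer, enforces a policy a packet filter could not express (permitted methods, permitted destination hosts, well-formed headers), and then builds a fresh request to send upstream in its own name, so no client bytes pass through unexamined. The policy sets and the sample requests are constructed.

```python
from dataclasses import dataclass

ALLOWED_METHODS = {"GET", "HEAD"}          # constructed policy
ALLOWED_HOSTS = {"www.example.com"}        # constructed policy
FORWARDED_HEADERS = ("accept", "user-agent")


@dataclass
class ProxyDecision:
    allowed: bool
    reason: str
    forwarded: bytes = b""   # the request the proxy itself would send upstream


def proxy_request(raw: bytes) -> ProxyDecision:
    """Parse the client's request, apply application-layer policy, and rebuild
    the request from scratch.  Anything the policy does not recognise is
    dropped rather than relayed."""
    try:
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, target, version = lines[0].split(" ")
    except (ValueError, UnicodeDecodeError):
        return ProxyDecision(False, "malformed request line")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return ProxyDecision(False, "unsupported version")
    if method not in ALLOWED_METHODS:
        return ProxyDecision(False, f"method {method} not permitted")

    headers = {}
    for h in lines[1:]:
        name, sep, value = h.partition(":")
        if not sep or not name.strip():
            return ProxyDecision(False, "malformed header")
        headers[name.strip().lower()] = value.strip()

    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return ProxyDecision(False, f"host {host!r} not permitted")
    if not target.startswith("/") or ".." in target:
        return ProxyDecision(False, "bad request target")

    # Rebuild: only whitelisted headers survive, and the proxy identifies
    # itself, so the client's own identity and extra headers never reach
    # the server.
    out = [
        f"{method} {target} HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "Via: 1.1 app-proxy",
    ]
    for name in FORWARDED_HEADERS:
        if name in headers:
            out.append(f"{name.title()}: {headers[name]}")
    forwarded = ("\r\n".join(out) + "\r\n\r\n").encode("ascii")
    return ProxyDecision(True, "ok", forwarded)


if __name__ == "__main__":
    sample = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: demo\r\nX-Internal-Token: secret\r\n\r\n")
    print(proxy_request(sample))
```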
In the mid-'90s, it was common for tests to be designed around speed of processing. Unfortunately fast performance from a firewall may mean that security is lacking, and really tells nothing about how well a firewall is operating. Testing for security is difficult. It's impossible to prove that every vulnerability has been eliminated. There are some online tests. Security scanner tools that have gathered together all known exploits can be run against firewalls, but that isn't the same as proving invulnerability.
Other Issues
While understanding firewall architectures and technical vulnerabilities is essential to protecting the enterprise network, developing an appropriate security policy is perhaps even more important. Establishing policy requires understanding the value of data, of undisrupted business processes, of various forms of legal and fiduciary liability, and other nontechnical organizational matters.
IT and security people can help ask the right questions, but they aren't the last word on such issues. Once enterprise management determines the fundamental policy guidelines, technical people can implement practices and procedures to carry out those guidelines.
Additionally it is important to understand that a misconfigured firewall can be more dangerous than none at all, because it may be configured to allow the wrong people unrestricted access to dangerous areas of the computer.
A related issue is firewall management. Large enterprises will have numerous firewalls to deploy and will want to implement similar policies in many locations. Some enterprises will also use internal firewalls to protect against potential internal threats; the configuration of these will differ from that of firewalls that protect against external threats. Consistency and flexibility are important for these internal firewalls too.
Firewall logs are critical for anticipating threats, for postmortems after attacks, and for understanding future requirements. Application proxy firewalls, which have the most detailed information about traffic, can provide the most detailed logs. Logs often serve to trigger alarms: you can be paged in the middle of the night when a Distributed Denial of Service (DDoS) attack hits an e-commerce site. Logs provide valuable evidence after successful or unsuccessful firewall activities, and they can certainly play an important role in tracing intruders, in convicting them once they're caught, and in proving that your site took pains to prevent intrusions.
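The alarm-from-logs idea, as an added example that is not from the original article: a small detector that parses firewall drop records and raises one alert per target when the number of distinct source addresses hitting that target within a sliding window reaches a threshold, which is the signature a DDoS leaves in the log that a single scanner does not. The log line format, the timestamps, the addresses and the threshold are all constructed for the demonstration and do not correspond to any vendor's log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed format: "<ISO time> <ALLOW|DROP> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (ALLOW|DROP) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line: str) -> Optional[Dict]:
    """Return a parsed event, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def ddos_alerts(lines: List[str], window: timedelta = timedelta(seconds=60),
                min_sources: int = 50) -> List[Dict]:
    """Sliding window per (dst, dport) over DROP events: alert the first time
    the count of distinct source addresses inside `window` reaches
    `min_sources`.  One alert per target, so a sustained flood pages once."""
    events = [e for e in map(parse_line, lines) if e and e["action"] == "DROP"]
    events.sort(key=lambda e: e["ts"])        # stable: same-second order kept
    recent = defaultdict(list)                # (dst, dport) -> [(ts, src), ...]
    alerts, alerted = [], set()
    for e in events:
        key = (e["dst"], e["dport"])
        bucket = recent[key]
        bucket.append((e["ts"], e["src"]))
        cutoff = e["ts"] - window
        while bucket and bucket[0][0] < cutoff:   # drop events outside window
            bucket.pop(0)
        distinct = {src for _, src in bucket}
        if len(distinct) >= min_sources and key not in alerted:
            alerted.add(key)
            alerts.append({"target": key, "at": e["ts"], "sources": len(distinct)})
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: a lone host probing SSH every ten minutes (noise),
    then 60 distinct sources hitting the web server within twenty seconds."""
    base = datetime(2024, 5, 1, 2, 13, 0)
    lines = []
    for i in range(6):
        t = (base - timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{t} DROP tcp 198.51.100.9:5100 -> 203.0.113.5:22")
    for i in range(60):
        t = (base + timedelta(seconds=i // 3)).isoformat()
        lines.append(f"{t} DROP tcp 192.0.2.{i + 1}:{40000 + i} -> 203.0.113.5:80")
    lines.append("this line is not a firewall record")   # ignored by the parser
    return lines


if __name__ == "__main__":
    for a in ddos_alerts(constructed_log()):
        print(f"ALERT {a['at'].isoformat()} target={a['target']} distinct_sources={a['sources']}")
```

The single SSH prober never triggers anything because the detector counts distinct sources, not packets; the web server crosses the threshold on the fiftieth distinct address and is reported once. Real deployments would tune the window and threshold per service and feed the alert into whatever pages the on-call engineer.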
Firewalls can't be expected to do the impossible. If there are back doors into your network, such as desktop or laptop machines with dial-up Internet accounts, or home cable-modem users with access to your network, the firewall can't defend those pathways. Successful firewall operations are dependent on the device being a single point of contact between the untrusted network and the trusted network.
Furthermore, firewalls installed to protect the internal network from outside intruders are no help against insiders. Firewalls don't replace access controls on servers, file systems, databases, or applications. Nor can they protect the network from viruses.
However, if a firewall is well thought out and properly configured, it can keep even dedicated attackers from wreaking havoc on a network.