DBMS, February 1997
Evaluating Firewalls
A security measure for protecting corporate assets.
Organizations are moving quickly to embrace the Internet's ubiquitous infrastructure and platform for information dissemination. At the same time, I sense real fear about how far to go with this emerging platform. Therefore, I hear many IT managers deciding to implement an Intranet rather than an Internet Web site. I suspect that this distinction comes from worries about security. Many companies are simply reluctant to open up their corporate infrastructure to a host of customers and suppliers before they have a firm security policy. Two first steps are required: establishing a well-thought-out corporate security policy, and then establishing a firewall. In this article, I look at how organizations can begin to establish a plan for both the Internet and Intranets.
Establishing a Security Policy
There is more than meets the eye to establishing a security policy for a company. First, an organization must determine the degree of security it requires and why. It is possible, for example, to lock every piece of data in the company so tightly that no one can possibly get in. However, the cost of implementing such a level of security might be prohibitive. In certain industries, top levels of security may be mandated (for instance, where most of the information stored consists of key trade secrets). On the other hand, in many organizations, only certain types of information are so critical that they require top levels of security.
No matter what security level is needed, all organizations must take certain steps to ensure a basic level of protection. For example, do employees keep their various passwords taped to their workstations? Are passwords changed frequently? Do employees leave important information readily visible on their workstations when they go to meetings? These may sound straightforward and obvious, but even the most sophisticated security won't help if these basics are ignored. Although management may be wary about intrusion from the outside, internal problems may be an even greater security threat. So make sure every employee has training so that security becomes part of the routine.
Firewalls: A Place to Start
Once an organization has a well-articulated security policy for all employees and understands just how much security it wants and needs to pay for, it is important to implement a firewall. Firewalls can offer a form of resource protection. Firewalls are hardware/software tools designed to help manage network access and implement an organization's security policy through network configuration, hosts and routers, and filters. Choosing the appropriate firewall solution is an arduous task because of the quantity of products on the market, the differences among offerings, and the rapid pace at which technology changes. When evaluating firewalls, weigh the following issues:
- Administrative Functionality. Administrators must be able to install and configure a firewall with relative ease. They must also be able to verify operations and manage security proactively. These goals can best be achieved by a firewall based on an underlying object-oriented, rules-based technology. Necessary administrative functions that can be built on top of such a technological framework include logging, auditing, and reporting; alerting; and documentation and administrative utilities.
- Firewall Security Services. Firewalls are expanding their role as the Internet gatekeeper to include virtual private networking and the compartmentalization of private networks. Firewalls can best perform these new roles by incorporating security services such as address translation, advanced authentication, and encryption. When considering a firewall, make sure that it offers address translation, because many organizations have invalid IP addresses on their private networks. To meet the needs of a diverse customer base, firewalls should offer more than one method of address translation. In addition, you should choose a firewall that supports advanced authentication (the verification of identification). Advanced authentication schemas are based on a combination of two or more of the following: something the person knows, such as a password; something the person has, such as a smartcard or authentication token; and something unique to the person, such as a fingerprint or signature. Encryption translates data into a format unreadable by anyone who does not have the correct decryption key. It is crucial for firewalls to support encryption among firewalls, between clients and firewall, and between remote administrative workstation and firewall. With encryption capability between clients and firewall, remote users can securely transmit data to and from a private network. Encryption among firewalls and between firewalls and remote administration is the foundation for virtual private networking.
- Security of the Firewall System Itself. Ensuring a secure physical configuration is the first step in achieving a secure firewall. Dedicating the firewall machine and modifying the host operating system are just as integral: a dedicated machine offers more security than a shared machine. Shared hosts usually contain user accounts and thus passwords and privileges. With a dedicated machine, it is unlikely that user accounts will be maintained on the firewall, thus limiting password-cracking attacks. Additionally, isolating a firewall on its own host removes the possibility of an attacker gaining access via another server running on the firewall system. The fewer programs running on a machine, the less an intruder has to work with -- and the less likely the firewall system will be breached.
- Support for Standard and New Computing Services. To keep up with the rapid pace of technology change, firewalls must support new services with ease and speed. Adding support for a new service on a packet-filtering firewall is a matter of adding a rule to the rules table, taking care to use the correct syntax. Most hybrid firewalls are flexible in their ability to support new services, and most ship with support for many popular computing services. Usually an administrator defines a new service on a hybrid firewall by assigning it a name and port and giving it a list of parameters. The administrator then adds a rule or rules concerning the new service to the rules database. For application gateways, adding support for a new service entails coding a new proxy or customizing a generic configurable proxy and then compiling that code on the firewall. Generic proxy configuration should be straightforward but often is not. Coding a proxy from scratch can take days or years, depending on the complexity of the program.
- Platform and Protocol Support. Most firewalls are Unix-based, with one or two leaders supporting Windows NT. Few firewalls are designed to run on DOS or Windows because both are insecure operating systems. Prospective buyers must know not only which platforms a firewall runs on, but also which platforms the administrative software runs on.
- Vendor Risk Assessment. The number of firewall companies is rapidly increasing. At least 45 vendors offer commercial firewall products. I expect this group to diminish to a dozen or fewer within the next one to two years. This reduction will occur through merger, acquisition activity, or company failure and market exit. In this climate, it is critical to select a firewall vendor with a leadership position in the space. Organizations should look for extremely compelling, differentiated technology and sound management resources. Otherwise, businesses may find themselves with a discontinued and unsupported network security product -- and thousands of wasted dollars.
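The rules-table behaviour described under "Support for Standard and New Computing Services", together with the logging and auditing function listed under "Administrative Functionality", can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the article, from Hurwitz Group, or from any firewall product. It models a packet-filtering firewall as an ordered rules table with first-match semantics and a default-deny fallback, validates rule syntax at insertion time (the "taking care to use the correct syntax" point), records every decision in an audit log, and shows how a new service is added by appending a named rule. All addresses (documentation ranges such as 192.0.2.10 and 203.0.113.0/24), ports, service names and sample packets are constructed for the demonstration.

```python
"""Rules-table packet filter simulation (added example, not the article's code).

Assumptions: a stateless filter that matches on protocol, source network,
destination network and destination port; rules are evaluated in order and
the first match wins; anything unmatched is denied and logged.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form, "0.0.0.0/0" = any
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""      # service name or reason, kept for the audit log

    def __post_init__(self) -> None:
        # Reject malformed rules at insertion time rather than at match time:
        # a rule with bad syntax silently never matching is a common failure.
        if self.action not in ("allow", "deny"):
            raise ValueError(f"bad action {self.action!r}")
        if self.proto not in ("tcp", "udp", "any"):
            raise ValueError(f"bad protocol {self.proto!r}")
        ip_network(self.src)   # raises ValueError on a malformed CIDR
        ip_network(self.dst)
        if self.dport is not None and not 0 < self.dport < 65536:
            raise ValueError(f"bad port {self.dport}")

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    def __init__(self) -> None:
        self.rules: List[Rule] = []
        self.audit: List[str] = []   # one line per decision, for logging/auditing

    def add_service(self, name: str, proto: str, dport: int,
                    src: str = "0.0.0.0/0", dst: str = "0.0.0.0/0") -> None:
        """Define a new service by name, protocol and port, and allow it."""
        self.rules.append(Rule("allow", proto, src, dst, dport, comment=name))

    def deny(self, proto: str = "any", src: str = "0.0.0.0/0",
             dst: str = "0.0.0.0/0", dport: Optional[int] = None,
             comment: str = "") -> None:
        self.rules.append(Rule("deny", proto, src, dst, dport, comment))

    def decide(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for a packet, logging which rule decided."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.audit.append(
                    f"{rule.action.upper()} rule#{index} {rule.comment!r} {pkt}")
                return rule.action
        # Nothing matched: default deny, logged so the administrator can see
        # traffic the rules table does not yet describe.
        self.audit.append(f"DENY default {pkt}")
        return "deny"


def build_demo_filter() -> PacketFilter:
    """Constructed rules table: one blocked source range, one public web server."""
    fw = PacketFilter()
    # Order matters: this deny sits above the web allow, so the blocked range
    # cannot reach the web server even though port 80 is open to everyone else.
    fw.deny(src="203.0.113.0/24", comment="blocked-range")
    fw.add_service("www", "tcp", 80, dst="192.0.2.10/32")
    return fw


if __name__ == "__main__":
    fw = build_demo_filter()
    fw.decide(Packet("tcp", "198.51.100.7", "192.0.2.10", 80))   # allow (www)
    fw.decide(Packet("tcp", "203.0.113.5", "192.0.2.10", 80))    # deny (ordering)
    fw.decide(Packet("tcp", "198.51.100.7", "192.0.2.10", 443))  # deny (default)
    fw.add_service("https", "tcp", 443, dst="192.0.2.10/32")     # add a service
    fw.decide(Packet("tcp", "198.51.100.7", "192.0.2.10", 443))  # allow (https)
    print("\n".join(fw.audit))
```

Two points the simulation makes visible: a rule placed above another changes the outcome for everything it covers, so the position of a newly added service rule is part of its "syntax"; and the default-deny line in the audit log is the administrator's signal that a service is in use but not yet described in the rules table.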
The presence of a firewall tends to lull organizations into the assurance that their resources are safe. Organizations must remember, however, that firewalls make up only one small part of the security picture. Modems and floppy diskettes are additional ways for information to leak out of an organization -- and for "the bad guys" to get in. Administrators must establish internal access controls to information resources and then define these access controls on a firewall. Network communications and sensitive data stored on internal systems should be encrypted. And all of this should be founded on a solid security policy and wrapped in a blanket of security administration.
Judith Hurwitz is president and CEO of Hurwitz Group Inc., a technology and management consulting company based in Newton, Massachusetts. You can email Judith at jhurwitz@hurwitz.com or visit her company Web site at www.hurwitz.com.
DBMS and Internet Systems (http://www.dbmsmag.com)
Copyright © 1997 Miller Freeman, Inc. ALL RIGHTS RESERVED
Updated Wednesday, January 22, 1997.