Timothy Parker Consulting Incorporated

Firewalls

The last few columns on the subject of encryption had two purposes: not only to help you understand the encryption systems available for protecting LAN and Internet data, but also to lead into the subject of firewalls, proxies, and similar devices. We start with firewalls, something that has been a hot topic for several years now and, despite a slight lull in the media fuss, is still on many network administrators’ lists of important subjects. VARs need to know about firewalls because you will be asked about them.

The idea behind a firewall is simple. Consider a network attached to the Internet through a single machine. (The machine at the point of connection is usually called a gateway, although that term has several meanings.) The gateway has several purposes. The most important for users is that they can access the Internet and all its features (World Wide Web, e-mail, FTP, Usenet, and so on). Users access the Internet by telling their PC where the gateway is (usually by name or IP address) and letting their browsers connect to the Internet through that gateway.

For the network administrator, the important role of the gateway is not letting users out to the Internet but preventing unauthorized access to the internal network from the Internet. Without going into detail now, it is remarkably easy for someone anywhere on the Internet to reach a corporate network. All they need is an IP address, and from there they can try to access any machine on the network, either through machines with no user control or by hacking into user accounts and passwords. So many of the services supported by the Internet have security problems that network administrators often face an impossible task in tightening security on each network machine enough to prevent hacking.

A firewall is a piece of software that sits on the gateway machine. Every time a user wants to access the Internet from the internal network, the firewall checks that they are authorized and sometimes modifies the contents of their data to hide user information and internal IP addresses. When a hacker on the Internet tries to access the internal network, the firewall software steps in and blocks all but specifically authorized users and services. By placing the protection for the internal network on the gateway machine, network administrators have a centralized location to handle security, instead of having to worry about each individual machine on the network. Essentially, the firewall software is like a border crossing, checking each user and every packet of information to make sure they are allowed across the gateway.

Firewalls can be purchased as a self-contained hardware system preloaded with firewall and gateway software, or firewall software can be purchased separately and added to existing hardware. The type of machine used as a gateway doesn’t really matter, as there is firewall software available for every operating system and hardware platform in common use. For smaller networks using a single gateway machine to the Internet, dedicated packages for Windows NT and SCO operating systems are attractive. Windows NT gateways require add-on software to implement a firewall. There are specific versions of SCO OpenServer and SCO UnixWare that already have the firewall functionality embedded in the operating system, and it is active as soon as the operating system is loaded.

Firewall software is seldom inexpensive (although there are several cheap packages that don’t do a good job of protection). For platforms like Windows NT and SCO UNIX or SCO OpenServer it is not unusual to pay $5,000 to $10,000 for firewall software. For larger hardware platforms the price tag can rise over $100,000. Add in the cost of the server itself, and firewalls can become an expensive item. Of all the firewall packages I’ve tested, the one package I’ve repeatedly recommended to customers is Cyberguard’s CyberGuard Firewall (http://www.cyberguardcorp.com). It runs on several smaller platforms, including NT and UNIX, and I have yet to manage to hack into the network when CyberGuard has been properly configured.

This brings up an important point: configuring any firewall product is a time-consuming (and often frustrating) job. Not only do you have to list all the users who are allowed through the firewall, but you also have to control each of the different services individually. Do you want to allow FTP and TFTP? What about rlogin and telnet? Can users on the Internet use finger to find information about internal users? All these pieces of the security puzzle have to be set up. That makes it sound onerous, but it really isn’t that bad. Properly configuring CyberGuard takes about five hours, since the defaults are usually very good. The same applies to other good firewall packages like Firewall One.
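To make the "border crossing" model concrete, here is a small, added illustration (not code from the column or from any firewall product) of a per-service, per-direction rule table with default deny: inbound connections are dropped unless a rule names the service and, optionally, the one internal host allowed to receive it, and outbound traffic passes only for listed services. The address ranges, port numbers, host names and policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses from the RFC 5737 documentation ranges.
INTERNAL_NET = ip_network("192.0.2.0/24")
MAIL_SERVER = "192.0.2.25"   # hypothetical internal mail host

# Well-known ports for the services the column discusses.
PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 69: "tftp", 79: "finger",
         80: "http", 513: "rlogin"}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    direction: str             # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    service: str
    action: str                # "allow" or "deny"
    dst: Optional[str] = None  # restrict an allow to a single internal host

# Hypothetical policy: a few outbound services, inbound mail to one host only.
# Telnet, TFTP, rlogin and finger are not listed, so the default deny covers them.
POLICY = [
    Rule("out", "http", "allow"),
    Rule("out", "ftp", "allow"),
    Rule("out", "smtp", "allow"),
    Rule("in", "smtp", "allow", dst=MAIL_SERVER),
]

def direction(pkt: Packet) -> str:
    """Classify a packet by which side of the gateway each address is on."""
    src_in = ip_address(pkt.src) in INTERNAL_NET
    dst_in = ip_address(pkt.dst) in INTERNAL_NET
    if src_in and not dst_in:
        return "out"
    if dst_in and not src_in:
        return "in"
    return "local"  # never crosses the gateway, so the firewall never sees it

def decide(pkt: Packet, policy=POLICY) -> str:
    """First matching rule wins; anything unlisted is dropped (default deny)."""
    d = direction(pkt)
    svc = PORTS.get(pkt.dport, "unknown")
    for rule in policy:
        if rule.direction == d and rule.service == svc and rule.dst in (None, pkt.dst):
            return rule.action
    return "deny"
```

Adding a service means adding a rule, which is exactly the per-service decision the column describes; forgetting one leaves it blocked rather than exposed.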

It can sometimes be difficult to justify purchasing this type of security for a network, especially for smaller companies with limited IT budgets. The sad truth is that many organizations don’t bother with firewall software until after a break-in has occurred. Selling the firewall software in advance of such an occurrence can be a challenge, especially since many people do not realize how vulnerable their systems are. Convincing management that the investment is worthwhile requires convincing them of the hazards of not having a firewall. Remember that firewalls have several purposes: not only do they control access in and out of the internal network, they also enhance the privacy of the entire internal network (especially when encryption is also employed). Establishing a network security policy is important for all companies (few do it), and a firewall is an important step in reaching that goal.


Send mail to tparker@tpci.com with questions or comments about this web site.
Copyright © 1995-2007 Timothy Parker Consulting Incorporated
Last modified: January 23, 2007