Sunday, April 6, 2008

What to Expect from a Firewall

A common mistake is to assume that a firewall will do more than it can because of its name. In the building trade, a firewall that is used to protect individual units in an apartment complex or a condominium is designed according to rules laid down by the local authorities. In the networking trade, no authorities specify what a product must do to carry the "firewall" label.

In fact, several kinds of applications and devices can be classified as firewalls. Do you need a packet filter? Do you need a device that can perform stateful inspection? Before you answer these questions, first decide what you are trying to protect and what methods you are currently using.

What Do You Want to Protect?

For example, if you have highly confidential information, such as patient records or financial information about customers, you should definitely get some good legal advice on your responsibility in keeping this information from the general public. Keeping important information on a dedicated server that cannot be accessed by ordinary users on your network is the first thing to do. However, assuming that an off-the-shelf firewall application will protect you from outside penetration is being a bit simplistic.

Determine your vulnerabilities and examine your current network. Look at how sensitive data is protected now and look at the means used to access it. Then factor in how your current safeguards will enable you to keep the data secure.

Some information usually is available to everyone in the network. For example, an employee home page that contains information about processes and procedures, such as how to request a vacation or get a purchase order approved, usually will not be considered a high-priority security item. Other information, such as information you keep about your customers, not only is important to your bottom line if you want to keep the customer happy, but also might be confidential, such as a doctor's records about patients. This kind of information should receive your utmost attention when you're trying to decide how it can be accessed after you connect to the Internet. It might be generally available to a large number of employees, depending on your business, or it might be sequestered by OS protections so that only a single department can use this kind of data.

Of course, if you perform your payroll in-house, you are probably already aware of how sensitive this kind of information is. It must be protected from prying eyes both inside your network and outside your network.

Levels of Security

Because different kinds of information are on networks today that need various levels of security, you should carefully structure your network to handle the way information is accessed.

One connection to the Internet, through a firewall, can protect you. However, with one connection and one firewall, you must make sure that the firewall is the most restrictive you need to protect the most sensitive data that you have. One firewall to protect the entire network is one point of failure. One mistake, and the whole network is vulnerable.

Another drawback is that many users resent extremely restrictive access mechanisms and, if allowed, circumvent them.

One method is to segment the internal network and use firewalls not only to keep intruders outside the company from getting access, but also to keep out those internally who might do mischief. Also, by creating different levels of security, you can act to prevent a single security breach that causes extensive damage. This is especially important if your organization (such as a library) offers unsecured wireless access to the public and also has a closed network.

Instead of using a single network, consider creating several smaller networks and using firewall technology to connect them. For example, in-house data that never needs to be accessed from external sources can reside on one network, whereas another network can host machines that provide WWW, FTP, and other services to your external clients. The firewall that connects this network to the Internet would not have to be as restrictive as the one that joins the two networks at your site.
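As an added illustration of the segmented layout just described (not code from the original post), here is a small Python model of the two-firewall design: an outer firewall that admits only the public WWW and FTP services into the segment hosting them, and a stricter inner firewall between that segment and the in-house network. The address ranges, zone names and rules are assumptions chosen for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (an assumption, not from the post).
SEGMENTS = {
    "dmz": ip_network("192.0.2.0/24"),     # public WWW/FTP hosts
    "internal": ip_network("10.0.0.0/8"),  # in-house data, never served outside
}

def zone(addr):
    """Map an address to its segment; anything else is the Internet."""
    a = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if a in net), "internet")

# Rules: (action, source zone, destination zone, TCP port or None for any).
# First match wins; no match is a deny. Only new connections are modelled;
# replies are assumed to be handled by stateful inspection.
OUTER_RULES = [                      # Internet <-> DMZ: the less restrictive one
    ("allow", "internet", "dmz", 80),
    ("allow", "internet", "dmz", 21),
    ("allow", "dmz", "internet", None),
    ("allow", "internal", "internet", None),
]
INNER_RULES = [                      # DMZ <-> internal: the most restrictive one
    ("allow", "internal", "dmz", None),       # staff publish to the DMZ
    ("allow", "internal", "internet", None),
    ("deny", "dmz", "internal", None),        # a hacked DMZ host gets no further
]
# Which firewalls a new connection crosses between two zones.
PATH = {
    frozenset({"internet", "dmz"}): [OUTER_RULES],
    frozenset({"dmz", "internal"}): [INNER_RULES],
    frozenset({"internet", "internal"}): [OUTER_RULES, INNER_RULES],
}

def evaluate(rules, src_zone, dst_zone, port):
    """Apply one firewall's rule list, first match wins, default deny."""
    for action, s, d, p in rules:
        if s == src_zone and d == dst_zone and p in (None, port):
            return action
    return "deny"

def connection_allowed(src, dst, port):
    """True only if every firewall on the path permits the new connection."""
    sz, dz = zone(src), zone(dst)
    if sz == dz:
        return True          # same segment: no firewall sits in between
    return all(evaluate(r, sz, dz, port) == "allow" for r in PATH[frozenset({sz, dz})])
```

The point of the second rule set is visible in the last case: even if a public web host is compromised, the inner firewall still blocks it from opening connections to the in-house segment.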

If you have data that is so confidential that its compromise could do severe harm, you should place it on a computer that does not have a connection to the Internet. Remember, there is no way to guarantee that a computer cannot be hacked via a network, short of pulling the plug.
