Network Security: Firewall Reality Check

Strategies That Can Make The Difference

By RIVKA TADJER

Top firewalls from major vendors have never been more adept. But the important news flash is that they are not plug-and-play, fail-safe devices - and they likely never will be. Two pesky and unavoidable variables prevent firewall implementation from being simple: human beings and a network design that includes lots of external sources. In other words, every intranet today that has a Web operation, remote users and a VPN.

Here's a scary statistic: The FBI Computer Crime Unit reports that more than 80 percent of all network security breaches are inside jobs - and that doesn't even include remote employees. These hacks are compliments of the trusted employees sitting in offices and cubicles right around you. So if you were thinking that you could save a little money and some headaches by deploying firewalls only for external connections, such as your Web server and remote users, think again. That's just one of many strategic decisions you have to make. It gets much more complicated.

Today, the things that top-of-the-line firewalls from Cisco, Check Point Software Technologies Ltd., Digital Equipment, IBM, Secure Computing Corp., Sun Microsystems, Trusted Information Systems Inc. and other heavy hitters are best at are securing multiple layers on the network and network performance management, monitoring and auditing. And management tools let you streamline the overhead for which negotiating traffic through firewalls is famous.

So, with the right strategies in place - which we'll outline here - you can deploy firewalls without bringing the network to its knees. You also can create digital paper trails, so once someone does hack in, you can catch the person. And with enough coaxing, you may even get users to whine a little less about having to change passwords and put up with layers of security.
Intrusion Detection: No Easy Solution

The problem is that a good audit report doesn't prevent someone from sending a Trojan horse - which could be, say, a nice friendly-looking virus that automatically reformats your CEO's hard drive next time he reboots his PC. The prowess firewalls still lack overall today is comprehensive intrusion detection features that proactively seek out breaches in the network and are programmed to take evasive action. Exceptions are customized programming solutions from Network-1, a New York-based firewall consultancy, and Internet Security Systems Inc. (ISS). Check Point Software, the mustang of firewall products, is reportedly working on a joint venture with ISS.

The point is, there's no out-of-the-box solution. And, even with customized programming solutions, you have to think about all the strategic variables before you can competently set criteria for the intrusion detectors. This whole undertaking is so network- and user-dependent that you're talking about either a consultant's job or some serious time and money devotion on your part. Still, it's perhaps the most overarching strategic firewall decision to consider. Think about it: The CEO might see you in a more forgiving light if you could walk into his office and say: "Employee X tried to send you a Trojan horse" instead of, "Uh, your hard drive is toast, but I know who did it."

That said, keep in mind that there is one truism about network security: There are no unhackable networks. What you want to try and do with firewall technology, then, is maximize protection and network performance. Also, try and persuade honest users not to sabotage your efforts by doing stupid, albeit unwitting, things like leaving their passwords on Post-it notes stuck to their monitors.

Here's a rundown of the variables you need to consider and do something about before and after you purchase firewalls.

Understand The Cost.
You and your company executives must accept the fact that securing your network is going to be expensive. High-end firewalls with elaborate management and intrusion detection tools cost upward of $20,000. And that doesn't include consulting fees, your time and the staff training expense. You are going to need multiple firewalls to protect internally as well as externally, and you need to get executives to understand this.

Three Kinds Of Firewalls.

There are three types of firewalls from which to choose: packet filters, proxy servers and multilayer inspection servers. The difference has to do with how they handle external traffic. Think carefully about what each does before deciding - you may need a combination.

A packet filter can be as simple as a router configured with access lists permitting and denying appropriate packet types. Packet filters can be configured to allow TCP communications only when they are initiated from the internal network.

The good news is that application-level proxy server firewalls, such as Digital's AltaVista Firewall and Raptor Systems Inc.'s EagleNT, up the ante with packet-filtering capabilities. Such firewalls typically support local caching of Web content and address translation, which hides your internal IP addresses from Internet surfers.

Multilayer inspection servers are generally more secure than basic packet filters. These firewalls also are more flexible than their application-level counterparts. Although proxy servers require a proxy for every application you wish to use, these don't. As with packet filters, you decide which packets will pass through your firewall based on the protocol, port, source and destination of IP addresses. Good examples of these flexible firewalls are Check Point's FireWall-1 and Network-1's Firewall/Plus.

Be sure to set an overall security budget, and remember, you also will have to deal with the human factor. So, review security policies and procedures and set them if they don't exist.
Security basics include firewalls, a dedicated box for each firewall, password policies for servers with mission-critical data, data encryption, backup systems (with their own security), user account management and training. Also, go over precisely what you want to protect - force management to make concrete decisions so you don't have to spend more money than necessary.

Do not, under any circumstance, cut corners when it comes to the whole company's staff training. All network users should understand why they have to change passwords every 90 days and be mindful of reckless Post-it note habits. Tech support should understand why they shouldn't change passwords over the phone. Anyone can fake the CEO's voice over a phone and get a new password for the CEO's PC. You should seriously talk about deploying hardware password tokens to remote workers and telecommuters. Some firewalls have E-mail monitoring capability; talk this policy over with executive management.

You can spend hundreds of thousands of dollars deploying firewalls only to have the staff, the innocent ones - not the hackers - do things daily that seriously compromise security. You need management on your side so that you can ignore the thousandth complaint of "This is such a pain. I hate changing my password."
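
The packet-filter rule described under "Three Kinds Of Firewalls" (TCP allowed only when initiated from the internal network), as an added example that is not from the original article or any vendor's product. It goes one step beyond the text by running the same policy through a connection-tracking filter, to show where a header-only access list and a filter that remembers connections disagree. The 10.0.0.0/8 internal range, the names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
Packet = namedtuple("Packet", "proto src sport dst dport flags")  # flags: set of TCP flags

def internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def stateless_filter(p):
    """Access-list decision made from this one packet's header fields only."""
    if p.proto != "tcp":
        return "deny"
    if internal(p.src) and not internal(p.dst):
        return "permit"  # internal hosts may open and continue connections
    if internal(p.dst) and not internal(p.src) and p.flags & {"ACK", "RST"}:
        return "permit"  # ACK or RST set, so it is not a new inbound connection
    return "deny"        # bare inbound SYN, and everything else

class StatefulFilter:
    """Same policy, but inbound packets must match a connection seen leaving."""
    def __init__(self):
        self.conns = set()  # (internal ip, internal port, external ip, external port)

    def check(self, p):
        if p.proto != "tcp":
            return "deny"
        if internal(p.src) and not internal(p.dst):
            if p.flags == {"SYN"}:
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "permit"
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return "permit"
        return "deny"

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Packet("tcp", "10.1.2.3", 40000, "203.0.113.10", 80, {"SYN"}),         # outbound open
    Packet("tcp", "203.0.113.10", 80, "10.1.2.3", 40000, {"SYN", "ACK"}),  # its reply
    Packet("tcp", "198.51.100.7", 5555, "10.1.2.3", 23, {"SYN"}),          # inbound open
    Packet("tcp", "198.51.100.7", 5555, "10.1.2.3", 23, {"ACK"}),          # ACK, no connection
]

def compare(packets):
    """Return (stateless, stateful) decisions for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.check(p)) for p in packets]
```

The two filters agree on the first three packets; on the fourth, the header-only rule permits a packet that belongs to no connection, while the connection-tracking filter denies it.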
Copyright © 2010 CMP Media LLC