
Defining an Access Control Policy

Before you can choose the type or brand of firewall to purchase, you have to ask yourself a very simple question (one that can be very time consuming to answer): What are (or should be) the rules that govern the flow of data traffic in and out of your network? The answers to this question form your access control policy. An access control policy is simply a corporate policy that states which types of access are allowed across an organization’s network perimeters. For example, your organization may have a policy that states, “Our internal users can access Internet Web sites and FTP sites or send SMTP mail, but we will only allow inbound SMTP mail from the Internet to our internal network.”

An access control policy may also apply to different areas within an internal network. For example, your organization may have WAN links to supporting business partners. In this case, you might want to define a limited scope of access across each link to ensure that it is used only for its intended purpose.

An access control policy defines the directions of data flow to and from different parts of the network. It also specifies what types of traffic are acceptable, with the understanding that anything not explicitly permitted is blocked (a default-deny stance). When defining an access control policy, you can use a number of different parameters to describe traffic flow. Some common descriptors that can be implemented with a firewall are listed in Table 5.1.

Tip If you do not have an access control policy, you should create one. A clearly defined access control policy helps to ensure that you select the correct firewall product or products. There is nothing worse than spending $10,000 on new firewall software, only to find that it does not do everything you need it to.

Table 5.1: Access Control Descriptors

Direction: A description of acceptable traffic flow based on direction. For example, traffic from the Internet to the internal network (inbound) or traffic from the internal network heading towards the Internet (outbound).

Service: The type of server application that will be accessed. For example, Web access (HTTP), File Transfer Protocol (FTP), or Simple Mail Transfer Protocol (SMTP).

Specific Host: Sometimes more granularity is required than simply specifying direction. For example, an organization may wish to allow inbound HTTP access, but only to a specific computer. Conversely, the organization may have only one business unit to which it wishes to grant access to Internet Web servers.

Individual Users: Many organizations have a business need to let certain individuals perform specific activities but do not want to open up this type of access to everyone. For example, the company CFO may need to access internal resources from the Internet because she does a lot of traveling. In this case, the device enforcing the access control policy authenticates anyone trying to gain access, to ensure that only the CFO can get through.

Time of Day: Sometimes an organization may wish to restrict access during certain hours of the day. For example, an access control policy may state, “Internal users can access Web servers on the Internet only between the hours of 5:00 PM and 7:00 AM.”

Public or Private: At times it may be beneficial to use a public network (such as Frame Relay or the Internet) to transmit private data. An access control policy may define that one or more types of information must be encrypted as that information passes between two specific hosts or over entire network segments.

Quality of Service: An organization may wish to restrict access based on the amount of available bandwidth. For example, assume that an organization has a Web server that is accessible from the Internet and wants to ensure that access to this system is always responsive. The organization may have an access control policy that limits internal users to a restricted share of bandwidth when a potential client is accessing the Web server. When the client is done accessing the server, the internal users would again have 100 percent of the bandwidth available to reach Internet resources.

Role: Similar to restricting access to individual users, administrators use roles to group individuals with similar access needs. This grouping reduces the complexity of access control and eases administrative workloads.

Be creative and try to envision what type of access control your organization may require in the future. This will help to ensure that you do not quickly outgrow your firewall solution. I have had quite a few organizations tell me that they had zero interest in accessing their local network from the Internet. Many of these same clients came back within six months, looking for an Internet-based remote access solution. Always try to think in scale, not just according to today’s requirements.
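To make the descriptors in Table 5.1 concrete, here is an added example (not code from the chapter) that encodes the chapter's sample policy as a first-match, default-deny rule list and evaluates constructed flows against it. The 10.0.0.0/8 internal range, the 10.0.1.25 mail relay, the rule names and the sample flows are all assumptions made for this example; the 5:00 PM to 7:00 AM Web window is the one from the Time of Day row, and because it crosses midnight it is exactly the case a naive range check gets wrong.

```python
"""Evaluate a default-deny access control policy against sample flows.

Added example illustrating Table 5.1; not from the original chapter.
Addresses, rule names and sample flows are constructed for this example.
"""
from dataclasses import dataclass
from datetime import time
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption): one internal range and one mail relay.
INTERNAL = ip_network("10.0.0.0/8")
MAIL_RELAY = ip_network("10.0.1.25/32")

# Service names from Table 5.1 mapped to the transport and port they run on.
SERVICES = {"http": ("tcp", 80), "ftp": ("tcp", 21), "smtp": ("tcp", 25)}


@dataclass(frozen=True)
class Flow:
    src: str      # source IP of the initiating packet
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    at: time      # wall-clock time the connection is attempted


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                               # "inbound" or "outbound"
    service: str                                 # key into SERVICES
    dst_host: Optional[IPv4Network] = None       # Specific Host; None = any host
    window: Optional[Tuple[time, time]] = None   # Time of Day (start, end)
    action: str = "allow"


def direction_of(flow: Flow) -> str:
    """Classify a flow relative to the internal network (the Direction descriptor)."""
    src_in = ip_address(flow.src) in INTERNAL
    dst_in = ip_address(flow.dst) in INTERNAL
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in and dst_in else "transit"


def in_window(t: time, window: Tuple[time, time]) -> bool:
    """True if t falls in [start, end). A window such as 17:00-07:00 wraps past
    midnight, which a plain `start <= t < end` test would silently reject."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation: the first rule whose descriptors all match decides.
    Anything no rule explicitly permits falls through to the default deny."""
    direction = direction_of(flow)
    for rule in policy:
        proto, port = SERVICES[rule.service]
        if rule.direction != direction:
            continue
        if (flow.proto, flow.dport) != (proto, port):
            continue
        if rule.dst_host is not None and ip_address(flow.dst) not in rule.dst_host:
            continue
        if rule.window is not None and not in_window(flow.at, rule.window):
            continue
        return rule.action, rule.name
    return "deny", "default-deny"


# The chapter's example policy with Table 5.1 descriptors applied: outbound Web
# only 5:00 PM to 7:00 AM, outbound FTP and SMTP at any time, inbound SMTP only
# to the mail relay. Everything else is denied by the fall-through above.
POLICY = [
    Rule("users-to-web", "outbound", "http", window=(time(17, 0), time(7, 0))),
    Rule("users-to-ftp", "outbound", "ftp"),
    Rule("users-send-mail", "outbound", "smtp"),
    Rule("inbound-mail-to-relay", "inbound", "smtp", dst_host=MAIL_RELAY),
]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.5.7", "203.0.113.10", "tcp", 80, time(18, 30)),  # web, inside window
    Flow("10.0.5.7", "203.0.113.10", "tcp", 80, time(12, 0)),   # web, business hours
    Flow("10.0.5.7", "203.0.113.10", "tcp", 80, time(3, 15)),   # web, after midnight
    Flow("198.51.100.4", "10.0.1.25", "tcp", 25, time(9, 0)),   # mail to the relay
    Flow("198.51.100.4", "10.0.1.30", "tcp", 25, time(9, 0)),   # mail to a workstation
    Flow("198.51.100.4", "10.0.1.25", "tcp", 80, time(9, 0)),   # web to the relay
    Flow("10.0.5.7", "203.0.113.10", "tcp", 22, time(18, 30)),  # ssh, never permitted
]


def run_policy(policy: List[Rule], flows: List[Flow]) -> List[Tuple[str, str]]:
    return [evaluate(policy, f) for f in flows]


if __name__ == "__main__":
    for flow, (action, rule) in zip(SAMPLE_FLOWS, run_policy(POLICY, SAMPLE_FLOWS)):
        print(f"{flow.src:>14} -> {flow.dst:<14} {flow.proto}/{flow.dport} "
              f"at {flow.at:%H:%M}: {action} ({rule})")
```

Run it as a script to print one decision per flow. Note that this evaluator judges only the initiating direction of a connection, which is what a written policy describes; a real firewall must also admit the reply packets of a permitted connection, either statefully or with an explicit reverse rule, and that is one of the product differences the rest of this chapter is concerned with.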

Chapter 5: Firewalls

In this chapter, we will discuss firewalls and their implementation. Not all firewalls operate in the same way, so you should select a firewall based upon the security it provides, while ensuring that it is a proper fit for your business requirements. For example, if the firewall you choose will not support AOL’s Instant Messenger and IM is a critical business function, it may have been cheaper to simply
