There are hundreds of firewalls on the market, running on numerous different platforms. Selecting a firewall that matches your security requirements could take quite a bit of time. Fortunately for you, the firewall market has shaken out a lot of competitors lately. Among the remaining firewalls, you need only seriously consider the following, which are among the strongest in the field and which remain reasonably inexpensive. They are listed here in order of ease of use (easiest to hardest) and increasing security:
SonicWALL Firewalls
The easiest to use and least expensive device-based firewalls. They do not include proxy-level filtering, but can forward traffic to a proxy. Very similar to Firewall-1 in security and configuration, with a web interface.
WatchGuard Firebox Series
Strong security in a low-priced device-based firewall. These are the only true devices (no hard disk drive) that actually proxy the protocols. Based on Linux and FWTK underneath, with an administrative application that runs only in Windows.
Symantec VelociRaptor Security Device
A device (with hard disks) version of the strong Raptor security proxy. These are Sun RaQ computers preconfigured with Raptor Firewall.
NAI Gauntlet Firewall
The strongest firewall available, derived from the original TIS FWTK firewall software commissioned by the Defense Advanced Research Projects Agency. Also available in a 'deviceified' version based on the Sun Sparc Ultra platform.
There's no reason to select a firewall just because it runs on the same operating system as the rest of your network. Most firewalls that run on operating systems are significantly less secure than device-based firewalls, because they rely on the operating system to withstand denial-of-service attacks at the lower layers and because other nonsecure services may be running on the operating system.
Note: The majority of firewalls are configured by creating a specific policy called a rule base, which typically lists pass/fail rules for specific protocols and ports. Typically, these rules are searched in top-down order, and the final rule in the rule base is a 'deny all' rule.
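The note above describes the two properties a practitioner checks in any rule base: first match wins in top-down order, and the last rule is an explicit deny-all. The following is an added example, not vendor syntax or code from the book, that models such a rule base in Python, evaluates constructed sample packets against it, and lints it for the two classic mistakes (a missing trailing deny-all, and a rule that is shadowed because an earlier, broader rule matches everything it would). The rule names, addresses and ports are constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed illustration of a first-match rule base. Field values follow no
# particular vendor's syntax; "any" and a None port are wildcards.

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "pass" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR, or "any"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # destination port, or None for any port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def _net_contains(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _net_contains(rule.src, pkt.src)
            and _net_contains(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down search, first matching rule decides. If nothing matches, the
    outcome is whatever the product defaults to, which is exactly why the
    last rule should be an explicit deny-all."""
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "undefined", "<no matching rule>"

def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    def net_covers(o: str, i: str) -> bool:
        if o == "any":
            return True
        if i == "any":
            return False
        return ip_network(i).subnet_of(ip_network(o))
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and net_covers(outer.src, inner.src)
            and net_covers(outer.dst, inner.dst)
            and (outer.dport is None or outer.dport == inner.dport))

def lint(rulebase: List[Rule]) -> List[str]:
    """Report a missing trailing deny-all and any rule shadowed by an earlier one."""
    problems = []
    last = rulebase[-1]
    if not (last.action == "deny" and last.proto == "any" and last.src == "any"
            and last.dst == "any" and last.dport is None):
        problems.append("final rule is not an explicit deny-all")
    for i, rule in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if _covers(earlier, rule):
                problems.append(f"rule '{rule.name}' is shadowed by earlier rule '{earlier.name}'")
                break
    return problems

# Constructed rule base: web to a public server segment, DNS from the LAN, then deny-all.
GOOD_RULEBASE = [
    Rule("allow-web", "pass", "tcp", "any", "203.0.113.0/24", 80),
    Rule("allow-dns", "pass", "udp", "192.0.2.0/24", "any", 53),
    Rule("deny-all", "deny", "any", "any", "any", None),
]

# Same intent gone wrong: a blanket TCP pass was inserted above the Telnet block,
# so the block can never fire, and nobody added the trailing deny-all.
BAD_RULEBASE = [
    Rule("allow-any-tcp", "pass", "tcp", "any", "any", None),
    Rule("block-telnet", "deny", "tcp", "any", "any", 23),
]

if __name__ == "__main__":
    web = Packet("tcp", "198.51.100.7", "203.0.113.10", 80)
    telnet = Packet("tcp", "198.51.100.7", "203.0.113.10", 23)
    for name, rb in (("good", GOOD_RULEBASE), ("bad", BAD_RULEBASE)):
        print(name, evaluate(rb, web), evaluate(rb, telnet), lint(rb))
```

The lint is deliberately conservative: it only flags a rule when an earlier rule is a strict superset in every field, so it never reports a false shadow, though it can miss shadows produced by several earlier rules together.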
Once you've selected a firewall, configuration depends entirely upon the firewall you've selected. You need to make yourself an expert on that specific firewall. This isn't particularly difficult anymore, and there's little reason to worry about learning other firewalls once you've selected one.
Review Questions
1. Firewalls are derived from what type of network component?
2. What is the most important border security measure?
3. Why is it important that every firewall on your network have the same security policy applied?
4. What is a demilitarized zone?
protocols?
6. What fundamental firewall function was developed first?
7. Why was Network Address Translation originally developed?
8. Why can't hackers attack computers inside a Network Address Translator directly?
9. How do proxies block malformed TCP/IP packet attacks?
Answers
1. Firewalls are derived from routers.
2. The most important border security measure is to control every crossing.
3. Your effective border security is the lowest common denominator amongst the policies enforced by your various firewalls.
4. A DMZ is a network segment with a relaxed security policy where public servers are partitioned away from the interior of the network.
5. It's better to deny by default because a new protocol (used by a Trojan horse) may crop up that you aren't aware of that would then have free access to your network if you only blocked known threats.
6. Packet filtering was the original firewall function.
7. NAT was originally developed to conserve public IP addresses.
8. There's no way to address computers directly since the public address connection has to use the IP address of the NAT itself.
9. Malformed TCP/IP packet attacks are blocked by terminating and regenerating the TCP/IP connection for all protocols that flow through them.
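Answers 7 and 8 above can be seen concretely in a translation table. The following is an added example, not code from the book, that models a port-overloading NAT in Python: an outbound connection from a private host creates a mapping to the NAT's single public address and an allocated port, a reply that matches that mapping is delivered back to the private host, and any inbound packet for which no inside host created a mapping (or that is addressed to a private address) has nowhere to go and is dropped. All addresses and ports are constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class NatTable:
    """Constructed model of a port-overloading NAT: every private host shares
    the NAT's one public address and is told apart by the allocated port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # (proto, private src, sport, remote dst, dport) -> allocated public port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port, remote ip, remote port) -> (private src, sport)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside-to-outside packet and record the mapping."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._out:
            port = next(self._next_port)
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, self._out[key], pkt.dst, pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered to the private host, or None if dropped."""
        if pkt.dst != self.public_ip:
            return None  # private addresses are not reachable from outside
        entry = self._in.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # unsolicited: no inside host opened this mapping
        priv_ip, priv_port = entry
        return Packet(pkt.proto, pkt.src, pkt.sport, priv_ip, priv_port)

if __name__ == "__main__":
    nat = NatTable("198.51.100.1")
    print(nat.translate_outbound(Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 80)))
    print(nat.translate_inbound(Packet("tcp", "203.0.113.5", 80, "198.51.100.1", 40000)))
    print(nat.translate_inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.1", 40000)))
```

The mapping is keyed on the remote endpoint as well as the public port, so an outside host that did not receive the connection cannot reuse the port another host was given; this is the strictest of the common NAT behaviours and is the one that gives answer 8 its force.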
Terms to Know
• application-layer proxy
• border gateway
• circuit-layer switch
• content blocking
• demilitarized zone
• firewall
• Network Address Translation (NAT)
• packet filter
• proxy server
• source routing
• stateful inspection
• stateless packet filters
• transparent
• tunneling
• Virtual Private Network
• virus scanning
Overview
Virtual Private Networks provide secure remote access to individuals and businesses outside your network. VPNs are a cost-effective way to extend your LAN over the Internet to remote networks and remote client computers. VPNs use the Internet to route LAN traffic from one private network to another by encapsulating and encrypting unrestricted LAN traffic inside a standard TCP/IP connection between two VPN-enabled devices. The packets are unreadable by intermediary Internet computers because they are encrypted, and they can encapsulate (or carry) any kind of LAN communications, including file and print access, LAN e-mail, and client/server database access. Think of a VPN as a private tunnel through the Internet between firewalls, within which any traffic can be passed securely.
Virtual Private Networks
A packet stream that is encrypted, encapsulated, and transmitted over a non-secure network like the Internet.
Pure VPN systems do not protect your network; they merely transport data. You still need a firewall and other Internet security services to keep your network safe. However, most modern VPN systems are combined with firewalls in a single device.