Network security policy : use it

     Call to order at

     0 800 1111 222

     (toll free) or

     021 574 1111

A firewall sits between your company's private network and the more public Internet, and its primary job is to examine inbound traffic -- that is, traffic coming from the public side of the link destined for the private side of that link -- to make sure it's okay before permitting that traffic to pass through to the private side of the link.

Although every organization's firewall is configured to meet the organization's unique needs, there are two fundamental activities involved in setting up a secure firewall that reflects the business rules set down in a network security policy.

There are two kinds of firewalls:

• Software-only firewalls: A firewall program that runs on some computer that's attached to the Internet.
• Hardware firewalls: A kind of device that is attached to the Internet on one side and to an internal, private network on the other side. In some cases, this device may include other functions besides that of a firewall, such as a cable modem or Digital Subscriber Link (DSL) interface, and more. Hardware firewalls typically include both hardware and software, but you manage the two together as a single unit.

While the hardware portion of hardware firewalls is optimized for firewall functionality, when you deploy a software firewall, it is up to you to create and secure a host computer system to support the firewall software. Without a solid and reliable host, your firewall will be worthless.

The computer you install your firewall on must meet the minimum system requirements for whatever firewall software you choose to employ. Whenever possible, you should install as much high-speed high-capacity hardware on a host system as your budget can afford. Software firewalls require a significant level of computing power and it's better to build in more than you need so you don't restrict yourself with an under-performing communications bottleneck that hinders productivity.

When traffic passes through a firewall:

• The firewall inspects that traffic and looks into the various packets (i.e. small, manageable chunks) of information that make up Internet traffic.
  
• As it looks at packet content, it compares what it finds to existing filters or rules you define as part of your firewall setup.
  

• It applies any filters or rules you've configured in your firewall to decide if it should allow content to pass through or not.

A filter defines some specific pattern for which a firewall seeks a match. An exclusionary filter is one that results in traffic being blocked if a match occurs; an inclusionary filter is one that results in traffic being allowed if a match occurs.

Largely, filters and rules are two different ways of stating the same kind of information. A filter might take this form:

   Block port 80

In English, this filter will block all packets destined for port 80 (the port requests for Web pages almost always comes through). If this filter were set up on your firewall, the firewall would reject any requests from users outside your system for Web pages inside your system. An equivalent rule to block port 80 might be stated as:

   If port=80 then deny

The difference is a filters specifies an action for some specific value (like all traffic coming in on port 80), while rules usually apply a conditional statement that takes the form "if pattern match x, then take action y."

For many firewalls, filters or rules are set up to work together to define a general rule that established a basic filtering level, then setting exceptions to that rule to handle special cases. In this example, the first filter explicitly blocks all incoming traffic port addresses by default, then goes on only to allow use of well-known ports for FTP, SMTP, and Web services, plus the range of addresses reserved for temporary port use:

   Block port all
   Allow port 21, 22, 25, 80, 49,152-65,535

By contrast, this filter configuration allows all traffic through by default, and blocks only Telnet and NetBIOS-related services:

   Allow port all
   Deny port 23, 135-139

In reality, this second set of filters not a very effective security barrier since many other kinds of well-known attacks might be allowed through.

Rules and filters don't just apply to ports as in the previous examples, but can apply to a variety of different criteria that a firewall can learn about incoming traffic based on the packets of information that pass through it. For example, you could create a set of filters that allow employees to access local or Internet Web servers but that prevent users from outside the company from accessing a Web server on the company's side of the firewall.

Regardless of the size of your organization or the level of security you want to impose on your systems, firewalls are designed specifically to help you put your security policy into action. Home and small business firewalls usually have interfaces that make it very easy to configure your firewall rules and filters without much knowledge of ports, services, protocols, and the like. However, it's best if you have an IT professional configure an enterprise-level firewall, as firewalls at this level have more options and require more networking knowledge to secure your network properly.

When you start with a solid security policy that carefully balances employee needs for Internet connectivity with your organization's need for network security, you can easily find the right combination of hardware, software, and IT resources to implement that policy. Always remember that firewall configurations stem directly from business rules.