
What You Should Know Before Buying Hardware Firewalls


An Absolute Necessity for Business

Aug 17 '01

The Bottom Line: Hardware firewalls are a must for any business, but home users should not use them due to the complexities of proper implementation.

Today, there are a multitude of threats ready to take on an enterprise network, ranging from harmless "fun" hacks as simple as port scanning or probing a service, to "grey hat" hacking in which someone tries to find a hole so the company can be notified and fix it, to genuinely harmful worms and trojans like the recent rash of the Code Red virus and its mutants.

In order to provide a reasonable layer of security to its users and its data, even the smallest company needs to invest a reasonable amount of resources in setting up a hardware firewall as part of a perimeter network. While I am not telling you to go spend money you don't have, I will tell you that you will need a security solution scaled to your business size. The larger the business, the more appetizing the target for a hacker, especially if the company happens to deal with internetworking or internet security.

99% of the users of firewalls do not just rip open a box, plant the firewall amongst some cords and hope that it will work. A hardware firewall is usually a router which has two or more IP addresses, depending on the number of interfaces, in addition to hardware-based packet and datagram scanning. They range in intelligence from a firewall which only disallows port scanning by providing a physical node that does not have "ports", to a full-service firewall which can actually read portions of the packet data to scan for trojan signatures or other harmful entities.

Even if your company is implementing the most sophisticated firewall that the world has ever seen, a single firewall alone will not be sufficient to protect a company. Instead, one or more hardware firewalls should be part of an integrated perimeter network that protects the internal network from the internet portals (the T1s, ISDNs, etc.). The first thing that you are probably going to need is an "outside" firewall that is relatively lax in the security it provides, merely blocking obvious hacking attempts and ensuring that specific sorts of network traffic go to the various bastion hosts set up for each particular service. (A bastion host is a computer which has been hyper-secured in order to provide a secure indirect link for connections between computers; the host is little more than a relay. Examples include mail gates, web servers, FTP servers, etc.)

The area immediately behind the outside firewall is called the perimeter network, sometimes also known as the DMZ (demilitarized zone, a holdover term from the Vietnam era). In this zone there should reside a mail gate (to handle mail and messaging services redirection between the outside and the internal mail server), a web server (on which all other services have been secured), possibly a separate FTP server, and any other servers specifically built for particular services. In addition, there should be a somewhat more sophisticated internal firewall which immediately protects the internal network.

The main thing that you have to understand is that a firewall is a router that has been built with specific configurations in mind for particular purposes. In this sort of example there should be several static routes. Any port 25 traffic should only be allowed between the mail gate and the outside. Port 80, 8080, and any other web-specific ports should only be allowed between the web server(s) and the outside; any other port 80 access should be set up so that an outside source can only respond to a request from an internal client. Port 21 access should be restricted to the FTP server and the outside. The internal server configuration is up to you, depending on the size and needs of your network.
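To make those rules concrete, here is an added example (mine, not the author's configuration and not a real product's rule syntax) that models the outside firewall as a small default-deny policy engine and checks constructed sample packets against it. The address plan (a 192.0.2.0/24 DMZ, a 10.0.0.0/8 internal network, and the mail gate, web server and FTP server addresses), the "default deny" for anything not listed, and the way an outside web server's reply is matched to an earlier request from an internal client are all my assumptions; the essay gives none of them. Replies for the mail and FTP flows are deliberately not modelled, to keep the example focused on the four rules stated above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the example (assumption; the essay gives no addresses).
DMZ_NET = ip_network("192.0.2.0/24")       # perimeter network / DMZ
INTERNAL_NET = ip_network("10.0.0.0/8")    # internal network behind the inside firewall
MAIL_GATE = ip_address("192.0.2.25")
WEB_SERVERS = {ip_address("192.0.2.80"), ip_address("192.0.2.81")}
FTP_SERVER = ip_address("192.0.2.21")
WEB_PORTS = {80, 8080}


def zone(addr: str) -> str:
    """Classify an address as internal, dmz, or outside (anything not in our ranges)."""
    a = ip_address(addr)
    if a in INTERNAL_NET:
        return "internal"
    if a in DMZ_NET:
        return "dmz"
    return "outside"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class OutsideFirewall:
    """Toy model of the outside firewall's rules; anything not listed is dropped."""

    def __init__(self) -> None:
        # (client, client_port, server, server_port) of web requests an internal
        # client has already sent outward; only these may be answered from outside.
        self.outbound_web: set[tuple] = set()

    def allow(self, pkt: Packet) -> bool:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        sz, dz = zone(pkt.src), zone(pkt.dst)
        pair = {sz, dz}

        # Rule 1: port 25 only between the mail gate and the outside.
        if pkt.dport == 25:
            return pair == {"dmz", "outside"} and MAIL_GATE in (src, dst)

        # Rule 2: web ports between the web servers and the outside ...
        if pkt.dport in WEB_PORTS:
            if pair == {"dmz", "outside"}:
                return src in WEB_SERVERS or dst in WEB_SERVERS
            # ... or an internal client opening a request outward; remember it.
            if sz == "internal" and dz == "outside":
                self.outbound_web.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False

        # Rule 2b: an outside web server may only answer a request an internal client made.
        if pkt.sport in WEB_PORTS and sz == "outside" and dz == "internal":
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.outbound_web

        # Rule 3: port 21 only between the FTP server and the outside.
        if pkt.dport == 21:
            return pair == {"dmz", "outside"} and FTP_SERVER in (src, dst)

        # Everything else is dropped (assumption: default deny).
        return False


def demo() -> dict:
    """Run constructed sample packets through the policy and return each decision."""
    fw = OutsideFirewall()
    return {
        "smtp_to_mail_gate": fw.allow(Packet("203.0.113.9", 51000, "192.0.2.25", 25)),
        "smtp_to_web_server": fw.allow(Packet("203.0.113.9", 51001, "192.0.2.80", 25)),
        "http_to_web_server": fw.allow(Packet("203.0.113.9", 51002, "192.0.2.80", 80)),
        "http_to_internal_host": fw.allow(Packet("203.0.113.9", 51003, "10.1.2.3", 80)),
        "reply_without_request": fw.allow(Packet("198.51.100.7", 80, "10.1.2.3", 40000)),
        "internal_client_request": fw.allow(Packet("10.1.2.3", 40000, "198.51.100.7", 80)),
        "reply_to_that_request": fw.allow(Packet("198.51.100.7", 80, "10.1.2.3", 40000)),
        "ftp_to_ftp_server": fw.allow(Packet("203.0.113.9", 51004, "192.0.2.21", 21)),
        "ftp_to_mail_gate": fw.allow(Packet("203.0.113.9", 51005, "192.0.2.25", 21)),
        "telnet_to_web_server": fw.allow(Packet("203.0.113.9", 51006, "192.0.2.80", 23)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {'ALLOW' if decision else 'DROP'}")
```

The instructive cases are the two packets from 198.51.100.7 port 80 to the internal client: the first is dropped because no internal request preceded it, and the identical packet after the client's outbound request is allowed. That is the "respond to a request from an internal client only" rule, and it is why a firewall that merely matches port numbers is weaker than one that tracks who started the conversation.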

The planning for your perimeter security should be done by a professional who has experience in the field; it is not a task to be undertaken by those who have not dealt with this sort of environment before.

For more on hardware firewalls, I would suggest that you visit your local network administrator or buy "Securing Windows NT/2000 Networks in a Nutshell". If you would like more information on perimeter security, feel free to email me at wfrazee@hotmail.com and I will provide any information I can based on my limited experience with them.

Epinions.com ID:
clocks
Member: Wayne Frazee
Location: Panama City Beach, FL
Reviews written: 100
Trusted by: 50 members
About Me:
I am an IT Manager for a game development company in Panama City Beach, FL.