A firewall sits between your network and a network you don't trust (like the internet), controlling and monitoring the traffic going into and out of your network. All internet traffic passes through the firewall, making it an effective sentry point and traffic cop. For this reason, intrusion detection software and content filtering software are often used in conjunction with the firewall.
Firewalls can allow all the computers on your network to share a single internet connection using one routable IP address. This has made firewalls extremely useful in small office/home office environments where an ISDN line, DSL line or cable modem with one IP address is the gateway to the internet.
A good rule of thumb in securing a network is to disallow services you aren't using: you lose nothing by turning off unnecessary services, but you prevent a potential attack that uses those services. To take just one example, certain versions of FTP have a history of security-related bugs. To prevent those security problems you could simply block incoming FTP requests at the firewall. The alternative is to disable FTP software on each computer on the network, and disable it again each time the operating system is re-installed. Even then, someone could install unauthorized FTP software. By using a firewall to enforce a "no FTP" policy, the administrator can do the same job with far less effort and be certain of compliance.
Your network may have public servers (such as Web, mail or FTP servers) that need to be accessed from both the internet and from the LAN. These public servers should be placed on a third network - referred to as a Demilitarized Zone (DMZ). The DMZ is protected from most attacks, but you can assign it a different set of rules so that it can perform its given function without compromising your internal network. Going back to our example, you might disable incoming FTP for your internal network, but allow FTP access to the public FTP server on the DMZ.
Firewalls must be given policies (rules) defining what the firewall will and won't allow. A mis-configured firewall may offer no security, but can work without giving errors or interrupting traffic, resulting in a false sense of security. Firewalls are one of the few products that can be completely mis-configured yet appear to work. If in doubt, hire a professional to install your firewall. SecureHQ offers installation service for most of the firewalls we sell.
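The three-zone "no FTP except to the DMZ server" policy from the example above, together with a check for the silent misconfiguration the previous paragraph warns about, as an added Python example that is not part of this page (the addresses, zone names and rule layout are assumptions):

```python
import ipaddress

# Constructed three-zone layout for the page's FTP example (addresses and
# zone names are assumptions): Internet, internal LAN, and a DMZ FTP host.
ZONES = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.2.0/24"),
}
FTP_SERVER = "192.168.2.21"

def zone_of(ip):
    """Map an address to the interface/zone it would arrive on."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

# Rule = (src_zone, dst_zone, dst_port, dst_host, action); None = any; first match wins.
POLICY = [
    ("internet", "lan", 21, None, "deny"),         # no FTP into the LAN
    ("internet", "dmz", 21, FTP_SERVER, "allow"),  # only the public FTP host
    ("lan", "internet", None, None, "allow"),      # outbound from the LAN
    ("lan", "dmz", None, None, "allow"),           # LAN reaches the DMZ
    ("any", "any", None, None, "deny"),            # explicit default deny
]

def decide(src, dst, dport, policy=POLICY):
    """Return 'allow' or 'deny' for a packet src -> dst:dport."""
    sz, dz = zone_of(src), zone_of(dst)
    for src_zone, dst_zone, port, host, action in policy:
        if src_zone not in ("any", sz) or dst_zone not in ("any", dz):
            continue
        if port is not None and port != dport:
            continue
        if host is not None and host != dst:
            continue
        return action
    return "deny"  # nothing matched: fail closed

def audit(policy):
    """Flag the silent misconfiguration: an unconditional allow passes
    everything yet never raises an error, so check for it explicitly."""
    problems = []
    for i, (sz, dz, port, host, action) in enumerate(policy):
        if action == "allow" and (sz, dz, port, host) == ("any", "any", None, None):
            problems.append(f"rule {i}: allows all traffic between all zones")
    if policy[-1][4] != "deny":
        problems.append("last rule is not a default deny")
    return problems
```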
Four things you need to determine before you buy
- How many computers/IP addresses will be behind the firewall?
- How much bandwidth do you have to the Internet?
- Do you need to protect public servers, such as mail or web servers?
- How much technical expertise do you have in your organization?
1. Firewalls are typically licensed based on the number of IP addresses they protect. Your network administrator should know the number of IP addresses on the network. See the next question, "How are users/nodes/IP addresses counted?", for more information.
2. Most firewall appliances will easily handle an ISDN line, cable modem, home DSL line or a T1. If you have multiple T1s, a business-grade DSL line or a T3, you may need a more powerful appliance to be certain that the firewall won't become a bottleneck on your internet traffic.
3. Public servers - such as web servers, mail servers, news servers and FTP servers - should be on a network segment separate from your internal network, and separate from the internet. This third network segment is often called a de-militarized zone (DMZ).
All software-based firewalls support a DMZ. You'll just need to install a third network card in the computer running a firewall. Some hardware-based firewalls (also called firewall appliances) have a third network interface for a DMZ, but some do not. Typically, appliances that cost less than $1,000 lack a DMZ.
4. Some products are more difficult than others to install. Check Point makes outstanding enterprise-class firewall and VPN software, but it's a bit complicated for a smaller organization that lacks a network-oriented IT department. A better choice for a smaller organization might be a firewall appliance, such as those made by NetScreen, SonicWALL and WatchGuard. Another option is to buy an appliance that has Check Point pre-installed, such as the Nokia and Intrusion.com appliances.
How are users/nodes/IP addresses counted?
Firewalls are typically licensed based on the number of IP addresses they protect. Different manufacturers may refer to users or nodes instead, but in reality it is the IP addresses which are being tracked. Most computers have just one network card, which has one IP address, so the number of computers on your network is usually the same as the number of IP addresses. However, some servers may have more than one network card and/or IP address. Your network administrator will know the number of IP addresses on the network.
Axent: "The Raptor Firewall and VPN Server is primarily licensed as a function of the number of users protected by the firewall. Users in this context literally mean the number of unique IP addresses behind the firewall." "In some instances, companies will share a PC amongst a number of users. This is still considered as a single user license." - Axent Pricebook
Where is a firewall installed on a network?
A firewall sits between your trusted network and an untrusted network. In the most common situation, the firewall will sit between your internet connection and your network. So for instance, say that your network is connected to the internet via a DSL router that connects to your Ethernet hub. In that case you would install the firewall between your DSL router and your Ethernet hub.
Firewalls need multiple network cards
A firewall sits between networks. The most common configuration is to put the firewall between your internal network and the internet. In that configuration the firewall would need two network cards: one to interface with your internal network and another to interface with the internet. If your firewall has a third network segment for a DMZ, you will need a third network card.
Some hardware-based firewalls (also called firewall appliances) have a third network interface for a DMZ, but some do not. Typically, appliances that cost less than $1,000 lack a DMZ.
Should I buy a software- or hardware-based firewall?
The decision usually comes down to cost and ease of installation.
For a small office/home office environment with a half dozen computers, a firewall appliance is an excellent choice. A SOHO product from SonicWALL or WatchGuard costs less than $500 and is easy to install. By contrast, most software-based firewalls cost well over $1,000, not including the computer to install them on.
Another advantage of firewall appliances is that they are pre-hardened. In contrast, if you install firewall software on a Windows or UNIX platform, you must harden the operating system by applying all of the security patches and closing all of the security holes that routinely exist in those operating systems.
Software-based firewalls have advantages as well. They often provide a better growth path for large organizations. You can add users by upgrading your license, add features from the vendor's product line, or even integrate the firewall with other vendors' products. For instance, many intrusion detection systems and content filtering solutions integrate with Check Point's firewall and VPN products.
Sharing a single Internet connection with multiple computers
All firewalls support NAT (Network Address Translation). All of your computers (up to the limit of your firewall license) can share a single Internet connection, such as a cable modem, DSL line, ISDN, T1, frame relay, etc. You only need one static IP address. The firewall takes care of the rest. You will assign non-routable IP addresses (such as 192.168.*.*) to computers on your internal network.
Internet RFC 1597, "Address Allocation for Private Internets," reserves three IP address ranges for internal use: 10.0.0.0 through 10.255.255.255; 172.16.0.0 through 172.31.255.255; and 192.168.0.0 through 192.168.255.255. You don't have to get these addresses from your ISP or anyone else. They were specifically reserved for internal network use.
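An added Python example (not from this page) showing how the single-public-address sharing described above works: internal hosts are checked against the three RFC 1597 ranges, outbound flows are rewritten to the one public address, and inbound packets are only passed back when they match an existing flow. The public address, port numbers and flow-table design are assumptions.

```python
import ipaddress

# The three ranges RFC 1597 reserves, as listed on this page.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True if ip falls in one of the reserved internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)

class Nat:
    """Toy port-address translation: many internal hosts share one
    public address. Public IP and starting port are assumptions."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self.back = {}  # public port -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN packet so it leaves from the single public IP."""
        if not is_private(src_ip):
            raise ValueError("internal hosts must use reserved private addresses")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out:          # first packet of this flow
            self.out[key] = self.next_port
            self.back[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Map a packet arriving at public_ip:dst_port back to the LAN host.
        Returns None when there is no matching outbound flow, i.e. the
        packet is unsolicited and is dropped."""
        entry = self.back.get(dst_port)
        if entry is None:
            return None
        inner_ip, inner_port = entry
        if (inner_ip, inner_port, src_ip, src_port) not in self.out:
            return None   # port in use, but not for this remote endpoint
        return (src_ip, src_port, inner_ip, inner_port)
```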
Which firewall appliances are rack-mountable?
| Company | Size | Model |
|---|---|---|
| Axent | 1U | Velociraptor |
| CyberGuard | 1U | FireStar |
| CyberGuard | 2U | KnightStar 2U |
| CyberGuard | 4U | KnightStar 4U |
| Nokia | 1U | IP330 |
| Nokia | 4U | IP440 |
| Nokia | 2U | IP650 |
| SonicWALL | 1U | Pro and Pro-VX |
| WatchGuard | 1U | Firebox II family |