Internet Security Professional Reference: How to Buy a Firewall


Chapter 7
How to Buy a Firewall

Internet firewalls have become popular recently mostly out of fear—the fear that someone out there will peek inside your network and see or change something you’d rather keep secret.

The primary goal of an Internet firewall is to control the connection between a corporate network and the Internet. Firewalls allow access to services and protect the users of those services. Choosing an Internet firewall starts with a clear definition of your security goals. The firewall market includes a full spectrum of hardware and software solutions built to fit most any environment, security policy, and management style. Although the firewall marketplace looks confusing, once you have defined your requirements, you’ll find that only a few products fit the bill.

This chapter will prepare you to make a decision regarding purchasing a firewall for your organization. The chapter begins with a brief rundown on what a firewall is and continues with some important questions to ask yourself when picking a firewall. You will learn what different types of firewalls are available and what their performance characteristics are.


Note: Much of this chapter is a summary of research done by Opus One, a consulting firm in Tucson, Arizona. Opus One has been studying the firewall market for several years, and this chapter presents their findings and advice about the firewall marketplace. When performance statistics are presented, these statistics are based on Opus One’s testing of firewall products available during the first quarter of 1997. Exact details on the configurations used are in the section “Evaluating Firewall Performance,” found later in this chapter.

Firewall Refresher

Before comparing firewall products, it’s important to keep the different architectures and design choices in mind. Different firewalls are built for different environments. To find the best firewall for your organization, you first must map your requirements to a particular firewall architecture. Once you have picked the architecture that is right for you, the products become a lot less daunting.

In the following paragraphs, the three main types of firewalls are reviewed: router-based packet filters (stateless), stateful packet filters, and transport/circuit gateways.

Architectures

Firewalls all have a similar architecture. They all connect and protect two (or more) TCP/IP networks. For this chapter, the emphasis is on firewalls with two Ethernet ports: one Ethernet port connects to the internal (secure corporate) network and one Ethernet port connects to the external (insecure Internet) network. For smaller installations, some firewalls can be configured with a WAN port instead of or in addition to the insecure Ethernet port. A WAN port, such as a frame relay or ATM line, lets the firewall connect the corporate network directly to an Internet service provider. Many organizations are electing to employ the two-Ethernet firewall, usually combined with a separate router with its own port. By using two (or even three) Ethernet segments, the organization can place Internet information servers, such as World Wide Web (WWW) and Gopher servers, as well as mail and news gateways, outside the firewall.

Putting all Internet information servers outside the firewall makes managing and administering the firewall simpler because the rules are simpler: no incoming connections ever get through the firewall, period. By keeping all incoming connections from the Internet outside, the security manager doesn’t have to constantly keep adjusting the firewall configuration. More importantly, a server inside the firewall that must accept unrestricted incoming connections becomes a hole. If that inside server is broken into, the entire firewall becomes useless.
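To make the “no incoming connections, period” policy concrete, here is an added example (not from the book or from Opus One’s research) that models a stateless, router-style packet filter for the two-Ethernet firewall described above. The rule and packet model, the interface names “inside” and “outside”, and the sample addresses (drawn from documentation ranges) are all constructed for illustration. As in classic stateless filters, an inbound connection attempt is recognized by a TCP SYN without ACK; a stateful filter, which the chapter also covers, would track connections instead of relying on the flag bits. The second rule set shows what happens when one inside server is granted an exception: that single allow rule is the hole the paragraph warns about.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on: "inside" or "outside" (constructed names)
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for UDP
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    iface: Optional[str] = None            # None matches any interface
    proto: Optional[str] = None
    dport: Optional[int] = None
    new_connection: Optional[bool] = None  # True: only TCP SYN without ACK (a connection attempt)

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.new_connection is not None:
            # Stateless approximation: a SYN with no ACK is a new connection attempt.
            is_new = p.proto == "tcp" and p.syn and not p.ack
            if self.new_connection != is_new:
                return False
        return True


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Policy A: information servers live outside, so nothing inbound is ever accepted.
STRICT_POLICY = [
    Rule("deny", iface="outside", proto="tcp", new_connection=True),  # block inbound connection attempts
    Rule("allow", iface="outside", proto="tcp"),                      # replies to connections opened from inside
    Rule("allow", iface="inside"),                                    # anything originating inside may go out
]

# Policy B: one web server is kept inside, so an exception is punched for port 80.
HOLE_POLICY = [Rule("allow", iface="outside", proto="tcp", dport=80)] + STRICT_POLICY

# Constructed sample traffic (documentation address ranges, not real hosts).
PACKETS: Dict[str, Packet] = {
    "inbound_smtp_connect": Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 25, syn=True),
    "inbound_web_connect": Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 80, syn=True),
    "reply_to_outbound": Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 40321, syn=True, ack=True),
    "outbound_web_connect": Packet("inside", "tcp", "192.0.2.10", "198.51.100.7", 80, syn=True),
    "inbound_udp_dns": Packet("outside", "udp", "198.51.100.7", "192.0.2.10", 53),
}


def evaluate(policy: List[Rule]) -> Dict[str, str]:
    """Decision for every sample packet under the given rule set."""
    return {name: filter_packet(policy, p) for name, p in PACKETS.items()}


def holes(policy: List[Rule]) -> List[str]:
    """Names of sample packets that are inbound connection attempts yet still allowed."""
    return [
        name for name, p in PACKETS.items()
        if p.iface == "outside" and p.proto == "tcp" and p.syn and not p.ack
        and filter_packet(policy, p) == "allow"
    ]


if __name__ == "__main__":
    for label, policy in (("strict", STRICT_POLICY), ("with inside web server", HOLE_POLICY)):
        print(label, evaluate(policy), "holes:", holes(policy))
```

Note that UDP from the outside falls through to the default deny in both policies: with no flag bits to inspect, a stateless filter cannot tell a DNS reply from an unsolicited datagram, which is one reason the chapter distinguishes stateful packet filters from router-based ones.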

Internet firewalls fit into a broad spectrum of capabilities, strengths, and weaknesses. In this chapter, these are separated into three groups: routers, packet filters (more correctly called “network layer” firewalls), and application gateways. Each group supports a different type of security policy and goals. Because these firewall products are very different from each other, comparing them in groups, rather than all together, is most useful. Thus, you will learn about routers separately from packet filters and application gateways.

Choosing an Internet firewall starts with a clear definition of your security goals. Each of the firewalls available in the marketplace offers a different style of protection. It is impossible to select the appropriate firewall product without understanding how each one meets (or fails to meet) your security goals. It is very important to evaluate any firewall at your own site before buying it, to make sure that it fits.

