Selecting and Configuring a Firewall
Protecting your nonprofit organization’s information and network with firewalls
January 6, 2009
This article was adapted from a chapter in Recipes for a 5-Star Library, a compilation of technology tips and techniques created by TechSoup's MaintainIT Project, an effort funded by the Bill & Melinda Gates Foundation to gather and distribute stories around maintaining and supporting public computers.
According to the SANS Institute, an unpatched, unprotected computer on the open Internet will be attacked and compromised in four minutes, on average. It’s that regular and reliable because an attacker doesn’t have to wait until a human being “sees” your new computer and begins the attack with the push of a button or the typing of a command. These days, Internet-based attacks are almost entirely automated and scripted, and they usually originate from innocent, third-party machines that were themselves attacked and compromised. In other words, the owner of the attacking computer probably has no idea it’s being used against your network.
Since the attacks are automated and continuous, you need automated solutions to defend yourself. In most organizations, firewalls are the cornerstone of the network security infrastructure. Deciding exactly which one to buy is beyond the scope of this article, since the models change so often. Instead, we’ll look at some of the basic firewall types and the features that you’ll be able to choose from.
Firewalls Compared with Other Network Security Devices
Long ago, you had a handful of choices when buying network security tools. Ninety-nine percent of the security equipment on the market fell into the firewall category. Now, you’ll find a confusing array of tools with different names and overlapping functionality.
In particular, intrusion detection systems (IDS) and intrusion prevention systems (IPS) often complement firewalls in larger organizations. IDS and IPS systems actively monitor switches, routers, servers and other devices, looking for security breaches and intrusions. Depending on the device, an IDS/IPS might react to an event by triggering an alarm, blocking the malicious traffic or quarantining the infected machine. An IDS/IPS resembles an application-level firewall (defined in the next section), but firewalls focus on blocking external threats, while an IDS monitors the network for attacks that have already broken through the perimeter firewall. Most organizations buy a firewall before an IDS/IPS.
Another type of device that’s been gaining in popularity recently is the unified threat management system (UTM). A UTM is an all-in-one network security device that might include traditional firewall capabilities along with email spam filtering, Web content filtering, an antivirus scanner and IDS/IPS functionality. Security appliances are similar — they include firewall functionality, but they usually incorporate other features as well (e.g., VPN encryption, virus scanner, etc.). The bottom line is that the name isn’t too important. Whether you’re evaluating a firewall, a UTM or a security appliance, look at the features and the amount of traffic it can handle.
Other Considerations when Selecting a Firewall
For several of the firewall features described below, you have to choose between a feature built into the firewall and a standalone device. In other words, if you need virtual private networks (VPNs), content filtering, bandwidth management or other services, you can choose a firewall with those features built in, or you can choose a specialized piece of hardware. You usually get more power and flexibility with a standalone device, but the cost is higher. Beyond that choice, the following considerations will shape your decision.
- Size of network: Does the firewall device have enough memory and processing power to handle the traffic on your network? Most firewalls are rated by bandwidth, number of simultaneous connections or both.
- Network topology: How many networks do you have that need some unique level of protection or isolation? Suppose the firewall you’re evaluating has three Ethernet ports. Is that enough? Let’s say you need one subnetwork for the staff machines, one for the public access machines, one for your wireless access point and one for your servers. In this case, you need a firewall with four Ethernet ports, as well as a port for your Internet connection. Or you could use a second firewall or a managed switch to provide the network separation you’re looking for. Search Security describes several different network topologies and how that decision affects the purchase and placement of firewalls.
- DMZ: Do you need a DMZ for your Internet-facing servers? A DMZ (short for demilitarized zone) is a small subnetwork for hosted Internet services such as Web servers and email servers. The firewall protects the servers in the DMZ and checks traffic to and from those servers, but it also isolates them from the rest of your local area network as much as possible. Your Web server can handle requests from random computers on the Internet because you’ve presumably hardened and secured that server. On the other hand, your average staff machine shouldn’t be exposed to the Internet in that way. Also, if something goes wrong and the Web server is compromised, the damage will be partially contained. There are several ways to set up a DMZ, and your DMZ architecture may affect the type(s) of firewall(s) you decide to buy. Wikipedia describes two common approaches to setting up a DMZ.
- VPN: A VPN (virtual private network) encrypts data sent between two or more locations when that data is sent over the Internet or another public network. Nonprofits often set up VPNs so that staff members who work from home can securely access files and programs on the office network. Also, in many organizations, the main office and branch offices use VPNs to transfer private, sensitive information. If you’ve purchased high-speed, dedicated data lines from your service provider, you may not need VPNs for office-to-office communication. However, dedicated lines are expensive, so a lot of organizations use VPNs instead. Some firewalls can handle VPN encryption and decryption, but you can also buy separate, standalone devices to handle this function. VPNs can be tricky to configure and maintain, so you should talk to an expert. For more about VPNs, check out How Virtual Private Networks Work and Introduction to Virtual Private Networking.
- Level of control: Do you want to block all traffic for certain applications, or do you need to implement more granular filtering so certain computers or users have more capability than others? For example, you might block ssh traffic (ssh stands for secure shell, a remote logon utility) for most of your network but allow it for systems administrators who need to access remote servers. Does the firewall you’re evaluating give you the degree of control you’re looking for? Some offer user authentication to help you control access privileges.
- Technical expertise: Do you have the in-house expertise to properly configure and manage the firewall, or will you need external technology support? Measure your expertise against the size and complexity of the firewall you’re buying. Is it a large, complex device that requires months to fully understand? How many features do you really need? Hooking up a device you don’t understand is as bad as or worse than having no device at all.
- Managed services: Often, your service provider will configure and maintain your firewall for a price. On the other hand, if you don’t understand fundamental security concepts, you might end up paying your ISP for firewall features that you don’t actually need. Also, how responsive will your service provider be when you need to change the access rules on your firewall? In other words, you have to know at least enough to ask the right questions and evaluate the answers.
- Budget: With firewalls ranging in price from $50 to $10,000, the budget represents the biggest consideration for most organizations. While your nonprofit may want all of the features, you need to determine which are most important based on your requirements and resources.
- Content filtering: Does your computer-use policy require some form of content filtering? For most nonprofits, this isn’t the case, but organizations providing Internet access to the public and to children often filter content. Some firewalls can block content based on keywords or on blacklists provided by the firewall manufacturer or a third party. Of course, this feature may add to the cost of your firewall, and performing this type of filtering at the firewall could slow down the performance of your network. Buying a separate content filter makes more sense in some situations.
- Bandwidth management: Do you need to control bandwidth usage? Do you need to limit the bandwidth available to particular users, particular applications or particular network segments? If you’re bumping up against the limits of your broadband connection, bandwidth management tools and wide area network (WAN) optimization devices can help. Some firewalls have these capabilities, but you can also buy separate, standalone devices to handle these tasks. For more information, see The Options for Network Optimization.
- Logging and alerts: Every firewall should have logging capabilities so you can see what sorts of traffic the appliance is blocking and what traffic is going through. However, firewalls differ somewhat in the information they record and the readability of the log files. Also, how does the firewall handle alerts? Does it send alerts by email or by text message? Are they the alerts you need?
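The network topology, DMZ and level-of-control points above all come down to the same thing: a rule list that is evaluated top to bottom, first match wins, with an explicit default deny at the end. The following Python model is an added illustration and is not code from the article, TechSoup or any firewall vendor. It assumes the four-subnet layout the article describes (staff, public, wireless, servers in a DMZ) with constructed addresses, a constructed admin workstation that is the only host allowed to ssh into the DMZ, and a rule that stops a compromised DMZ server from reaching the internal subnets. Swapping the rule order shows why placement matters.

```python
"""Zone-based firewall policy model (added example, not TechSoup's or a vendor's code).

Models the article's four-subnet topology plus the Internet and demonstrates
first-match rule evaluation with an explicit default deny. All addresses,
zone names and the admin-host exception are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: one subnet per firewall Ethernet port, as in the article.
ZONES = {
    "staff":    ipaddress.ip_network("10.0.1.0/24"),
    "public":   ipaddress.ip_network("10.0.2.0/24"),
    "wireless": ipaddress.ip_network("10.0.3.0/24"),
    "dmz":      ipaddress.ip_network("10.0.4.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything off the local subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str                          # zone name or "any"
    dst_zone: str                          # zone name or "any"
    dport: Optional[int]                   # None = any destination port
    action: str                            # "allow" or "deny"
    src_hosts: frozenset = frozenset()     # optional host exception (empty = whole zone)
    note: str = ""


# Constructed: the one sysadmin workstation permitted to ssh into the DMZ.
ADMIN_HOSTS = frozenset({"10.0.1.10"})

# Rules are evaluated top to bottom; the first match wins.
POLICY = [
    Rule("any", "dmz", 80, "allow", note="public web server in DMZ"),
    Rule("any", "dmz", 443, "allow", note="public web server in DMZ"),
    Rule("staff", "dmz", 22, "allow", ADMIN_HOSTS, note="ssh only from admin hosts"),
    Rule("staff", "internet", None, "allow", note="staff browse freely"),
    Rule("public", "internet", None, "allow", note="patron machines reach only the Internet"),
    Rule("wireless", "internet", None, "allow", note="guest wireless reaches only the Internet"),
    Rule("dmz", "any", None, "deny", note="a compromised DMZ host cannot reach inside"),
    Rule("any", "any", None, "deny", note="default deny"),
]


def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    """True when the rule's zone, port and host-exception conditions all hold."""
    if rule.src_zone not in ("any", zone_of(src)):
        return False
    if rule.dst_zone not in ("any", zone_of(dst)):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    if rule.src_hosts and src not in rule.src_hosts:
        return False
    return True


def decide(src: str, dst: str, dport: int, policy=POLICY) -> str:
    """Return the action of the first matching rule, or 'deny' if nothing matches."""
    for rule in policy:
        if matches(rule, src, dst, dport):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed traffic samples: Internet host, admin workstation, ordinary staff PC, patron PC.
    for src, dst, port in [("203.0.113.5", "10.0.4.20", 80), ("203.0.113.5", "10.0.4.20", 22),
                           ("10.0.1.10", "10.0.4.20", 22), ("10.0.1.50", "10.0.4.20", 22),
                           ("10.0.2.7", "10.0.1.10", 445), ("10.0.4.20", "10.0.1.10", 445)]:
        print(f"{zone_of(src):8} {src:>12} -> {dst:<10} port {port:<4} {decide(src, dst, port)}")
```

The DMZ deny rule sits above the default deny only for readability; what it documents is the containment goal from the DMZ discussion. Note what happens if the default deny is moved to the top: every packet matches it first and nothing is ever allowed, which is the first-match behaviour a misordered rule list on a real appliance exhibits as well.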
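The logging point deserves a concrete reading of what "seeing what is blocked and what goes through" looks like in practice. The script below is an added example, not part of the article and not any vendor's tool. It parses a handful of constructed log lines written in the key=value style produced by the Linux iptables LOG target (the FW-DROP and FW-ACCEPT prefixes are constructed values of the kind set with --log-prefix), summarises blocked destination ports and accepted inbound connections, and raises two kinds of alert a practitioner wants: a single source probing many blocked ports, and an accepted inbound connection on a port you never intended to expose.

```python
"""Firewall log review (added example, not from the article or any vendor).

Parses constructed iptables-style LOG lines and answers the questions the
article says a log must answer: what is being blocked, what is getting
through, and which of those events deserve an alert.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. 203.0.113.9 walks through several blocked ports (scan pattern);
# 203.0.113.44 is accepted on port 22, which is not in the intended exposure below.
SAMPLE_LOG = """\
Jan  6 09:12:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51022 DPT=22
Jan  6 09:12:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51023 DPT=23
Jan  6 09:12:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51024 DPT=445
Jan  6 09:12:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51025 DPT=3389
Jan  6 09:12:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51026 DPT=1433
Jan  6 09:12:05 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80
Jan  6 09:12:06 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=443
Jan  6 09:12:09 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=22
Jan  6 09:12:11 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=22
"""

# Constructed: the ports this site intends to expose to the Internet (a DMZ web server).
EXPECTED_INBOUND = {80, 443}

PREFIX_RE = re.compile(r"(FW-DROP|FW-ACCEPT):\s*(.*)$")


def parse_line(line: str):
    """Return a dict for a recognised log line, or None for anything else."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    # Tokens look like KEY=VALUE; a bare "OUT=" simply yields an empty value.
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    return {
        "action": "drop" if prefix == "FW-DROP" else "accept",
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(log_text: str, scan_threshold: int = 4) -> dict:
    """Summarise blocked/accepted traffic and flag events worth an alert.

    scan_threshold: number of distinct blocked ports from one source that
    counts as probing behaviour (a constructed, site-tunable value).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    blocked_ports = Counter(e["dpt"] for e in events if e["action"] == "drop")
    ports_probed = defaultdict(set)
    for e in events:
        if e["action"] == "drop":
            ports_probed[e["src"]].add(e["dpt"])
    accepted = Counter((e["src"], e["dpt"]) for e in events if e["action"] == "accept")
    return {
        "blocked_ports": dict(blocked_ports),
        "accepted": dict(accepted),
        "scanners": sorted(s for s, ports in ports_probed.items() if len(ports) >= scan_threshold),
        "unexpected_accepts": sorted((s, p) for (s, p) in accepted if p not in EXPECTED_INBOUND),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("blocked ports:", report["blocked_ports"])
    print("accepted inbound:", report["accepted"])
    print("sources probing many ports:", report["scanners"])
    print("accepted on unexpected ports:", report["unexpected_accepts"])
```

The "unexpected accepts" check is the one that catches firewall misconfiguration rather than attacker activity: it compares what the appliance actually let through against the exposure you intended, which is exactly the gap a rule-ordering mistake opens.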
Further Resources
TechSoup currently offers two Cisco firewalls to qualified nonprofits. Cisco is the industry leader in network and security hardware, and the Adaptive Security Appliance (ASA) line has replaced the older Pix line as their main security device. Smaller organizations with basic needs should check out the ASA 5505. The ASA 5510 can handle more traffic and has advanced features, such as VPN capability, but it costs a few hundred more than the 5505. For more on these two appliances and the differences between them, read An Introduction to the Cisco ASA 5505 and 5510.
TechSoup no longer sells the Pix 501 Firewall, but if you’ve inherited one, you may want to look at our basic and advanced setup guides.
Search Security’s Firewall Architecture Tutorial tells you how to choose firewalls and where to place them on your network. Windows Networking also has an article on Choosing a Firewall. It’s a few years old now, but still has relevant advice. A Guide to Unified Threat Management has advice on researching and testing devices that fall into this vague, amorphous category. Network World’s Firewall Buyer’s Guide is a good resource for comparing specifications, but since it relies on manufacturers to submit information, there are currently no Cisco products listed.
Also, be sure to check out ShieldsUP!. This free, easy-to-use Web site probes your network from the outside and tells you which ports are open and which ones are closed. Vulnerability testing tools and port scanning utilities let you know whether you’ve configured your firewall properly.
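The same check can be scripted against an address you own, so that it can be repeated after every rule change. The script below is an added example and is not code from the article, TechSoup or ShieldsUP!. It attempts a plain TCP connection to each port on a list, compares the result with the ports you intend to expose, and reports both directions of mismatch: something open that should be closed, and something closed that should be open. So that it runs offline, the self-check starts a throwaway listener on loopback and uses that as the "expected open" port; to test a real firewall, call `posture()` from outside your network with your own public address and your intended port list.

```python
"""Firewall posture check (added example; not the article's or ShieldsUP!'s code).

Connects to each listed port on an address you own and compares the result
with the exposure you intend. The self-check uses a loopback listener so the
example runs without any network access.
"""
import socket
import threading


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def posture(host: str, ports_to_check, expected_open):
    """Return (unexpected_open, unexpected_closed) relative to the intended exposure."""
    expected_open = set(expected_open)
    open_ports = {p for p in ports_to_check if port_open(host, p)}
    return sorted(open_ports - expected_open), sorted(expected_open - open_ports)


def start_test_listener():
    """Start a throwaway TCP listener on loopback; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))        # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:           # raised once srv is closed; thread exits
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def self_check() -> dict:
    """Exercise posture() against loopback with one open and one closed port."""
    srv, open_port = start_test_listener()
    # Bind and immediately release a second port so we have one that is closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        ports = {open_port, closed_port}
        return {
            "as_intended": posture("127.0.0.1", ports, {open_port}),
            "listener_should_not_exist": posture("127.0.0.1", ports, set()),
            "expected_service_missing": posture("127.0.0.1", ports, {open_port, closed_port}),
            "open_port": open_port,
            "closed_port": closed_port,
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, result in self_check().items():
        print(f"{name}: {result}")
```

Run the self-check once to confirm the tool itself behaves, then keep a copy of your intended port list next to your firewall configuration and re-run `posture()` from outside after each change; the "unexpected open" list should stay empty.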
For their invaluable suggestions and corrections, special thanks to: Steve Shields of Shields Networking in Seattle, WA; Chris Jowaisas of the Texas State Library, and Chris Shipley of NutmegIT in Hartford, CT.
Update: Bill Albertson has some great observations relating to this topic in our TechSoup Networking forum. In particular, he writes about monitoring your firewall, support contracts, and open-source solutions. He also emphasizes the importance of talking to other nonprofits (including on-site visits) and incorporating the firewall decision into your overall network infrastructure planning process.