No single firewall solution is right for everyone.
In the last few weeks, three of my friends, all of whom own small or medium-sized businesses, have struggled with the decision about which firewall solutions are right for their companies. All three asked lots of questions and sought out information on firewalls. Ultimately, all ended up choosing different solutions. One chose a Linux-based firewall, another chose personal firewall software, and the last chose a hardware-based firewall.
Why did these folks each choose different solutions? Simply put, their user base, network configurations, and network usage were very, very different. For example, the man who chose to use a Linux-based firewall operates a 100-person software development firm that uses private IP addresses behind Network Address Translation (NAT), has multiple internal servers, and operates from a single company location. In addition, his company wanted to migrate away from Windows and Internet Information Server (IIS) to Linux and Apache due to security concerns with IIS.
By contrast, the woman who chose the personal firewall software operates a five-person accounting firm. Her network of machines operates in a peer-to-peer fashion, and all five are connected to the Internet directly via separate public IP addresses. Because every machine is exposed to the Internet on its own address, there is no single chokepoint where one firewall could protect all of them, so she purchased five licenses for a software-based firewall and outfitted each machine with the software.
My third friend owns a 30-person services business that mainly operates from a single location. However, he also has five staffers who work remotely as virtual employees. At the main location, the company uses NAT. In addition, they wanted to begin self-hosting their Web site, and they wanted secure network access for the remote employees. So he chose a hardware firewall that supported NAT, virtual private networking (VPN) to support the remote workers, and a demilitarized zone (DMZ) port so that the self-hosted Web server sits on its own segment rather than on the internal LAN.
Certainly, implementing a firewall is a critical part of any company’s security process. Your business’s firewall needs may be similar to those of the companies I just described, but more likely, your networking and security needs will be unique. How do you know which firewall to choose and whether you need one or more firewalls?
Firewalls are one technology category where price should not be the deciding factor when choosing a solution. Some large enterprises may spend thousands of dollars on firewall technology, but small and medium-sized companies needn’t do this. For some small and medium-sized businesses, personal firewalls, such as Zone Alarm Pro, will do the trick nicely for less than $50.
One of the best ways to begin figuring out which firewall will meet your needs is by understanding the different types of firewalls that are available. For small and medium-sized businesses, there are three major categories of firewalls.
Embedded firewalls are usually built into a network router or switch. Some routers and switches include this functionality by default as part of the product. Other routers and switches may offer embedded firewall capabilities as an add-on module that you purchase separately. You’ll need to check with the manufacturer of your particular router or switch to see if embedded firewall capabilities are available.
Though embedded firewalls do offer good performance when compared to other types of firewalls, they typically filter only at the network and transport layers (IP addresses, protocols, and ports) and do not inspect payloads, so an application-level attack such as a worm arriving over a port you have deliberately opened, for example TCP port 80 to a Web server, passes straight through. Many embedded firewalls offer limited security functionality, and many also store configuration information, including administrative passwords, in cleartext. Check how the device stores its configuration and how it can be backed up before relying on it.
Software-based firewalls are available in a wide variety of packages and releases that support both server and desktop operating systems. For example, if you’re running Mac OS X servers, you might consider DoorStop Firewall, Server Edition. Likewise, if you use Linux, you might evaluate using iptables or consider SINUS. For Windows systems, you might examine Norton Personal Firewall or BlackICE.
The term personal firewall usually refers to software that installs on desktop systems, while software-based firewalls that run on servers are usually clearly marked as such. For example, BlackICE offers both a personal firewall and a server-based firewall.
Some companies choose to implement firewall technology only on the server, while other companies, such as the peer-to-peer network mentioned above, find it better to implement firewall technology directly on the desktop. The chief benefit of software firewalls is that they are usually very easy to set up and use. Most are capable of deflecting attacks at the network and application layers. Keep in mind, though, that a software firewall protects only the machine it runs on and runs with that machine’s privileges, so malicious code that gains control of the host can also disable its firewall.
Hardware-based firewalls are devices that come ready to plug into your network. They typically get plugged in between your WAN (Internet) connection and your LAN. There are some notable differences between hardware firewall devices. Most include a WAN port and one or more LAN ports. Some also include a DMZ port, which is usually plugged into a portion of your network that you want to make publicly available, such as a network segment that contains a Web server. The value of the DMZ port is that a Web server that gets compromised cannot reach the internal LAN directly; its traffic still has to pass the firewall’s rules.
Device-based firewalls also differ in the types of network speeds they may support. Some only support 10Mbps Ethernet, while others offer 100Mbps Ethernet. No matter how fast you run your network, there are hardware firewalls to fit your needs.
A hardware-based firewall is usually accessible via a browser-based administrative interface. Most of these devices are capable of deflecting network- and application-layer security issues. However, be sure that sensitive information about your network (and the administrator password) is stored in an encrypted form on the device, that the administrative interface is not reachable from the WAN port, and that administration uses an encrypted transport (HTTPS or SSH rather than plain HTTP or telnet). Change the factory default password before the device is connected to the Internet.
There are several key things to consider when choosing a firewall.
Number of users: If your company has fewer than 50 employees, you usually can implement a firewall that falls into the small-office/home-office (SOHO) category. If you have more than 50 employees or multiple locations, you may need to think about using multiple firewalls or investigating an enterprise-class firewall. For example, my friend who implemented a hardware-based firewall at his 30-person company also added personal firewall software to the desktops of his five remote workers for added protection.
Locations: Do you have one or two remote workers who are home-based? Do you operate one or more branch offices that have multiple employees in them? If the former, personal firewall software is a good choice; the latter may be best addressed by server-based firewall software or hardware-based firewalls.
Network type and speed: Be sure to check what types of network connectivity and speeds are supported by the firewall. Perhaps you are using 100Mbps Ethernet, AppleTalk, or even token ring. Be sure your network type and speed are supported before purchasing.
Network address translation: Many companies also use network address translation (NAT) to reduce the number of public IP addresses they need to purchase. For example, many small businesses use private IP addresses on the internal network, while all members of the network share a single public IP address when accessing the Internet. Most firewalls do support NAT these days, but if you are using NAT, check to be sure the firewall you choose can support it. In particular, there are some personal firewalls that do not support NAT. Note that NAT by itself is not a security control: it hides internal addresses and drops unsolicited inbound connections as a side effect, but it does not filter outbound traffic or inspect what comes back through an established session, so you still need rules.
Virtual private networks: Another firewall shopping point to be aware of is the inclusion of support for virtual private networking (VPN). If you want to enable secure remote access to your network using VPN tunneling, then you need to be sure your firewall will support it. For example, my friend with the remote workers uses VPN to enable secure access to company databases. You may want to enable VPN support to your network so that staffers can securely check e-mail after regular business hours. VPN support is included in many firewalls, but in others you need to purchase it as a separate module. Remember that a VPN extends your internal network to the remote machine, so a remote worker’s compromised PC becomes an internal host; that is why host firewalls on those machines, as in the 30-person example above, still matter.
Logging: As activity takes place, firewalls log it. You need to be able to examine the firewall’s logs at regular intervals. Be sure to ask firewall vendors which events are logged, how events can be filtered for readability, and if certain events can trigger an alarm that can notify you. The most common logging format is syslog. Where possible, send the logs to a separate machine with its clock synchronized to the firewall’s, so that an attacker who compromises the firewall cannot erase the record and so that timestamps line up with your other logs.
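As an added example (not code from the original article or from any firewall product), here is a small Python script that reads syslog-style firewall lines and raises the two alarms a small business would most want: a burst of denied packets from one source inside a short window, and one source probing several different ports. The line format is modelled on the SRC=, DST=, PROTO= and DPT= fields that Linux iptables logging writes, the FW-DROP and FW-ACCEPT prefixes are assumed names, the sample lines are constructed rather than captured from a real device, and the year is assumed because syslog timestamps do not carry one.

```python
"""Scan syslog-style firewall lines for events worth an alarm.

Added example, not a vendor's code. Line shape is modelled on iptables LOG
output; the prefixes FW-DROP / FW-ACCEPT and the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<prefix>[\w-]+):"
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
    r"(?:.*?DPT=(?P<dport>\d+))?"
)

# Constructed sample log: one source sweeps six ports in six seconds, another
# source makes two harmless-looking attempts, one packet is accepted, and one
# line is not a firewall event at all.
SAMPLE_LOG = """\
Jan 12 10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=21 SYN
Jan 12 10:15:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 12 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40003 DPT=23 SYN
Jan 12 10:15:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40004 DPT=25 SYN
Jan 12 10:15:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40005 DPT=80 SYN
Jan 12 10:15:06 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40006 DPT=443 SYN
Jan 12 10:15:07 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 12 10:15:08 fw kernel: FW-ACCEPT: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=52000 DPT=80 SYN
Jan 12 10:15:09 fw sshd[123]: Accepted password for bob from 10.0.0.5 port 4242 ssh2
Jan 12 10:15:40 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51001 DPT=22 SYN
"""


def parse_line(line: str, year: int = 2003) -> Optional[dict]:
    """Parse one syslog line; return None for lines that are not firewall events.

    `year` is an assumption: syslog timestamps carry no year.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def find_alarms(log_text: str, threshold: int = 5, window_s: int = 60,
                port_sweep: int = 4) -> List[Tuple[str, str, int]]:
    """Return (kind, source, count) alarms, one of each kind per source.

    'burst': >= threshold dropped packets from one source within window_s seconds.
    'sweep': one source has been dropped on >= port_sweep distinct destination ports.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # sliding window per source
    ports: Dict[str, Set[int]] = defaultdict(set)            # distinct ports per source
    fired: Set[Tuple[str, str]] = set()
    alarms: List[Tuple[str, str, int]] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["prefix"] != "FW-DROP":
            continue  # accepted traffic and non-firewall lines are not counted
        src = ev["src"]
        window = recent[src]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > window_s:
            window.popleft()  # drop events that fell out of the window
        if len(window) >= threshold and ("burst", src) not in fired:
            fired.add(("burst", src))
            alarms.append(("burst", src, len(window)))
        if ev["dport"] is not None:
            ports[src].add(ev["dport"])
            if len(ports[src]) >= port_sweep and ("sweep", src) not in fired:
                fired.add(("sweep", src))
                alarms.append(("sweep", src, len(ports[src])))
    return alarms


if __name__ == "__main__":
    for kind, src, count in find_alarms(SAMPLE_LOG):
        print(f"ALARM {kind}: {src} ({count})")
```

The thresholds are deliberately low so the constructed sample trips both alarms; on a real Internet-facing firewall you would tune them against a day of logs first, or every background scan of the Internet will page you.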
Rules configuration: Finally, examine the tools provided by prospective firewalls to manage rules. Rules definitions determine which traffic will and won’t be allowed on your network. Some firewalls auto-create rules on the fly after consulting with you via a popup notification. Others use security zones to determine allowable behavior. The order of rules is important: most firewalls evaluate rules top to bottom and act on the first match, so a broad allow rule placed above a narrower deny rule silently defeats the deny. Equally important is what the firewall does when no rule matches; the safe setting is to deny by default and add allow rules only for the traffic you know you need.
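To make the ordering and default-action points concrete, here is an added example in Python (not code from the article or from any firewall vendor) of a first-match packet filter. The rule set, the hypothetical DMZ Web server at 203.0.113.10 and the blocked source 198.51.100.7 are all assumptions chosen for the demonstration; the point is that the same two rules give opposite answers depending on their order, and that an unmatched packet’s fate depends entirely on the default policy.

```python
"""First-match packet-filter evaluator (added example, not a vendor product).

Demonstrates that rule order changes the verdict and that the default policy
decides what happens when nothing matches. Addresses and rules are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR or host; 0.0.0.0/0 matches any source
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    name: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """Return (action, rule name): the first matching rule wins, else the default."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return default, "<default>"


# Hypothetical network: public Web server on the DMZ, one abusive source to block.
WEB_SERVER = "203.0.113.10"
ABUSER = "198.51.100.7"

GOOD_ORDER = [
    Rule("deny", src=ABUSER, name="block-abuser"),
    Rule("allow", dst=WEB_SERVER, proto="tcp", dport=80, name="public-web"),
]
# Same two rules, reversed: the broad allow now shadows the narrower deny.
BAD_ORDER = list(reversed(GOOD_ORDER))

WEB_FROM_ABUSER = Packet(ABUSER, WEB_SERVER, "tcp", 80)
SSH_FROM_ELSEWHERE = Packet("192.0.2.55", WEB_SERVER, "tcp", 22)  # matches no rule


def demo() -> dict:
    """Run the four cases the text describes and return their verdicts."""
    return {
        "good_order_web": evaluate(GOOD_ORDER, WEB_FROM_ABUSER),        # deny, block-abuser
        "bad_order_web": evaluate(BAD_ORDER, WEB_FROM_ABUSER),          # allow, public-web
        "ssh_default_deny": evaluate(GOOD_ORDER, SSH_FROM_ELSEWHERE),   # deny, <default>
        "ssh_default_allow": evaluate(GOOD_ORDER, SSH_FROM_ELSEWHERE, default="allow"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict}")
```

When you review a real rule set, read it the way this evaluator does: top to bottom, stopping at the first hit, and then ask what the last line (the implicit default) does to everything that got that far.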
There is no firewall that can guarantee complete security. You must maintain your firewall, keep its software current, and combine it with other security tools to maximize security coverage overall. By doing a little firewall research and understanding your security needs, you can implement the firewall that is best suited to your computing environment without breaking the bank.