Is the Firewall Secure?

Is a firewall secure? This is a difficult question to answer, because no formal tests exist that can be easily applied to something as flexible as a firewall. A safe rule of thumb is that the more the firewall lets in and out, the less likely it is to be resistant to attack. The only firewall that is absolutely secure is one that is turned off.

If the quality of a firewall from a particular vendor is worrisome, common sense should be applied. The same kinds of questions that would be asked of vendors about any other mission-critical product purchase should be considered. For example: how long have they been in the business, what is the size of their installed base, and do they have independent experts review their design and implementation? A vendor should be able to clearly articulate how the design of their firewall leads to its security. An organization should be wary of accepting a vendor’s hand-waving or insinuations that their competitors’ products are insecure.

COST ISSUES

In addition to managerial concerns, there are cost issues. The most commonly asked question is: does more expense buy more security?

Does More Expensive Buy More Security?

A common misconception about firewalls is that you get what you pay for, and therefore the more expensive a firewall, the more secure it is. Unlike PC hardware, which is a commodity market, the firewall market has not yet settled down enough for consistent and competitive pricing to evolve. Most firewalls available commercially cost between $10K and $20K, but the more expensive offerings can cost as much as $80K and upwards. A firewall buyer should show some healthy skepticism when it comes to cost vs. value. If a firewall costs twice as much as another, the seller should be able to clearly explain why its product is twice as good.

COSTS AND DELIVERY

Before purchasing a firewall, it is important to be familiar with what typical installations involve and what are the deliverables that can be expected of a vendor.

A Typical Firewall Installation

Most firewalls used to be sold as consulting packages. When a firewall was sold, part of its cost was installation and support, usually involving a consultant from the vendor arriving onsite and assisting with the installation. Many of the sites that were connecting to the Internet had no local TCP/IP expertise, so the firewall installer’s job often also encompassed configuring routing and other tasks like setting up internal domain name servers and sendmail. Some vendors still provide such a level of service, and others simply ship a power-on-and-configure turnkey solution.

Typically, when a firewall is installed, the Internet connection must be ready, but not connected to the protected network. The firewall installer arrives, tests the machine’s basic function, and then may lead a meeting to work out the details of how the firewall will be configured: for example, what access control policy should be put in place, where E-mail should be routed, and where logging information should be forwarded. Once the installer clearly understands how the firewall should be configured, it is connected to the Internet side and tested for correct operation with the network. Then, the firewall’s access control rules are installed and checked, and it is connected to the protected network. Typically, some basic interoperation tests are performed, such as Web access and E-mail sending and receipt. When everything checks out positively, the organization is connected to the Internet.

What Vendors Typically Provide with a Firewall

Most vendors provide some kind of support period for basic questions pertaining to the firewall. Many provide an installation service such as the one previously described, which is valuable because the organization is given an opportunity to tailor its firewall in a way that makes sense for it, while having qualified vendor support ready to help. Often, a difficult part of setting up a firewall is getting the various software packages behind the firewall to talk correctly to it. Some vendors provide direct support for tasks such as hooking PC LAN mail systems into the firewall’s mailer or configuring domain name servers. If an organization does not have technical skills in these areas, having a vendor that is able and willing to support a custom configuration is a big time and energy saver.

Some Internet Service Providers (ISPs) offer a supported firewall as part of their connectivity service. For organizations that are new to TCP/IP or that are in a hurry, this is an attractive option, because the network support, leased line support, and firewall support are all supplied by the same vendor. The single most important service that vendors can provide with their firewalls is an understanding of how to make a sensible security policy. Unless an organization is certain that it understands what traffic it’s letting into and out of its network, it is not safe to just install a firewall that lets users point and click to decide what information to allow through.

Some firewalls can be configured to allow through things that they normally should not, on the assumption that users are experts and know what they are doing. Support from the vendor in getting everything set up with a reasonable baseline helps keep an organization from having a firewall that is accidentally configured to allow an attack through it.
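As an added example (not from the book), a small Python model of the step in which the access control rules are installed and checked before the protected network is connected: a first-match packet filter is evaluated against the interoperation tests the text names (Web access, E-mail sending and receipt) plus a few things that must stay denied, and it flags the kind of over-permissive rule the previous paragraph warns about. The policy, hosts and addresses are all constructed for illustration, using the RFC 5737 documentation address ranges.

```python
# Added example (not from the book): a first-match packet-filter model used to
# check a candidate rule set before the protected network is connected.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses: inside network, firewall inside and outside interfaces.
INSIDE, FW_IN, FW_OUT = "192.0.2.0/24", "192.0.2.1/32", "203.0.113.1/32"
@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    proto: str             # "tcp" or "any"
    dport: Optional[int]   # None means any destination port

def _match(field, addr):
    return field == "any" or ip_address(addr) in ip_network(field)

def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for r in rules:
        if (_match(r.src, src) and _match(r.dst, dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

# Constructed baseline policy: outbound Web, and SMTP only via the firewall's mailer.
BASELINE = [
    Rule("allow", INSIDE, "any", "tcp", 80),   # internal hosts browse the Web
    Rule("allow", INSIDE, FW_IN, "tcp", 25),   # internal mailer forwards outbound mail to the firewall
    Rule("allow", "any", FW_OUT, "tcp", 25),   # Internet delivers mail to the firewall's mailer
]

# The interoperation tests the installer runs: (src, dst, proto, dport) -> expected verdict.
ACCEPTANCE = [
    (("192.0.2.10", "198.51.100.5", "tcp", 80), "allow"),  # Web access out
    (("192.0.2.10", "192.0.2.1", "tcp", 25), "allow"),     # E-mail sending
    (("198.51.100.5", "203.0.113.1", "tcp", 25), "allow"), # E-mail receipt
    (("198.51.100.5", "192.0.2.10", "tcp", 25), "deny"),   # no SMTP straight to internal hosts
    (("198.51.100.5", "192.0.2.10", "tcp", 23), "deny"),   # no inbound telnet
]

def check_rules(rules, cases=ACCEPTANCE):
    """Return (packet, expected, got) for every acceptance case the rule set gets wrong."""
    results = [(p, exp, evaluate(rules, *p)) for p, exp in cases]
    return [r for r in results if r[1] != r[2]]

def too_permissive(rules):
    """Flag 'allow' rules that admit any source to any port: the accidental-attack case."""
    return [r for r in rules if r.action == "allow" and r.src == "any" and r.dport is None]
```

Appending a catch-all `Rule("allow", "any", "any", "any", None)` to `BASELINE` makes both inbound deny cases fail and is reported by `too_permissive`, which is exactly the check to run before the inside network is plugged in.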

What Vendors Typically Do Not Provide with a Firewall

Vendors typically do not configure internal legacy systems to work with the firewall. For example, most firewalls assume that they are talking to the Internet on one side and a TCP/IP network on the other. Usually, it is the customer’s responsibility to have TCP/IP-capable systems on the inside network with which the firewall can interact. For E-mail, firewalls mostly support only Simple Mail Transfer Protocol (SMTP), and it is the customer’s responsibility to have an SMTP-compatible system someplace on the inside. Often, it is also the customer’s responsibility to know any system-specific configuration changes necessary to get that internal SMTP system to forward all Internet-outbound mail to the firewall. Unless an organization is buying a firewall from an independent service provider, it is usually the customer’s responsibility to have a class C IP network address and domain name allocated.

CONCLUSION

Choosing a firewall is a lot like choosing a car. The natural assumption is that choosing a car is easy, because by the time most drivers can afford one, they have already accumulated much of the information needed to assess quickly and easily the cost/benefit, performance and convenience tradeoffs that different cars represent. The best way to ensure that a firewall is suitable is to gather enough information so that a choice can be made wisely. Useful books are also available, such as Firewalls and Internet Security: Pursuing the Wily Hacker by Bill Cheswick and Steve Bellovin, published by Addison-Wesley, and Building Internet Firewalls by Brent Chapman and Elizabeth Zwicky, published by O’Reilly and Associates.


Copyright © CRC Press LLC