Make sure you set up a basic firewall before you expose your business to the Internet
MOST BUSINESSES TODAY have learned that an Internet connection
sharpens their competitive edge by giving them (and their customers) timely
access to information. But connecting to the Internet spawns a new set of
responsibilities for IS departments: They must deliver reliable Internet
services to corporate users while ensuring that systems and information stay
secure from outside threats--such as hackers--that an Internet connection
exposes them to. An important tool for protecting a corporate network from
Internet intrusions is a firewall--an intelligent device that controls traffic
between two or more networks for security purposes.
Just as a firewall blocks the spread of a real fire, a network firewall is a
hardware/software barrier between a corporate network and the Internet. The
firewall gives you control over who can access the connection and how they can
access it. A firewall usually consists of a UNIX or Windows NT computer running
special firewall software, though other hardware platforms such as routers can
also run firewall software. Although this software is usually associated with
Internet connections, you can use firewalls to control traffic between parts of
an intranet or between networks of different corporations.
Before you set up a firewall, you need a risk analysis to determine whether
your organization is a candidate for a firewall and you need to draft an
Internet security policy. For information about these issues, see "Who Needs a Firewall?" page 120, and "Drafting an Internet Policy Document," page 125.
Firewall Features
Different organizations have different firewall needs. Based on those
differing needs, firewall features fall into five major categories:
- basic requirements
- support for additional Internet services
- advanced security and control
- remote users and virtual private networking
- enterprise-level functionality
The rest of this article explores the significant issues in each category
and examines the features specific to NT firewalls. (For more information about
NT firewall products, see "Windows NT-based Firewall Vendors," page
122. And for information about National Computer Security
Association--NCSA--certification for firewall products, see "Can Your Firewall Take the Heat?" page 124.)
Basic Requirements
A basic firewall lets corporate-network users access common Internet
services while preventing unauthorized outside users from accessing internal
systems. A firewall needs to let a security administrator set up rules for the
types of allowed and prohibited connections. In addition, a firewall needs to
ensure that internal IP addresses remain invisible to the Internet and allow the
IP address range that you use inside the firewall to be different from and
larger than your company's registered Class A, B, or C IP address range. (For
more information on NT and IP addressing, see Mark Minasi, "How to Set Up
IP," February 1996; "IP Routing with NT," March; "NT
Workstations Using an IP Router," May; and "DHCP and Assigning IP
Addresses," August.)
Firewalls also log network activity in detail, filter the log to produce
meaningful reports, and alert a network administrator when the network has
reached a predefined suspicious-activity threshold. Make sure your firewall
software supports at least the following Internet services: Hypertext Transfer
Protocol (HTTP), File Transfer Protocol (FTP), Gopher, Simple Mail Transfer
Protocol (SMTP), Telnet. Your firewall also needs a way to provide Domain Name
System (DNS) name resolution (preferably by letting you run DNS on the firewall
and on an internal system).
In addition, a basic firewall system needs to be easy to use. In
particular, adding rules to firewall software needs to be easy and, more
important, examining and understanding previously entered rules needs to be
easy.
A firewall should have a graphical interface, especially if the firewall
will be administered by a staff member who is used to NT. Finally, a firewall
needs high-quality documentation that clearly explains how to configure each
type of Internet service and explains address-related issues such as setting up
DNS and configuring Web browsers.
Packet Filters and Proxy Systems
The two main methods for providing a basic firewall are packet filters and
proxy systems. A packet filter is a device (usually a router with
traffic-filtering capabilities) that controls traffic based on the IP
source/destination addresses and the TCP or UDP source/destination port in the
header information of each TCP/IP packet sent across a network (a port is a
number that identifies the service the packet is using). For example, you can set up a
traffic filter on a router that allows IP traffic only with a source or
destination IP address that corresponds to the Dynamic Host Configuration
Protocol (DHCP) scope you use for client workstations. You can add another
filter that specifically disallows TCP port 139, the port number NetBIOS uses
for connections over TCP/IP--the port number Windows clients use to log on to
servers (remember that even NT Workstation clients can run the NT Server
service). Finally, you can filter User Datagram Protocol (UDP) on ports 137 and
138, which NT uses to advertise computer names and related information. With
these steps, you build a simple packet filter that goes some of the way toward
preventing outsiders from directly connecting to an internal server, while
allowing internal users to access Internet services.
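The three router rules described above, modelled as a stateless filter so you can see which packets each rule catches and which still slip through. This is an added example, not code from the article or from any firewall product; the DHCP scope and every packet are constructed sample values.

```python
"""Stateless packet filter modelling the article's three rules:
(1) pass only traffic whose source or destination is in the client DHCP scope,
(2) drop TCP 139 (NetBIOS session service),
(3) drop UDP 137/138 (NetBIOS name and datagram services).
Scope and packets below are constructed examples, not values from the article."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Constructed: hypothetical DHCP scope handed out to client workstations.
DHCP_SCOPE = ip_network("10.1.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


def filter_packet(pkt: Packet, scope=DHCP_SCOPE) -> Tuple[str, str]:
    """Return (verdict, reason); rules are checked in the order the article gives them."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    # Rule 1: at least one endpoint must be a DHCP-scope client.
    if src not in scope and dst not in scope:
        return ("DROP", "neither endpoint in DHCP scope")
    # Rule 2: block the NetBIOS session service (TCP 139) in either direction.
    if pkt.proto == "tcp" and 139 in (pkt.sport, pkt.dport):
        return ("DROP", "TCP 139 NetBIOS session")
    # Rule 3: block NetBIOS name/datagram advertisements (UDP 137, 138).
    if pkt.proto == "udp" and {pkt.sport, pkt.dport} & {137, 138}:
        return ("DROP", "UDP 137/138 NetBIOS name/datagram")
    return ("PASS", "permitted")


def run(packets: List[Packet]) -> List[str]:
    return [filter_packet(p)[0] for p in packets]


# Constructed sample traffic (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = [
    Packet("10.1.1.25", "192.0.2.80", "tcp", 1045, 80),     # client -> web server
    Packet("198.51.100.7", "10.1.1.25", "tcp", 2001, 139),  # outsider -> client NetBIOS
    Packet("198.51.100.7", "10.1.1.25", "udp", 137, 137),   # outsider name-service probe
    Packet("198.51.100.7", "10.1.2.5", "tcp", 3000, 23),    # outsider -> server outside scope
    Packet("198.51.100.7", "10.1.1.25", "tcp", 3000, 80),   # outsider -> client, port 80
]
```

The last sample packet passes: because the filter is stateless and only looks at addresses and ports, any inbound packet aimed at a scope address on a permitted port gets through, which is why the article says these rules go only "some of the way" toward blocking direct connections from outside.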