To determine whether your organization needs a firewall for Internet
security, you must first assess the risks of your Internet connections. The four
most common types of Internet connectivity in organizations are
- dial-up Internet email connections using the UNIX-to-UNIX CoPy (UUCP)
utility
- individual dial-up accounts with online service providers (e.g., Prodigy,
America Online, CompuServe)
- individual dial-up PPP connections to an ISP
- a full-time leased line (i.e., dedicated connection) to an ISP
Although all these connections represent a potential security hazard, the
most risky are those that use TCP/IP as the end-to-end transport mechanism. This
risk results from TCP/IP transport mechanisms supporting a range of services,
including services that hackers use. Full-time leased lines and dial-up PPP
connections use such TCP/IP connections. UUCP and online service provider
connections are generally safer because they use specialized transport protocols
for part of the connection. Such specialized transport protocols usually support
only the intended application and so limit the number of attacks possible over
the connection.
Note that individual accounts with online services can sometimes use TCP/IP
as the end-to-end transport mechanism. If your organization uses such accounts
for Internet access, you can expose your internal network to significant
threats, even if your service provider implements security measures (e.g., a
firewall between the service's system and the Internet). If online service
provider accounts or dial-up PPP accounts are starting to appear in your
organization, the time has probably come to move to a dedicated Internet
connection that you can protect with a firewall.
Some ISPs provide a firewall service, which may be a cost-effective option
for small companies. However, operating your own firewall lets you more easily
meet users' Internet-access needs so they won't be tempted to secretly install
dangerous dial-up accounts. Any organization that's large enough to have an
internal IS staff and must provide Internet access beyond simple email needs a
full, dedicated Internet connection that an onsite firewall controls. In
addition, any organization that must tightly control access to or from
particular departments or provide a dedicated network connection to an external
organization over the Internet needs a firewall.