Remote Users and Virtual Private Networking
If your company's mobile users or telecommuters must connect to your
corporate systems via the Internet, or if you want to establish Internet links
with business partners, suppliers, or customers, you must use encryption between
the remote locations and your firewall. This use of encryption to enable private
communications across the Internet is a Virtual Private Network (VPN).
Unfortunately, no NT firewall product supports emerging VPN encryption
standards. Instead, vendors use proprietary encryption techniques. So all
members of your VPN must use products from the same vendor.
Encryption standards are especially important for Internet connections
among trusted business partners (e.g., to support EDI applications). With such
standards in place, partners need not have the same firewall to exchange
information.
The Internet Engineering Task Force (IETF) has already defined the main set
of VPN encryption standards, the IP Security (ipsec) standards. They include the
Encapsulation Security Payload (ESP) protocol--RFC 1827--for encryption and the
Authentication Header (AH) protocol--RFC 1826--for authenticating TCP/IP
packets. Encryption vendor RSA Data Security has introduced S/WAN, an
alternative to ipsec. S/WAN uses the proprietary RC5 encryption protocol. The
IETF continues to evaluate standards for a key-management protocol, the method
by which encryption keys are automatically passed between computers. (For more
on encryption and key management, see Lawrence Hughes, "Secure Enterprise
Email," May 1996; "Digital Envelopes and Signatures," September;
and "Exchange Email," October.)
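The division of labor between the two ipsec protocols named above is easier to see in code than in prose. The following Go program is an added illustration, not code from the article or from any firewall vendor: it shows the AH idea (an integrity check over the packet, payload left in the clear) beside the ESP idea (payload encrypted and authenticated, sequence number enforced against replay). The packet layout, the use of AES-GCM in place of the ciphers RFC 1826/1827 specify, and the derivation of the nonce from SPI and sequence number are simplifications chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Packet is a simplified stand-in for a datagram protected under one security
// association. Real AH (RFC 1826) and ESP (RFC 1827) headers carry more fields;
// the SPI and sequence number are the two this illustration needs.
type Packet struct {
	SPI     uint32 // Security Parameter Index: selects the key material in use
	Seq     uint32 // per-association counter, so the receiver can reject replays
	Payload []byte // the TCP/IP payload being carried
}

// header serialises SPI and Seq; both AH and ESP bind the payload to it.
func header(p Packet) []byte {
	h := make([]byte, 8)
	binary.BigEndian.PutUint32(h[0:4], p.SPI)
	binary.BigEndian.PutUint32(h[4:8], p.Seq)
	return h
}

// AuthTag is the AH idea: an integrity check value over header and payload.
// The payload stays readable; only its origin and integrity are proven.
func AuthTag(key []byte, p Packet) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(header(p))
	m.Write(p.Payload)
	return m.Sum(nil)
}

// VerifyAuth recomputes the tag and compares it in constant time.
func VerifyAuth(key []byte, p Packet, tag []byte) bool {
	return hmac.Equal(tag, AuthTag(key, p))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonceFor fills the 12-byte GCM nonce from SPI||Seq. This example assumes that
// pair is unique per packet under one key; RFC 1827 carries an explicit IV instead.
func nonceFor(aead cipher.AEAD, hdr []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	copy(nonce[len(nonce)-len(hdr):], hdr)
	return nonce
}

// Encapsulate is the ESP idea: payload encrypted and authenticated, with the
// clear-text header bound in as additional data. Wire: header || ciphertext || tag.
func Encapsulate(key []byte, p Packet) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	hdr := header(p)
	wire := append([]byte{}, hdr...)
	return aead.Seal(wire, nonceFor(aead, hdr), p.Payload, hdr), nil
}

// Decapsulate authenticates first, then requires Seq to advance past lastSeq,
// so a captured packet replayed later is rejected even though it would decrypt.
func Decapsulate(key, wire []byte, lastSeq uint32) (Packet, error) {
	if len(wire) < 8 {
		return Packet{}, errors.New("short packet")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Packet{}, err
	}
	hdr := wire[:8]
	payload, err := aead.Open(nil, nonceFor(aead, hdr), wire[8:], hdr)
	if err != nil {
		return Packet{}, errors.New("authentication failed: packet modified or wrong key")
	}
	p := Packet{SPI: binary.BigEndian.Uint32(hdr[0:4]), Seq: binary.BigEndian.Uint32(hdr[4:8]), Payload: payload}
	if p.Seq <= lastSeq {
		return Packet{}, fmt.Errorf("replay: seq %d does not advance past %d", p.Seq, lastSeq)
	}
	return p, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key; real keys come from key management
	p := Packet{SPI: 0x100, Seq: 1, Payload: []byte("constructed payload")}
	wire, _ := Encapsulate(key, p)
	fmt.Printf("ESP wire is %d bytes for a %d-byte payload\n", len(wire), len(p.Payload))
	wire[len(wire)-1] ^= 0x01 // simulate modification in transit
	_, err := Decapsulate(key, wire, 0)
	fmt.Println("modified packet:", err)
}
```

The point a reviewer should take from the two halves: AH alone leaves the payload readable by anyone on the path, while ESP hides it, and in both cases a change to a single byte, or a replay of an old packet, is detected before the receiver acts on the contents. Key management, which the article notes is still unsettled, is exactly the part this example leaves out: the shared key is simply a constant.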
If you plan to connect to other organizations across the Internet in the
next year or two, find out whether the firewall vendors you're considering have
participated in VPN standards interoperability testing and whether they plan to
introduce ipsec support (including key management based on the Internet Security
Association and Key Management Protocol (ISAKMP) combined with Oakley, which,
because of strong support from Cisco Systems and other vendors, is likely to be
the key management standard the IETF will choose). Both FireWall-1 and Raptor
claim that the next
release of their NT firewall products will include ipsec support.
If you want to establish a VPN that includes only your company's sites, you
can use proprietary VPN technologies to implement a secure working solution
right now. Similarly, if you want to let remote users connect via dial-in
Point-to-Point Protocol (PPP), many vendors can provide a solution that uses
software on a remote PC to provide an encrypted path back to the firewall.
Another common approach is to provide encryption between a remote system and a
server inside the firewall. However, this approach requires establishing a path
through the firewall, which can open a security hole.
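The "path through the firewall" in the last paragraph is a packet-filter decision, and the exposure it creates can be checked mechanically. The Go program below is an added example, not from the article or any product: it models a first-match, default-deny filter with symbolic host names, writes the rule a firewall-terminated VPN needs beside the rule a remote-PC-to-internal-server arrangement needs, and then asks which inside hosts an arbitrary Internet address can reach under each. Host names, the port number 4000 for the hypothetical internal server, and the candidate port list are constructed for the example; the assumption that remote users arrive from unknown addresses (so the source field must be "any") is what makes the second rule a hole.

```go
package main

import "fmt"

// Flow is the part of a packet a filter looks at; addresses are symbolic here.
type Flow struct {
	Proto   string // "tcp" or "udp"
	Src     string // source host; "internet" stands for any outside address
	Dst     string
	DstPort int
}

// Rule is one first-match packet-filter entry. "any" matches everything in that
// field and DstPort 0 matches every port.
type Rule struct {
	Allow   bool
	Proto   string
	Src     string
	Dst     string
	DstPort int
}

func (r Rule) matches(f Flow) bool {
	return (r.Proto == "any" || r.Proto == f.Proto) &&
		(r.Src == "any" || r.Src == f.Src) &&
		(r.Dst == "any" || r.Dst == f.Dst) &&
		(r.DstPort == 0 || r.DstPort == f.DstPort)
}

// Decide walks the rule list; a flow that matches nothing is denied (default deny).
func Decide(rules []Rule, f Flow) bool {
	for _, r := range rules {
		if r.matches(f) {
			return r.Allow
		}
	}
	return false
}

const vpnPort = 500 // UDP 500 is ISAKMP's registered port, used here as the representative VPN listener

// Encrypted path terminates on the firewall: remote users have dynamic addresses,
// so Src must be "any", but the only host they can reach is the firewall itself.
var VPNAtFirewall = []Rule{
	{Allow: true, Proto: "udp", Src: "any", Dst: "firewall", DstPort: vpnPort},
	{Allow: false, Proto: "any", Src: "any", Dst: "any"},
}

const appPort = 4000 // constructed port for the hypothetical crypto-enabled internal server

// Encrypted path terminates on a server inside the firewall: the filter must pass
// that server's port from any source, because the remote user's address is unknown.
var VPNAtInternalServer = []Rule{
	{Allow: true, Proto: "tcp", Src: "any", Dst: "internal-server", DstPort: appPort},
	{Allow: false, Proto: "any", Src: "any", Dst: "any"},
}

// InternetReachable lists every host:port/proto an arbitrary Internet address can
// reach under a rule set. Running it before adding a "path through" shows what the
// new rule exposes beyond the one remote user it was written for.
func InternetReachable(rules []Rule, hosts []string, ports []int) []string {
	var exposed []string
	for _, h := range hosts {
		for _, port := range ports {
			for _, proto := range []string{"tcp", "udp"} {
				if Decide(rules, Flow{Proto: proto, Src: "internet", Dst: h, DstPort: port}) {
					exposed = append(exposed, fmt.Sprintf("%s:%d/%s", h, port, proto))
				}
			}
		}
	}
	return exposed
}

func main() {
	hosts := []string{"firewall", "internal-server", "file-server"} // constructed inside hosts
	ports := []int{23, 80, vpnPort, appPort}
	fmt.Println("VPN at firewall exposes:       ", InternetReachable(VPNAtFirewall, hosts, ports))
	fmt.Println("VPN at internal server exposes:", InternetReachable(VPNAtInternalServer, hosts, ports))
}
```

With the VPN terminated on the firewall, the only Internet-reachable service is the firewall's own listener, which is designed to face hostile traffic. With the path through, an internal host is reachable from every Internet address on the application port, so its security now rests on that server's own software rather than on the firewall.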
Enterprise-Level Functionality
Large organizations usually require an enterprise-capable firewall that
includes multiple firewalls and multiple interfaces on those firewalls. An
enterprise-capable firewall lets a network administrator centrally manage
remote firewalls over an encrypted path and as one entity, with a central point
for logging network information. Many firewall products achieve this
configuration by separating the management interface program from the
rule-processing engine. Some firewall vendors, including CheckPoint and Raptor,
also let you download packet filters to routers such as those from Bay Networks
and Cisco Systems. An enterprise-capable firewall also needs to provide real-time
notification of suspicious activity via email and pager and needs to generate
Simple Network Management Protocol (SNMP) traps that you can integrate with the
enterprise network management system. (SNMP is a standard protocol that network
management systems use to collect information from network devices.)
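Real-time notification of suspicious activity, as asked for above, comes down to watching the central log and deciding when a pattern of denied connections deserves a page. The Go program below is an added example, not code from the article or any firewall product: it parses constructed log lines of the form `<timestamp> DENY <proto> <src> -> <dst>:<port>`, keeps a sliding window of denied connections per source, and raises an alert when a source reaches a threshold within the window. The log format, the threshold and window values, and the sample addresses are all constructed; delivering the alert by email, pager or SNMP trap is left to whatever sink the product provides.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Alert is what the notification layer would hand to the email gateway, the pager
// or the SNMP trap sender.
type Alert struct {
	At     time.Time
	Source string
	Count  int
	Window time.Duration
}

// Detector keeps, per source address, the timestamps of denied connections seen
// within the last Window, and fires when the count reaches Threshold.
type Detector struct {
	Threshold int
	Window    time.Duration
	seen      map[string][]time.Time
}

func NewDetector(threshold int, window time.Duration) *Detector {
	return &Detector{Threshold: threshold, Window: window, seen: map[string][]time.Time{}}
}

// parseDeny reads one constructed log line:
//   2006-01-02T15:04:05 DENY tcp <src> -> <dst>:<port>
// and returns its timestamp and source; ALLOW and malformed lines yield ok=false.
func parseDeny(line string) (at time.Time, src string, ok bool) {
	f := strings.Fields(line)
	if len(f) < 6 || f[1] != "DENY" {
		return time.Time{}, "", false
	}
	at, err := time.Parse("2006-01-02T15:04:05", f[0])
	if err != nil {
		return time.Time{}, "", false
	}
	return at, f[3], true
}

// Observe feeds one line and returns an alert (and true) at the moment a source's
// denied connections inside the window reach the threshold.
func (d *Detector) Observe(line string) (Alert, bool) {
	at, src, ok := parseDeny(line)
	if !ok {
		return Alert{}, false
	}
	kept := d.seen[src][:0] // drop timestamps that have slid out of the window
	for _, t := range d.seen[src] {
		if at.Sub(t) < d.Window {
			kept = append(kept, t)
		}
	}
	kept = append(kept, at)
	d.seen[src] = kept
	if len(kept) == d.Threshold {
		return Alert{At: at, Source: src, Count: len(kept), Window: d.Window}, true
	}
	return Alert{}, false
}

// Scan runs a batch of lines through a fresh detector and returns every alert raised.
func Scan(lines []string, threshold int, window time.Duration) []Alert {
	d := NewDetector(threshold, window)
	var alerts []Alert
	for _, l := range lines {
		if a, ok := d.Observe(l); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

// SampleLog is constructed for this example: one outside host is denied on several
// ports in quick succession; another is denied twice, twenty minutes apart.
var SampleLog = []string{
	"1996-10-01T10:00:01 DENY tcp 10.9.9.9 -> 192.168.1.5:23",
	"1996-10-01T10:00:02 DENY tcp 10.9.9.9 -> 192.168.1.5:25",
	"1996-10-01T10:00:02 ALLOW tcp 10.1.1.1 -> 192.168.1.5:80",
	"1996-10-01T10:00:03 DENY tcp 10.9.9.9 -> 192.168.1.5:110",
	"1996-10-01T10:00:04 DENY tcp 10.1.1.1 -> 192.168.1.5:23",
	"1996-10-01T10:00:05 DENY tcp 10.9.9.9 -> 192.168.1.5:139",
	"1996-10-01T10:00:06 DENY tcp 10.9.9.9 -> 192.168.1.5:21",
	"1996-10-01T10:20:00 DENY tcp 10.1.1.1 -> 192.168.1.5:23",
}

func main() {
	for _, a := range Scan(SampleLog, 5, time.Minute) {
		// a product would route this to the pager, mail gateway or SNMP trap sender
		fmt.Printf("%s suspicious: %s denied %d times within %s\n",
			a.At.Format(time.RFC3339), a.Source, a.Count, a.Window)
	}
}
```

The sliding window is what keeps the pager quiet: two isolated denials from the same address over twenty minutes never accumulate, while five in six seconds do. When the same logic runs over logs collected from several remote firewalls, as the central logging point above allows, the thresholds should be set per enterprise, since a burst that is abnormal for one site may be routine for another.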
NT-Specific Features
If you plan to run your firewall on NT, answers to a few additional
questions will determine your firewall product needs. For instance, during the
product's installation, does it automatically configure NT to maximize security
(e.g., does the firewall disable IP forwarding, nonessential services such as
the server service, and the guest account)? Is the product tightly coupled with
native NT features such as User Manager for Domains, Event Viewer, and Perfmon?
Will the product run on the Digital Equipment Alpha version of NT? Will it run
on NT 4.0? Is the product integrated with Microsoft's DNS Server, or does it
require a different DNS server? (This question is more important if you intend
to use NT 4.0, which includes Microsoft's DNS Server.)
Start with the Basics
When evaluating your organization's firewall requirements, start with the
basics and add more complexity as needed. A basic firewall that consists of a
proxy system and packet-filtering device and supports common Internet services
can be enough for a small organization. Large organizations and those with
sophisticated users can require multiple firewalls that support more Internet
services. Stay tuned for an upcoming article that will review several NT-based
firewall products, tested in a real-world corporate NT environment.