Building your firewall, Part 3
Last month's column described the operating system installation that lays the groundwork for
firewall implementation.
Implementing firewall software is not really that hard.
Maintaining it is. If you can take a step back and look
down the road at the possible traffic jams, you can make maintenance
easier by spending a little extra time with the implementation. This
column will attempt to offer some advice that could save you some
maintenance headaches.
I always find that examples are the best way to explain a point. The
problem with using examples when discussing firewalls is that there
are many types to choose from. Trying to give examples of each would
be tedious (assuming that I even could). To keep it simple, I'll
try to stick to general issues and give examples from two of the
most popular firewalls available: Check Point FireWall-1 (stateful inspection)
and TIS Gauntlet (proxy). This is not to be construed as an
endorsement of either -- I'm just more familiar with these.
Know your firewall
It doesn't matter what type of firewall you are installing; you're going to have
to take the time to learn it. For vendor-proprietary firewalls, this
means that you will probably have to take a class to learn the
vendor interface. Of course, this does not necessarily make you a
firewall expert, but it is worth taking the time to learn how to use
the product in the manner intended. Some vendors are pretty good
at supporting backward compatibility so that future releases just
require reading over the documentation.
For a firewall based on open source standards, there is more that
you have to learn, and the management interface may not be as easy
to use. The bright side is that the technology learned can be used
in other places. Once you develop the technical skills, you can
customize the firewall.
Prune the architecture
It's easy to get carried away when designing a security
architecture. Just remember, the more complex you make it, the
harder it will be to maintain and to keep performing efficiently. Once
you've learned more about the particular firewall that you are
implementing, see where you can streamline the architecture. For
example, if you are requiring users to authenticate on the firewall
before going out to Web sites, you will take a performance hit and
add a lot of maintenance. Is it worth it? If it is that important
to make sure that users are not going to inappropriate sites, it
might be better to implement a Web-caching product that also
provides filtering.
Along with the services, consider how many firewalls are in the
architecture. If you're looking at an architecture with more than
50 firewalls, you will need a centralized management mechanism. For
very large implementations, a firewall farm that runs on
high-capacity systems may be a more efficient method than
maintaining hundreds of little firewalls. Some firewalls support
load balancing, which uses the resources efficiently and provides
redundancy.
Can't get there from here
Quite a lot of time is wasted in firewall implementations because
the basic network connectivity is not there. It cannot be stressed
enough: test your network routes before you even begin to install
the firewall software. Otherwise, you will find yourself wasting an
inordinate amount of time trying to debug firewall rules when it's
not a firewall problem.
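One way to run this check on paper before any live test, shown as an added example that is not part of the original column: list the addresses the firewall must reach on each leg and confirm that the routing table sends each one out the intended interface. The three-column table format, interface names and addresses are constructed for illustration; in practice the table would come from the host's own routing output, and ping and traceroute tests would follow.

```python
import ipaddress

# Constructed routing table for a three-legged firewall host (not from the article).
# Columns: destination, gateway, interface
ROUTE_TABLE = """\
default          192.0.2.1     outside
192.0.2.0/24     direct        outside
10.1.0.0/16      direct        inside
172.16.5.0/24    direct        dmz
"""

# Constructed expectations: address to reach, interface the traffic must leave on.
EXPECTED = [
    ("10.1.4.20", "inside"),      # internal mail server
    ("172.16.5.10", "dmz"),       # public web server
    ("198.51.100.7", "outside"),  # arbitrary Internet host
    ("10.20.3.9", "inside"),      # branch office behind an inside router
]

def parse_routes(text):
    """Turn the table text into (network, gateway, interface) tuples."""
    routes = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        dest, gateway, iface = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, gateway, iface))
    return routes

def lookup(routes, address):
    """Return the most specific route covering address, or None."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def check_paths(routes, expected):
    """Return (address, wanted_iface, actual_iface) for every mismatch."""
    problems = []
    for address, wanted in expected:
        route = lookup(routes, address)
        actual = route[2] if route else None
        if actual != wanted:
            problems.append((address, wanted, actual))
    return problems

if __name__ == "__main__":
    for address, wanted, actual in check_paths(parse_routes(ROUTE_TABLE), EXPECTED):
        print(f"{address}: expected {wanted}, table sends it via {actual}")
```

The branch-office address has no static route in the sample table, so it falls through to the default route on the outside interface. That kind of fault looks like a blocked rule once the firewall software is running, which is why it pays to catch it first.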