7. Other Issues
This section covers several areas, such as the expanded security role of firewalls, sources of additional information about commercial firewall products, and security for home or small business office Internet connections.
Firewall Expansion
These days firewall vendors are busy adding new security functions
to their products. Detailed discussion of these functions is beyond the
scope of this guide, but they are worth mentioning as they may affect your
buying decision. There are four main functions:
A. Malicious code scanning -- checking internetwork traffic for viruses, Trojan horses, and malicious applets written in ActiveX or Java.
B. Web surf monitoring -- recording which users travel to what Web sites via the corporate Internet connection. This may be done to help determine or enforce policies about use of company resources. Logs of Web surfing can also be used to substantiate or refute claims of inappropriate activity.
C. Web surf filtering -- controlling employee access via the corporate Internet connection to Web sites deemed inappropriate or unproductive.
D. Virtual private networks -- securing networks so that they can safely communicate in private over the public Internet. This is done by strong authentication of the connecting firewalls and encryption of all traffic between them. Standards are emerging that will allow firewalls of different brands to link together in VPNs. Without that, VPNs are only feasible between firewalls of the same make.
When you are deciding between different commercial firewalls, the ability to support one or more of the above may be important to you.
Product Information
One of the problems you may encounter when you start shopping for a
firewall is a lack of standards in product literature. Of course, it is
quite reasonable for vendors to prepare marketing literature that puts
products in the best possible light and describes them in ways that are
appropriate to the company's design and sales philosophies. However, if
you look at other areas of hardware and software you will see that some
standards have emerged, both in terminology and the description of features.
For example, when a car brochure refers to brakes as being anti-lock, or
states there are dual air bags, we can expect these items to fall within
certain parameters (for example, we can expect the air bags to be microprocessor-controlled
supplemental restraint systems and not a pair of toy balloons and a bicycle
pump).
One of the first steps taken by the NCSA Firewall Product Developers' consortium after it was formed in July of 1995 was to back a solution to this problem developed by Marcus Ranum and referred to as Firewall Product Functional Summaries. The purpose of the firewall product functional summary program is twofold:
· To provide a structured format in which vendors can describe the distinguishing features and advantages of their products.
· To provide a structured format from which potential firewall customers can compare and contrast the features and design principles of firewall products.
In other words, the functional summaries provide product information to potential firewall customers in a format that allows for meaningful comparisons between products while still allowing for claims of product uniqueness. The summary format used in the program was derived through an open process including firewall vendors, agencies of the computer security community, and the firewall customer community. This cooperative industry effort, a voluntary program, was coordinated by, and the summary format copyrighted by, Marcus Ranum of V-ONE. Since 1995, NCSA has been collecting Firewall Product Functional Summaries from members of the Firewall Developers' consortium and posting them on the NCSA Web site. Copies have also been made available on the NCSA Firewall Buyer's Guide CD, which can be ordered from the NCSA bookstore. These Firewall Product Functional Summary documents are well worth reading as part of your efforts to better understand firewall technology, since they give you added insight into the various techniques and designs currently being deployed.
Firewalls for SOHO Users?
Most firewall conferences and seminars focus on the needs of large
corporate users. But at such events we are frequently asked the question
"What about when I surf the Internet from home?" The questioner is often
a corporate IT professional who has occasion to work from home, but many
small businesses have similar concerns (the term SOHO is widely used in
Europe for the "Small Office Home Office" category of computer user). The
concerns of SOHO users arise from several different Internet access scenarios.
To address the simplest scenario first, consider a dial-up or dial-on-demand ISP account. When you need to send e-mail or surf the Web, your PC's modem dials an Internet Service Provider and establishes a TCP/IP connection that lasts until you log off or until the connection times out from lack of use. Such connections almost always use something called dynamic IP addressing, which means that the address of your computer on the network (yes, your computer is part of the network for the duration of the call) is randomly assigned from a group of numbers that belong to the ISP. The effect is to make your computer a small blip on the Internet radar and thus a relatively improbable target for attack.
For example, suppose someone broke into your machine during an Internet session and stole an encrypted password file. If they cracked the file off-line and wanted to get back to your machine to exploit the passwords, they would have a hard time finding it. Such an attack is not impossible to conceive, but you have to consider the motivation to arrive at a risk factor -- do you have anything on your computer that would make such an attack worth the effort? For most home computers the answer is probably no. In the case of a company laptop being used from home or a hotel room somewhere, the answer might be closer to the affirmative, but the attack is still a difficult one to mount and would only become probable if other types of attack had been tried and thwarted.