5. Specifying and Procuring a Firewall
Once the decision is made to use firewall technology to implement an organization's security policy, the next step is to procure a firewall that provides the appropriate level of protection and is cost-effective. We cannot say what exact features a firewall should have to provide effective implementation of your policies, but we can suggest that, in general, a firewall should be able to do the following:
· Support a "deny all services except those specifically permitted" design policy, even if that is not the policy used.
· Support your security policy, not impose one.
· Accommodate new services and needs if the security policy of the organization changes.
· Contain advanced authentication measures, or contain the hooks for installing them.
· Employ filtering techniques to permit or deny services to specified host systems as needed.
· Use an IP filtering language that is flexible, user-friendly to program, and able to filter on as many attributes as possible, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.
· Use proxy services for services such as FTP and TELNET so that advanced authentication measures can be employed and centralized at the firewall.
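The following is an added illustration, not code from the guide or from any vendor: a minimal rule evaluator that implements the "deny all services except those specifically permitted" design policy and filters on exactly the attributes listed above (source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound or outbound interface). The rule syntax, the mail relay address and the 192.0.2.0/24 internal network are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the filter (constructed for the example)."""
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp", ...
    sport: Optional[int]  # None for protocols without ports
    dport: Optional[int]
    iface: str            # "inbound" or "outbound"


@dataclass(frozen=True)
class Rule:
    """A filter rule; a None field means 'any' for that attribute."""
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR network
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.iface is None or self.iface == p.iface))


def decide(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; with no match the default is deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"  # the "deny all except specifically permitted" default


# Constructed policy: inbound SMTP only to the mail relay, outbound HTTP
# only from the internal network; everything else falls through to deny.
MAIL_RELAY = "192.0.2.25/32"
INTERNAL = "192.0.2.0/24"
RULES = [
    Rule("permit", dst=MAIL_RELAY, proto="tcp", dport=25, iface="inbound"),
    Rule("permit", src=INTERNAL, proto="tcp", dport=80, iface="outbound"),
]
```

Because no rule permits inbound TELNET, or SMTP to any host other than the relay, those packets are dropped without a deny rule ever having to be written.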
Other Basic Functions
It is also helpful, if services such as NNTP, X, HTTP, or gopher are required, for the firewall to contain the corresponding proxy services. The firewall should also contain the ability to centralize SMTP access, to reduce direct SMTP connections between site and remote systems. This results in centralized handling of site e-mail. The firewall should accommodate public access to the site, such that public information servers can be protected by the firewall but can be segregated from site systems that do not require the public access.
The firewall should contain the ability to concentrate and filter dial-in access. The firewall should contain mechanisms for logging traffic and suspicious activity, and should contain mechanisms for log reduction so that logs are readable and understandable. If the firewall requires an operating system such as UNIX, a secured version of the operating system should be part of the firewall, with other security tools as necessary to ensure firewall host integrity. The operating system should have all patches installed. Note that there is no reason for the firewall machine itself to use the same operating system as your company network. Indeed, numerous firewalls use their own proprietary operating system, optimized for performance and security. However, it may be helpful for the management of the firewall to take place on a system with a familiar operating system and interface.
The firewall should be developed in a manner such that its strength and correctness are verifiable. It should be simple in design so that it can be understood and maintained. The firewall and any corresponding operating system should be updated with patches and other bug fixes in a timely manner. As mentioned in earlier discussion, the Internet is a constantly changing network. New vulnerabilities can arise. New services and enhancements to other services may represent potential difficulties for any firewall installation. Therefore, flexibility to adapt to changing needs is important, as is the process of staying current on new threats and vulnerabilities. You may want to subscribe to some of the mailing lists that we list on our Web site (www.ncsa.com) or consider a paid subscription to reconnaissance services such as NCSA's IS/Recon.
Buy or Build?
Some organizations have the capability to put together their own firewalls using available software components and equipment or by writing a firewall from scratch. At the same time, there are plenty of vendors offering a wide range of services in firewall technology, from providing the necessary hardware and software, to developing security policy, to carrying out risk assessments, security reviews and security training. Whether you buy or build, you start with a policy. If your organization is having a hard time developing a policy, a consultant or vendor may be able to expedite the process.
One of the advantages of building your own firewall is that in-house personnel understand the specifics of the design and use of the firewall. Such knowledge may not exist in-house with a vendor-supported firewall. On the other hand, an in-house firewall can be expensive in terms of the time required to build and document the firewall, plus the time required for maintaining the firewall and adding features to it as required. These costs are easy to overlook. Organizations sometimes make the mistake of counting only the costs for the equipment. If a true accounting is made for all costs associated with building a firewall, it could prove more economical to purchase from a vendor. Consideration of the following questions may help your organization decide whether or not it has the resources to build and operate a successful firewall:
A. How will the firewall be tested?
B. Who will verify that the firewall performs as expected?
C. Who will perform general maintenance of the firewall, such as backups and repairs?
D. Who will install updates to the firewall, such as for new proxy servers, new patches, and other enhancements?
E. Can security-related patches and problems be corrected in a timely manner?
F. Who will perform user support and training?
Many vendors offer maintenance services along with firewall installation; therefore, the organization should consider whether it has the internal resources to perform the functions listed above. Finally, firewall administration is a critical job role and should be afforded as much time as possible. In small organizations, it may require less than a full-time position; however, in such cases, it should take precedence over other duties. The cost of a firewall should include the cost of administering the firewall. A firewall can only be as effective as its administration. If the firewall is not maintained properly, it may become insecure; it may permit break-ins while providing an illusion that the site is still secure. Your security policy should clearly reflect the importance of strong firewall administration. Management should demonstrate its commitment to this importance in terms of full-time personnel, proper funding for procurement and maintenance and other necessary resources.
A firewall is not an excuse to pay less attention to site system administration. It is in fact the opposite: if a firewall is penetrated, a poorly administered site could be wide open to intrusions and resultant damage. A firewall in no way reduces the need for highly skilled system administration. At the same time, a firewall can permit a site to be proactive in its system administration as opposed to reactive. Because the firewall provides a barrier, sites can spend more time on system administration duties and less time reacting to incidents and damage control. It is recommended that sites:
· Standardize operating system versions and software to make installation of patches and security fixes more manageable.
· Institute a program for efficient, site-wide installation of patches and new software.
· Use services to assist in centralizing system administration, if this will result in better administration and better security.
· Perform periodic scans and checks of host systems to detect common vulnerabilities and errors in configuration.
Finally, you should ensure that a communications pathway exists between system administrators and firewall/site security administrators to alert the site about new security problems, alerts, patches, and other security-related information.