Make Your Firewall Work for You

I’ve recently had the opportunity to listen in on a couple of debates regarding firewalls and their utility, as well as their future in the corporate and educational environment.

Now there are two kinds of firewalls: hardware firewalls, which are most frequently network based, and software firewalls, which are generally deployed on local hosts. Network-based firewalls can be considered perimeter or enterprise firewalls since they sit at the gateway to the Internet and inspect packets before allowing ingress or egress. But you know all this already (or you’ve been pretending that you do).

Network firewalls consist of hundreds and hundreds of rules that packets are matched against to determine if the packet is malicious. This is a good thing. However, if your network carries more traffic than the firewall appliance can handle, it’s a bad thing. The appliance usually defaults to "open" (letting traffic through) rather than "closed" (dropping the un-inspected packets on the floor). The first can be problematic for the security of the network. The second is problematic for the people trying to get work done.

Another problem arises when you have extensive amounts of what might be considered anomalous traffic. This might be anything from JPEGs being uploaded or downloaded (or even viewed in a browser) to plaintext instructions on how to do something that contain URLs of various forms. This type of traffic can be flagged as Web attacks or directory traversal attacks, when they aren’t at all.

This brings us to the downside.

Somebody, somewhere has to interpret the output of these appliances to determine if there has been an attack. If there was, was it successful? And if so, how widespread might it be? You are either paying an employee to do this or you are paying an outside organization to do it, but you are paying.

Plus, there is a significant investment in the tuning of your appliance. That is to take the default signatures (or rules) and disable the ones that don’t apply, and revise (if possible) the ones that should apply but give so many false positives they’re not very useful. Tuning also involves making sure that every time there is a significant change to the topology of the network, it’s reflected in the configuration of the firewall. You are (or should be) paying someone to do that, too.

There is the issue of maintaining the firewall. There are new vulnerabilities and exploits coming out every day that must be added to the signature (or rules) list. They have to be vetted to make sure that installing them doesn’t cause your little portion of the universe to implode.

Finally, if your network is not one-size-fits-all, you may need to figure out which firewall rules should be employed in one segment of the network and which should go in another segment of the network. This can be done, but it involves more hardware and more maintenance. And if your topology isn’t logically oriented (all the finance people on one subnet, all the marketers on another) then it can get kind of messy.

Enter the personal firewall.

Currently, both Apple and Windows have embedded firewalls in their operating systems. But there may be room for third-party solutions to the firewall equation.

The Windows ICF (Internet Connection Firewall) is limited to incoming traffic. Basically, when you turn on ICF it prevents any incoming connections that you did not initiate. Thus, it lets through your Web traffic, but it does not let through an attempt to FTP to your machine. There’s no tuning and no signatures: it strictly filters all unsolicited inbound traffic.

There are other considerations, however. If you’ve been compromised through e-mail, Web surfing, instant messaging or any other user-initiated connection, that traffic will go out whether you want it to or not. You can’t use the ICF if you are located behind a NAT (Network Address Translation) box, because it will drop all packets coming from the router (since you didn’t ask the router for anything).
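To make the inbound-only behaviour concrete, here is an added example (not from the column and not Microsoft's code) that models a stateful personal firewall on one host: outbound packets open flows, inbound packets pass only as replies to those flows, and everything else, including router-originated traffic the host never asked for, is dropped. All addresses and ports are constructed.

```python
"""Toy model of an inbound-only, stateful personal firewall (constructed example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# (proto, local ip, local port, remote ip, remote port)
Flow = Tuple[str, str, int, str, int]


class InboundOnlyFirewall:
    """Passes every packet the host sends, remembers the flow it belongs to,
    and admits an arriving packet only if it answers one of those flows."""

    def __init__(self, host_ip: str) -> None:
        self.host_ip = host_ip
        self.flows: Set[Flow] = set()

    def filter(self, pkt: Packet) -> str:
        if pkt.src == self.host_ip:
            # Outbound means host-initiated. Nothing outbound is judged, which is
            # why an already-compromised process can still connect out.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: only a reply to a flow this host opened is let through.
        reply_to: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "allow" if reply_to in self.flows else "drop"


def trace_decisions() -> List[str]:
    """Runs a constructed packet trace through the model and returns the verdicts."""
    host, web, attacker, router = "192.168.1.10", "203.0.113.5", "198.51.100.7", "192.168.1.1"
    trace = [
        Packet("tcp", host, 40000, web, 80),         # browser opens a web connection
        Packet("tcp", web, 80, host, 40000),         # server's reply matches that flow
        Packet("tcp", attacker, 51234, host, 21),    # unsolicited FTP attempt: no flow
        Packet("tcp", host, 40001, attacker, 6667),  # malware on the host connecting out
        Packet("udp", router, 161, host, 162),       # SNMP trap from the router: never requested
    ]
    fw = InboundOnlyFirewall(host)
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    for verdict in trace_decisions():
        print(verdict)
```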

The Apple OSX firewall is more flexible, and then again, it’s not.

It’s certainly more transparent to the end user. It comes on automatically, you can’t turn it off, and it doesn’t need to be tuned. While there are rules, you don’t make them and you don’t manage them. They are created as a function of the Sharing sub-menu in System Preferences. If you turn on Personal File Sharing or FTP access, the system writes rules to cover those activities. You can see these rules by opening a terminal window and typing: sudo ipfw list.

Windows users who need more flexibility or more features in a firewall should look at the many third-party products available.

Products are available from nationally known virus protection companies to smaller vendors trying to break into the market. There are free ones and there are expensive ones. The one thing they all have in common, however, is that they must be managed. Configuration files need to be customized, rule sets have to be tuned and maintained. In a sense, you’re back where you were with a perimeter device. Someone has to invest the time and effort to go to each machine to keep it up to standards.

You may decide that it is simpler to centralize the headache of maintaining a firewall. Or you may have the luxury of being in an organization where individuals are technically sophisticated enough to handle their own firewall needs at the local host. Either way, there is overhead. Decide what amount of aggravation you are willing to accept (or inflict on someone else) before you move forward.

And before you go out and plunk down your cash for some machine room monstrosity, or a tiny download for $29.95, take some time to determine what you really need in a firewall and why you need it. By reviewing your needs and your organization’s needs, you can better ensure that you solve the problem the first time.

I don’t believe the firewall, in the larger sense of the word, is dead. The necessity of keeping the bad packets out and the other bad packets in is still very real. How that gets done is a very complex decision that is different for everyone.

Until there is a new and better way to protect our assets, we have to make what we have work for us.

Linda LeBlanc, who served as a Gunnery Sergeant in the U.S. Marine Corps, is now a network security analyst at MIT. She also does security consulting for Web-based businesses. LeBlanc’s columns reflect her own opinions, and not those of her employer.

Adapted from
