There is a common misconception that you can protect all assets with only a firewall. Find out why every organisation must consider a multilayer approach along with the firewall to protect all its assets

While firewalls can secure Internet access, protect mission-critical information, and leverage the Internet to connect a global enterprise, they're just the starting point for building a security fortress. Some organisations may believe they're secure with current firewalls in place, but it won't be long before they realise they need more tools for securing their next connectivity initiative, such as a VPN.

Whether you want to improve, replace, or initially install a firewall, it's a good time to refresh your knowledge of firewalls and understand the vital steps, such as developing a security policy, that you must take before making any more security moves.

False firewall beliefs
A common misconception is that one firewall can protect every asset. While that might have been true a few years ago, it's not enough protection, given the advancements in hacking and increasing external threats.

According to the CERT Coordination Center at the Software Engineering Institute (CERT/CC), the number of reported network security incidents has almost tripled in the past two years -- from 21,756 in 2000 to 73,359 at the end of Q3 2002.

A second misconception is that a firewall device is a "connect, turn on, and forget about it" device. It's actually a technology that requires constant review, fine-tuning, and evaluation.

In addition, many organisations plug firewalls into place without a security policy. Firewall deployment should be tied directly to security policies that address and support your company's objectives. Enterprises must consider a multilayered security approach, with a security policy, firewalls, and additional security tools (such as virus software).

What a firewall can and can't do
A firewall can be hardware- or software-based. The tightest security is obtained when the two options are used in combination. Yet, even in this approach, a firewall system has its limits:

• It can't protect the enterprise from attacks and threats from within your network.
• Virus protection is limited without additional software and specialised technologies.
• A firewall can't protect an organisation from attacks that avoid a firewall -- an external hack via a dial-up account can fully compromise the entire security plan.

Firewall technology, obviously, also can't protect organisations from employee carelessness or mistakes with passwords and unauthorised access. Only specific tools and policy guidelines on expected computer use and access can thwart those issues.

Page 2

• What asset(s) (corporate, customer, e-commerce) is/are at risk?
• What is the value of that asset? What are the ramifications relating to downtime, lost revenue, or lost client and customer confidence?
• What is the actual threat? Have internal threats been sealed off? What's the potential for external breaches?

CIOs and network administrators need a complete and comprehensive understanding of not only Internet activities but also internal network traffic, such as bandwidth requirements, protocols in use, and access requirements. Remember that all access points are vulnerable and subject to attacks.

Once you have this information, you can move on to building a firewall architecture.

Basic firewall design considerations
When it comes to architecture, you have two choices: a single firewall or a multilayer firewall approach (see Figures A and B).

Figure A

Single architecture

Figure B

Multilayer architecture

To determine which would work best for your enterprise, you need to first flesh out and develop a security policy, because the two are tightly linked.

Developing the security policy
Because security policies are a direct reflection of a corporation's security needs, the immediate decision is how much access is required. An organisation can meter out services or deny all but the most critical required access.

The second policy issue, which also directly ties to any firewall decision, is the access level. Do you want all users to have basic access or limited access? This requires examining current use -- does each user separately log into the Internet? What will be each user's site restrictions? Don't forget to examine the types of file extensions you want allowed and disallowed for downloading and document transfers. The policy also must determine the degree of redundancy your organisation needs -- should you have a failover backup or provide multitiered protections? Also, what, who, and how do you want to monitor network access and Internet use?

Finally, take into account the financial considerations of a firewall technology purchase -- you don't want to buy too much or unneeded protection, but you will have to provide for ongoing maintenance costs.

A few final tips
While a security policy and firewall plan should be created and developed, that's not where security ends. IT administrators must ensure they have all vendor patches properly applied and that each system is kept up-to-date. The true value of a firewall system is in the constant maintenance of all resources.

Comprehensive security requires safeguards in a layered defensive approach. Keep in mind that your ultimate solution must be flexible enough to provide for scalability and growth.

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.