Firewall
In building structural terms, a firewall is designed to resist the passage of
something undesirable, i.e., a fire, from one side to the other. In technology,
a network firewall serves a similar purpose. A network firewall is a network
device that is designed to resist the passage of undesirable network traffic
from one side to another. Unlike building firewalls, network firewalls can have
many "sides" (interfaces or zones) and can protect devices on any one side from
those on any other side.
Primarily, firewalls allow or block network traffic between devices based upon
rules set up by the firewall administrator. Each rule defines a specific traffic
pattern you want the firewall to detect (typically some combination of the
interface the traffic arrived on, its source and destination addresses, its
protocol, and its destination port) and the action you want the firewall to take
when that pattern is detected. Most firewalls evaluate rules in order and apply
the first one that matches, so rule order matters, and traffic that matches no
rule receives the default action, which should be to deny it.
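The following is an added example, not part of the original article, showing how an ordered, first-match rule set like the one just described behaves. It is a deliberately small, stateless packet filter written in Python with a constructed perimeter policy; the zone names, addresses (RFC 5737 documentation ranges) and rule names are all assumptions made for the illustration. It also includes the anti-spoofing check the article mentions later under "Why Firewall?": a packet arriving from the Internet that claims a campus source address is dropped before any allow rule can match it.

```python
"""Toy first-match packet filter illustrating how firewall rules are evaluated.

Added example; not the article's own code. Addresses, zones and rule names are
assumptions chosen for the illustration (RFC 5737 documentation prefixes).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The firewall's "sides". Each packet arrives on exactly one zone.
INSIDE = "campus"
OUTSIDE = "internet"

CAMPUS_NET = "192.0.2.0/24"      # assumed campus address range
PUBLIC_WEB = "192.0.2.10/32"     # assumed public web server on campus


@dataclass
class Packet:
    in_zone: str              # zone/interface the packet arrived on
    src: str                  # source IP address
    dst: str                  # destination IP address
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    in_zone: Optional[str] = None        # None matches any zone
    src: Optional[str] = None            # CIDR; None matches any source
    dst: Optional[str] = None            # CIDR; None matches any destination
    proto: Optional[str] = None          # None matches any protocol
    dports: frozenset = frozenset()      # empty set matches any port

    def matches(self, p: Packet) -> bool:
        """True when every field the rule specifies matches the packet."""
        if self.in_zone is not None and p.in_zone != self.in_zone:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet, default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins; traffic matching no rule gets the default.

    Returns (action, rule_name) so the decision can be logged and audited.
    """
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return default, "default"


# Constructed perimeter policy. Order is deliberate: the anti-spoofing deny
# comes first so that no later allow rule can be reached by a forged source.
PERIMETER_POLICY = [
    Rule("drop-spoofed", "deny", in_zone=OUTSIDE, src=CAMPUS_NET),
    Rule("web-public", "allow", dst=PUBLIC_WEB, proto="tcp", dports=frozenset({80, 443})),
    Rule("no-ssh-from-outside", "deny", in_zone=OUTSIDE, proto="tcp", dports=frozenset({22})),
    Rule("campus-out", "allow", in_zone=INSIDE, src=CAMPUS_NET),
]


if __name__ == "__main__":
    samples = [
        Packet(OUTSIDE, "198.51.100.7", "192.0.2.10", "tcp", 443),   # public web: allowed
        Packet(OUTSIDE, "192.0.2.99", "192.0.2.10", "tcp", 443),     # forged campus source
        Packet(OUTSIDE, "198.51.100.7", "192.0.2.10", "tcp", 22),    # SSH from Internet
        Packet(OUTSIDE, "198.51.100.7", "192.0.2.20", "tcp", 443),   # not a published service
        Packet(INSIDE, "192.0.2.50", "203.0.113.5", "udp", 53),      # campus host outbound
    ]
    for pkt in samples:
        action, rule = evaluate(PERIMETER_POLICY, pkt)
        print(f"{pkt.in_zone:8} {pkt.src:>14} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport}: {action} ({rule})")
```

Two points the output makes that the prose alone does not: the spoofed packet is denied even though the "web-public" rule would otherwise allow it, purely because the deny rule precedes it (swap the first two rules and the spoofed packet is allowed), and a packet to a campus host with no published service falls through to the default deny. The filter is stateless, so a production firewall would additionally track connection state to admit replies to the "campus-out" traffic without an explicit inbound allow rule.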
Types of Firewalls
A network-based firewall is a dedicated piece of hardware and software installed
on a network to protect a number of computer servers and/or workstations.
A personal firewall is a piece of software that resides on an individual
workstation, primarily to protect that workstation.
While the two types of firewalls perform similar functions, this discussion
focuses on network-based firewalls, which are functionally more robust than
personal firewalls.
Network-Based Firewall Placement
A perimeter firewall is placed at the point at which the campus network connects
to outside entities, such as the Internet, private leased lines to other
institutions and businesses, etc. The purpose of a perimeter firewall is to
control the network traffic between off-campus devices and those on campus.
An interior firewall is positioned within the campus network to control network
traffic between the general campus population and specific groups of devices
(e.g., institutional servers, devices associated with a specific department,
etc.). An interior firewall also limits how far an attacker who has compromised
one campus host can reach, which a perimeter firewall alone cannot do.
Performance and Network Availability Considerations
Whenever a firewall is placed between groups of devices, every piece of network
traffic between any device on one side of the firewall and one on any other side
must pass through and be analyzed by the firewall. The firewall is therefore
both a potential bottleneck and a single point of failure: if it fails, all
traffic between devices on opposite sides of the firewall is interrupted.
When implementing a firewall, it is important to size it for the expected
traffic and to plan how you will restore network connectivity in case of a
firewall failure, for example with a redundant firewall pair or a documented
and tested bypass procedure.
Why Firewall?
Whether you need one depends on your diligence and risk tolerance. Several of a
firewall's functions can be obtained elsewhere:
- Routers, already on the network, can also block traffic based upon source,
  destination and requested service (access control lists).
- Anti-spoofing (dropping packets that arrive on an interface claiming a source
  address that belongs behind a different interface) and network address
  translation can also be performed by routers.
- Servers can be configured to shut down unnecessary services or to screen out
  specific sources for specific services.
- If server and workstation software is updated with the latest security
  patches as soon as they are released, the risk of an attack being successful
  is reduced.
Nonetheless, a firewall can provide value:
- Since a firewall passes traffic to and from many devices, and since firewall
  software usually provides easy-to-use management tools, setting (and
  resetting) rules and monitoring network traffic for a wide range of devices
  is a fairly simple process. Managing a large number of independent devices,
  and remembering to reapply rules after a device is rebuilt, can be far more
  complex.
- Being an independent device, a firewall can help prevent attacks launched
  from a compromised server from reaching their targets, because the attacker
  who controls the server does not control the firewall's rules.
- A firewall can protect devices that are running unused, vulnerable services
  that may be unknown to the device's primary user.
- A firewall can provide centralized virtual private network (VPN) services for
  many devices.
Summing it up...
A firewall might not be necessary if:
- The devices within the network are effectively managed and software is
  updated as soon as new security patches are available,
- There is sufficient knowledge and time allocated to the management of
  dispersed "rules" across multiple devices,
- Special actions taken to protect individual services on specific devices are
  well documented and are taken whenever the device is rebuilt.
But even then, a second lock couldn't hurt.