Firewall Wizards mailing list archives
Re: Software and platform for an Enterprise Firewall
From: Bennett Todd <bet () rahul net>
Date: Wed, 24 Dec 1997 04:26:57 -0800
1997-12-22-15:01:15 Paul Schmiege:
[...] I would like to know what other firewall administrators consider the right software and operating system.
In other words, ``what's the best firewall''. There's a standard answer to that, works every time. ``It depends''. If you're _really_ doing things right, you won't find out what is ``the right firewall'' until very late in the game. The sequence goes something like this:

1) Define a preliminary trial at a security policy. Make it as strict as is practical for your organization. How strict is practical? It depends; that tradeoff ends up being set by your organization's needs. In each case, if there's debate, it needs to be settled by weighing the security risks against the utility of the service under dispute. It's really important to make this preliminary policy as tight as you can; it will only loosen over time.

2) Refine and adjust that security policy; resolve all disputes over what services will be allowed to which users. Get senior management to endorse the results; they must grant enforcement authority to the security admin, else there's no point in going any further. Then advertise the policy; make sure all the users know about it and are prepared to live with it. If you get objections, settle 'em now.

3) Research available firewalls, to see which ones are best able to implement your security policy. For some security policies a simple screening router, or a screening router with clever hacks bolted on like ``stateful inspection'', may suffice; for others you'll need an application proxy firewall. Find out which firewalls can implement your policy, and how well they can implement it. That will probably conclude your shopping decision, as there will be at most one that can almost but not quite do what you want. If you should end up with multiple choices, then look at the vendor's reputation in the security business --- how long have they been doing firewalls? What do firewall experts think about the choices? If you still end up with a choice, then maybe add in ``how much does it cost'', ``how familiar am I with the OS/hardware it's running on'', or even ``how fast is it''.

4) Once you've chosen your firewall, buy it, set it up, and test it. Initially have it attached to the internet, with only a test client on the inside, and another one sitting just outside the firewall, in the DMZ. Using these test clients, probe the firewall. Hit it with strobe. Try to break in to any services you find. Then try again from outside the screening router, to make sure it's enforcing the policies it is supposed to. See what showed up in logfiles when you tried burgling it. Rig log-file watching software to set off alarms when anything unusual happens.

5) Hook it up to your real net.

If you've done things right, 95% or more of the time and effort was spent getting that security policy right.

-Bennett
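Steps 3 and 4 above boil down to one check: does the firewall, as built, enforce the policy that was written down in steps 1 and 2, and does the log-watching catch anything outside that policy? The following script is an added example, not code from the post or from any firewall product. It takes a policy written as a set of permitted flows (source zone, destination zone, protocol, destination port) and a batch of firewall log lines, and reports three kinds of findings: accepted connections the policy does not permit (the firewall is looser than the policy), dropped connections the policy does permit (the firewall is tighter than the policy, which users will report as breakage), and a single source that was denied on many distinct ports (the "anything unusual" alarm). The log format, the address plan, the zone names and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed policy for this example: each tuple is a permitted flow
# (source zone, destination zone, protocol, destination port).
POLICY = {
    ("internal", "dmz", "tcp", 25),   # inside -> DMZ mail relay
    ("internal", "dmz", "tcp", 80),   # inside -> DMZ web proxy
    ("external", "dmz", "tcp", 25),   # internet -> DMZ mail relay
    ("external", "dmz", "tcp", 80),   # internet -> DMZ web server
}

# Hypothetical address plan: prefix -> zone. Anything unlisted is "external".
ZONE_PREFIXES = {"10.0.": "internal", "192.168.100.": "dmz"}

# Hypothetical log format, loosely modelled on a packet-filter kernel log.
LOG_RE = re.compile(
    r"ACTION=(?P<action>ACCEPT|DROP)\s+PROTO=(?P<proto>\w+)\s+"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+DPT=(?P<dpt>\d+)"
)


def zone_of(ip):
    """Map an address to its zone using the prefix table; default external."""
    for prefix, zone in ZONE_PREFIXES.items():
        if ip.startswith(prefix):
            return zone
    return "external"


def parse_line(line):
    """Return a record dict for a recognised log line, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    rec["proto"] = rec["proto"].lower()
    rec["flow"] = (zone_of(rec["src"]), zone_of(rec["dst"]), rec["proto"], rec["dpt"])
    return rec


def audit(lines, policy=POLICY, scan_threshold=5):
    """Compare log lines against the policy and flag deviations and probes."""
    report = {
        "out_of_policy_accepts": [],    # firewall looser than policy
        "blocked_policy_services": [],  # firewall tighter than policy
        "probes": {},                   # src -> number of distinct denied ports
        "unparsed": 0,
    }
    denied_ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        in_policy = rec["flow"] in policy
        if rec["action"] == "ACCEPT" and not in_policy:
            report["out_of_policy_accepts"].append(rec)
        elif rec["action"] == "DROP":
            if in_policy:
                report["blocked_policy_services"].append(rec)
            denied_ports[rec["src"]].add(rec["dpt"])
    # One source denied on many distinct ports is the kind of "unusual"
    # event the log watcher should raise an alarm for.
    for src, ports in denied_ports.items():
        if len(ports) >= scan_threshold:
            report["probes"][src] = len(ports)
    return report


# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "Dec 24 04:26:57 fw kernel: ACTION=ACCEPT PROTO=TCP SRC=10.0.0.5 DST=192.168.100.2 DPT=25",
    "Dec 24 04:27:01 fw kernel: ACTION=ACCEPT PROTO=TCP SRC=203.0.113.7 DST=192.168.100.3 DPT=80",
    "Dec 24 04:27:05 fw kernel: ACTION=ACCEPT PROTO=TCP SRC=203.0.113.7 DST=192.168.100.2 DPT=23",
    "Dec 24 04:27:09 fw kernel: ACTION=DROP PROTO=TCP SRC=10.0.0.9 DST=192.168.100.2 DPT=80",
    "Dec 24 04:28:00 fw kernel: ACTION=DROP PROTO=TCP SRC=198.51.100.4 DST=192.168.100.2 DPT=21",
    "Dec 24 04:28:00 fw kernel: ACTION=DROP PROTO=TCP SRC=198.51.100.4 DST=192.168.100.2 DPT=22",
    "Dec 24 04:28:01 fw kernel: ACTION=DROP PROTO=TCP SRC=198.51.100.4 DST=192.168.100.2 DPT=23",
    "Dec 24 04:28:01 fw kernel: ACTION=DROP PROTO=TCP SRC=198.51.100.4 DST=192.168.100.2 DPT=110",
    "Dec 24 04:28:02 fw kernel: ACTION=DROP PROTO=TCP SRC=198.51.100.4 DST=192.168.100.2 DPT=143",
    "Dec 24 04:28:02 fw kernel: ACTION=DROP PROTO=TCP SRC=198.51.100.4 DST=192.168.100.2 DPT=443",
    "Dec 24 04:29:00 fw kernel: eth1: link is up",
]

if __name__ == "__main__":
    r = audit(SAMPLE_LOG)
    for rec in r["out_of_policy_accepts"]:
        print("ALARM: accepted outside policy:", rec["src"], "->", rec["dst"], rec["dpt"])
    for rec in r["blocked_policy_services"]:
        print("MISCONFIG: policy service blocked:", rec["src"], "->", rec["dst"], rec["dpt"])
    for src, n in r["probes"].items():
        print(f"ALARM: {src} denied on {n} distinct ports")
    print("unparsed lines:", r["unparsed"])
```

Run during step 4 with the test clients generating traffic, the first two findings tell you whether the firewall matches the written policy in either direction; the same policy set is the thing step 2 had management sign off on, so disagreements between the report and the policy are resolved by changing the firewall, not the policy. Left running against the live log in step 5, the probe alarm is the simplest form of the "anything unusual" watcher the post asks for.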
Current thread:
- Software and platform for an Enterprise Firewall Paul_Schmiege (Dec 23)
- Re: Software and platform for an Enterprise Firewall Bennett Todd (Dec 24)
- Security Policy methodologies Bret Watson (Dec 29)
- Re: Security Policy methodologies Jeff Sedayao (Dec 29)
- Security Policy methodologies Bret Watson (Dec 29)
- Re: Software and platform for an Enterprise Firewall Rick Smith (Dec 24)
- Re: Software and platform for an Enterprise Firewall Bennett Todd (Dec 24)