Sister CISA CISSP

May 23 2008   6:55PM GMT

It’s Not Your Mother’s Firewall Anymore – Part II

Arian Eigen Heald

There are some amazing firewall appliances out there – application-level firewalls that monitor for web attacks, intrusion prevention features where the firewall can block an IP that is performing suspiciously, etc. These are complex machines and software that require training and daily monitoring. It’s definitely not a “set it and forget it” arrangement. Too many small businesses are treating it that way.

A firewall is only as good as where you put it and how you let traffic IN. I’ve seen organizations that put special applications behind their firewalls and left the rest of their network behind routers. Thank heaven there aren’t enough bad people to find configurations like this. A firewall should be between your Internet router (usually managed by your Internet service provider) and the rest of your network. I’ve had business managers tell me a well-configured router is the same as a firewall. NO. No. No. Routers are meant to route traffic. It’s like calling a really good door with no lock a locked door.

Next, what traffic are you letting into your network? By default, NOTHING should come in. NADA. All ports should be closed. Knock on your door, rattle the knob, bang on it even: they should not get in. Some employees want to access their email, or their machines, from their home network (that’s a WHOLE other article). OK, firewalls have this nifty feature called a segregated subnet (a DMZ). Put your spam-catcher and Web-accessible mail on a server in the DMZ. Put the FTP server where customers drop off files in your DMZ. Segregate the Domains if you are using Windows.

What about customers? Put the web server for them in the DMZ (NOT the database. NO. Just say NO. Tell the auditor to say NO).

Create what’s called an “extranet” for clients who need to access certain things on your network. Don’t allow them free access via a router to everything you have. You don’t know who has gotten into their network. Put a firewall between your network and the extranet.
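The placement advice above (default deny inbound, public-facing services in a DMZ, the database kept inside, and an extranet that reaches only the one application clients need) can be checked as a policy before it is typed into any appliance. The following is an added example, not code from the original post or from any firewall vendor: a small, vendor-neutral evaluator that applies an ordered rule list with a default-deny fallback to constructed sample flows, plus an audit function that flags any rule exposing the internal zone directly to the Internet (the "database in the DMZ" mistake). All addresses and ports are hypothetical placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map (hypothetical addresses, not from the original post).
# "internet" is the catch-all and is checked last.
ZONES = {
    "dmz": ip_network("192.0.2.0/24"),        # web, mail relay, customer FTP
    "extranet": ip_network("198.51.100.0/24"), # client-facing segment
    "internal": ip_network("10.0.0.0/8"),      # workstations, databases, domain
    "internet": ip_network("0.0.0.0/0"),
}
ZONE_ORDER = ["dmz", "extranet", "internal", "internet"]


def zone_of(ip: str) -> str:
    """Map an IPv4 address to the first zone whose prefix contains it."""
    addr = ip_address(ip)
    for name in ZONE_ORDER:
        if addr in ZONES[name]:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]          # None means any port
    action: str                      # "allow" or "deny"
    note: str = ""
    src_host: Optional[str] = None   # restrict to one source address if set


# Ordered rule list modelling the post's layout. Anything not matched here
# falls through to the default deny in evaluate().
RULES: List[Rule] = [
    Rule("internet", "dmz", 443, "allow", "customer web server"),
    Rule("internet", "dmz", 25, "allow", "spam catcher / mail relay"),
    Rule("internet", "dmz", 21, "allow", "customer FTP drop"),
    # Only the web server, and only on the database port, may cross into internal.
    Rule("dmz", "internal", 1433, "allow", "web app to database", src_host="192.0.2.10"),
    # Extranet clients reach one application port, nothing else.
    Rule("extranet", "internal", 8443, "allow", "client portal only"),
    # Staff may browse out; inbound remains closed by default.
    Rule("internal", "internet", None, "allow", "outbound from staff"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation; returns (action, reason). Default is deny."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (r.src_zone == s and r.dst_zone == d
                and (r.dst_port is None or r.dst_port == dst_port)
                and (r.src_host is None or r.src_host == src_ip)):
            return (r.action, r.note)
    return ("deny", "default deny")


def exposed_internal_services(rules: List[Rule]) -> List[Rule]:
    """Audit check: rules that let the Internet straight into the internal zone."""
    return [r for r in rules
            if r.action == "allow" and r.src_zone == "internet" and r.dst_zone == "internal"]


if __name__ == "__main__":
    # Constructed sample flows: external client, DMZ web server, extranet client.
    samples = [
        ("203.0.113.5", "192.0.2.10", 443),    # customer -> DMZ web: allowed
        ("203.0.113.5", "10.0.0.20", 1433),    # Internet -> internal DB: denied
        ("192.0.2.10", "10.0.0.20", 1433),     # web server -> DB: allowed
        ("192.0.2.11", "10.0.0.20", 1433),     # other DMZ host -> DB: denied
        ("198.51.100.7", "10.0.0.20", 8443),   # extranet -> portal: allowed
        ("198.51.100.7", "10.0.0.20", 445),    # extranet -> file share: denied
    ]
    for src, dst, port in samples:
        action, why = evaluate(src, dst, port)
        print(f"{src:>14} -> {dst:<12}:{port:<5} {action:<5} ({why})")
    print("exposed internal services:", exposed_internal_services(RULES))
```

The audit function is the part worth carrying into a real review: run it (or its equivalent in the appliance's own export format) against the live ruleset, and any hit is exactly the "router instead of firewall" exposure the post warns about.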

Run a college or university, where it’s all about “open access”? Put your critical financial applications and records behind a firewall inside the school network. They can whoop it up out there, with some protection, but not where it really counts.

You may say, hey, everybody knows this stuff already, but I have seen organizations in the last year that have had exactly these issues. Scary, but true. Part III will be on firewall rules.
