Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, Networking, Security
There are some amazing firewall appliances out there – application-level firewalls that monitor for web attacks, intrusion prevention features where the firewall can block an IP that is performing suspiciously, etc. These are complex machines and software that require training and daily monitoring. It’s definitely not a “set it and forget it” arrangement. Too many small businesses are treating it that way.
A firewall is only as good as where you put it and how you let traffic IN. I’ve seen organizations that put special applications behind their firewalls and left the rest of their network behind routers. Thank heaven there aren’t enough bad people to find configurations like this. A firewall should sit between your Internet router (usually managed by your Internet service provider) and the rest of your network. I’ve had business managers tell me a well-configured router is the same as a firewall. NO. No. No. Routers are meant to route traffic. It’s like calling a really good door with no lock a locked door.
Next, what traffic are you letting into your network? By default, NOTHING should come in. NADA. All ports should be closed. Knock on your door, rattle the knob, bang on it even: they should not get in. Some employees want to access their email or their machines from their home network (that’s a WHOLE other article). OK, firewalls have this nifty feature called a segregated subnet (a DMZ). Put your spam-catcher and Web-accessible mail on a server in the DMZ. Put the FTP server where customers drop off files in your DMZ. Segregate the domains if you are using Windows.
What about customers? Put the web server for them in the DMZ (NOT the database. NO. Just say NO. Tell the auditor to say NO).
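Here is what that placement looks like as a ruleset, as an added example that is not from the original post: a firewall with a WAN, a DMZ and an internal LAN, default-deny in every direction, the published servers in the DMZ, and the database kept inside with a single pinhole from the web server. Interface names, addresses, the passive-FTP port range and the database port (5432) are all assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not the original author's configuration.
# Three-zone layout: ISP router on WAN, public services on DMZ, everything
# else (workstations, domain controllers, the database) on LAN.
flush ruleset

define WAN  = eth0          # toward the ISP router (assumed name)
define DMZ  = eth1          # 192.0.2.0/24: web, webmail/spam filter, FTP
define LAN  = eth2          # 10.0.0.0/24: internal network
define WEB  = 192.0.2.10
define MAIL = 192.0.2.20
define FTP  = 192.0.2.30
define DB   = 10.0.0.50     # database stays on the LAN, never in the DMZ

table inet fw {
    chain input {
        # Traffic addressed to the firewall itself: nothing unless listed.
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname $LAN tcp dport 22 accept comment "admin SSH from LAN only"
    }
    chain forward {
        # Traffic passing through the firewall: closed by default.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services, per host.
        iifname $WAN oifname $DMZ ip daddr $WEB  tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $MAIL tcp dport { 25, 443 } accept
        iifname $WAN oifname $DMZ ip daddr $FTP  tcp dport 21 accept
        iifname $WAN oifname $DMZ ip daddr $FTP  tcp dport 49152-49200 accept comment "passive FTP data (assumed range)"

        # Internet -> LAN: never. The policy already drops it; logging it
        # gives the auditor evidence that the rule is being hit.
        iifname $WAN oifname $LAN log prefix "WAN->LAN blocked: " drop

        # DMZ -> LAN: only the web server to the database port. A compromised
        # DMZ host gets nothing else.
        iifname $DMZ oifname $LAN ip saddr $WEB ip daddr $DB tcp dport 5432 accept
        iifname $DMZ oifname $LAN log prefix "DMZ->LAN blocked: " drop

        # LAN -> DMZ and LAN -> Internet: outbound from inside is allowed.
        iifname $LAN oifname { $DMZ, $WAN } accept

        # DMZ -> Internet: outbound mail from the mail host, updates from all.
        iifname $DMZ oifname $WAN ip saddr $MAIL tcp dport 25 accept
        iifname $DMZ oifname $WAN tcp dport { 80, 443 } accept
    }
}
```

Load with `nft -f` and check the counters on the two log rules; any hits on "WAN->LAN blocked" or "DMZ->LAN blocked" are exactly the traffic this layout exists to stop.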
Create what’s called an “extranet” for clients who need to access certain things on your network. Don’t allow them free access via a router to everything you have. You don’t know who has gotten into their network. Put a firewall between your network and the extranet.
Run a college or university, where it’s all about “open access”? Put your critical financial applications and records behind a firewall inside the school network. They can whoop it up out there, with some protection, but not where it really counts.
You may say, hey, everybody knows this stuff already, but I have seen organizations in the last year that have had exactly these issues. Scary, but true. Part III will be on firewall rules.