Enterprise Perimeter Security and Firewall Systems
The perimeter of the enterprise and the first line of defense, firewall systems, are vital to the security of any business. The perimeter of the enterprise establishes the boundary between the inside of the business and the outside. While businesses are vulnerable to insider and outsider threats—both of which are significant—the enterprise perimeter and the firewall system are designed to protect the inside from outsider attacks.
So how do you secure your internal network from an external network, such as the Internet? One potential solution is to set up a firewall system. A firewall is designed to keep intruders from getting into your internal network.
A firewall is one or more systems, which may be a combination of hardware and software, that serve as a security mechanism to prevent unauthorized access between trusted and untrusted networks.
Firewall systems are typically the first line of defense between an organization’s internal network and its connection to the Internet. Firewall systems are typically the primary tool used to enable an organization’s security policy to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.
A firewall refers to a gateway that restricts the flow of information between the external Internet and the internal network. The trusted internal network may include several LAN and WAN subnets—a firewall is a system or systems that separate an autonomous network from the external network. Firewalls may be internal or external.
Firewall systems can protect against attacks that pass through network interfaces. Firewall systems cannot protect against attacks that do not pass through the firewall.
For example, consider an organization’s internal network, which may include several LAN and WAN subnets. The WAN subnets may be used to provide connectivity to the corporate network. Thus, technologies such as frame relay, ISDN or dedicated point-to-point circuits (56 kbps, fractional T-1, T-1, T-3) may be used to provide connectivity between branch offices and the corporate network. If access to the Internet is through a router on the corporate network and that is where the firewall system architecture is defined, it is possible for the firewall system to control inbound and outbound access to the Internet on the basis of filters (rules) that have been defined.
Types of Firewalls
There are several types of firewall systems. These include:
- Packet-filtering firewalls
- Stateful-inspection firewalls
- Application-proxy gateway firewalls
A packet-filter firewall is a lower-layer firewall device that includes access-control functionality for system addresses and communication sessions. An example of a packet-filtering firewall system is a boundary router. This typically is deployed on the “edge” of the enterprise network. Its advantages are that it is fast and flexible. It can filter out unwanted protocols, perform simple access control and then pass data to other, more advanced firewalls.
Stateful-inspection firewalls represent a superset of packet-filter firewall functionality. These firewalls can interpret and analyze the information in layer-four headers (transport layer). The firewall creates a directory of outbound TCP connections along with each session’s “high-numbered” client port. This state table information is used to validate any inbound traffic.
Application-proxy gateway firewalls are highly advanced firewalls that combine the capabilities of access control provided at the lower layers with application layer functionality. Typically, these have extensive logging capabilities and can authenticate users directly. These devices are less vulnerable to spoofing attacks.
Firewall systems sometimes provide an organization with centralized control in today’s highly decentralized computing environment. This implies that security tools for logging events, auditing transactions and defining alarms for threats detected can all be defined and controlled centrally as a part of the firewall system.
In large, multifaceted organizations that are made up of more or less “independent” subsidiaries, centralized firewall controls may not be in place. Rapid consolidation of some businesses has been facilitated by continual merger-and-acquisition activity. This has left some large organizations with numerous connections to external data communications networks, each having some level of firewall infrastructure, yet without effective coordination. This presents such organizations with a significant risk—consider the “hacker” saying, “You have to plug every real and probable hole across your organization, but I only need to find and exploit one to win.”
Also, keep in mind that a firewall infrastructure must perform an incredibly difficult task. Remember when we said above, “A firewall is designed to keep intruders from getting into your internal network.” That is absolutely true. The problem is that firewalls must also pass data traffic.
At the traffic flow—or network—level, all communications tend to look the same. Consider, for example, the standard TCP/IP session that consists of the three-way handshaking process, transfer of data and then the session teardown. Many modern firewalls can be configured to disallow session initiation from one or another side of the network boundary layer.
Some firewalls can also detect and drop (or reject/deny) malicious attempts to send “mid-session” TCP/IP frames into a network from the outside. (This technique can be used to help map the resources that are available inside your network.)
Other firewall infrastructures may sometimes include programs called “proxies” that accept traffic destined for “the other side of the firewall” and examine the higher-level details of specific application communications and then either pass valid traffic along to the intended destination or drop (or reject/deny) malicious or otherwise inappropriate activity.
Risk-conscious companies are installing systems that are able to identify a wide range of malicious activities. The systems react by initiating actions that will help employees effectively deal with the threat. Today’s firewall systems protect sites from vulnerabilities in the TCP/IP protocol suite. They are also able to integrate capabilities that can not only provide access control on TCP/IP packets, but also filter the content of traffic entering or leaving the enterprise.
Some examples of firewall vendors include Check Point, Cisco and SonicWALL. Firewall systems require expert knowledge to implement and configure. Most security certification programs, as well as those offered specifically by firewall vendors, include training designed to acquire skills to deploy firewalls successfully.
Each organization must defend its perimeter—its connections with the outside world. Firewall systems are the first line of defense. The design of the firewall system architecture, the selection of the firewall solution that meets your enterprise requirements and the configuration and management of the system will be critical to “close and lock” entry and exit points.
Security is only as strong as the weakest link—firewall systems can help make your enterprise security architecture a lot more formidable at the perimeter.
Uday O. Ali Pabrai, CEO of ecfirst.com, created the CIW program and is the co-creator of the Security Certified Program (www.securitycertified.net). Pabrai is also vice-chair of CompTIA’s Security+ and i-Net+ programs and recently launched the HIPAA Academy. E-mail him at email@example.com.