16 What are some of the basic design decisions in a firewall?
This article is from the Firewalls FAQ, by Matt Curtin cmcurtin@interhack.net and Marcus J. Ranum mjr@nfr.com with numerous contributions by others.

There are a number of basic design issues that should be addressed by the
lucky person who has been tasked with the responsibility of designing,
specifying, and implementing or overseeing the installation of a firewall.

The first and most important decision reflects the policy of how your
company or organization wants to operate the system: is the firewall in
place explicitly to deny all services except those critical to the mission
of connecting to the Net, or is the firewall in place to provide a metered
and audited method of "queuing" access in a non-threatening manner? There
are degrees of paranoia between these positions; the final stance of your
firewall might be more the result of a political than an engineering
decision.

The second is: what level of monitoring, redundancy, and control do you
want? Having established the acceptable risk level (i.e., how paranoid you
are) by resolving the first issue, you can form a checklist of what should
be monitored, permitted, and denied. In other words, you start by figuring
out your overall objectives, then combine a needs analysis with a risk
assessment, and sort the almost always conflicting requirements into a
laundry list that specifies what you plan to implement.

The third issue is financial. We can't address this one here in anything but
vague terms, but it's important to try to quantify any proposed solution in
terms of how much it will cost either to buy or to implement. For example, a
complete firewall product may cost anywhere from $100,000 at the high end to
free at the low end. The free option, doing some fancy configuring on a
Cisco or similar router, will cost nothing but staff time and a few cups of
coffee. Implementing a high-end firewall from scratch might cost several
man-months, which may equate to $30,000 worth of staff salary and benefits.
The systems management overhead is also a consideration. Building a
home-brew is fine, but it's important to build it so that it doesn't require
constant (and expensive) attention. It's important, in other words, to
evaluate firewalls not only in terms of what they cost now, but also in
terms of continuing costs such as support.

On the technical side, there are a couple of decisions to make, based on the
fact that for all practical purposes what we are talking about is a static
traffic routing service placed between the network service provider's router
and your internal network. The traffic routing service may be implemented at
an IP level via something like screening rules in a router, or at an
application level via proxy gateways and services.

The decision to make is whether to place an exposed stripped-down machine on
the outside network to run proxy services for telnet, FTP, news, etc., or
whether to set up a screening router as a filter, permitting communication
with one or more internal machines. There are pluses and minuses to both
approaches, with the proxy machine providing a greater level of audit and,
potentially, security in return for increased cost in configuration and a
decrease in the level of service that may be provided (since a proxy needs
to be developed for each desired service). The old trade-off between
ease-of-use and security comes back to haunt us with a vengeance.
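
The first decision above (which stance the firewall takes) and the IP-level screening rules mentioned on the technical side can be seen together in a small example added here; it is not part of the FAQ. The rule format, the addresses (documentation range 192.0.2.0/24) and the function names are constructed for illustration. It runs one first-match rule list under both stances and shows that the stance decides only the traffic no written rule covers.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Hypothetical rule format: dport None matches any destination port.
Rule = namedtuple("Rule", "action proto dst dport")

def matches(rule, packet):
    proto, dst, dport = packet
    return (rule.proto in ("any", proto)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.dport in (None, dport))

def screen(rules, stance, packet, audit):
    """First matching rule wins, else the stance decides; every verdict is logged."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, packet):
            audit.append((packet, rule.action, f"rule {number}"))
            return rule.action
    audit.append((packet, stance, "stance"))
    return stance

# Constructed rule list and traffic (192.0.2.0/24 is a documentation range).
RULES = [
    Rule("permit", "tcp", "192.0.2.25/32", 25),  # mail to the mail host
    Rule("deny", "tcp", "192.0.2.0/24", 23),     # telnet to any inside host
]
PACKETS = [
    ("tcp", "192.0.2.25", 25),    # covered by rule 1
    ("tcp", "192.0.2.40", 23),    # covered by rule 2
    ("udp", "192.0.2.40", 2049),  # covered by no rule
]

def compare(rules=RULES, packets=PACKETS):
    """Verdict per packet as (deny-unless-listed, permit-unless-listed)."""
    return {p: (screen(rules, "deny", p, []), screen(rules, "permit", p, []))
            for p in packets}

def decided_by_stance(rules=RULES, packets=PACKETS):
    """Packets no written rule covered: checklist items still to be reviewed."""
    audit = []
    for p in packets:
        screen(rules, "deny", p, audit)
    return [pkt for pkt, _, reason in audit if reason == "stance"]

if __name__ == "__main__":
    for pkt, verdicts in compare().items():
        print(pkt, verdicts)
    print("decided by stance:", decided_by_stance())
```

The audit list is what turns the checklist of "monitored, permitted, and denied" into something reviewable: any entry whose reason is the stance marks traffic the written policy never considered.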
 