Select the right firewall: Part 2

Authentication
Most organizations need to support users who access the network remotely, either through a VPN or direct dial-up connection. Find out what authentication mechanisms are available on any firewall you are considering. Typical authentication features include user authentication, client authentication, and session authentication. User authentication is the most basic; it allows a user to access the corporate network from remote locations. Client authentication checks for the integrity of a remote IP address. Session authentication validates the connection itself and in essence assigns the connection a non-reusable session ID. Session authentication is typically used when connecting via a VPN, and requires the use of a digital certificate, token, or public key.

Laura Taylor is the Chief Technology Officer and founder of Relevant Technologies. Most firewalls support Network Address Translation (NAT), which is typically used when private, internal IP addresses need to be converted into legal or public IP addresses. Quite a few companies, before they started connecting to the Internet, actually used other people's IP addresses--basically, illegal addresses. An illegal address is an address that was not assigned to you by the NIC, or your registrar. In some cases, companies used illegal addresses when they ran out of their own legal addresses. Since private addresses will not work out on the Internet, you need to convert them to public, or "normal" IP addresses before packets are sent out to other networks.

Basic NAT provides one-to-one (host-to-host) IP address mapping, taking a single internal IP address and converting it to one legal for packets traveling outside the firewall. One-to-one IP address is sometimes referred to as Static Address Translation. Often times readdressing your network--taking the bad illegal addresses off and replacing them with valid legal addresses--can create a multitude of problems. For example, if you have a lot of mission critical applications or systems that are all dependent on a particular illegally addressed system, putting a new legal address into operation can create significant downtime, which often is unacceptable or cost-prohibitive. In cases such as this, NAT is a great workaround for companies with IP address management problems.

Firewalls vary in the extended NAT features they support. In more advanced many-to-one NAT configurations, several internal IP addresses can be translated to one external address. One scenario where you might want to do this is if you have a DHCP scope of addresses that you would like to map to one external address. A many-to-many NAT configuration takes a group of private internal IP addresses and rewrites them to a group of good public addresses. Many-to-one (network-to-host) or many-to-many (network-to-network) NAT configurations are particularly useful in load-balancing scenarios. If you don't need to load-balance the traffic coming into your network, a firewall that can do basic one-to-one NAT will suffice.

With time ranges you can specify what kind of traffic to allow into your network during specific time intervals. Say you have a strategic partner that provides database updates weekly to a server on your network. The update process might put an inordinate traffic load on your network, so you want to make sure that updates are allowed in only from 2 to 4 a.m. Sunday morning. By applying time-range restrictions to incoming traffic, you can more easily predict and manage the load on your network.

All firewalls offer built-in auditing and logging. Find out whether log files grow infinitely without administrator intervention, or if the vendor provides automatic archiving or rollover capabilities. Log rollover is the scenario in which a log file is automatically overwritten after a certain date. This is something you probably wouldn't want to do unless you were also archiving the log files. Log archiving takes it one step further and creates a volume, or set of log files before over-writing and moving them offline--sometimes compressing them, and sometimes encrypting them. If you plan to administer more than one firewall, find out whether multiple log files can be written automatically to an enterprise console manager. Of utmost importance, be sure your firewall logs any attempt to modify the firewall rule-set.

If you use server-based software to filter out objectionable incoming content, consider a firewall that supports content filters or profiles. With content filtering, you set up profiles for different types of forbidden content and list sites in these profiles that you want to block access to. You can then set a firewall rule that blocks everything in a profile in one fell swoop.

Some firewalls have antivirus modules that can be plugged into the content security feature. An anti-virus module can stop viruses at your firewall, before they reach the desktop, and also prevent your organization from spreading viruses out to the rest of the world. The same module can also prevent viruses from coming in to your network--as long as incoming e-mail doesn't bypass the firewall. Most often, when a firewall supports antivirus software, it does so as an optional plug-in. For example, Check Point's Firewall-1 supports Symantec, Trend Micro, Aladdin Knowledge Systems, and F-Secure antivirus packages.

A rule-set tells a firewall what packets to let in from particular destinations. On large or medium-sized networks, firewalls can have hundreds of rules. On most firewalls you have to make sure each rule is listed in the proper order, because if packets meet the criteria of multiple rules, only the first rule listed is applied. Managing the rule-set can be a time-consuming ordeal.

Some firewalls provide order-independent rule checking. For example, let's say there was a huge network of bad guys you wanted to block, except within that network of bad guys, there was one good guy named Bob that you wanted to let in. If you had a rule that said Allow Bob, followed by Disallow bad guys--Bob would essentially be blocked because right after allowing him, you would be disallowing him. A smart firewall that could do order independent rule checking would know to put Disallow bad guys first, and then Allow Bob second so that you would "Disallow" all the bad guys, and then make an exception to that rule and "allow" Bob into your network.

Automatic order-independent rule checking is one of the best features a firewall can have, because of the significant amount of time that is saved in configuring the firewall rule-set. At this point, only Symantec's Enterprise Firewall, and Raptor firewalls perform order-independent rule checking, to the best of my knowledge.

If you don't have an in-house security engineer, and don't plan to hire one anytime soon, you need to have an outside company manage your firewall. Most managed service providers (MSPs) support only one or two types of firewalls, so shop around for one that supports a product that meets your needs. If a firewall MSP is not able to provide you with a managed firewall Service Level Description, it probably won't do a good job for you. A Service Level Description defines all the intricacies of the service, clearly spelled out, to give you an understanding of what to expect as a customer.

There--we're done. If you understand how your organization can use these firewall capabilities, you are well on your way to figuring out which firewall is right for your organization.