How to build firewalls that grow with your business

Building a firewall infrastructure with growth in mind can save money and ensure that your security setup can keep up with your expanding business.

Every organization that connects its network to the Internet needs a firewall to protect against intrusions and attacks from "out there." And today's security vendors make firewall products to fit every budget.

But if your company plans to grow (and what company doesn't?), it pays to keep scalability in mind when selecting firewall solutions. Let's take a look at how a small business can build a scalable firewall infrastructure from the very beginning.

Start small, think big
Many businesses are launched as one-person operations or with only a few employees. Their networks consist of only a few computers, often joined as a workgroup. The workgroup uses an inexpensive Internet connection that is shared via Microsoft's ICS or a third-party NAT solution. Even if your "business network" consists of a single Internet-connected computer, you still need a firewall. But in a small business, it will often be the Windows Firewall built into Windows XP (called Internet Connection Firewall or ICF prior to Service Pack 2) or another low-cost host-based software firewall such as ZoneAlarm or Norton Personal Firewall.

When your company grows to include several computers on the LAN, it's time to start thinking about perimeter security. Many broadband routers have basic firewall functionality built in, but these tend to be simple packet filtering firewalls. Some include features such as MAC filtering and URL filtering, but most are designed for consumer use, rather than business use. An attack that crashes your network can affect your bottom line, so you need more sophisticated protection.

Hardware vs. software solutions
The easiest way to go is with a relatively low-cost dedicated firewall appliance at the perimeter. This is often called a "hardware firewall." Examples include the PIX 501, SonicWall Pro 1260, WatchGuard Edge X15 or NetScreen 5 series. They are "turnkey" solutions that are easy to set up. However, you may find that these low-end products are not very scalable. They're usually limited in the number of connections allowed and in throughput bandwidth. It's difficult or impossible to upgrade the hardware, so as your network grows and your needs change, you may have to buy a new edge firewall. Other appliances have more capacity than their initial license allows; you only need to buy additional licenses to unlock that capacity.

Although the initial cost may be higher and it may not be as easy to set up, you may find that a "software firewall" such as Microsoft ISA Server, CheckPoint, or Symantec Enterprise Firewall can more easily grow with your business. These firewall products are installed on top of a regular network operating system (Windows Server, UNIX, Solaris). That means you choose the box and configuration and can easily upgrade to a faster processor or more memory if needed later.

Software firewalls also usually support a larger number of connections than the low-end appliances, and throughput is based on the hardware you choose. These business-level software firewalls are designed to protect the network, and shouldn’t be confused with software firewalls that are host-based or "personal" firewalls designed to protect a single computer.

Moving to a multiple firewall solution
As your network gets larger and more complex, a single firewall at the perimeter may not be sufficient. At this point, you may have branch offices in remote locations that connect to your LAN at headquarters, and you may also want to control what enters the sub-networks of some departments or divisions (such as accounting or personnel) from the rest of the LAN.

This requires a different firewall deployment strategy and the recognition that the Internet edge is not the only perimeter; there are also interior perimeters you need to protect. This is analogous to a physical security plan: you not only put locks on the gates (the outer perimeter), but also put locks on the buildings and on individual office doors within the buildings. Likewise, you can place departmental firewalls or branch office firewalls at those perimeters to provide internal protection.

Another situation requiring multiple firewalls is the need to have some of your servers accessible over the Internet by outside users who don't have accounts on your company network. In this case, the best solution is to construct a "DMZ" (also called a "screened subnet" or a "perimeter network") by placing those Internet-accessible servers between two firewalls. One firewall sits at the Internet edge and the other sits at the "entry point" to your internal LAN. The computers and devices between the two firewalls are in the DMZ. This means that if a hacker is able to compromise a computer in the DMZ, the second firewall still stands between that compromised computer and the internal LAN.

Finally, you may need multiple firewalls to provide protection more efficiently while maintaining performance. Traditional packet-filtering firewalls are fast, but they miss attacks that are carried at the application layer. Application layer filtering (ALF) firewalls do a more thorough job of filtering, examining not just packet headers but also the contents of the packets; however, that inspection slows them down. For that reason, you might want to put a traditional packet filtering firewall at the Internet edge where traffic is heaviest, and then place multiple ALF firewalls behind it to perform the more expensive content examination.
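The two-firewall DMZ described above, combined with the "fast packet filter at the edge, application layer filtering behind it" split, can be modelled as a small policy simulator. The following is an added example written for this article, not a product configuration or code from any vendor named here. All addresses and hosts are constructed: the DMZ uses the 203.0.113.0/24 documentation range with a web front end and a mail relay, the internal LAN is 10.0.0.0/8 with an application server and a file server, and the rule sets, host names and the `traverse`/`path` helpers are invented for illustration. The outer firewall decides on headers alone; the inner firewall also parses the HTTP request line, which is the difference between the two firewall types the text contrasts.

```python
"""Toy model of a screened subnet (DMZ) guarded by two firewalls.

Added example, not from the article. Addresses and rules are constructed:
the outer firewall is a header-only packet filter at the Internet edge, the
inner firewall is an application layer filter at the LAN edge that also
inspects HTTP requests on their way to an internal application server.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

DMZ_NET = "203.0.113.0/24"   # constructed DMZ range (documentation prefix)
LAN_NET = "10.0.0.0/8"       # constructed internal LAN
ANY = "0.0.0.0/0"

DMZ_WEB = "203.0.113.10"     # public web front end in the DMZ
DMZ_MAIL = "203.0.113.25"    # public mail relay in the DMZ
LAN_APP = "10.0.5.20"        # internal application server behind the web front end
LAN_FILES = "10.0.0.50"      # internal file server, never reachable from the DMZ


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""     # start of the TCP stream, used only by the ALF


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR
    dst: str                 # CIDR
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class PacketFilter:
    """Stateless packet filter: first matching rule wins, default deny."""

    def __init__(self, name: str, rules: list):
        self.name = name
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


class AppLayerFilter(PacketFilter):
    """Packet filter that additionally parses the HTTP request line on port 80."""

    ALLOWED_METHODS = {"GET", "HEAD", "POST"}

    def decide(self, pkt: Packet) -> str:
        verdict = super().decide(pkt)
        if verdict != "allow" or pkt.dport != 80:
            return verdict
        return "allow" if self.http_request_ok(pkt.payload) else "deny"

    @classmethod
    def http_request_ok(cls, payload: bytes) -> bool:
        """Accept only a well-formed request line with a permitted method and path."""
        try:
            request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
            method, target, version = request_line.split(" ")
        except (UnicodeDecodeError, ValueError):
            return False
        return (method in cls.ALLOWED_METHODS
                and version.startswith("HTTP/1.")
                and target.startswith("/")
                and ".." not in target)


# Outer firewall: only the published DMZ services are reachable from the Internet.
OUTER = PacketFilter("internet-edge", [
    Rule("allow", ANY, DMZ_WEB + "/32", 80),
    Rule("allow", ANY, DMZ_MAIL + "/32", 25),
])

# Inner firewall: the LAN may reach the DMZ; the DMZ may reach only the app server on 80.
INNER = AppLayerFilter("lan-edge", [
    Rule("allow", LAN_NET, DMZ_NET),
    Rule("allow", DMZ_WEB + "/32", LAN_APP + "/32", 80),
])

ZONES = ["internet", "dmz", "lan"]   # ordered as the packet crosses them
HOPS = [OUTER, INNER]                 # HOPS[i] sits between ZONES[i] and ZONES[i + 1]


def zone(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network(DMZ_NET):
        return "dmz"
    if ip in ipaddress.ip_network(LAN_NET):
        return "lan"
    return "internet"


def path(pkt: Packet) -> list:
    """Firewalls a packet must cross, in order, given its source and destination zones."""
    i, j = ZONES.index(zone(pkt.src)), ZONES.index(zone(pkt.dst))
    if j >= i:
        return [HOPS[k] for k in range(i, j)]
    return [HOPS[k - 1] for k in range(i, j, -1)]


def traverse(pkt: Packet) -> str:
    """Name the first firewall that drops the packet, or "allow" if every hop passes it."""
    for fw in path(pkt):
        if fw.decide(pkt) == "deny":
            return "deny@" + fw.name
    return "allow"


GOOD_HTTP = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed
BAD_HTTP = b"DELETE /index.html HTTP/1.1\r\n\r\n"                       # constructed

if __name__ == "__main__":
    checks = {
        "Internet -> DMZ web :80 (well-formed)": Packet("198.51.100.7", DMZ_WEB, 80, GOOD_HTTP),
        "Internet -> DMZ web :22": Packet("198.51.100.7", DMZ_WEB, 22),
        "Internet -> LAN files :445": Packet("198.51.100.7", LAN_FILES, 445),
        "DMZ web -> LAN app :80 (well-formed)": Packet(DMZ_WEB, LAN_APP, 80, GOOD_HTTP),
        "DMZ web -> LAN app :80 (bad method)": Packet(DMZ_WEB, LAN_APP, 80, BAD_HTTP),
        "DMZ web -> LAN files :445": Packet(DMZ_WEB, LAN_FILES, 445),
        "LAN admin -> DMZ web :22": Packet("10.0.1.5", DMZ_WEB, 22),
    }
    for label, pkt in checks.items():
        print(f"{label:42} {traverse(pkt)}")
```

The two results worth comparing are the same malformed request seen by each firewall: the outer packet filter allows it to the DMZ web server because the 5-tuple matches a published service, while the inner ALF drops it on the way to the application server because it reads the request line. The compromised-DMZ-host case from the text shows up as the SMB attempt from the web front end to the internal file server, which the inner firewall drops even though the outer firewall never saw it.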

Use legacy firewalls to support growth
If you plan properly, you can continue to use the firewalls you purchased when the network was small as your company grows. The low-cost, lower-capacity appliance that was once on the Internet edge can be moved "inside" to serve as a departmental firewall when you buy a more powerful (and more expensive) firewall to handle the outer perimeter traffic. The software firewall that was installed on a low-end server can have its hardware upgraded to handle higher capacity, or it can be moved to the LAN edge of the DMZ to perform application layer filtering while a new, fast packet filtering firewall handles traffic as it comes in from the Internet. If the software firewall itself is retired or moved to a different machine, the server box can be "recycled" to function as a file server or in another capacity on the network.

Planning your firewall infrastructure with growth in mind from the beginning will ensure that you get the most value for the money you spend on firewall hardware and software.