With the barrage of recent Internet attacks such as Nimda, Code Red and the constant flow of Web defacements, protecting your company from unauthorised access has become absolutely necessary. Probably the most commonly known and used security mechanism to protect your organisation from these threats is the firewall. The huge range of firewall products on the market today can make choosing the right product for your organisation a daunting task.
To ease the task, there are a number of tips for selecting a firewall solution. Firstly, it is essential to determine what your organisational requirements for the firewall are. A good starting point is to work out the value of what needs to be protected.
If you need to protect corporate information that is worth millions of dollars, then it is essential that you spend annually on a sophisticated enterprise firewall system and management. If an organisation is small, with little valuable company or client information, then you may consider opting for a less sophisticated and less expensive firewall product.
Building a list of selection criteria is also an important step in selecting the right solution. Ultimately, the right firewall product depends entirely on what you need it to do. Some of the questions to consider when building selection criteria include:
-- Do you require the product to integrate with existing security products, such as gateway antivirus screening software and network intrusion detection systems?
-- Do you require advanced features within your firewall product, such as integrated virtual private network (VPN) functionality, quality of service (QoS) capability or network address translation (NAT)?
-- How many computers will be on the network the firewall must protect, and how many concurrent connections through the firewall will be expected?
-- What sort of logging and reporting functions does the firewall need to perform?
It is also important to consider the resources needed to implement and maintain the firewall product. Frequently, organisations overestimate the capabilities of their IT staff when it comes to sophisticated IT security products. It is absolutely essential that the people installing and maintaining the firewall understand security and understand the product they are installing. Far too often, a misconfigured firewall is the cause of a successful hack.
If you are unsure whether your IT staff have the capability to manage your firewall systems, then a cost-effective option is to outsource to a reputable information security company which provides managed firewall services.
Often, corporate or regulatory requirements might also influence the selection of a firewall. An example is the Federal Government, where an agency may be required to use a product that has been certified by the Government under ITSEC (Information Technology Security Evaluation Criteria) or Common Criteria.
Finally, and often most importantly, you need to consider cost. The cost of a firewall will take a number of forms, including hardware costs, software licensing costs and support costs. In most instances, cost will be one of the main driving factors in choosing your firewall.
Also, when you do make that final decision, remember that a firewall is only as good as the policy it implements and the team who support it. Maintaining security requires active security administration and a regular cycle of security review and testing.
Pete Merrick is the director of security services for TurnAround Solutions. He is based in Canberra and can be contacted at firstname.lastname@example.org