"I've recently been promoted to MIS manager at a software company. One of my first projects is to move our remote offices off leased lines and onto a VPN (virtual private network) solution. That project has snowballed, and now I'm modernizing the Internet links at both the main and remote offices. I come from a more managerial than technical background, although I have experience administering Windows NT and some NetWare. I really want to do this project right, but I'm a bit over my head.
"So far, we don't have any security other than packet filters on our routers. I'd like to move to real firewall solutions, but I'm a bit confused by all the choices. Which is better: a proxy-type firewall or a stateful-inspection firewall? Is stateful inspection the same as packet filtering and, if so, why would I buy a separate box to do that? Are there any firewalls you would recommend I look at?"
-- R. Neydavoud
Brooks: Well, we can probably give some general advice here, but I would definitely recommend bringing in a consultant.
The line between proxy firewalls and packet-filtering firewalls has become increasingly blurred, and most of the leading firewall vendors offer some combination of both functions in their product.
Stateful inspection goes beyond packet filtering by actually knowing about connections, and watching them to make sure nothing weird is going on. Typical router-based packet filters allow or deny traffic to and from some combination of ports and addresses. A stateful inspection-type device, on the other hand, would notice if, for example, something other than HTTP was running over port 80.
Proxy-based firewalls are typically more secure, because the machines behind them don't have a real IP address. The problem here is that funky protocols often have problems with proxies; it took forever for the major vendors to fix H.323 videoconferencing.
I hope that gives some background to the situation and, in closing, I would definitely recommend hiring an expert to look at your particular network and requirements.
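To make the distinction Brooks draws concrete, here is an added toy model (not code from the column or from any firewall product it names): a router-style stateless filter that only looks at protocol and port, beside a stateful inspector that tracks TCP connection state for inbound packets and checks that data on port 80 actually looks like HTTP. Packets are constructed dicts, and the handshake is simplified to the inbound SYN and ACK only.

```python
"""Stateless packet filter vs. stateful inspection, as a small illustration.
Packets are constructed dicts (assumed format), not real captures."""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def stateless_filter(pkt: dict) -> bool:
    """Router-style ACL: allow inbound TCP to port 80, deny everything else.
    It has no memory and never looks at the payload."""
    return pkt["proto"] == "tcp" and pkt["dport"] == 80


class StatefulInspector:
    """Tracks inbound TCP connections and insists that port-80 traffic is HTTP."""

    def __init__(self) -> None:
        self.conns: dict = {}  # (src, sport, dst, dport) -> connection state

    @staticmethod
    def _key(pkt: dict) -> tuple:
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def allow(self, pkt: dict) -> bool:
        if not stateless_filter(pkt):  # the ACL still applies first
            return False
        key, flags = self._key(pkt), pkt.get("flags", "")
        state = self.conns.get(key)
        if state is None:
            # Only a SYN may open a new connection; a mid-stream packet with
            # no prior handshake is out of state and dropped.
            if flags == "S":
                self.conns[key] = "SYN_SENT"
                return True
            return False
        if "R" in flags or "F" in flags:  # reset/fin tears the entry down
            self.conns.pop(key, None)
            return True
        if state == "SYN_SENT":
            if flags == "A":  # client's final ACK completes the handshake
                self.conns[key] = "ESTABLISHED"
                return True
            return False
        data = pkt.get("payload", b"")
        if data and not data.startswith(HTTP_METHODS):
            # Established, but something other than HTTP on port 80: drop
            # the packet and forget the connection.
            self.conns.pop(key, None)
            return False
        return True
```

The stateless filter accepts the non-HTTP payload on port 80 just as readily as the HTTP one, which is exactly the case the stateful engine catches.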
Pace: Having an expert to help you out is very good advice. Moreover, trying to analyze your firewall needs without spending the time and research it takes to become savvy with security is a major mistake. Just leaving it up to the expert can be a mistake as well, however. The key to security is identifying your assets and risks, and then choosing the solution that will minimize your loss should your security become compromised.
Let me take a minute to plug risk-analysis software. It is vitally important to know what risks you are taking in exposing your data. This goes for anything from exposure to internal sources (your employees) to allowing access to your data over the Internet. Not having a clear idea of what your data is worth or what it will cost you should someone else come into possession of it is a serious problem. Executives as well need to have a clear answer to the question, "What will happen if our competitor gets access to our data?" This threat goes way beyond firewalls; this goes all the way to almost every company's worst security risk: physical access to systems. Look to vendors such as L3 Security (www.l3security.com) or Internet Security Systems (www.iss.net) for risk-analysis solutions.
One thing I've been frustrated with lately in the security market is the fact that everyone seems to try to come up with a buzzword to describe their security techniques, rather than just explaining them correctly. Most solutions these days are hybrids of packet filters, proxies, and stateful inspection.
If you are looking for a recommendation, my two favorite firewalls are Cisco Systems' PIX and Checkpoint's Firewall-1. Both are stateful inspection-based and offer support for many of the latest and more unusual protocols. As Brooks mentioned, many consider the proxy-based approach more secure. My opinion, however, is that a well-secured stateful engine can be just as powerful and safe as proxies. The benefits of the stateful engine come down to the amount of effort administrators need to spend supporting the firewall when new services are required -- proxy-based systems almost always require new proxies or more extensive setup times.
Of course, for maximum security, I recommend both packet filtering on your routers as well as a stateful firewall. Having a few lines of defense is always good. Also, having a monitoring package to alert your staff of problems when they occur is very important. I don't know how many corporations I've gone into that have good or great security measures in place only to compromise themselves by not having a strong logging and alerting mechanism. Look to your security expert and to your firewall vendor to recommend log analysis and alert tools to make sure you are aware of what is happening.
Brooks Talley is senior business and technology architect for InfoWorld.com.
Mark Pace is a member of the InfoWorld Review Board. Send your questions for them to email@example.com.