Who exactly am I protecting myself against
Firewalls and Their Role in Network Security for Small and Medium Sized Businesses are for anyone who has an interest in the information contained on the computers on your LAN or anyone who wishes to destroy this information is a possible candidate. Motives can vary from a competing business trying to steal company secrets, to a “hacker” who wants to conquer your network. Firewalls provide solutions for these problems. It is naïve to believe that a firewall or similar network security device is not needed because you do not think anyone will attempt a break-in.
Why do I need a firewall
Firewalls are needed to protect the privacy of traffic flowing in and out of your LAN. Additionally, and arguably more importantly, they protect against malicious outside users from compromising your system (by using a computer’s OS against it). For businesses using a permanent connection to the Internet, an outside malicious user has as much time as they want to survey your system and discover a back door. Under these circumstances, your system can be compromised after business hours when you are least likely to detect it (usually these break-ins are only detected because of damage inflicted i.e. files erased, etc.). If this is the case, then installing a firewall is a good idea. The degree to which the firewall should be configured is really a matter of importance and paranoia surrounding the network. You must consider what degree of risk can be tolerated when configuring the firewall Another consideration is cost. To reap the benefits of a firewall, not only the installation cost should be considered (outlined above), but also the maintenance costs.
What is the safest way to set up a firewall
A foolproof firewall is quite simple to set up, actually… just block all traffic from flowing through it. A cheaper alternative is to unplug your LAN from the Internet. This is not very practical, but raises an important fact; no firewall that allows any traffic through it is completely secure.
Where are the “Security Problems”
Basically, there are two ways, as mentioned before, for a security breach to occur: one is IP packets, the other is breach of OS security. These really go hand in hand because PC Operating System security can be breached through a firewall only by allowing illegitimate packets in to manipulate the system. PC Operating Systems have only recently (relatively) incorporated IP into their kernels. This is problematic because “back doors” may not have been properly identified and dealt with. Also, it is not a wise practice to believe “the pricier, the better.” Even some free operating systems can be considered more secure and robust than their expensive counterparts.
How does a firewall work
Although they can come in two flavors (software or hardware), the implementation is similar. Every packet traveling between your LAN and the Internet must pass through the firewall. A good practice when setting up a firewall (for maximum security) is to disable everything, then enable only tasks relevant to your current goals. There are a variety of “filters” that all data must pass through. All data packets failing the various filter tests are dropped. The firewall only looks at key parts of an IP packet. A diagram of an IP header. The firewall is most concerned with this, where it can find information such as the source and destination address of a packet, type of service, etc.
How it uses this information is shown in the following filter types listed below
Packet Filtering – Packet filtering is easily implemented and provides excellent security, but decreases network functionality and versatility. In essence the firewall scans each packet. Depending on the configuration of the firewall, it may allow HTTP, DNS, POP3, and SMTP packets to pass through, but not FTP or Telnet packets. You can see how this now limits your LAN.
Client/Server Access Lists – Client Access Lists work well in conjunction with Packet Filtering. The firewall grants different rights to users based on IP address. This can be used to block E-mail from certain annoying spammers. It can also be used to allow FTP communication between your LAN and another LAN that is known to be secure. Remember, although another company may be “trusted,” you must consider the overall security implementation on their system as well. By granting access to your network, you are potentially allowing everyone they allow on their network to use your network. Server Access Lists work in a similar manner as Client Access Lists except they prevent users on your LAN from accessing insecure servers. This may also be used to prevent employees from visiting “inappropriate” web sites during work hours. The problem with Client/Server Access Lists is that it is quite easy to “spoof” an IP address. In other words, a crafty outside user can make it appear as though his IP address is actually originating from that secure LAN mentioned before, possible giving him FTP access to your LAN. Fortunately, most firewall software/hardware is capable of detecting IP spoofing, especially if the IP address being spoofed is inside your LAN. In this case, it can tell by detecting what port is accessed (internal or external).
User Authentication – Sometimes legitimate users need to log in from home and use FTP facilities. This can be accomplished using User Authentication. When implemented properly, an outside user can dial into the LAN (passing through the firewall), and submit both a user name and a password. This can be easily defeated if a listener simply records the raw packets the legitimate user sends for authentication. Even if the user name and password are sent with weak encryption, a simple playback of this recording at the appropriate time will breach these security measures. Strong encryption algorithms such as public key encryption should be used so the data is not encrypted the same way every time. Once the connection is established, the degree of encryption can be lowered or eliminated. It is important to regulate this practice very closely. If users are allowed to create their own passwords and do not have to change them frequently, illegitimate users may be able to find these passwords quite easily (for instance, trying the names of the user’s children).
Address Obfuscation – Address Obfuscation is another feature provided by firewalls. When implemented properly in conjunction with other firewall features, it can greatly increase LAN security. When inside the LAN, users see each other’s actual IP address. However, the outside world sees different IP addresses, sometimes dynamic in nature. This prevents illegitimate users from identifying resources behind the firewall.
Do Firewalls Protect against Viruses
In a nutshell, no. Firewalls cannot protect against data-driven attacks. Unfortunately, a virus can be transmitted through the firewall if it passes all filter tests. The purpose of a firewall is to regulate ALL information passing to and from other networks. The payload sent in each packet is irrelevant. Viruses can sneak in (even unencrypted) if the packet is originating from an acceptable source. Email is probably the easiest transport mechanism for this. Currently, the best way to avoid contracting viruses is to install virus protection software on each workstation on the LAN.
You must remember it is unreasonable to build a house of straw and install a 10-inch thick titanium door. Firewalls can only protect your business’ data that flows through the firewall. A firewall cannot protect a business with poor internal security. For instance, if critical information is stored on magnetic media, security measures must be taken to ensure that this information is not copied or removed from the premises. Also, if information is of the highest security, there may be no reason at all to connect this to the Internet at all. Sometimes it is best to isolate very critical information, in which case no firewall is needed it all.
Firewalls cannot protect you from incompetent or malevolent employees either. Employees can willingly or unwillingly provide secured information such as passwords over a tapped telephone or via fax. Firewalls should not be considered a universal solution for security problems. They work best when integrated into an already secure local environment.
Discover what Cloud Hosted Data Services and Security are and how Simplistic IT Solutions can help your business with disaster recovery in the DFW area. Call Simplistic IT Solutions to learn more about our Managed Services Provider (MSP’s) and Cloud services offerings at 972.416.1415 (office) or 855.211.1415 (toll free).
Simplistic IT Solutions offers a fully Dallas BBB vetted services warranty. We have not found any other MSP’s Managed Services Providers (MSP’s) in the DFW Metroplex, that provides a up front warranty. This warranty is on Simplisticit’s Web site Home Page at the bottom. Such warranties usually require time consuming and burdensome negotiations.