Deploying Firewalls
Source: US-CERT

A firewall is a combination of hardware and software used to implement a security policy governing the network traffic between two or more networks, some of which may be under your administrative control (e.g., your organization’s networks) and some of which may be out of your control (e.g., the Internet). A network firewall commonly serves as a primary line of defense against external threats to your organization's computer systems, networks, and critical information. Firewalls can also be used to partition your organization’s internal networks, reducing your risk from insider attacks.

Who Should Read These Practices
What These Practices Do Not Cover
Security Issues
Security Improvement Approach
Summary of Recommended Practices
Abbreviations Used in These Practices

Firewall technologies have entered into the mainstream. The "1999 Computer Security Institute/FBI Computer Crime and Security Survey" [Power 99] indicates that 91 percent of the organizations surveyed already deploy firewalls. Articles and other references covering evaluation, selection, and configuration of firewall technologies are now common in the popular press.

However, there has been little published about designing, installing, deploying, operating, and maintaining firewalls. The practices in this module will address designing, installing, and deploying firewalls.

The term firewall is taken from the structural analog whose purpose is to slow the spread of fire in a building. In the computer literature, popular press, and vendor marketing materials, the term is used in many ways. Some people use it to identify a specific hardware component or software package, while others consider the entire collection of systems and software deployed between two networks to be parts of a firewall.

Throughout these practices, we will generally use the term firewall as an adjective modifying a noun (such as system, hardware, software, product) to make the reference clear. When we use the term firewall as a noun, we mean the general concept of a technological mechanism for the enforcement of a network traffic security policy. While this may seem cumbersome at times, we believe these distinctions will increase your understanding of our intent.

Who Should Read These Practices

These practices are intended primarily for experienced system and network administrators and integrators.

These practices are applicable to your organization if its information infrastructure either includes or will soon include

  • interconnections between internal networks and networks not under its administrative control, such as the Internet or business partner networks
     
  • interconnections among internal networks with different security requirements

The purpose of this module is to cover the fundamentals of firewall functionality (packet filtering) and the deployment process. These practices assume that your desired firewall architecture includes packet filtering as a first step. Later versions of this module will address additional firewall capabilities such as proxies and VPNs (virtual private networks).

What These Practices Do Not Cover

These practices do not address

  • the creation of a detailed security policy including the policy to be enforced by the firewall
     
  • the evaluation and selection of specific firewall products
     
  • post-deployment operation and maintenance of firewalls
     
  • the design and deployment of more advanced firewall capabilities, such as
    - proxies (including SOCKS)
    - stateful inspection or dynamic packet filtering
    - network address translation
    - virtual private networks
    - Internet Protocol version 6 or other non-Internet Protocol version 4 protocols
    - network and host intrusion detection technologies
     
  • networking fundamentals, such as
    - specific Internet protocols
    - routing and route management
    - switching and VLANs (virtual local area networks)
     
  • system management fundamentals, such as
    - operating systems installation and maintenance
    - application software installation and maintenance
    - host intrusion detection technologies
     
  • cryptography and encryption technologies

Security Issues

Increasingly, organizations are connecting to the Internet to establish a business and electronic commerce presence and to access information rapidly. When your organization's networks are connected to the Internet without adequate security measures in place, you become vulnerable to attacks from external adversaries. Without firewalls, you will be unable to prevent many forms of undesirable access to your networks, systems, and information assets. The risks include

  • loss of confidentiality of business information (e.g., financial records, strategic planning data, engineering models and prototypes, marketing plans, medical records), as well as inability to guarantee the integrity of such information
     
  • loss of availability of mission-critical services such as EDI (electronic data interchange), ERP (enterprise resource planning), just-in-time inventory controls, and electronic mail
     
  • exposure of critical data about your information infrastructure that can be used by your adversaries in planning their attacks
     
  • legal liability, regulatory liability, or public loss of confidence when your adversaries use one of your computers to carry out attacks against other organizations
     
  • vandalism of public information services (such as your public Web site)

The use of firewall technology provides you with one of the most effective tools available to manage your networks’ risk by providing you with access control mechanisms that can implement complex security policies.

Security Improvement Approach

To effectively deploy firewall technology, we recommend a four-part approach. It requires implementing security practices in these areas:

  • preparing for firewall system deployment

  • configuring your firewall system to reflect your security policy

  • testing your firewall system to ensure it performs according to your specifications

  • deploying the correctly configured firewall system

Summary of Recommended Practices

Area       Recommended Practice

Prepare    1.  Design the firewall system.

Configure  2.  Acquire firewall hardware and software.
           3.  Acquire firewall documentation, training, and support.
           4.  Install firewall hardware and software.
           5.  Configure IP routing.
           6.  Configure firewall packet filtering.
           7.  Configure firewall logging and alert mechanisms.

Test       8.  Test the firewall system.

Deploy     9.  Install the firewall system.
           10. Phase the firewall system into operation.
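The practices above describe packet filtering as the first step of a firewall architecture, with logging, alerting, and testing layered on before deployment. The following Python program is an added example, not code from the US-CERT module: it models a stateless packet filter with first-match rules and an implicit default deny (practice 6), logs and alerts on denied traffic (practice 7), and replays a constructed set of packets against the policy as an acceptance test (practice 8). The addresses (10.1.0.0/16 internal, 192.0.2.0/24 DMZ with one web server and one mail relay), the rule syntax, and the Packet record are all constructed for this illustration and match no product's configuration language.

```python
"""Added example (not part of the US-CERT module): a small model of a stateless
packet filter. Networks, hosts, rule syntax and the Packet record are constructed
for illustration only."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.1.0.0/16")        # constructed internal network
WEB_SERVER = ip_network("192.0.2.10/32")    # constructed DMZ web server
MAIL_RELAY = ip_network("192.0.2.25/32")    # constructed DMZ mail relay


@dataclass(frozen=True)
class Packet:
    ingress: str                 # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    ingress: Optional[str] = None     # None matches either interface
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None       # None matches any protocol
    dports: frozenset = frozenset()   # empty set matches any destination port
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every specified field must match; unspecified fields are wildcards."""
        return ((self.ingress is None or pkt.ingress == self.ingress)
                and ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or pkt.proto == self.proto)
                and (not self.dports or pkt.dport in self.dports))


# First matching rule wins; anything unmatched falls through to default deny.
POLICY = [
    # Traffic arriving from outside must never claim an inside source address.
    Rule("anti-spoof", "deny", ingress="ext", src=INTERNAL, log=True),
    # The only inbound services: web and mail relay in the DMZ.
    Rule("web-in", "permit", ingress="ext", dst=WEB_SERVER, proto="tcp",
         dports=frozenset({80, 443})),
    Rule("smtp-in", "permit", ingress="ext", dst=MAIL_RELAY, proto="tcp",
         dports=frozenset({25})),
    # Internal hosts may initiate outbound traffic.
    Rule("internal-out", "permit", ingress="int", src=INTERNAL),
]


class PacketFilter:
    def __init__(self, rules, alert_threshold=3):
        self.rules = list(rules)
        self.alert_threshold = alert_threshold
        self.log = []              # (rule name, packet) for each logged decision
        self.alerts = []
        self._denies_by_src = {}

    def decide(self, pkt: Packet):
        """Return (action, rule name). A default deny is always logged."""
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append((rule.name, pkt))
                if rule.action == "deny":
                    self._record_deny(pkt)
                return rule.action, rule.name
        self.log.append(("default-deny", pkt))
        self._record_deny(pkt)
        return "deny", "default-deny"

    def _record_deny(self, pkt: Packet):
        # Simple alert mechanism: one alert when a source reaches the threshold.
        n = self._denies_by_src.get(pkt.src, 0) + 1
        self._denies_by_src[pkt.src] = n
        if n == self.alert_threshold:
            self.alerts.append(f"{pkt.src}: {n} denied packets")


# Practice 8: constructed packets with the decision the policy is expected to make.
EXPECTED = [
    (Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 443), "permit"),
    (Packet("ext", "203.0.113.5", "192.0.2.10", "tcp", 22), "deny"),
    (Packet("ext", "10.1.4.4", "192.0.2.10", "tcp", 80), "deny"),      # spoofed source
    (Packet("ext", "203.0.113.5", "192.0.2.25", "tcp", 25), "permit"),
    (Packet("ext", "203.0.113.5", "10.1.4.4", "tcp", 445), "deny"),
    (Packet("int", "10.1.4.4", "203.0.113.5", "tcp", 443), "permit"),
    (Packet("int", "203.0.113.5", "10.1.4.4", "udp", 53), "deny"),
    (Packet("ext", "203.0.113.5", "192.0.2.10", "udp", 80), "deny"),    # wrong protocol
]


def run_acceptance_tests(pf: PacketFilter):
    """Replay the vectors and return the mismatches; an empty list means pass."""
    failures = []
    for pkt, expected in EXPECTED:
        action, rule = pf.decide(pkt)
        if action != expected:
            failures.append((pkt, expected, action, rule))
    return failures


if __name__ == "__main__":
    pf = PacketFilter(POLICY)
    print("acceptance failures:", run_acceptance_tests(pf))
    for name, pkt in pf.log:
        print(f"LOG   {name}: {pkt}")
    for alert in pf.alerts:
        print(f"ALERT {alert}")
```

The design choice worth noting is that the default action is deny and is always logged, so a packet that no rule anticipated shows up in the log rather than silently passing; the acceptance vectors are kept beside the policy so that any later rule change is re-tested against the same expectations before the filter is phased into operation.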

Abbreviations Used in These Practices

DMZ    Demilitarized Zone
DNS    Domain Name Service
EDI    Electronic Data Interchange
ERP    Enterprise Resource Planning
FTP    File Transfer Protocol
HTTP   Hypertext Transfer Protocol
ICMP   Internet Control Message Protocol
IDS    Intrusion Detection System
IP     Internet Protocol
ISP    Internet Service Provider
LDAP   Lightweight Directory Access Protocol
NAT    Network Address Translation
NFS    Network File System
NTP    Network Time Protocol
OS     Operating System
OSPF   Open Shortest Path First
RAM    Random Access Memory
RCS    Revision Control System
RIP    Routing Information Protocol
SCCS   Software Configuration Control System
SOCKS  General Purpose Application Proxy
SMTP   Simple Mail Transfer Protocol
SNMP   Simple Network Management Protocol
SPAK   Send Packets (network traffic generator tool available at the COAST Web site)
SSH    Secure Shell
SSL    Secure Socket Layer
TCP    Transmission Control Protocol
UDP    User Datagram Protocol
VLAN   Virtual Local Area Network
VPN    Virtual Private Network
WWW    World Wide Web
