Firewall Wizards mailing list archives

Re: Software and platform for an Enterprise Firewall


From: Bennett Todd <bet () rahul net>
Date: Wed, 24 Dec 1997 04:26:57 -0800

1997-12-22-15:01:15 Paul Schmiege:
[...] I would like to know what other firewall administrators consider
the right software and operating system.

In other words, ``what's the best firewall''. There's a standard answer
to that, works every time. ``It depends''.

If you're _really_ doing things right, you won't find out what is ``the
right firewall'' until very late in the game. The sequence goes
something like this:

1) Define a preliminary trial at a security policy. Make it as strict
   as is practical for your organization. How strict is practical? It
   depends; that tradeoff ends up being set by your organization's
   needs. In each case, if there's debate, it needs to be settled by
   weighing the security risks against the utility of the service under
   dispute. It's really important to make this preliminary policy as
   tight as you can; it will only loosen over time.

2) Refine and adjust that security policy; resolve all disputes over
   what services will be allowed to which users. Get senior management
   to endorse the results; they must grant enforcement authority to
   the security admin else there's no point in going any further. Then
   advertise the policy; make sure all the users know about it and are
   prepared to live with it. If you get objections settle 'em now.

3) Research available firewalls, to see which ones are best able to
   implement your security policy. For some security policies a simple
   screening router, or a screening router with clever hacks bolted on
   like ``stateful inspection'', may suffice; for others you'll need an
   application proxy firewall. Find out which firewalls can implement
   your policy, and how well they can implement it. That will probably
   conclude your shopping decision, as there will be at most one that
   can almost but not quite do what you want. If you should end up with
   multiple choices, then look at the vendor's reputation in the
   security business --- how long have they been doing firewalls? What
   do firewall experts think about the choices? If you still end up with
   a choice, then maybe add in ``how much does it cost'', ``how familiar
   am I with the OS/hardware it's running on'', or even ``how fast is
   it''.

4) Once you've chosen your firewall, buy it, set it up, and test it.
   Initially have it attached to the internet, with only a test client
   on the inside, and another one sitting just outside the firewall, in
   the DMZ. Using these test clients, probe the firewall. Hit it with
   strobe. Try to break into any services you find. Then try again from
   outside the screening router, to make sure it's enforcing the
   policies it is supposed to. See what showed up in logfiles when you
   tried burgling it. Rig log-file watching software to set off alarms
   when anything unusual happens.

5) Hook it up to your real net.


If you've done things right, 95% or more of the time and effort was
spent getting that security policy right.

-Bennett
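As an added illustration of the probing in step 4 (example code, not part of Bennett's post), the following Python script compares a test scan of the firewall against the written policy for each vantage point (inside, DMZ, outside) and then checks that every probe the firewall blocked actually left a denial entry in the log. It assumes the scan was taken with nmap's grepable output (-oG) rather than strobe, and that the firewall writes one syslog-style DENY line per dropped connection in the hypothetical format shown; the addresses, services and log lines are constructed sample data.

```python
"""Check a firewall test scan against the written security policy.

Added example, not from the original post. Assumes nmap -oG output in
place of strobe, and a hypothetical syslog-like DENY line format.
"""
import re
from collections import namedtuple

# Policy: for each vantage point, the (host, port/proto) pairs the policy
# allows to be reachable. Anything else must be blocked. Hosts and
# services are assumptions for the example, not from the post.
POLICY = {
    "inside":  {("203.0.113.10", "22/tcp"), ("203.0.113.10", "25/tcp"),
                ("203.0.113.10", "80/tcp")},
    "dmz":     {("203.0.113.10", "25/tcp"), ("203.0.113.10", "80/tcp")},
    "outside": {("203.0.113.10", "25/tcp"), ("203.0.113.10", "80/tcp")},
}

# Constructed nmap -oG style output for a scan run from the DMZ test client.
# 22 is open but only allowed from inside, 111 is open and never allowed,
# 80 is allowed from the DMZ but came back closed, 23 was silently dropped.
SCAN_FROM_DMZ = """\
# Nmap 4.11 scan initiated as: nmap -oG - 203.0.113.10
Host: 203.0.113.10 (fw.example.test)\tPorts: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 80/closed/tcp//http///, 23/filtered/tcp//telnet///, 111/open/tcp//rpcbind///\tIgnored State: filtered (995)
# Nmap done
"""

# Constructed firewall log in a hypothetical format: note there is no
# DENY line for the probe of port 23, which was dropped without a trace.
FW_LOG = """\
Dec 24 04:26:57 fw kernel: DENY TCP 198.51.100.5:40123 -> 203.0.113.10:80
Dec 24 04:26:58 fw kernel: DENY TCP 198.51.100.5:40125 -> 203.0.113.10:443
"""

PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)")
LOG_RE = re.compile(r"DENY (TCP|UDP) \S+ -> (\S+):(\d+)")
Finding = namedtuple("Finding", "unexpected_open expected_but_unreachable")


def parse_grepable(text):
    """Return {(host, 'port/proto'): state} from nmap -oG output lines."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        m = re.search(r"Ports: (.*?)(\t|$)", line)
        if not m:
            continue
        for port, state, proto in PORT_RE.findall(m.group(1)):
            results[(host, f"{port}/{proto}")] = state
    return results


def check_policy(policy, vantage, scan_text):
    """Compare what the scan saw from `vantage` with what the policy allows.

    unexpected_open: reachable services the policy forbids from here.
    expected_but_unreachable: services the policy permits that are not
    reachable, i.e. the firewall is not implementing the policy either way.
    """
    allowed = policy[vantage]
    seen = parse_grepable(scan_text)
    unexpected = sorted(k for k, st in seen.items()
                        if st == "open" and k not in allowed)
    unreachable = sorted(k for k in allowed if seen.get(k) != "open")
    return Finding(unexpected, unreachable)


def unlogged_denials(scan_text, log_text):
    """Ports the scan found blocked for which the firewall logged nothing."""
    logged = {(host, f"{port}/{proto.lower()}")
              for proto, host, port in LOG_RE.findall(log_text)}
    blocked = [k for k, st in parse_grepable(scan_text).items() if st != "open"]
    return sorted(k for k in blocked if k not in logged)


if __name__ == "__main__":
    finding = check_policy(POLICY, "dmz", SCAN_FROM_DMZ)
    print("open but forbidden from the DMZ:", finding.unexpected_open)
    print("allowed from the DMZ but unreachable:", finding.expected_but_unreachable)
    print("blocked probes with no log line:", unlogged_denials(SCAN_FROM_DMZ, FW_LOG))
```

Run the scan from each test client in turn and feed each result through `check_policy` with the matching vantage point; anything in either list is a policy violation to fix before step 5, and anything returned by `unlogged_denials` means the log-watching alarms would have missed that probe.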
