Enterprise firewall purchase and deployment guide

xiaoxiao, 2021-03-06

Once a business has decided to implement its security policy, the next step is to choose a firewall that is secure, affordable, and suited to the site. The following aspects should be considered when choosing one.

I. Firewall requirements

1. Basic functions a firewall should have

Support for a "deny everything unless explicitly allowed" design stance, even if that is not the initial policy; the firewall should enforce the organization's security policy rather than impose its own, and if the policy changes, new services can be added;

Support for advanced authentication methods, or hooks so that such methods can be installed;

Filtering that allows or denies individual services as needed;

Proxy services for FTP and Telnet, so that advanced authentication can be installed and run on the firewall itself;

A friendly, easily programmed IP filtering language that can filter on the attributes of a packet: destination and source IP address, protocol type, source and destination TCP/UDP port, the TCP ACK bit, and the inbound and outbound network interface.
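The filtering requirements above, as an added worked example (not code from the article or from any firewall product): a first-match, default-deny packet filter that decides on exactly the fields the article lists. The rule set, the internal address range, and the sample packets are constructed for illustration; the ACK-bit rule shows how a stateless filter of this era admitted replies to outbound connections while refusing new connections that arrive from port 80, and the interface check shows the anti-spoofing use of the inbound interface field.

```python
"""Added example: a minimal default-deny packet filter over the fields the
article lists.  Rules, address ranges and packets are constructed for
illustration; this is not the code of any product named on the page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp", "udp", "icmp"
    sport: int
    dport: int
    ack: bool         # TCP ACK bit; False on the first packet of a connection
    in_iface: str     # interface the packet arrived on: "int" or "ext"


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    comment: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None         # None matches any protocol
    sport: Optional[PortRange] = None
    dport: Optional[PortRange] = None
    ack: Optional[bool] = None          # None: don't care about the ACK bit
    in_iface: Optional[str] = None      # None: any interface


def _in_range(port: int, rng: Optional[PortRange]) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    return (
        ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
        and (rule.proto is None or rule.proto == pkt.proto)
        and _in_range(pkt.sport, rule.sport)
        and _in_range(pkt.dport, rule.dport)
        and (rule.ack is None or rule.ack == pkt.ack)
        and (rule.in_iface is None or rule.in_iface == pkt.in_iface)
    )


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet that no rule mentions is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny (no rule matched)"


INTERNAL = "10.0.0.0/8"        # assumed internal network
MAIL_RELAY = "10.1.1.25/32"    # assumed SMTP relay host

POLICY = [
    # Anti-spoofing: internal addresses must never arrive on the outside interface.
    Rule("deny", "spoofed internal source on external interface",
         src=INTERNAL, in_iface="ext"),
    # Outbound web browsing from the inside.
    Rule("allow", "outbound HTTP", src=INTERNAL, proto="tcp",
         dport=(80, 80), in_iface="int"),
    # Replies to that browsing: only packets with ACK set may come back from port 80.
    Rule("allow", "HTTP replies (ACK set)", dst=INTERNAL, proto="tcp",
         sport=(80, 80), ack=True, in_iface="ext"),
    # The only inbound service: SMTP to the mail relay.
    Rule("allow", "inbound SMTP to relay", dst=MAIL_RELAY, proto="tcp",
         dport=(25, 25), in_iface="ext"),
]

# Constructed sample traffic (external addresses from RFC 5737 documentation ranges).
SAMPLE: Dict[str, Packet] = {
    "client_syn":       Packet("10.1.2.3", "203.0.113.10", "tcp", 40000, 80, False, "int"),
    "server_reply":     Packet("203.0.113.10", "10.1.2.3", "tcp", 80, 40000, True, "ext"),
    "syn_from_port_80": Packet("203.0.113.10", "10.1.2.3", "tcp", 80, 40000, False, "ext"),
    "smtp_in":          Packet("198.51.100.7", "10.1.1.25", "tcp", 51234, 25, False, "ext"),
    "telnet_in":        Packet("198.51.100.7", "10.1.2.3", "tcp", 51235, 23, False, "ext"),
    "spoofed":          Packet("10.9.9.9", "10.1.2.3", "tcp", 1234, 80, False, "ext"),
}


def decisions() -> Dict[str, str]:
    """Action taken for each sample packet under POLICY."""
    return {name: evaluate(POLICY, pkt)[0] for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLE.items():
        print(f"{name:18} -> {evaluate(POLICY, pkt)}")
```

The "syn_from_port_80" packet is the case the ACK-bit field exists for: an outsider sending a connection request from source port 80 would otherwise look like a web reply and slip through. Note that ACK-bit filtering only distinguishes connection setup from established traffic; it does not stop probes that already carry ACK, which is why later products replaced it with connection-state tracking.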

If users need NNTP (Network News Transfer Protocol), X Window, HTTP, or Gopher, the firewall should include the corresponding proxy services. The firewall should also centralize mail handling, so that internal SMTP servers do not connect directly to external servers and the whole site's email can be processed in one place. The firewall should be able to accommodate public access to the site, and it should separate the public information server from the other internal servers.

2. Other features

The firewall should concentrate and filter dial-in access, and it should record network traffic and suspicious activity. To keep the logs readable, it should be able to condense them. If the firewall runs on UNIX, the vendor should supply a hardened UNIX installation together with tools that guarantee its integrity, and all operating system patches should be installed. The firewall's operating system need not be the one used inside the company, but an operating system the administrator is already familiar with makes management simpler.
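The log-condensing requirement above, as an added example that is not part of the article: the constructed log lines below imitate the deny/allow records a packet filter might write; the format, hosts, and addresses are assumed for illustration. The code collapses repeated records for the same flow into a count, flags a source that probes many ports, and counts lines it could not parse rather than silently dropping them, which is the check a practitioner wants before trusting any summary.

```python
"""Added example: condensing packet-filter logs into a readable summary.
The log format and the sample lines are constructed; they do not come from
the article or from any product named on the page."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Assumed record layout:  <timestamp> <host> <proc>: ACTION proto src:port -> dst:port in=iface
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"(?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) in=(?P<iface>\w+)$"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one record, or None if the line is not a filter record."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["sport"] = int(m.group("sport"))
    rec["dport"] = int(m.group("dport"))
    return rec


def condense(lines: List[str], scan_threshold: int = 5) -> Dict[str, object]:
    """Collapse repeated denies per (src, dst, proto, dport) and flag port scanners."""
    denied_flows: Counter = Counter()
    ports_per_src: Dict[str, set] = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed += 1            # keep a count; a summary that hides this is misleading
            continue
        if rec["action"] != "DENY":
            continue                 # only denied traffic is summarized here
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        denied_flows[key] += 1
        ports_per_src[str(rec["src"])].add(rec["dport"])
    scanners = sorted(s for s, ports in ports_per_src.items() if len(ports) >= scan_threshold)
    return {
        "denied_flows": denied_flows,
        "ports_per_src": dict(ports_per_src),
        "scanners": scanners,
        "unparsed": unparsed,
    }


def render(summary: Dict[str, object], top: int = 5) -> List[str]:
    """Human-readable lines: the busiest denied flows, then any scanners."""
    out = []
    for (src, dst, proto, dport), n in summary["denied_flows"].most_common(top):
        out.append(f"{n:6d}  DENY {proto} {src} -> {dst}:{dport}")
    for src in summary["scanners"]:
        ports = sorted(summary["ports_per_src"][src])
        out.append(f"SCAN    {src} probed {len(ports)} ports: {ports}")
    if summary["unparsed"]:
        out.append(f"NOTE    {summary['unparsed']} line(s) not parsed")
    return out


# Constructed sample log: one host repeatedly denied on telnet, one host
# sweeping several ports, one allowed connection, and one non-record line.
SAMPLE_LOG = (
    [f"Mar  3 10:{i:02d}:00 fw kernel: DENY tcp 198.51.100.7:{40000 + i} -> 10.1.2.3:23 in=ext"
     for i in range(30)]
    + [f"Mar  3 10:30:{i:02d} fw kernel: DENY tcp 203.0.113.5:{50000 + i} -> 10.1.2.3:{p} in=ext"
       for i, p in enumerate((21, 22, 23, 25, 80, 110))]
    + ["Mar  3 10:31:00 fw kernel: ALLOW tcp 10.1.2.3:40001 -> 203.0.113.10:80 in=int",
       "Mar  3 10:31:01 fw kernel: last message repeated 2 times"]
)

if __name__ == "__main__":
    for line in render(condense(SAMPLE_LOG)):
        print(line)
```

Thirty-eight raw lines reduce to a handful of summary lines, which is the point of condensing; the threshold for calling a source a scanner is a policy choice and is deliberately a parameter.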

The strength and correctness of the firewall should be verifiable. Its design should be simple enough for the administrator to understand and maintain. The firewall and its operating system should be kept up to date with patches, and upgrades must be performed regularly.

As mentioned earlier, the Internet changes constantly, and new points of attack can appear at any time. When new threats appear, new services and upgrades may meet resistance from the installed firewall, so the firewall's adaptability is very important.

II. Buy or build

Some companies have the ability to assemble their own firewall from available software components and equipment, or to write their own firewall software. Others use the firewall services offered by vendors: hardware and software, security policy development, risk assessment, security testing, and security training.

The advantage of building a firewall is that internal staff understand the design in detail and can adapt it easily. However, a home-built firewall takes a great deal of time to build, document, and maintain, so its cost is high. By comparison, buying a firewall from a vendor is usually more economical.

A company deciding whether to build and operate its own firewall should consider the following questions:

How will the firewall be tested?

How can it be shown that the firewall works as required?

Who will do routine firewall work, such as backups and repairs?

Who will upgrade the firewall, for example by installing new proxy servers, patches, and other upgrades?

Can security vulnerabilities be corrected promptly?

Who will provide technical support and training for users?

Many vendors provide not only installation but also firewall maintenance, so a company that cannot do the above itself should consider the vendor's services. Whichever approach is taken, the company should treat firewall maintenance as an extremely important job and give it as much time as it needs. In a small company this may not require a full-time person, but the work should still take priority over other tasks.

Only a firewall that is maintained effectively can work effectively. A poorly maintained firewall gives a false sense of security while in fact leaving many security holes. The security policy should clearly reflect the importance of firewall maintenance, and management should give the firewall sufficient support: priority, funding, and the other resources it needs. Having a firewall does not allow the site to relax its management; in fact, if the firewall is breached, a poorly managed site will be invaded and will suffer more serious losses. The existence of a firewall does not reduce the need for high-quality management. What a firewall does is put the site in a proactive position with respect to system maintenance: because the firewall provides a barrier, staff can spend more time on system maintenance rather than spending most of it responding to incidents.

In maintaining the firewall, a site should do the following:

Standardize operating system versions and software, and install patches and security fixes;

Roll out new programs and patches effectively across the whole site;

Use services that help manage the system; if certain services bring better management and better security, use them;

Periodically scan the host systems to discover configuration errors and weaknesses, and correct them;

Ensure that system administrators and security administrators communicate promptly and warn each other about site security issues.

III. Further advice

No single firewall design fits every environment, so choose a firewall based on the characteristics of the site. For example, if the site is a confidential organization that nevertheless needs to offer FTP service to certain people, it will need strong authentication.

Also, do not rely too heavily on firewall rankings. In the ratings published in various magazines, firewall speed carries a large weight, but if the site connects to the Internet over a T1 line or slower, most firewalls are more than fast enough for the site's needs.

Other factors to consider when purchasing a firewall:

The threats the network faces;

The potential losses if an intruder breaks into the network;

Other security measures already in use to protect the network and its resources;

The loss to the whole organization if users cannot reach the Internet because of a hardware or software failure, or because the firewall is under a denial-of-service attack;

The services the organization wants to offer to the Internet, and the services it wants to obtain from the Internet; the number of users who will pass through the firewall;

The experience available at the site;

Possible future requirements, such as more network activity through the firewall or new Internet services.

IV. Limitations of firewalls

While using a firewall we should also be aware of its limits. A firewall can give a false sense of security and cause vigilance inside it to relax. Many attacks are committed by insiders, against whom isolation-based measures are powerless. Likewise, a firewall cannot resolve every security problem in the data that passes through it: if a user downloads a program and runs it locally, the program may well contain malicious code that intercepts sensitive information or damages the user's system. With the spread of Java, JavaScript, and ActiveX controls and the browsers that run them, this problem has become more prominent and acute. Another disadvantage is that firewalls are not easy to use; most products need a network administrator to set them up. This situation will, of course, improve.

Firewalls are vital on today's Internet, but they cannot replace security measures inside the wall. A firewall is not the solution to every network security problem; it is only one component of the network security policy and strategy.

V. Some major firewall products

TIS FWTK

TIS FWTK is the abbreviation of the Trusted Information Systems (TIS) FireWall Toolkit, also known simply as FWTK. It is the typical example of an application-gateway firewall package: a toolkit for building and maintaining internal network firewalls. It is written in C, and its source code is available online. It runs on many BSD UNIX-based platforms and consists of many separate components, most of which are proxy applications. It includes proxies for the following services:

Telnet; FTP; rlogin; sendmail; HTTP; X Window System.

FWTK is a complex system that does not protect the network merely by being installed. It is a "toolbox": after installation, the user must make certain decisions and understand what results they produce, so this is not a simple configuration task. If the rules or decisions are wrong, the network will face many problems.

FWTK's outstanding advantage is the fine-grained access control built into its design. For example, the user can permit (or deny) access to the protected network from a whole network, from part of a network, or even from a single address.

Raptor Eagle series firewalls

Raptor has a long history; it began selling its firewall series in 1991. Raptor's online description is at: http://www.raptor.com/products/brochure/40broch.html#Abontraptor

The company's firewall products use many firewall techniques, including extensive logging, event triggers for suspicious behaviour, and strict classified access control. These products also support application proxies. Related site: http://www.raptor.com/products/brochure/40broch.html

Check Point FireWall-1

Check Point was founded in Israel in 1993 and now has branch offices in eight cities in the United States. The company's products run on a variety of platforms.

An interesting feature of Check Point FireWall-1 is its time objects: the administrator can specify a period of the day and apply an access control rule only within that period. FireWall-1 can also distribute the processing load across a set of workstations, reducing the burden on each one.

Articles and news about Check Point are available online; see:

http://www.checkpoint.com/press/index.html

For more details about Check Point, visit:

http://www.checkpoint.com/products/firewall/intro.html

Sunscreen

Sun's SunScreen is a family of products. The main ones are:

SunScreen SPF-100/100G, a turnkey solution that operates without IP addresses of its own and hides the IP addresses of internal hosts.

SunScreen EFS, which performs strict packet filtering and encryption and provides remote management through an HTML interface, making the administrator's work more convenient. Some information on SunScreen EFS is at:

http://www.sun.com/security/prodspec.html

SunScreen SKIP, which provides secure authentication for PCs and workstations.

Portus Secure Network FireWall
